Analysis
-
max time kernel
155s -
max time network
136s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 05:06
General
-
Target
53430abd76a5cfcfada4962cd8925b2e32620c44a8863b445ba145f42dbfea64.exe
-
Size
327KB
-
MD5
bded054d3176eefeedb4470df9ee4716
-
SHA1
27588165c1235dc41214195030d5620091d41261
-
SHA256
53430abd76a5cfcfada4962cd8925b2e32620c44a8863b445ba145f42dbfea64
-
SHA512
372195ea89bb3bf7aa4bf73253e86ee165ab7773440c1969a4297879f6e129ad66944c973a96f136b51a670b4347004bf6546b1c6259edf9ecd48c6874ce3907
Score
10/10
Malware Config
Extracted
Path
C:\RyukReadMe.txt
Family
ryuk
Ransom Note
Gentlemen!
Your business is at serious risk.
There is a significant hole in the security system of your company.
We've easily penetrated your network.
You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks.
They can damage all your important data just for fun.
Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256.
No one can help you to restore files without our special decoder.
Photorec, RannohDecryptor etc. repair tools
are useless and can destroy your files irreversibly.
If you want to restore your files write to emails (contacts are at the bottom of the sheet)
and attach 2-3 encrypted files
(Less than 5 Mb each, non-archived and your files should not contain valuable information
(Databases, backups, large excel sheets, etc.)).
You will receive decrypted samples and our conditions how to get the decoder.
Please don't forget to write the name of your company in the subject of your e-mail.
You have to pay for decryption in Bitcoins.
The final price depends on how fast you write to us.
Every day of delay will cost you additional +0.5 BTC
Nothing personal just business
As soon as we get bitcoins you'll get all your decrypted data back.
Moreover you will get instructions how to close the hole in security
and how to avoid such problems in the future
+ we will recommend you special software that makes the most problems to hackers.
Attention! One more time !
Do not rename encrypted files.
Do not try to decrypt your data using third party software.
P.S. Remember, we are not scammers.
We don`t need your files and your information.
But after 2 weeks all your files and keys will be deleted automatically.
Just send a request immediately after infection.
All data will be restored absolutely.
Your warranty - decrypted samples.
contact emails
[email protected]
or
[email protected]
BTC wallet:
1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz
Ryuk
No system is safe
Wallets
1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Kills process with taskkill 44 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3720 -s 8362⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\53430abd76a5cfcfada4962cd8925b2e32620c44a8863b445ba145f42dbfea64.exe"C:\Users\Admin\AppData\Local\Temp\53430abd76a5cfcfada4962cd8925b2e32620c44a8863b445ba145f42dbfea64.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\users\Public\qiLCL.exe"C:\users\Public\qiLCL.exe" C:\Users\Admin\AppData\Local\Temp\53430abd76a5cfcfada4962cd8925b2e32620c44a8863b445ba145f42dbfea64.exe2⤵
- Executes dropped EXE
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM excel.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM infopath.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mspub.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM onenote.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM oracle.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM outlook.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM steam.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM synctime.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM thebat.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM visio.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM winword.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Acronis VSS Provider" /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Enterprise Client Service" /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Agent" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Agent" /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Clean Service" /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Device Control Service" /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos File Scanner Service" /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMTA /y5⤵
-
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Health Service" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Health Service" /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos MCS Agent" /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos MCS Client" /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Message Router" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Message Router" /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Safestore Service" /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Web Control Service" /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLsafe Backup Service" /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLsafe Filter Service" /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RESvc /y5⤵
-
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop AcronisAgent /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop AcrSch2Svc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec System Recovery" /y4⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop tmlisten /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSA /y5⤵
-
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos System Protection Service" /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ARSM /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ARSM /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDeviceMediaService /y4⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploySvc /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecManagementService /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecRPCService /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_filter /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop bedbg /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop bedbg /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop Antivirus /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Antivirus /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop DCAgent /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DCAgent /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EPSecurityService /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EPUpdateService /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EraserSvc11710 /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPS /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop FA_Scheduler /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EsgShKernel /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EsgShKernel /y4⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop IISAdmin /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop IMAP4Svc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop IMAP4Svc /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop macmnsvc /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MBAMService /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MBEndpointAgent /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McAfeeFramework /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFramework /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McShield /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McShield /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McTaskManager /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McTaskManager /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mfemms /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfemms /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MsDtsServer100 /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MsDtsServer110 /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer110 /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeES /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeES /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeSRS /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSRS /y4⤵
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$TPS /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPS /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ECWDB2 /y4⤵
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y4⤵
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPSAMA /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKey /y5⤵
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLSERVER /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MySQL80 /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL80 /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ntrtscan /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ntrtscan /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MySQL57 /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL57 /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop OracleClientCache80 /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop PDVFSService /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop POP3Svc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop POP3Svc /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerOLAPService /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y4⤵
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPSAMA /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SepMasterService /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SepMasterService /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ShMonitor /y3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ShMonitor /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop Smcinst /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SmcService /y3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPSAMA /y5⤵
-
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SmcService /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SMTPSvc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SMTPSvc /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SNAC /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SNAC /y4⤵
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop sophossps /y3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop macmnsvc /y5⤵
-
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$TPS /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPS /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLBrowser /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLSafeOLRService /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPSAMA /y4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop OracleClientCache80 /y5⤵
-
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLTELEMETRY /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SstpSvc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SstpSvc /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop svcGenericHost /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop svcGenericHost /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_service /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_service /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_update_64 /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update_64 /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyServiceHelper /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamBackupSvc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBackupSvc /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamCloudSvc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamCloudSvc /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamDeploymentService /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer100 /y5⤵
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamRESTSvc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamRESTSvc /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamTransportSvc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y4⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop W3Svc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop W3Svc /y4⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Smcinst /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop wbengine /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wbengine /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y4⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop IISAdmin /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBAMService /y5⤵
-
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$CXDB /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_update /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PROD /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROD /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "SQL Backups" /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQL Backups" /y4⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophossps /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y5⤵
-
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Zoolz 2 Service" /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PROD /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROD /y4⤵
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FA_Scheduler /y5⤵
-
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ESHASRV /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESHASRV /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ekrn /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ekrn /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sacsvr /y5⤵
-
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SOPHOS /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y4⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPUpdateService /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop klnagent /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop klnagent /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop AVP /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AVP /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SOPHOS /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSafeOLRService /y5⤵
-
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y4⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBEndpointAgent /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop wbengine /y3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wbengine /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EhttpSrv /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EhttpSrv /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper100 /y5⤵
-
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop kavfsslp /y3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop kavfsslp /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop KAVFSGT /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFSGT /y4⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\qiLCL.exe" /f3⤵
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\qiLCL.exe" /f4⤵
- Adds Run key to start application
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mfefire /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfefire /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop KAVFS /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFS /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop NetMsmqActivator /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop msftesql$PROD /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop WRSVC /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamMountSvc /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamDeploySvc /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop UI0Detect /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TrueKeyScheduler /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TrueKey /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop tmlisten /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TmCCSF /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_filter /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLWriter /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SntpService /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SDRSVC /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SAVService /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SAVAdminService /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SamSs /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop sacsvr /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop RESvc /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$TPS /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EraserSvc11710 /y4⤵
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$TPS /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeSA /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeMTA /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeMGMT /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeIS /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MsDtsServer /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mozyprobackup /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MMS /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mfevtp /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McAfeeEngineService /y3⤵
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop masvc /y3⤵
-
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mozyprobackup /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMGMT /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPS /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVService /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SntpService /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyScheduler /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamMountSvc /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetMsmqActivator /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msftesql$PROD /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPSecurityService /y2⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop WRSVC /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop UI0Detect /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TmCCSF /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVAdminService /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SDRSVC /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SamSs /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeIS /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MMS /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfevtp /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeEngineService /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop masvc /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
280KB
-
Filesize
1.3MB
-
Filesize
35.8MB