exorcist | 8d684a790a5683b8decde9fb5a819c4a164d3032723a151a30ff26d3c2b1aabf

Analysis

max time kernel
131s
max time network
133s
platform
windows10_x64
resource
win10
submitted
24-07-2020 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79385ed97732aee0036e67824de18e28.exe
Size

43KB
MD5

79385ed97732aee0036e67824de18e28
SHA1

2f65a2b8ac21b3505855f7b89551cc1f31bf636e
SHA256

8d684a790a5683b8decde9fb5a819c4a164d3032723a151a30ff26d3c2b1aabf
SHA512

db1d99884ab384ed571195e7c85105fe1f5bef2cb7e81f1f9380a8aef99f71e9d51a46e5ea6d81acee72aa2c2eb1b371cd11097678cbd27cfa0ef9b254630072

Score

10^/10

ransomware persistence exorcist

Malware Config

Signatures

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3112	timeout.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:adbpjrmig	79385ed97732aee0036e67824de18e28.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:lajwebwylzuwgkqu	79385ed97732aee0036e67824de18e28.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:adbpjrmig	79385ed97732aee0036e67824de18e28.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:lxqgwsimxzeqhnwaq	79385ed97732aee0036e67824de18e28.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:wrtonhzylpznh	79385ed97732aee0036e67824de18e28.exe

Suspicious behavior: EnumeratesProcesses 298 IoCs

pid	Process
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe
2920	79385ed97732aee0036e67824de18e28.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
560	vssadmin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d.bmp"	79385ed97732aee0036e67824de18e28.exe

Kills process with taskkill 87 IoCs

evasion

pid	Process
3144	taskkill.exe
3348	taskkill.exe
2412	taskkill.exe
3352	taskkill.exe
3840	taskkill.exe
3032	taskkill.exe
1736	taskkill.exe
3348	taskkill.exe
3144	taskkill.exe
3872	taskkill.exe
3376	taskkill.exe
3684	taskkill.exe
3440	taskkill.exe
3640	taskkill.exe
3396	taskkill.exe
3352	taskkill.exe
3872	taskkill.exe
3872	taskkill.exe
2924	taskkill.exe
732	taskkill.exe
736	taskkill.exe
3716	taskkill.exe
3388	taskkill.exe
3516	taskkill.exe
732	taskkill.exe
3392	taskkill.exe
2112	taskkill.exe
3684	taskkill.exe
3556	taskkill.exe
3640	taskkill.exe
3288	taskkill.exe
3716	taskkill.exe
3684	taskkill.exe
2916	taskkill.exe
488	taskkill.exe
68	taskkill.exe
736	taskkill.exe
1832	taskkill.exe
560	taskkill.exe
3212	taskkill.exe
992	taskkill.exe
3640	taskkill.exe
1736	taskkill.exe
3968	taskkill.exe
3036	taskkill.exe
976	taskkill.exe
3352	taskkill.exe
2412	taskkill.exe
2408	taskkill.exe
2412	taskkill.exe
2412	taskkill.exe
2924	taskkill.exe
3516	taskkill.exe
976	taskkill.exe
1832	taskkill.exe
560	taskkill.exe
3908	taskkill.exe
1736	taskkill.exe
3032	taskkill.exe
3376	taskkill.exe
1976	taskkill.exe
740	taskkill.exe
3168	taskkill.exe
3212	taskkill.exe
992	taskkill.exe
496	taskkill.exe
1436	taskkill.exe
3968	taskkill.exe
3144	taskkill.exe
3556	taskkill.exe
68	taskkill.exe
992	taskkill.exe
3348	taskkill.exe
740	taskkill.exe
3036	taskkill.exe
412	taskkill.exe
3108	taskkill.exe
3716	taskkill.exe
3516	taskkill.exe
3688	taskkill.exe
2320	taskkill.exe
3168	taskkill.exe
3516	taskkill.exe
3012	taskkill.exe
3144	taskkill.exe
980	taskkill.exe
996	taskkill.exe

Suspicious use of WriteProcessMemory 555 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2408	2920	79385ed97732aee0036e67824de18e28.exe	68
PID 2920 wrote to memory of 2408	2920	79385ed97732aee0036e67824de18e28.exe	68
PID 2920 wrote to memory of 2408	2920	79385ed97732aee0036e67824de18e28.exe	68
PID 2408 wrote to memory of 3824	2408	cmd.exe	70
PID 2408 wrote to memory of 3824	2408	cmd.exe	70
PID 2408 wrote to memory of 3824	2408	cmd.exe	70
PID 2920 wrote to memory of 3352	2920	79385ed97732aee0036e67824de18e28.exe	73
PID 2920 wrote to memory of 3352	2920	79385ed97732aee0036e67824de18e28.exe	73
PID 2920 wrote to memory of 3352	2920	79385ed97732aee0036e67824de18e28.exe	73
PID 2920 wrote to memory of 3388	2920	79385ed97732aee0036e67824de18e28.exe	75
PID 2920 wrote to memory of 3388	2920	79385ed97732aee0036e67824de18e28.exe	75
PID 2920 wrote to memory of 3388	2920	79385ed97732aee0036e67824de18e28.exe	75
PID 2920 wrote to memory of 3336	2920	79385ed97732aee0036e67824de18e28.exe	77
PID 2920 wrote to memory of 3336	2920	79385ed97732aee0036e67824de18e28.exe	77
PID 2920 wrote to memory of 3336	2920	79385ed97732aee0036e67824de18e28.exe	77
PID 2920 wrote to memory of 1884	2920	79385ed97732aee0036e67824de18e28.exe	79
PID 2920 wrote to memory of 1884	2920	79385ed97732aee0036e67824de18e28.exe	79
PID 2920 wrote to memory of 1884	2920	79385ed97732aee0036e67824de18e28.exe	79
PID 2920 wrote to memory of 752	2920	79385ed97732aee0036e67824de18e28.exe	81
PID 2920 wrote to memory of 752	2920	79385ed97732aee0036e67824de18e28.exe	81
PID 2920 wrote to memory of 752	2920	79385ed97732aee0036e67824de18e28.exe	81
PID 752 wrote to memory of 560	752	cmd.exe	83
PID 752 wrote to memory of 560	752	cmd.exe	83
PID 752 wrote to memory of 560	752	cmd.exe	83
PID 2920 wrote to memory of 2172	2920	79385ed97732aee0036e67824de18e28.exe	84
PID 2920 wrote to memory of 2172	2920	79385ed97732aee0036e67824de18e28.exe	84
PID 2920 wrote to memory of 2172	2920	79385ed97732aee0036e67824de18e28.exe	84
PID 2920 wrote to memory of 3708	2920	79385ed97732aee0036e67824de18e28.exe	86
PID 2920 wrote to memory of 3708	2920	79385ed97732aee0036e67824de18e28.exe	86
PID 2920 wrote to memory of 3708	2920	79385ed97732aee0036e67824de18e28.exe	86
PID 3708 wrote to memory of 3640	3708	cmd.exe	88
PID 3708 wrote to memory of 3640	3708	cmd.exe	88
PID 3708 wrote to memory of 3640	3708	cmd.exe	88
PID 2920 wrote to memory of 3908	2920	79385ed97732aee0036e67824de18e28.exe	90
PID 2920 wrote to memory of 3908	2920	79385ed97732aee0036e67824de18e28.exe	90
PID 2920 wrote to memory of 3908	2920	79385ed97732aee0036e67824de18e28.exe	90
PID 3908 wrote to memory of 1736	3908	cmd.exe	92
PID 3908 wrote to memory of 1736	3908	cmd.exe	92
PID 3908 wrote to memory of 1736	3908	cmd.exe	92
PID 2920 wrote to memory of 3380	2920	79385ed97732aee0036e67824de18e28.exe	93
PID 2920 wrote to memory of 3380	2920	79385ed97732aee0036e67824de18e28.exe	93
PID 2920 wrote to memory of 3380	2920	79385ed97732aee0036e67824de18e28.exe	93
PID 3380 wrote to memory of 3968	3380	cmd.exe	95
PID 3380 wrote to memory of 3968	3380	cmd.exe	95
PID 3380 wrote to memory of 3968	3380	cmd.exe	95
PID 2920 wrote to memory of 3972	2920	79385ed97732aee0036e67824de18e28.exe	96
PID 2920 wrote to memory of 3972	2920	79385ed97732aee0036e67824de18e28.exe	96
PID 2920 wrote to memory of 3972	2920	79385ed97732aee0036e67824de18e28.exe	96
PID 3972 wrote to memory of 3144	3972	cmd.exe	98
PID 3972 wrote to memory of 3144	3972	cmd.exe	98
PID 3972 wrote to memory of 3144	3972	cmd.exe	98
PID 2920 wrote to memory of 4048	2920	79385ed97732aee0036e67824de18e28.exe	99
PID 2920 wrote to memory of 4048	2920	79385ed97732aee0036e67824de18e28.exe	99
PID 2920 wrote to memory of 4048	2920	79385ed97732aee0036e67824de18e28.exe	99
PID 4048 wrote to memory of 736	4048	cmd.exe	101
PID 4048 wrote to memory of 736	4048	cmd.exe	101
PID 4048 wrote to memory of 736	4048	cmd.exe	101
PID 2920 wrote to memory of 980	2920	79385ed97732aee0036e67824de18e28.exe	102
PID 2920 wrote to memory of 980	2920	79385ed97732aee0036e67824de18e28.exe	102
PID 2920 wrote to memory of 980	2920	79385ed97732aee0036e67824de18e28.exe	102
PID 980 wrote to memory of 3556	980	cmd.exe	104
PID 980 wrote to memory of 3556	980	cmd.exe	104
PID 980 wrote to memory of 3556	980	cmd.exe	104
PID 2920 wrote to memory of 3760	2920	79385ed97732aee0036e67824de18e28.exe	105
PID 2920 wrote to memory of 3760	2920	79385ed97732aee0036e67824de18e28.exe	105
PID 2920 wrote to memory of 3760	2920	79385ed97732aee0036e67824de18e28.exe	105
PID 3760 wrote to memory of 976	3760	cmd.exe	107
PID 3760 wrote to memory of 976	3760	cmd.exe	107
PID 3760 wrote to memory of 976	3760	cmd.exe	107
PID 2920 wrote to memory of 3828	2920	79385ed97732aee0036e67824de18e28.exe	108
PID 2920 wrote to memory of 3828	2920	79385ed97732aee0036e67824de18e28.exe	108
PID 2920 wrote to memory of 3828	2920	79385ed97732aee0036e67824de18e28.exe	108
PID 3828 wrote to memory of 3348	3828	cmd.exe	110
PID 3828 wrote to memory of 3348	3828	cmd.exe	110
PID 3828 wrote to memory of 3348	3828	cmd.exe	110
PID 2920 wrote to memory of 3168	2920	79385ed97732aee0036e67824de18e28.exe	111
PID 2920 wrote to memory of 3168	2920	79385ed97732aee0036e67824de18e28.exe	111
PID 2920 wrote to memory of 3168	2920	79385ed97732aee0036e67824de18e28.exe	111
PID 3168 wrote to memory of 1832	3168	cmd.exe	113
PID 3168 wrote to memory of 1832	3168	cmd.exe	113
PID 3168 wrote to memory of 1832	3168	cmd.exe	113
PID 2920 wrote to memory of 732	2920	79385ed97732aee0036e67824de18e28.exe	114
PID 2920 wrote to memory of 732	2920	79385ed97732aee0036e67824de18e28.exe	114
PID 2920 wrote to memory of 732	2920	79385ed97732aee0036e67824de18e28.exe	114
PID 732 wrote to memory of 68	732	cmd.exe	116
PID 732 wrote to memory of 68	732	cmd.exe	116
PID 732 wrote to memory of 68	732	cmd.exe	116
PID 2920 wrote to memory of 752	2920	79385ed97732aee0036e67824de18e28.exe	117
PID 2920 wrote to memory of 752	2920	79385ed97732aee0036e67824de18e28.exe	117
PID 2920 wrote to memory of 752	2920	79385ed97732aee0036e67824de18e28.exe	117
PID 752 wrote to memory of 3640	752	cmd.exe	119
PID 752 wrote to memory of 3640	752	cmd.exe	119
PID 752 wrote to memory of 3640	752	cmd.exe	119
PID 2920 wrote to memory of 3800	2920	79385ed97732aee0036e67824de18e28.exe	120
PID 2920 wrote to memory of 3800	2920	79385ed97732aee0036e67824de18e28.exe	120
PID 2920 wrote to memory of 3800	2920	79385ed97732aee0036e67824de18e28.exe	120
PID 3800 wrote to memory of 1736	3800	cmd.exe	122
PID 3800 wrote to memory of 1736	3800	cmd.exe	122
PID 3800 wrote to memory of 1736	3800	cmd.exe	122
PID 2920 wrote to memory of 3520	2920	79385ed97732aee0036e67824de18e28.exe	123
PID 2920 wrote to memory of 3520	2920	79385ed97732aee0036e67824de18e28.exe	123
PID 2920 wrote to memory of 3520	2920	79385ed97732aee0036e67824de18e28.exe	123
PID 3520 wrote to memory of 3968	3520	cmd.exe	125
PID 3520 wrote to memory of 3968	3520	cmd.exe	125
PID 3520 wrote to memory of 3968	3520	cmd.exe	125
PID 2920 wrote to memory of 1000	2920	79385ed97732aee0036e67824de18e28.exe	126
PID 2920 wrote to memory of 1000	2920	79385ed97732aee0036e67824de18e28.exe	126
PID 2920 wrote to memory of 1000	2920	79385ed97732aee0036e67824de18e28.exe	126
PID 1000 wrote to memory of 3144	1000	cmd.exe	128
PID 1000 wrote to memory of 3144	1000	cmd.exe	128
PID 1000 wrote to memory of 3144	1000	cmd.exe	128
PID 2920 wrote to memory of 2112	2920	79385ed97732aee0036e67824de18e28.exe	129
PID 2920 wrote to memory of 2112	2920	79385ed97732aee0036e67824de18e28.exe	129
PID 2920 wrote to memory of 2112	2920	79385ed97732aee0036e67824de18e28.exe	129
PID 2112 wrote to memory of 736	2112	cmd.exe	131
PID 2112 wrote to memory of 736	2112	cmd.exe	131
PID 2112 wrote to memory of 736	2112	cmd.exe	131
PID 2920 wrote to memory of 1976	2920	79385ed97732aee0036e67824de18e28.exe	132
PID 2920 wrote to memory of 1976	2920	79385ed97732aee0036e67824de18e28.exe	132
PID 2920 wrote to memory of 1976	2920	79385ed97732aee0036e67824de18e28.exe	132
PID 1976 wrote to memory of 3556	1976	cmd.exe	134
PID 1976 wrote to memory of 3556	1976	cmd.exe	134
PID 1976 wrote to memory of 3556	1976	cmd.exe	134
PID 2920 wrote to memory of 3708	2920	79385ed97732aee0036e67824de18e28.exe	135
PID 2920 wrote to memory of 3708	2920	79385ed97732aee0036e67824de18e28.exe	135
PID 2920 wrote to memory of 3708	2920	79385ed97732aee0036e67824de18e28.exe	135
PID 3708 wrote to memory of 976	3708	cmd.exe	137
PID 3708 wrote to memory of 976	3708	cmd.exe	137
PID 3708 wrote to memory of 976	3708	cmd.exe	137
PID 2920 wrote to memory of 3908	2920	79385ed97732aee0036e67824de18e28.exe	138
PID 2920 wrote to memory of 3908	2920	79385ed97732aee0036e67824de18e28.exe	138
PID 2920 wrote to memory of 3908	2920	79385ed97732aee0036e67824de18e28.exe	138
PID 3908 wrote to memory of 3348	3908	cmd.exe	140
PID 3908 wrote to memory of 3348	3908	cmd.exe	140
PID 3908 wrote to memory of 3348	3908	cmd.exe	140
PID 2920 wrote to memory of 3380	2920	79385ed97732aee0036e67824de18e28.exe	141
PID 2920 wrote to memory of 3380	2920	79385ed97732aee0036e67824de18e28.exe	141
PID 2920 wrote to memory of 3380	2920	79385ed97732aee0036e67824de18e28.exe	141
PID 3380 wrote to memory of 1832	3380	cmd.exe	143
PID 3380 wrote to memory of 1832	3380	cmd.exe	143
PID 3380 wrote to memory of 1832	3380	cmd.exe	143
PID 2920 wrote to memory of 3972	2920	79385ed97732aee0036e67824de18e28.exe	144
PID 2920 wrote to memory of 3972	2920	79385ed97732aee0036e67824de18e28.exe	144
PID 2920 wrote to memory of 3972	2920	79385ed97732aee0036e67824de18e28.exe	144
PID 3972 wrote to memory of 68	3972	cmd.exe	146
PID 3972 wrote to memory of 68	3972	cmd.exe	146
PID 3972 wrote to memory of 68	3972	cmd.exe	146
PID 2920 wrote to memory of 4048	2920	79385ed97732aee0036e67824de18e28.exe	147
PID 2920 wrote to memory of 4048	2920	79385ed97732aee0036e67824de18e28.exe	147
PID 2920 wrote to memory of 4048	2920	79385ed97732aee0036e67824de18e28.exe	147
PID 4048 wrote to memory of 3640	4048	cmd.exe	149
PID 4048 wrote to memory of 3640	4048	cmd.exe	149
PID 4048 wrote to memory of 3640	4048	cmd.exe	149
PID 2920 wrote to memory of 980	2920	79385ed97732aee0036e67824de18e28.exe	150
PID 2920 wrote to memory of 980	2920	79385ed97732aee0036e67824de18e28.exe	150
PID 2920 wrote to memory of 980	2920	79385ed97732aee0036e67824de18e28.exe	150
PID 980 wrote to memory of 1736	980	cmd.exe	152
PID 980 wrote to memory of 1736	980	cmd.exe	152
PID 980 wrote to memory of 1736	980	cmd.exe	152
PID 2920 wrote to memory of 3708	2920	79385ed97732aee0036e67824de18e28.exe	153
PID 2920 wrote to memory of 3708	2920	79385ed97732aee0036e67824de18e28.exe	153
PID 2920 wrote to memory of 3708	2920	79385ed97732aee0036e67824de18e28.exe	153
PID 3708 wrote to memory of 3288	3708	cmd.exe	155
PID 3708 wrote to memory of 3288	3708	cmd.exe	155
PID 3708 wrote to memory of 3288	3708	cmd.exe	155
PID 2920 wrote to memory of 3908	2920	79385ed97732aee0036e67824de18e28.exe	156
PID 2920 wrote to memory of 3908	2920	79385ed97732aee0036e67824de18e28.exe	156
PID 2920 wrote to memory of 3908	2920	79385ed97732aee0036e67824de18e28.exe	156
PID 3908 wrote to memory of 2924	3908	cmd.exe	158
PID 3908 wrote to memory of 2924	3908	cmd.exe	158
PID 3908 wrote to memory of 2924	3908	cmd.exe	158
PID 2920 wrote to memory of 3380	2920	79385ed97732aee0036e67824de18e28.exe	159
PID 2920 wrote to memory of 3380	2920	79385ed97732aee0036e67824de18e28.exe	159
PID 2920 wrote to memory of 3380	2920	79385ed97732aee0036e67824de18e28.exe	159
PID 3380 wrote to memory of 2320	3380	cmd.exe	161
PID 3380 wrote to memory of 2320	3380	cmd.exe	161
PID 3380 wrote to memory of 2320	3380	cmd.exe	161
PID 2920 wrote to memory of 3972	2920	79385ed97732aee0036e67824de18e28.exe	162
PID 2920 wrote to memory of 3972	2920	79385ed97732aee0036e67824de18e28.exe	162
PID 2920 wrote to memory of 3972	2920	79385ed97732aee0036e67824de18e28.exe	162
PID 3972 wrote to memory of 3108	3972	cmd.exe	164
PID 3972 wrote to memory of 3108	3972	cmd.exe	164
PID 3972 wrote to memory of 3108	3972	cmd.exe	164
PID 2920 wrote to memory of 4048	2920	79385ed97732aee0036e67824de18e28.exe	165
PID 2920 wrote to memory of 4048	2920	79385ed97732aee0036e67824de18e28.exe	165
PID 2920 wrote to memory of 4048	2920	79385ed97732aee0036e67824de18e28.exe	165
PID 4048 wrote to memory of 3032	4048	cmd.exe	167
PID 4048 wrote to memory of 3032	4048	cmd.exe	167
PID 4048 wrote to memory of 3032	4048	cmd.exe	167
PID 2920 wrote to memory of 3916	2920	79385ed97732aee0036e67824de18e28.exe	168
PID 2920 wrote to memory of 3916	2920	79385ed97732aee0036e67824de18e28.exe	168
PID 2920 wrote to memory of 3916	2920	79385ed97732aee0036e67824de18e28.exe	168
PID 3916 wrote to memory of 3716	3916	cmd.exe	170
PID 3916 wrote to memory of 3716	3916	cmd.exe	170
PID 3916 wrote to memory of 3716	3916	cmd.exe	170
PID 2920 wrote to memory of 4024	2920	79385ed97732aee0036e67824de18e28.exe	171
PID 2920 wrote to memory of 4024	2920	79385ed97732aee0036e67824de18e28.exe	171
PID 2920 wrote to memory of 4024	2920	79385ed97732aee0036e67824de18e28.exe	171
PID 4024 wrote to memory of 3388	4024	cmd.exe	173
PID 4024 wrote to memory of 3388	4024	cmd.exe	173
PID 4024 wrote to memory of 3388	4024	cmd.exe	173
PID 2920 wrote to memory of 1572	2920	79385ed97732aee0036e67824de18e28.exe	174
PID 2920 wrote to memory of 1572	2920	79385ed97732aee0036e67824de18e28.exe	174
PID 2920 wrote to memory of 1572	2920	79385ed97732aee0036e67824de18e28.exe	174
PID 1572 wrote to memory of 992	1572	cmd.exe	176
PID 1572 wrote to memory of 992	1572	cmd.exe	176
PID 1572 wrote to memory of 992	1572	cmd.exe	176
PID 2920 wrote to memory of 692	2920	79385ed97732aee0036e67824de18e28.exe	177
PID 2920 wrote to memory of 692	2920	79385ed97732aee0036e67824de18e28.exe	177
PID 2920 wrote to memory of 692	2920	79385ed97732aee0036e67824de18e28.exe	177
PID 692 wrote to memory of 3168	692	cmd.exe	179
PID 692 wrote to memory of 3168	692	cmd.exe	179
PID 692 wrote to memory of 3168	692	cmd.exe	179
PID 2920 wrote to memory of 1008	2920	79385ed97732aee0036e67824de18e28.exe	180
PID 2920 wrote to memory of 1008	2920	79385ed97732aee0036e67824de18e28.exe	180
PID 2920 wrote to memory of 1008	2920	79385ed97732aee0036e67824de18e28.exe	180
PID 1008 wrote to memory of 732	1008	cmd.exe	182
PID 1008 wrote to memory of 732	1008	cmd.exe	182
PID 1008 wrote to memory of 732	1008	cmd.exe	182
PID 2920 wrote to memory of 1736	2920	79385ed97732aee0036e67824de18e28.exe	183
PID 2920 wrote to memory of 1736	2920	79385ed97732aee0036e67824de18e28.exe	183
PID 2920 wrote to memory of 1736	2920	79385ed97732aee0036e67824de18e28.exe	183
PID 1736 wrote to memory of 560	1736	cmd.exe	185
PID 1736 wrote to memory of 560	1736	cmd.exe	185
PID 1736 wrote to memory of 560	1736	cmd.exe	185
PID 2920 wrote to memory of 3440	2920	79385ed97732aee0036e67824de18e28.exe	186
PID 2920 wrote to memory of 3440	2920	79385ed97732aee0036e67824de18e28.exe	186
PID 2920 wrote to memory of 3440	2920	79385ed97732aee0036e67824de18e28.exe	186
PID 3440 wrote to memory of 3716	3440	cmd.exe	188
PID 3440 wrote to memory of 3716	3440	cmd.exe	188
PID 3440 wrote to memory of 3716	3440	cmd.exe	188
PID 2920 wrote to memory of 3700	2920	79385ed97732aee0036e67824de18e28.exe	189
PID 2920 wrote to memory of 3700	2920	79385ed97732aee0036e67824de18e28.exe	189
PID 2920 wrote to memory of 3700	2920	79385ed97732aee0036e67824de18e28.exe	189
PID 3700 wrote to memory of 3144	3700	cmd.exe	191
PID 3700 wrote to memory of 3144	3700	cmd.exe	191
PID 3700 wrote to memory of 3144	3700	cmd.exe	191
PID 2920 wrote to memory of 2776	2920	79385ed97732aee0036e67824de18e28.exe	192
PID 2920 wrote to memory of 2776	2920	79385ed97732aee0036e67824de18e28.exe	192
PID 2920 wrote to memory of 2776	2920	79385ed97732aee0036e67824de18e28.exe	192
PID 2776 wrote to memory of 3684	2776	cmd.exe	194
PID 2776 wrote to memory of 3684	2776	cmd.exe	194
PID 2776 wrote to memory of 3684	2776	cmd.exe	194
PID 2920 wrote to memory of 508	2920	79385ed97732aee0036e67824de18e28.exe	195
PID 2920 wrote to memory of 508	2920	79385ed97732aee0036e67824de18e28.exe	195
PID 2920 wrote to memory of 508	2920	79385ed97732aee0036e67824de18e28.exe	195
PID 508 wrote to memory of 3352	508	cmd.exe	197
PID 508 wrote to memory of 3352	508	cmd.exe	197
PID 508 wrote to memory of 3352	508	cmd.exe	197
PID 2920 wrote to memory of 492	2920	79385ed97732aee0036e67824de18e28.exe	198
PID 2920 wrote to memory of 492	2920	79385ed97732aee0036e67824de18e28.exe	198
PID 2920 wrote to memory of 492	2920	79385ed97732aee0036e67824de18e28.exe	198
PID 492 wrote to memory of 3872	492	cmd.exe	200
PID 492 wrote to memory of 3872	492	cmd.exe	200
PID 492 wrote to memory of 3872	492	cmd.exe	200
PID 2920 wrote to memory of 1656	2920	79385ed97732aee0036e67824de18e28.exe	201
PID 2920 wrote to memory of 1656	2920	79385ed97732aee0036e67824de18e28.exe	201
PID 2920 wrote to memory of 1656	2920	79385ed97732aee0036e67824de18e28.exe	201
PID 1656 wrote to memory of 3516	1656	cmd.exe	203
PID 1656 wrote to memory of 3516	1656	cmd.exe	203
PID 1656 wrote to memory of 3516	1656	cmd.exe	203
PID 2920 wrote to memory of 3968	2920	79385ed97732aee0036e67824de18e28.exe	204
PID 2920 wrote to memory of 3968	2920	79385ed97732aee0036e67824de18e28.exe	204
PID 2920 wrote to memory of 3968	2920	79385ed97732aee0036e67824de18e28.exe	204
PID 3968 wrote to memory of 2412	3968	cmd.exe	206
PID 3968 wrote to memory of 2412	3968	cmd.exe	206
PID 3968 wrote to memory of 2412	3968	cmd.exe	206
PID 2920 wrote to memory of 3288	2920	79385ed97732aee0036e67824de18e28.exe	207
PID 2920 wrote to memory of 3288	2920	79385ed97732aee0036e67824de18e28.exe	207
PID 2920 wrote to memory of 3288	2920	79385ed97732aee0036e67824de18e28.exe	207
PID 3288 wrote to memory of 3212	3288	cmd.exe	209
PID 3288 wrote to memory of 3212	3288	cmd.exe	209
PID 3288 wrote to memory of 3212	3288	cmd.exe	209
PID 2920 wrote to memory of 2324	2920	79385ed97732aee0036e67824de18e28.exe	210
PID 2920 wrote to memory of 2324	2920	79385ed97732aee0036e67824de18e28.exe	210
PID 2920 wrote to memory of 2324	2920	79385ed97732aee0036e67824de18e28.exe	210
PID 2324 wrote to memory of 740	2324	cmd.exe	212
PID 2324 wrote to memory of 740	2324	cmd.exe	212
PID 2324 wrote to memory of 740	2324	cmd.exe	212
PID 2920 wrote to memory of 3840	2920	79385ed97732aee0036e67824de18e28.exe	213
PID 2920 wrote to memory of 3840	2920	79385ed97732aee0036e67824de18e28.exe	213
PID 2920 wrote to memory of 3840	2920	79385ed97732aee0036e67824de18e28.exe	213
PID 3840 wrote to memory of 3376	3840	cmd.exe	215
PID 3840 wrote to memory of 3376	3840	cmd.exe	215
PID 3840 wrote to memory of 3376	3840	cmd.exe	215
PID 2920 wrote to memory of 3800	2920	79385ed97732aee0036e67824de18e28.exe	216
PID 2920 wrote to memory of 3800	2920	79385ed97732aee0036e67824de18e28.exe	216
PID 2920 wrote to memory of 3800	2920	79385ed97732aee0036e67824de18e28.exe	216
PID 3800 wrote to memory of 3036	3800	cmd.exe	218
PID 3800 wrote to memory of 3036	3800	cmd.exe	218
PID 3800 wrote to memory of 3036	3800	cmd.exe	218
PID 2920 wrote to memory of 3336	2920	79385ed97732aee0036e67824de18e28.exe	219
PID 2920 wrote to memory of 3336	2920	79385ed97732aee0036e67824de18e28.exe	219
PID 2920 wrote to memory of 3336	2920	79385ed97732aee0036e67824de18e28.exe	219
PID 3336 wrote to memory of 992	3336	cmd.exe	221
PID 3336 wrote to memory of 992	3336	cmd.exe	221
PID 3336 wrote to memory of 992	3336	cmd.exe	221
PID 2920 wrote to memory of 4016	2920	79385ed97732aee0036e67824de18e28.exe	222
PID 2920 wrote to memory of 4016	2920	79385ed97732aee0036e67824de18e28.exe	222
PID 2920 wrote to memory of 4016	2920	79385ed97732aee0036e67824de18e28.exe	222
PID 4016 wrote to memory of 3168	4016	cmd.exe	224
PID 4016 wrote to memory of 3168	4016	cmd.exe	224
PID 4016 wrote to memory of 3168	4016	cmd.exe	224
PID 2920 wrote to memory of 1000	2920	79385ed97732aee0036e67824de18e28.exe	225
PID 2920 wrote to memory of 1000	2920	79385ed97732aee0036e67824de18e28.exe	225
PID 2920 wrote to memory of 1000	2920	79385ed97732aee0036e67824de18e28.exe	225
PID 1000 wrote to memory of 732	1000	cmd.exe	227
PID 1000 wrote to memory of 732	1000	cmd.exe	227
PID 1000 wrote to memory of 732	1000	cmd.exe	227
PID 2920 wrote to memory of 736	2920	79385ed97732aee0036e67824de18e28.exe	228
PID 2920 wrote to memory of 736	2920	79385ed97732aee0036e67824de18e28.exe	228
PID 2920 wrote to memory of 736	2920	79385ed97732aee0036e67824de18e28.exe	228
PID 736 wrote to memory of 560	736	cmd.exe	230
PID 736 wrote to memory of 560	736	cmd.exe	230
PID 736 wrote to memory of 560	736	cmd.exe	230
PID 2920 wrote to memory of 3556	2920	79385ed97732aee0036e67824de18e28.exe	231
PID 2920 wrote to memory of 3556	2920	79385ed97732aee0036e67824de18e28.exe	231
PID 2920 wrote to memory of 3556	2920	79385ed97732aee0036e67824de18e28.exe	231
PID 3556 wrote to memory of 3396	3556	cmd.exe	233
PID 3556 wrote to memory of 3396	3556	cmd.exe	233
PID 3556 wrote to memory of 3396	3556	cmd.exe	233
PID 2920 wrote to memory of 752	2920	79385ed97732aee0036e67824de18e28.exe	234
PID 2920 wrote to memory of 752	2920	79385ed97732aee0036e67824de18e28.exe	234
PID 2920 wrote to memory of 752	2920	79385ed97732aee0036e67824de18e28.exe	234
PID 752 wrote to memory of 3012	752	cmd.exe	236
PID 752 wrote to memory of 3012	752	cmd.exe	236
PID 752 wrote to memory of 3012	752	cmd.exe	236
PID 2920 wrote to memory of 3792	2920	79385ed97732aee0036e67824de18e28.exe	237
PID 2920 wrote to memory of 3792	2920	79385ed97732aee0036e67824de18e28.exe	237
PID 2920 wrote to memory of 3792	2920	79385ed97732aee0036e67824de18e28.exe	237
PID 3792 wrote to memory of 2916	3792	cmd.exe	239
PID 3792 wrote to memory of 2916	3792	cmd.exe	239
PID 3792 wrote to memory of 2916	3792	cmd.exe	239
PID 2920 wrote to memory of 3388	2920	79385ed97732aee0036e67824de18e28.exe	240
PID 2920 wrote to memory of 3388	2920	79385ed97732aee0036e67824de18e28.exe	240
PID 2920 wrote to memory of 3388	2920	79385ed97732aee0036e67824de18e28.exe	240
PID 3388 wrote to memory of 488	3388	cmd.exe	242
PID 3388 wrote to memory of 488	3388	cmd.exe	242
PID 3388 wrote to memory of 488	3388	cmd.exe	242
PID 2920 wrote to memory of 68	2920	79385ed97732aee0036e67824de18e28.exe	243
PID 2920 wrote to memory of 68	2920	79385ed97732aee0036e67824de18e28.exe	243
PID 2920 wrote to memory of 68	2920	79385ed97732aee0036e67824de18e28.exe	243
PID 68 wrote to memory of 3348	68	cmd.exe	245
PID 68 wrote to memory of 3348	68	cmd.exe	245
PID 68 wrote to memory of 3348	68	cmd.exe	245
PID 2920 wrote to memory of 3640	2920	79385ed97732aee0036e67824de18e28.exe	246
PID 2920 wrote to memory of 3640	2920	79385ed97732aee0036e67824de18e28.exe	246
PID 2920 wrote to memory of 3640	2920	79385ed97732aee0036e67824de18e28.exe	246
PID 3640 wrote to memory of 3392	3640	cmd.exe	248
PID 3640 wrote to memory of 3392	3640	cmd.exe	248
PID 3640 wrote to memory of 3392	3640	cmd.exe	248
PID 2920 wrote to memory of 3112	2920	79385ed97732aee0036e67824de18e28.exe	249
PID 2920 wrote to memory of 3112	2920	79385ed97732aee0036e67824de18e28.exe	249
PID 2920 wrote to memory of 3112	2920	79385ed97732aee0036e67824de18e28.exe	249
PID 3112 wrote to memory of 3908	3112	cmd.exe	251
PID 3112 wrote to memory of 3908	3112	cmd.exe	251
PID 3112 wrote to memory of 3908	3112	cmd.exe	251
PID 2920 wrote to memory of 3560	2920	79385ed97732aee0036e67824de18e28.exe	252
PID 2920 wrote to memory of 3560	2920	79385ed97732aee0036e67824de18e28.exe	252
PID 2920 wrote to memory of 3560	2920	79385ed97732aee0036e67824de18e28.exe	252
PID 3560 wrote to memory of 2112	3560	cmd.exe	254
PID 3560 wrote to memory of 2112	3560	cmd.exe	254
PID 3560 wrote to memory of 2112	3560	cmd.exe	254
PID 2920 wrote to memory of 2104	2920	79385ed97732aee0036e67824de18e28.exe	255
PID 2920 wrote to memory of 2104	2920	79385ed97732aee0036e67824de18e28.exe	255
PID 2920 wrote to memory of 2104	2920	79385ed97732aee0036e67824de18e28.exe	255
PID 2104 wrote to memory of 1976	2104	cmd.exe	257
PID 2104 wrote to memory of 1976	2104	cmd.exe	257
PID 2104 wrote to memory of 1976	2104	cmd.exe	257
PID 2920 wrote to memory of 3288	2920	79385ed97732aee0036e67824de18e28.exe	258
PID 2920 wrote to memory of 3288	2920	79385ed97732aee0036e67824de18e28.exe	258
PID 2920 wrote to memory of 3288	2920	79385ed97732aee0036e67824de18e28.exe	258
PID 3288 wrote to memory of 2408	3288	cmd.exe	260
PID 3288 wrote to memory of 2408	3288	cmd.exe	260
PID 3288 wrote to memory of 2408	3288	cmd.exe	260
PID 2920 wrote to memory of 1572	2920	79385ed97732aee0036e67824de18e28.exe	261
PID 2920 wrote to memory of 1572	2920	79385ed97732aee0036e67824de18e28.exe	261
PID 2920 wrote to memory of 1572	2920	79385ed97732aee0036e67824de18e28.exe	261
PID 1572 wrote to memory of 3716	1572	cmd.exe	263
PID 1572 wrote to memory of 3716	1572	cmd.exe	263
PID 1572 wrote to memory of 3716	1572	cmd.exe	263
PID 2920 wrote to memory of 2320	2920	79385ed97732aee0036e67824de18e28.exe	264
PID 2920 wrote to memory of 2320	2920	79385ed97732aee0036e67824de18e28.exe	264
PID 2920 wrote to memory of 2320	2920	79385ed97732aee0036e67824de18e28.exe	264
PID 2320 wrote to memory of 3144	2320	cmd.exe	266
PID 2320 wrote to memory of 3144	2320	cmd.exe	266
PID 2320 wrote to memory of 3144	2320	cmd.exe	266
PID 2920 wrote to memory of 3108	2920	79385ed97732aee0036e67824de18e28.exe	267
PID 2920 wrote to memory of 3108	2920	79385ed97732aee0036e67824de18e28.exe	267
PID 2920 wrote to memory of 3108	2920	79385ed97732aee0036e67824de18e28.exe	267
PID 3108 wrote to memory of 3684	3108	cmd.exe	269
PID 3108 wrote to memory of 3684	3108	cmd.exe	269
PID 3108 wrote to memory of 3684	3108	cmd.exe	269
PID 2920 wrote to memory of 4048	2920	79385ed97732aee0036e67824de18e28.exe	270
PID 2920 wrote to memory of 4048	2920	79385ed97732aee0036e67824de18e28.exe	270
PID 2920 wrote to memory of 4048	2920	79385ed97732aee0036e67824de18e28.exe	270
PID 4048 wrote to memory of 3352	4048	cmd.exe	272
PID 4048 wrote to memory of 3352	4048	cmd.exe	272
PID 4048 wrote to memory of 3352	4048	cmd.exe	272
PID 2920 wrote to memory of 416	2920	79385ed97732aee0036e67824de18e28.exe	273
PID 2920 wrote to memory of 416	2920	79385ed97732aee0036e67824de18e28.exe	273
PID 2920 wrote to memory of 416	2920	79385ed97732aee0036e67824de18e28.exe	273
PID 416 wrote to memory of 3872	416	cmd.exe	275
PID 416 wrote to memory of 3872	416	cmd.exe	275
PID 416 wrote to memory of 3872	416	cmd.exe	275
PID 2920 wrote to memory of 3700	2920	79385ed97732aee0036e67824de18e28.exe	276
PID 2920 wrote to memory of 3700	2920	79385ed97732aee0036e67824de18e28.exe	276
PID 2920 wrote to memory of 3700	2920	79385ed97732aee0036e67824de18e28.exe	276
PID 3700 wrote to memory of 3516	3700	cmd.exe	278
PID 3700 wrote to memory of 3516	3700	cmd.exe	278
PID 3700 wrote to memory of 3516	3700	cmd.exe	278
PID 2920 wrote to memory of 692	2920	79385ed97732aee0036e67824de18e28.exe	279
PID 2920 wrote to memory of 692	2920	79385ed97732aee0036e67824de18e28.exe	279
PID 2920 wrote to memory of 692	2920	79385ed97732aee0036e67824de18e28.exe	279
PID 692 wrote to memory of 2412	692	cmd.exe	281
PID 692 wrote to memory of 2412	692	cmd.exe	281
PID 692 wrote to memory of 2412	692	cmd.exe	281
PID 2920 wrote to memory of 508	2920	79385ed97732aee0036e67824de18e28.exe	282
PID 2920 wrote to memory of 508	2920	79385ed97732aee0036e67824de18e28.exe	282
PID 2920 wrote to memory of 508	2920	79385ed97732aee0036e67824de18e28.exe	282
PID 508 wrote to memory of 3212	508	cmd.exe	284
PID 508 wrote to memory of 3212	508	cmd.exe	284
PID 508 wrote to memory of 3212	508	cmd.exe	284
PID 2920 wrote to memory of 492	2920	79385ed97732aee0036e67824de18e28.exe	285
PID 2920 wrote to memory of 492	2920	79385ed97732aee0036e67824de18e28.exe	285
PID 2920 wrote to memory of 492	2920	79385ed97732aee0036e67824de18e28.exe	285
PID 492 wrote to memory of 740	492	cmd.exe	287
PID 492 wrote to memory of 740	492	cmd.exe	287
PID 492 wrote to memory of 740	492	cmd.exe	287
PID 2920 wrote to memory of 1656	2920	79385ed97732aee0036e67824de18e28.exe	288
PID 2920 wrote to memory of 1656	2920	79385ed97732aee0036e67824de18e28.exe	288
PID 2920 wrote to memory of 1656	2920	79385ed97732aee0036e67824de18e28.exe	288
PID 1656 wrote to memory of 3376	1656	cmd.exe	290
PID 1656 wrote to memory of 3376	1656	cmd.exe	290
PID 1656 wrote to memory of 3376	1656	cmd.exe	290
PID 2920 wrote to memory of 3168	2920	79385ed97732aee0036e67824de18e28.exe	291
PID 2920 wrote to memory of 3168	2920	79385ed97732aee0036e67824de18e28.exe	291
PID 2920 wrote to memory of 3168	2920	79385ed97732aee0036e67824de18e28.exe	291
PID 3168 wrote to memory of 3036	3168	cmd.exe	293
PID 3168 wrote to memory of 3036	3168	cmd.exe	293
PID 3168 wrote to memory of 3036	3168	cmd.exe	293
PID 2920 wrote to memory of 3520	2920	79385ed97732aee0036e67824de18e28.exe	294
PID 2920 wrote to memory of 3520	2920	79385ed97732aee0036e67824de18e28.exe	294
PID 2920 wrote to memory of 3520	2920	79385ed97732aee0036e67824de18e28.exe	294
PID 3520 wrote to memory of 992	3520	cmd.exe	296
PID 3520 wrote to memory of 992	3520	cmd.exe	296
PID 3520 wrote to memory of 992	3520	cmd.exe	296
PID 2920 wrote to memory of 2324	2920	79385ed97732aee0036e67824de18e28.exe	297
PID 2920 wrote to memory of 2324	2920	79385ed97732aee0036e67824de18e28.exe	297
PID 2920 wrote to memory of 2324	2920	79385ed97732aee0036e67824de18e28.exe	297
PID 2324 wrote to memory of 3684	2324	cmd.exe	299
PID 2324 wrote to memory of 3684	2324	cmd.exe	299
PID 2324 wrote to memory of 3684	2324	cmd.exe	299
PID 2920 wrote to memory of 976	2920	79385ed97732aee0036e67824de18e28.exe	300
PID 2920 wrote to memory of 976	2920	79385ed97732aee0036e67824de18e28.exe	300
PID 2920 wrote to memory of 976	2920	79385ed97732aee0036e67824de18e28.exe	300
PID 976 wrote to memory of 3352	976	cmd.exe	302
PID 976 wrote to memory of 3352	976	cmd.exe	302
PID 976 wrote to memory of 3352	976	cmd.exe	302
PID 2920 wrote to memory of 1460	2920	79385ed97732aee0036e67824de18e28.exe	303
PID 2920 wrote to memory of 1460	2920	79385ed97732aee0036e67824de18e28.exe	303
PID 2920 wrote to memory of 1460	2920	79385ed97732aee0036e67824de18e28.exe	303
PID 1460 wrote to memory of 3872	1460	cmd.exe	305
PID 1460 wrote to memory of 3872	1460	cmd.exe	305
PID 1460 wrote to memory of 3872	1460	cmd.exe	305
PID 2920 wrote to memory of 980	2920	79385ed97732aee0036e67824de18e28.exe	306
PID 2920 wrote to memory of 980	2920	79385ed97732aee0036e67824de18e28.exe	306
PID 2920 wrote to memory of 980	2920	79385ed97732aee0036e67824de18e28.exe	306
PID 980 wrote to memory of 3516	980	cmd.exe	308
PID 980 wrote to memory of 3516	980	cmd.exe	308
PID 980 wrote to memory of 3516	980	cmd.exe	308
PID 2920 wrote to memory of 3708	2920	79385ed97732aee0036e67824de18e28.exe	309
PID 2920 wrote to memory of 3708	2920	79385ed97732aee0036e67824de18e28.exe	309
PID 2920 wrote to memory of 3708	2920	79385ed97732aee0036e67824de18e28.exe	309
PID 3708 wrote to memory of 2412	3708	cmd.exe	311
PID 3708 wrote to memory of 2412	3708	cmd.exe	311
PID 3708 wrote to memory of 2412	3708	cmd.exe	311
PID 2920 wrote to memory of 2860	2920	79385ed97732aee0036e67824de18e28.exe	312
PID 2920 wrote to memory of 2860	2920	79385ed97732aee0036e67824de18e28.exe	312
PID 2920 wrote to memory of 2860	2920	79385ed97732aee0036e67824de18e28.exe	312
PID 2860 wrote to memory of 3840	2860	cmd.exe	314
PID 2860 wrote to memory of 3840	2860	cmd.exe	314
PID 2860 wrote to memory of 3840	2860	cmd.exe	314
PID 2920 wrote to memory of 1572	2920	79385ed97732aee0036e67824de18e28.exe	315
PID 2920 wrote to memory of 1572	2920	79385ed97732aee0036e67824de18e28.exe	315
PID 2920 wrote to memory of 1572	2920	79385ed97732aee0036e67824de18e28.exe	315
PID 1572 wrote to memory of 3688	1572	cmd.exe	317
PID 1572 wrote to memory of 3688	1572	cmd.exe	317
PID 1572 wrote to memory of 3688	1572	cmd.exe	317
PID 2920 wrote to memory of 732	2920	79385ed97732aee0036e67824de18e28.exe	318
PID 2920 wrote to memory of 732	2920	79385ed97732aee0036e67824de18e28.exe	318
PID 2920 wrote to memory of 732	2920	79385ed97732aee0036e67824de18e28.exe	318
PID 732 wrote to memory of 412	732	cmd.exe	320
PID 732 wrote to memory of 412	732	cmd.exe	320
PID 732 wrote to memory of 412	732	cmd.exe	320
PID 2920 wrote to memory of 3872	2920	79385ed97732aee0036e67824de18e28.exe	321
PID 2920 wrote to memory of 3872	2920	79385ed97732aee0036e67824de18e28.exe	321
PID 2920 wrote to memory of 3872	2920	79385ed97732aee0036e67824de18e28.exe	321
PID 3872 wrote to memory of 496	3872	cmd.exe	323
PID 3872 wrote to memory of 496	3872	cmd.exe	323
PID 3872 wrote to memory of 496	3872	cmd.exe	323
PID 2920 wrote to memory of 3036	2920	79385ed97732aee0036e67824de18e28.exe	324
PID 2920 wrote to memory of 3036	2920	79385ed97732aee0036e67824de18e28.exe	324
PID 2920 wrote to memory of 3036	2920	79385ed97732aee0036e67824de18e28.exe	324
PID 3036 wrote to memory of 980	3036	cmd.exe	326
PID 3036 wrote to memory of 980	3036	cmd.exe	326
PID 3036 wrote to memory of 980	3036	cmd.exe	326
PID 2920 wrote to memory of 636	2920	79385ed97732aee0036e67824de18e28.exe	327
PID 2920 wrote to memory of 636	2920	79385ed97732aee0036e67824de18e28.exe	327
PID 2920 wrote to memory of 636	2920	79385ed97732aee0036e67824de18e28.exe	327
PID 636 wrote to memory of 2412	636	cmd.exe	329
PID 636 wrote to memory of 2412	636	cmd.exe	329
PID 636 wrote to memory of 2412	636	cmd.exe	329
PID 2920 wrote to memory of 3968	2920	79385ed97732aee0036e67824de18e28.exe	330
PID 2920 wrote to memory of 3968	2920	79385ed97732aee0036e67824de18e28.exe	330
PID 2920 wrote to memory of 3968	2920	79385ed97732aee0036e67824de18e28.exe	330
PID 3968 wrote to memory of 1436	3968	cmd.exe	332
PID 3968 wrote to memory of 1436	3968	cmd.exe	332
PID 3968 wrote to memory of 1436	3968	cmd.exe	332
PID 2920 wrote to memory of 4024	2920	79385ed97732aee0036e67824de18e28.exe	333
PID 2920 wrote to memory of 4024	2920	79385ed97732aee0036e67824de18e28.exe	333
PID 2920 wrote to memory of 4024	2920	79385ed97732aee0036e67824de18e28.exe	333
PID 4024 wrote to memory of 2924	4024	cmd.exe	335
PID 4024 wrote to memory of 2924	4024	cmd.exe	335
PID 4024 wrote to memory of 2924	4024	cmd.exe	335
PID 2920 wrote to memory of 2980	2920	79385ed97732aee0036e67824de18e28.exe	336
PID 2920 wrote to memory of 2980	2920	79385ed97732aee0036e67824de18e28.exe	336
PID 2920 wrote to memory of 2980	2920	79385ed97732aee0036e67824de18e28.exe	336
PID 2980 wrote to memory of 3032	2980	cmd.exe	338
PID 2980 wrote to memory of 3032	2980	cmd.exe	338
PID 2980 wrote to memory of 3032	2980	cmd.exe	338
PID 2920 wrote to memory of 2320	2920	79385ed97732aee0036e67824de18e28.exe	339
PID 2920 wrote to memory of 2320	2920	79385ed97732aee0036e67824de18e28.exe	339
PID 2920 wrote to memory of 2320	2920	79385ed97732aee0036e67824de18e28.exe	339
PID 2320 wrote to memory of 3440	2320	cmd.exe	341
PID 2320 wrote to memory of 3440	2320	cmd.exe	341
PID 2320 wrote to memory of 3440	2320	cmd.exe	341
PID 2920 wrote to memory of 3112	2920	79385ed97732aee0036e67824de18e28.exe	342
PID 2920 wrote to memory of 3112	2920	79385ed97732aee0036e67824de18e28.exe	342
PID 2920 wrote to memory of 3112	2920	79385ed97732aee0036e67824de18e28.exe	342
PID 3112 wrote to memory of 996	3112	cmd.exe	344
PID 3112 wrote to memory of 996	3112	cmd.exe	344
PID 3112 wrote to memory of 996	3112	cmd.exe	344
PID 2920 wrote to memory of 3560	2920	79385ed97732aee0036e67824de18e28.exe	345
PID 2920 wrote to memory of 3560	2920	79385ed97732aee0036e67824de18e28.exe	345
PID 2920 wrote to memory of 3560	2920	79385ed97732aee0036e67824de18e28.exe	345
PID 3560 wrote to memory of 3516	3560	cmd.exe	347
PID 3560 wrote to memory of 3516	3560	cmd.exe	347
PID 3560 wrote to memory of 3516	3560	cmd.exe	347
PID 2920 wrote to memory of 1912	2920	79385ed97732aee0036e67824de18e28.exe	355
PID 2920 wrote to memory of 1912	2920	79385ed97732aee0036e67824de18e28.exe	355
PID 2920 wrote to memory of 1912	2920	79385ed97732aee0036e67824de18e28.exe	355
PID 1912 wrote to memory of 3112	1912	cmd.exe	357
PID 1912 wrote to memory of 3112	1912	cmd.exe	357
PID 1912 wrote to memory of 3112	1912	cmd.exe	357

Suspicious use of AdjustPrivilegeToken 129 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3824	WMIC.exe
Token: SeSecurityPrivilege	3824	WMIC.exe
Token: SeTakeOwnershipPrivilege	3824	WMIC.exe
Token: SeLoadDriverPrivilege	3824	WMIC.exe
Token: SeSystemProfilePrivilege	3824	WMIC.exe
Token: SeSystemtimePrivilege	3824	WMIC.exe
Token: SeProfSingleProcessPrivilege	3824	WMIC.exe
Token: SeIncBasePriorityPrivilege	3824	WMIC.exe
Token: SeCreatePagefilePrivilege	3824	WMIC.exe
Token: SeBackupPrivilege	3824	WMIC.exe
Token: SeRestorePrivilege	3824	WMIC.exe
Token: SeShutdownPrivilege	3824	WMIC.exe
Token: SeDebugPrivilege	3824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3824	WMIC.exe
Token: SeRemoteShutdownPrivilege	3824	WMIC.exe
Token: SeUndockPrivilege	3824	WMIC.exe
Token: SeManageVolumePrivilege	3824	WMIC.exe
Token: 33	3824	WMIC.exe
Token: 34	3824	WMIC.exe
Token: 35	3824	WMIC.exe
Token: 36	3824	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3824	WMIC.exe
Token: SeSecurityPrivilege	3824	WMIC.exe
Token: SeTakeOwnershipPrivilege	3824	WMIC.exe
Token: SeLoadDriverPrivilege	3824	WMIC.exe
Token: SeSystemProfilePrivilege	3824	WMIC.exe
Token: SeSystemtimePrivilege	3824	WMIC.exe
Token: SeProfSingleProcessPrivilege	3824	WMIC.exe
Token: SeIncBasePriorityPrivilege	3824	WMIC.exe
Token: SeCreatePagefilePrivilege	3824	WMIC.exe
Token: SeBackupPrivilege	3824	WMIC.exe
Token: SeRestorePrivilege	3824	WMIC.exe
Token: SeShutdownPrivilege	3824	WMIC.exe
Token: SeDebugPrivilege	3824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3824	WMIC.exe
Token: SeRemoteShutdownPrivilege	3824	WMIC.exe
Token: SeUndockPrivilege	3824	WMIC.exe
Token: SeManageVolumePrivilege	3824	WMIC.exe
Token: 33	3824	WMIC.exe
Token: 34	3824	WMIC.exe
Token: 35	3824	WMIC.exe
Token: 36	3824	WMIC.exe
Token: SeBackupPrivilege	3224	vssvc.exe
Token: SeRestorePrivilege	3224	vssvc.exe
Token: SeAuditPrivilege	3224	vssvc.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	736	taskkill.exe
Token: SeDebugPrivilege	3556	taskkill.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	3348	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	68	taskkill.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	736	taskkill.exe
Token: SeDebugPrivilege	3556	taskkill.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	3348	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	68	taskkill.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	3288	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	3108	taskkill.exe
Token: SeDebugPrivilege	3388	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeDebugPrivilege	732	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	3716	taskkill.exe
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	3684	taskkill.exe
Token: SeDebugPrivilege	3352	taskkill.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	3212	taskkill.exe
Token: SeDebugPrivilege	740	taskkill.exe
Token: SeDebugPrivilege	3376	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeDebugPrivilege	732	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	3396	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	488	taskkill.exe
Token: SeDebugPrivilege	3348	taskkill.exe
Token: SeDebugPrivilege	3392	taskkill.exe
Token: SeDebugPrivilege	3908	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	3716	taskkill.exe
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	3684	taskkill.exe
Token: SeDebugPrivilege	3352	taskkill.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	3212	taskkill.exe
Token: SeDebugPrivilege	740	taskkill.exe
Token: SeDebugPrivilege	3376	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	3684	taskkill.exe
Token: SeDebugPrivilege	3352	taskkill.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	3840	taskkill.exe
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	412	taskkill.exe
Token: SeDebugPrivilege	496	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	1436	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	3440	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe

Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\MeasureUninstall.tiff.rbUGGk	79385ed97732aee0036e67824de18e28.exe
File opened for modification	C:\Users\Admin\Pictures\MeasureUninstall.tiff	79385ed97732aee0036e67824de18e28.exe
File renamed	C:\Users\Admin\Pictures\MeasureUninstall.tiff => C:\Users\Admin\Pictures\MeasureUninstall.tiff.rbUGGk	79385ed97732aee0036e67824de18e28.exe

C:\Users\Admin\AppData\Local\Temp\79385ed97732aee0036e67824de18e28.exe
"C:\Users\Admin\AppData\Local\Temp\79385ed97732aee0036e67824de18e28.exe"
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
- Modifies extensions of user files
PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic.exe SHADOWCOPY DELETE /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3824
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:3352
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  PID:3388
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit.exe /set {default} recoveryenabled No
  2⤵
  PID:3336
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\vssvc.exe
  2⤵
  PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wxServer*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wxServer*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3640
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wxServerView*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wxServerView*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlmangr*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlmangr*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM RAgui*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM RAgui*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3144
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM supervise*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM supervise*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Culture*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Culture*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3556
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Defwatch*
  2⤵
  PID:3760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Defwatch*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM winword*
  2⤵
  PID:3828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM winword*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3348
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBW32*
  2⤵
  PID:3168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBW32*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1832
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgr*
  2⤵
  PID:732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBDBMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:68
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM qbupdate*
  2⤵
  PID:752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM qbupdate*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3640
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM axlbridge*
  2⤵
  PID:3800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM axlbridge*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM httpd*
  2⤵
  PID:3520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM httpd*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fdlauncher*
  2⤵
  PID:1000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fdlauncher*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3144
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MsDtSrvr*
  2⤵
  PID:2112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MsDtSrvr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM java*
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM java*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3556
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM 360se*
  2⤵
  PID:3708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM 360se*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM 360doctor*
  2⤵
  PID:3908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM 360doctor*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3348
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wdswfsafe*
  2⤵
  PID:3380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wdswfsafe*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1832
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fdhost*
  2⤵
  PID:3972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fdhost*
    3⤵
    PID:68
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM GDscan*
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM GDscan*
    3⤵
    - Kills process with taskkill
    PID:3640
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ZhuDongFangYu*
  2⤵
  PID:980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ZhuDongFangYu*
    3⤵
    - Kills process with taskkill
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgrN*
  2⤵
  PID:3708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBDBMgrN*
    3⤵
    - Kills process with taskkill
    PID:3288
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM mysqld*
  2⤵
  PID:3908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM mysqld*
    3⤵
    - Kills process with taskkill
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AutodeskDesktopApp*
  2⤵
  PID:3380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AutodeskDesktopApp*
    3⤵
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM acwebbrowser*
  2⤵
  PID:3972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM acwebbrowser*
    3⤵
    PID:3108
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Creative Cloud*
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Creative Cloud*
    3⤵
    - Kills process with taskkill
    PID:3032
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Adobe Desktop Service*
  2⤵
  PID:3916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Adobe Desktop Service*
    3⤵
    - Kills process with taskkill
    PID:3716
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM CoreSync*
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM CoreSync*
    3⤵
    - Kills process with taskkill
    PID:3388
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Adobe CEF Helper*
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Adobe CEF Helper*
    3⤵
    PID:992
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM node*
  2⤵
  PID:692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM node*
    3⤵
    PID:3168
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AdobeIPCBroker*
  2⤵
  PID:1008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AdobeIPCBroker*
    3⤵
    - Kills process with taskkill
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sync-taskbar*
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sync-taskbar*
    3⤵
    - Kills process with taskkill
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sync-worker*
  2⤵
  PID:3440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sync-worker*
    3⤵
    - Kills process with taskkill
    PID:3716
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM InputPersonalization*
  2⤵
  PID:3700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM InputPersonalization*
    3⤵
    - Kills process with taskkill
    PID:3144
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AdobeCollabSync*
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AdobeCollabSync*
    3⤵
    - Kills process with taskkill
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM BrCtrlCntr*
  2⤵
  PID:508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM BrCtrlCntr*
    3⤵
    - Kills process with taskkill
    PID:3352
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM BrCcUxSys*
  2⤵
  PID:492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM BrCcUxSys*
    3⤵
    - Kills process with taskkill
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SimplyConnectionManager*
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SimplyConnectionManager*
    3⤵
    PID:3516
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
  2⤵
  PID:3968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Simply.SystemTrayIcon*
    3⤵
    - Kills process with taskkill
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fbguard*
  2⤵
  PID:3288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fbguard*
    3⤵
    - Kills process with taskkill
    PID:3212
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fbserver*
  2⤵
  PID:2324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fbserver*
    3⤵
    - Kills process with taskkill
    PID:740
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ONENOTEM*
  2⤵
  PID:3840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ONENOTEM*
    3⤵
    - Kills process with taskkill
    PID:3376
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wrapper*
  2⤵
  PID:3800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wrapper*
    3⤵
    - Kills process with taskkill
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM DefWatch*
  2⤵
  PID:3336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM DefWatch*
    3⤵
    - Kills process with taskkill
    PID:992
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ccEvtMgr*
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ccEvtMgr*
    3⤵
    - Kills process with taskkill
    PID:3168
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ccSetMgr*
  2⤵
  PID:1000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ccSetMgr*
    3⤵
    - Kills process with taskkill
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SavRoam*
  2⤵
  PID:736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SavRoam*
    3⤵
    - Kills process with taskkill
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Sqlservr*
  2⤵
  PID:3556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Sqlservr*
    3⤵
    - Kills process with taskkill
    PID:3396
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlagent*
  2⤵
  PID:752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlagent*
    3⤵
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqladhlp*
  2⤵
  PID:3792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqladhlp*
    3⤵
    - Kills process with taskkill
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Culserver*
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Culserver*
    3⤵
    - Kills process with taskkill
    PID:488
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM RTVscan*
  2⤵
  PID:68
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM RTVscan*
    3⤵
    PID:3348
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlbrowser*
  2⤵
  PID:3640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlbrowser*
    3⤵
    - Kills process with taskkill
    PID:3392
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLADHLP*
  2⤵
  PID:3112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLADHLP*
    3⤵
    - Kills process with taskkill
    PID:3908
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBIDPService*
  2⤵
  PID:3560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBIDPService*
    3⤵
    - Kills process with taskkill
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBCFMonitorService*
  2⤵
  PID:3288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBCFMonitorService*
    3⤵
    - Kills process with taskkill
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlwriter*
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlwriter*
    3⤵
    PID:3716
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msmdsrv*
  2⤵
  PID:2320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msmdsrv*
    3⤵
    PID:3144
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM tomcat6*
  2⤵
  PID:3108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM tomcat6*
    3⤵
    - Kills process with taskkill
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM zhudongfangyu*
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    PID:3352
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM vmware-usbarbitator64*
  2⤵
  PID:416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM vmware-usbarbitator64*
    3⤵
    - Kills process with taskkill
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM vmware-converter*
  2⤵
  PID:3700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM vmware-converter*
    3⤵
    PID:3516
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM dbsrv12*
  2⤵
  PID:692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM dbsrv12*
    3⤵
    - Kills process with taskkill
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM dbeng8*
  2⤵
  PID:508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM dbeng8*
    3⤵
    - Kills process with taskkill
    PID:3212
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    PID:740
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:3376
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
  2⤵
  PID:3168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
    3⤵
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLBrowser*
  2⤵
  PID:3520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLBrowser*
    3⤵
    PID:992
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLWriter*
  2⤵
  PID:2324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLWriter*
    3⤵
    - Kills process with taskkill
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM FishbowlMySQL*
  2⤵
  PID:976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM FishbowlMySQL*
    3⤵
    - Kills process with taskkill
    PID:3352
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:1460
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    - Kills process with taskkill
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MySQL57*
  2⤵
  PID:980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MySQL57*
    3⤵
    - Kills process with taskkill
    PID:3516
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
  2⤵
  PID:3708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
    3⤵
    - Kills process with taskkill
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
  2⤵
  PID:2860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLServerADHelper100*
    3⤵
    - Kills process with taskkill
    PID:3840
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
    3⤵
    PID:3688
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msftesql-Exchange*
  2⤵
  PID:732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msftesql-Exchange*
    3⤵
    PID:412
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
  2⤵
  PID:3872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
    3⤵
    PID:496
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
  2⤵
  PID:3036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$SBSMONITORING*
    3⤵
    PID:980
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
  2⤵
  PID:636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
  2⤵
  PID:3968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
    3⤵
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:3032
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
  2⤵
  PID:2320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:3440
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBFCService*
  2⤵
  PID:3112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBFCService*
    3⤵
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBVSS*
  2⤵
  PID:3560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBVSS*
    3⤵
    - Kills process with taskkill
    PID:3516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /T 15 /NOBREAK && del "C:\Users\Admin\AppData\Local\Temp\79385ed97732aee0036e67824de18e28.exe" /F
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 15 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:3112