Analysis

max time kernel: 124s
max time network: 92s
platform: windows7_x64
resource: win7
submitted: 24-07-2020 12:51

Static task: static1

Behavioral task: behavioral1
Sample: fa4c4ac8b9c1b14951ae8add855f34e8.exe
Resource: win7

Behavioral task: behavioral2
Sample: fa4c4ac8b9c1b14951ae8add855f34e8.exe
Resource: win10v200722

General

Target: fa4c4ac8b9c1b14951ae8add855f34e8.exe
Size: 43KB
MD5: fa4c4ac8b9c1b14951ae8add855f34e8
SHA1: c5049dbdee3aaaf3a794edda02554789a25389bf
SHA256: bf6e5f9d060ebc5bb70144ca6e795bfc249c6590ab9f45e258ec9b5f3d49eeb6
SHA512: 6d9d53cc430ea73684ec3c2e739d7dc01b7ce601a4a9073b77baf39d1f3e25ccc6d3f50a2e9b8bbaa275b8045cac370163d4e5a6a98aa736ca2c69b9820cee37
Malware Config

Signatures

Enumerates connected drives (3 TTPs)
Suspicious use of WriteProcessMemory (740 IoCs)

WriteProcessMemory is the API behind classic process injection, but CreateProcess also calls it when a parent populates the child it has just started, so the signature on its own does not distinguish the two. In the entries below the only writers are the sample (PID 1104) and cmd.exe instances whose PIDs the sample had itself just written to, every target carries a fresh, strictly increasing process index, and each write is recorded four times with the same target. That is the shape of repeated parent-to-child process setup (the sample launching cmd.exe over and over, each cmd.exe launching one child), not of writes into an unrelated, already-running process. Read the signature as a pointer to that process tree; to call it injection you would need a write whose target is a process that already existed before the writer, which this table does not show.
Columns: writer PID and image (the report's "pid"/"Process" columns), the PID written to, procid_target (the report's own index for the target process, not a Windows PID), and the number of identical WriteProcessMemory entries recorded for that writer/target pair. The final row is cut off in the report; its procid_target is not available.

writer PID  Process                               target PID  procid_target  writes logged
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1304        25             4
1304        cmd.exe                               1476        27             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1092        30             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1508        32             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1360        34             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1852        36             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1240        38             4
1240        cmd.exe                               1796        40             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1676        41             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1628        43             4
1628        cmd.exe                               1648        45             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1924        47             4
1924        cmd.exe                               1976        49             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1940        50             4
1940        cmd.exe                               388         52             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  2020        53             4
2020        cmd.exe                               1480        55             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  976         56             4
976         cmd.exe                               240         58             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1408        59             4
1408        cmd.exe                               1092        61             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1508        62             4
1508        cmd.exe                               1832        64             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1812        65             4
1812        cmd.exe                               1788        67             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1664        68             4
1664        cmd.exe                               1576        70             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1700        71             4
1700        cmd.exe                               1876        73             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1956        74             4
1956        cmd.exe                               1988        76             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  2040        77             4
2040        cmd.exe                               1076        79             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1484        80             4
1484        cmd.exe                               1424        82             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1060        83             4
1060        cmd.exe                               1420        85             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1520        86             4
1520        cmd.exe                               1836        88             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1360        89             4
1360        cmd.exe                               1804        91             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1868        92             4
1868        cmd.exe                               1652        94             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1548        95             4
1548        cmd.exe                               1632        97             4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1980        98             4
1980        cmd.exe                               1984        100            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  2024        101            4
2024        cmd.exe                               1932        103            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1468        104            4
1468        cmd.exe                               1196        106            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  832         107            4
832         cmd.exe                               1416        109            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1528        110            4
1528        cmd.exe                               1304        112            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1376        113            4
1376        cmd.exe                               1824        115            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1772        116            4
1772        cmd.exe                               1808        118            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1604        119            4
1604        cmd.exe                               1572        121            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1668        122            4
1668        cmd.exe                               1648        124            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  2008        125            4
2008        cmd.exe                               1876        127            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1976        128            4
1976        cmd.exe                               1560        130            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  2004        131            4
2004        cmd.exe                               1552        133            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1076        134            4
1076        cmd.exe                               1524        136            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  2032        137            4
2032        cmd.exe                               1844        139            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1420        140            4
1420        cmd.exe                               1800        142            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1408        143            4
1408        cmd.exe                               1568        145            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1804        146            4
1804        cmd.exe                               1964        148            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1652        149            4
1652        cmd.exe                               1072        151            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1884        152            4
1884        cmd.exe                               1996        154            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  2024        155            4
2024        cmd.exe                               1924        157            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1476        158            4
1476        cmd.exe                               1940        160            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1716        161            4
1716        cmd.exe                               832         163            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1356        164            4
1356        cmd.exe                               976         166            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  268         167            4
268         cmd.exe                               1060        169            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1660        170            4
1660        cmd.exe                               1376        172            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1972        173            4
1972        cmd.exe                               1832        175            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1632        176            4
1632        cmd.exe                               1868        178            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1488        179            4
1488        cmd.exe                               1700        181            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  2016        182            4
2016        cmd.exe                               1560        184            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1416        185            4
1416        cmd.exe                               1552        187            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1304        188            4
1304        cmd.exe                               388         190            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1796        191            4
1796        cmd.exe                               976         193            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1828        194            4
1828        cmd.exe                               1540        196            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1568        197            4
1568        cmd.exe                               1960        199            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1964        200            4
1964        cmd.exe                               1648        202            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1772        203            4
1772        cmd.exe                               2036        205            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1604        206            4
1604        cmd.exe                               1504        208            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  2044        209            4
2044        cmd.exe                               1816        211            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1480        212            4
1480        cmd.exe                               2020        214            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  240         215            4
240         cmd.exe                               1500        217            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1236        218            4
1236        cmd.exe                               1356        220            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  528         221            4
528         cmd.exe                               1060        223            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1788        224            4
1788        cmd.exe                               1376        226            4
1104        fa4c4ac8b9c1b14951ae8add855f34e8.exe  1576                       1
227 PID 1104 wrote to memory of 1576 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 227 PID 1104 wrote to memory of 1576 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 227 PID 1104 wrote to memory of 1576 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 227 PID 1576 wrote to memory of 1664 1576 cmd.exe 229 PID 1576 wrote to memory of 1664 1576 cmd.exe 229 PID 1576 wrote to memory of 1664 1576 cmd.exe 229 PID 1576 wrote to memory of 1664 1576 cmd.exe 229 PID 1104 wrote to memory of 1548 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 230 PID 1104 wrote to memory of 1548 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 230 PID 1104 wrote to memory of 1548 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 230 PID 1104 wrote to memory of 1548 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 230 PID 1548 wrote to memory of 1952 1548 cmd.exe 232 PID 1548 wrote to memory of 1952 1548 cmd.exe 232 PID 1548 wrote to memory of 1952 1548 cmd.exe 232 PID 1548 wrote to memory of 1952 1548 cmd.exe 232 PID 1104 wrote to memory of 1300 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 233 PID 1104 wrote to memory of 1300 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 233 PID 1104 wrote to memory of 1300 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 233 PID 1104 wrote to memory of 1300 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 233 PID 1300 wrote to memory of 524 1300 cmd.exe 235 PID 1300 wrote to memory of 524 1300 cmd.exe 235 PID 1300 wrote to memory of 524 1300 cmd.exe 235 PID 1300 wrote to memory of 524 1300 cmd.exe 235 PID 1104 wrote to memory of 1504 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 236 PID 1104 wrote to memory of 1504 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 236 PID 1104 wrote to memory of 1504 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 236 PID 1104 wrote to memory of 1504 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 236 PID 1504 wrote to memory of 1600 1504 cmd.exe 238 PID 1504 wrote to memory of 1600 1504 cmd.exe 238 PID 1504 wrote to memory of 1600 1504 cmd.exe 238 PID 1504 wrote to memory of 1600 1504 cmd.exe 238 PID 1104 wrote 
to memory of 1816 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 239 PID 1104 wrote to memory of 1816 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 239 PID 1104 wrote to memory of 1816 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 239 PID 1104 wrote to memory of 1816 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 239 PID 1816 wrote to memory of 1852 1816 cmd.exe 241 PID 1816 wrote to memory of 1852 1816 cmd.exe 241 PID 1816 wrote to memory of 1852 1816 cmd.exe 241 PID 1816 wrote to memory of 1852 1816 cmd.exe 241 PID 1104 wrote to memory of 2020 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 242 PID 1104 wrote to memory of 2020 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 242 PID 1104 wrote to memory of 2020 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 242 PID 1104 wrote to memory of 2020 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 242 PID 2020 wrote to memory of 656 2020 cmd.exe 244 PID 2020 wrote to memory of 656 2020 cmd.exe 244 PID 2020 wrote to memory of 656 2020 cmd.exe 244 PID 2020 wrote to memory of 656 2020 cmd.exe 244 PID 1104 wrote to memory of 1500 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 245 PID 1104 wrote to memory of 1500 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 245 PID 1104 wrote to memory of 1500 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 245 PID 1104 wrote to memory of 1500 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 245 PID 1500 wrote to memory of 764 1500 cmd.exe 247 PID 1500 wrote to memory of 764 1500 cmd.exe 247 PID 1500 wrote to memory of 764 1500 cmd.exe 247 PID 1500 wrote to memory of 764 1500 cmd.exe 247 PID 1104 wrote to memory of 1356 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 248 PID 1104 wrote to memory of 1356 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 248 PID 1104 wrote to memory of 1356 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 248 PID 1104 wrote to memory of 1356 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 248 PID 1356 wrote to memory of 1528 1356 cmd.exe 250 PID 1356 wrote to memory of 1528 1356 cmd.exe 250 PID 1356 wrote to memory of 1528 1356 cmd.exe 250 PID 1356 
wrote to memory of 1528 1356 cmd.exe 250 PID 1104 wrote to memory of 1060 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 251 PID 1104 wrote to memory of 1060 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 251 PID 1104 wrote to memory of 1060 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 251 PID 1104 wrote to memory of 1060 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 251 PID 1060 wrote to memory of 1360 1060 cmd.exe 253 PID 1060 wrote to memory of 1360 1060 cmd.exe 253 PID 1060 wrote to memory of 1360 1060 cmd.exe 253 PID 1060 wrote to memory of 1360 1060 cmd.exe 253 PID 1104 wrote to memory of 1376 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 254 PID 1104 wrote to memory of 1376 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 254 PID 1104 wrote to memory of 1376 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 254 PID 1104 wrote to memory of 1376 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 254 PID 1376 wrote to memory of 936 1376 cmd.exe 256 PID 1376 wrote to memory of 936 1376 cmd.exe 256 PID 1376 wrote to memory of 936 1376 cmd.exe 256 PID 1376 wrote to memory of 936 1376 cmd.exe 256 PID 1104 wrote to memory of 1664 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 257 PID 1104 wrote to memory of 1664 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 257 PID 1104 wrote to memory of 1664 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 257 PID 1104 wrote to memory of 1664 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 257 PID 1664 wrote to memory of 1652 1664 cmd.exe 259 PID 1664 wrote to memory of 1652 1664 cmd.exe 259 PID 1664 wrote to memory of 1652 1664 cmd.exe 259 PID 1664 wrote to memory of 1652 1664 cmd.exe 259 PID 1104 wrote to memory of 1952 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 260 PID 1104 wrote to memory of 1952 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 260 PID 1104 wrote to memory of 1952 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 260 PID 1104 wrote to memory of 1952 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 260 PID 1952 wrote to memory of 1884 1952 cmd.exe 262 PID 1952 wrote to memory of 1884 1952 cmd.exe 
262 PID 1952 wrote to memory of 1884 1952 cmd.exe 262 PID 1952 wrote to memory of 1884 1952 cmd.exe 262 PID 1104 wrote to memory of 1040 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 263 PID 1104 wrote to memory of 1040 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 263 PID 1104 wrote to memory of 1040 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 263 PID 1104 wrote to memory of 1040 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 263 PID 1040 wrote to memory of 1996 1040 cmd.exe 265 PID 1040 wrote to memory of 1996 1040 cmd.exe 265 PID 1040 wrote to memory of 1996 1040 cmd.exe 265 PID 1040 wrote to memory of 1996 1040 cmd.exe 265 PID 1104 wrote to memory of 1696 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 266 PID 1104 wrote to memory of 1696 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 266 PID 1104 wrote to memory of 1696 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 266 PID 1104 wrote to memory of 1696 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 266 PID 1696 wrote to memory of 2044 1696 cmd.exe 268 PID 1696 wrote to memory of 2044 1696 cmd.exe 268 PID 1696 wrote to memory of 2044 1696 cmd.exe 268 PID 1696 wrote to memory of 2044 1696 cmd.exe 268 PID 1104 wrote to memory of 1476 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 269 PID 1104 wrote to memory of 1476 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 269 PID 1104 wrote to memory of 1476 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 269 PID 1104 wrote to memory of 1476 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 269 PID 1476 wrote to memory of 1480 1476 cmd.exe 271 PID 1476 wrote to memory of 1480 1476 cmd.exe 271 PID 1476 wrote to memory of 1480 1476 cmd.exe 271 PID 1476 wrote to memory of 1480 1476 cmd.exe 271 PID 1104 wrote to memory of 568 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 272 PID 1104 wrote to memory of 568 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 272 PID 1104 wrote to memory of 568 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 272 PID 1104 wrote to memory of 568 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 272 PID 568 wrote to memory of 1304 568 
cmd.exe 274 PID 568 wrote to memory of 1304 568 cmd.exe 274 PID 568 wrote to memory of 1304 568 cmd.exe 274 PID 568 wrote to memory of 1304 568 cmd.exe 274 PID 1104 wrote to memory of 240 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 275 PID 1104 wrote to memory of 240 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 275 PID 1104 wrote to memory of 240 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 275 PID 1104 wrote to memory of 240 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 275 PID 240 wrote to memory of 1860 240 cmd.exe 277 PID 240 wrote to memory of 1860 240 cmd.exe 277 PID 240 wrote to memory of 1860 240 cmd.exe 277 PID 240 wrote to memory of 1860 240 cmd.exe 277 PID 1104 wrote to memory of 1800 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 278 PID 1104 wrote to memory of 1800 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 278 PID 1104 wrote to memory of 1800 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 278 PID 1104 wrote to memory of 1800 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 278 PID 1800 wrote to memory of 796 1800 cmd.exe 280 PID 1800 wrote to memory of 796 1800 cmd.exe 280 PID 1800 wrote to memory of 796 1800 cmd.exe 280 PID 1800 wrote to memory of 796 1800 cmd.exe 280 PID 1104 wrote to memory of 1044 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 281 PID 1104 wrote to memory of 1044 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 281 PID 1104 wrote to memory of 1044 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 281 PID 1104 wrote to memory of 1044 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 281 PID 1044 wrote to memory of 1568 1044 cmd.exe 283 PID 1044 wrote to memory of 1568 1044 cmd.exe 283 PID 1044 wrote to memory of 1568 1044 cmd.exe 283 PID 1044 wrote to memory of 1568 1044 cmd.exe 283 PID 1104 wrote to memory of 1660 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 284 PID 1104 wrote to memory of 1660 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 284 PID 1104 wrote to memory of 1660 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 284 PID 1104 wrote to memory of 1660 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 
284 PID 1660 wrote to memory of 1648 1660 cmd.exe 286 PID 1660 wrote to memory of 1648 1660 cmd.exe 286 PID 1660 wrote to memory of 1648 1660 cmd.exe 286 PID 1660 wrote to memory of 1648 1660 cmd.exe 286 PID 1104 wrote to memory of 1220 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 287 PID 1104 wrote to memory of 1220 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 287 PID 1104 wrote to memory of 1220 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 287 PID 1104 wrote to memory of 1220 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 287 PID 1220 wrote to memory of 1868 1220 cmd.exe 289 PID 1220 wrote to memory of 1868 1220 cmd.exe 289 PID 1220 wrote to memory of 1868 1220 cmd.exe 289 PID 1220 wrote to memory of 1868 1220 cmd.exe 289 PID 1104 wrote to memory of 932 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 290 PID 1104 wrote to memory of 932 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 290 PID 1104 wrote to memory of 932 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 290 PID 1104 wrote to memory of 932 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 290 PID 932 wrote to memory of 1140 932 cmd.exe 292 PID 932 wrote to memory of 1140 932 cmd.exe 292 PID 932 wrote to memory of 1140 932 cmd.exe 292 PID 932 wrote to memory of 1140 932 cmd.exe 292 PID 1104 wrote to memory of 1196 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 293 PID 1104 wrote to memory of 1196 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 293 PID 1104 wrote to memory of 1196 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 293 PID 1104 wrote to memory of 1196 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 293 PID 1196 wrote to memory of 1932 1196 cmd.exe 295 PID 1196 wrote to memory of 1932 1196 cmd.exe 295 PID 1196 wrote to memory of 1932 1196 cmd.exe 295 PID 1196 wrote to memory of 1932 1196 cmd.exe 295 PID 1104 wrote to memory of 1956 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 296 PID 1104 wrote to memory of 1956 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 296 PID 1104 wrote to memory of 1956 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 296 PID 1104 wrote to 
memory of 1956 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 296 PID 1956 wrote to memory of 1516 1956 cmd.exe 298 PID 1956 wrote to memory of 1516 1956 cmd.exe 298 PID 1956 wrote to memory of 1516 1956 cmd.exe 298 PID 1956 wrote to memory of 1516 1956 cmd.exe 298 PID 1104 wrote to memory of 1468 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 299 PID 1104 wrote to memory of 1468 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 299 PID 1104 wrote to memory of 1468 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 299 PID 1104 wrote to memory of 1468 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 299 PID 1468 wrote to memory of 1580 1468 cmd.exe 301 PID 1468 wrote to memory of 1580 1468 cmd.exe 301 PID 1468 wrote to memory of 1580 1468 cmd.exe 301 PID 1468 wrote to memory of 1580 1468 cmd.exe 301 PID 1104 wrote to memory of 1052 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 302 PID 1104 wrote to memory of 1052 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 302 PID 1104 wrote to memory of 1052 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 302 PID 1104 wrote to memory of 1052 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 302 PID 1052 wrote to memory of 2020 1052 cmd.exe 304 PID 1052 wrote to memory of 2020 1052 cmd.exe 304 PID 1052 wrote to memory of 2020 1052 cmd.exe 304 PID 1052 wrote to memory of 2020 1052 cmd.exe 304 PID 1104 wrote to memory of 1716 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 310 PID 1104 wrote to memory of 1716 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 310 PID 1104 wrote to memory of 1716 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 310 PID 1104 wrote to memory of 1716 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 310 PID 1716 wrote to memory of 1508 1716 cmd.exe 312 PID 1716 wrote to memory of 1508 1716 cmd.exe 312 PID 1716 wrote to memory of 1508 1716 cmd.exe 312 PID 1716 wrote to memory of 1508 1716 cmd.exe 312 -
Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 16 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process
File renamed C:\Users\Admin\Pictures\RestartConvert.tif => C:\Users\Admin\Pictures\RestartConvert.tif.LDlfEQ fa4c4ac8b9c1b14951ae8add855f34e8.exe
File opened for modification C:\Users\Admin\Pictures\RestoreSubmit.crw.LDlfEQ fa4c4ac8b9c1b14951ae8add855f34e8.exe
File opened for modification C:\Users\Admin\Pictures\WriteUninstall.crw.LDlfEQ fa4c4ac8b9c1b14951ae8add855f34e8.exe
File renamed C:\Users\Admin\Pictures\ImportRead.raw => C:\Users\Admin\Pictures\ImportRead.raw.LDlfEQ fa4c4ac8b9c1b14951ae8add855f34e8.exe
File opened for modification C:\Users\Admin\Pictures\MountRename.tif.LDlfEQ fa4c4ac8b9c1b14951ae8add855f34e8.exe
File opened for modification C:\Users\Admin\Pictures\RestartConvert.tif.LDlfEQ fa4c4ac8b9c1b14951ae8add855f34e8.exe
File renamed C:\Users\Admin\Pictures\RestoreSubmit.crw => C:\Users\Admin\Pictures\RestoreSubmit.crw.LDlfEQ fa4c4ac8b9c1b14951ae8add855f34e8.exe
File opened for modification C:\Users\Admin\Pictures\JoinConnect.tif.LDlfEQ fa4c4ac8b9c1b14951ae8add855f34e8.exe
File renamed C:\Users\Admin\Pictures\SubmitDisconnect.raw => C:\Users\Admin\Pictures\SubmitDisconnect.raw.LDlfEQ fa4c4ac8b9c1b14951ae8add855f34e8.exe
File opened for modification C:\Users\Admin\Pictures\SubmitDisconnect.raw.LDlfEQ fa4c4ac8b9c1b14951ae8add855f34e8.exe
File opened for modification C:\Users\Admin\Pictures\ImportRead.raw.LDlfEQ fa4c4ac8b9c1b14951ae8add855f34e8.exe
File renamed C:\Users\Admin\Pictures\JoinConnect.tif => C:\Users\Admin\Pictures\JoinConnect.tif.LDlfEQ fa4c4ac8b9c1b14951ae8add855f34e8.exe
File renamed C:\Users\Admin\Pictures\MountRename.tif => C:\Users\Admin\Pictures\MountRename.tif.LDlfEQ fa4c4ac8b9c1b14951ae8add855f34e8.exe
File renamed C:\Users\Admin\Pictures\WriteUnblock.crw => C:\Users\Admin\Pictures\WriteUnblock.crw.LDlfEQ fa4c4ac8b9c1b14951ae8add855f34e8.exe
File opened for modification C:\Users\Admin\Pictures\WriteUnblock.crw.LDlfEQ fa4c4ac8b9c1b14951ae8add855f34e8.exe
File renamed C:\Users\Admin\Pictures\WriteUninstall.crw => C:\Users\Admin\Pictures\WriteUninstall.crw.LDlfEQ fa4c4ac8b9c1b14951ae8add855f34e8.exe
-
Deletes itself 1 IoCs
pid Process
1716 cmd.exe
-
NTFS ADS 5 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Local\Temp\boot.sys:fhsbwmembgekrfne fa4c4ac8b9c1b14951ae8add855f34e8.exe
File created C:\Users\Admin\AppData\Local\Temp\boot.sys:ukkubcuww fa4c4ac8b9c1b14951ae8add855f34e8.exe
File created C:\Users\Admin\AppData\Local\Temp\boot.sys:fezlodqangoesitka fa4c4ac8b9c1b14951ae8add855f34e8.exe
File opened for modification C:\Users\Admin\AppData\Local\Temp\boot.sys:qyctfshmbwjbs fa4c4ac8b9c1b14951ae8add855f34e8.exe
File opened for modification C:\Users\Admin\AppData\Local\Temp\boot.sys:ukkubcuww fa4c4ac8b9c1b14951ae8add855f34e8.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d.bmp" fa4c4ac8b9c1b14951ae8add855f34e8.exe
-
Modifies service 2 TTPs 4 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
1796 vssadmin.exe
-
Kills process with taskkill 87 IoCs
-
Suspicious use of AdjustPrivilegeToken 127 IoCs
-
Suspicious behavior: EnumeratesProcesses 304 IoCs
fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 
fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe 1104 fa4c4ac8b9c1b14951ae8add855f34e8.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1508 timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa4c4ac8b9c1b14951ae8add855f34e8.exe  PID 1104
  cmdline: "C:\Users\Admin\AppData\Local\Temp\fa4c4ac8b9c1b14951ae8add855f34e8.exe"
  - Suspicious use of WriteProcessMemory
  - Modifies extensions of user files
  - NTFS ADS
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe  PID 1304
    cmdline: cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\Wbem\WMIC.exe  PID 1476
      cmdline: wmic.exe SHADOWCOPY DELETE /nointeractive
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 1092
    cmdline: cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  C:\Windows\SysWOW64\cmd.exe  PID 1508
    cmdline: cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  C:\Windows\SysWOW64\cmd.exe  PID 1360
    cmdline: cmd /C bcdedit.exe /set {default} recoveryenabled No
  C:\Windows\SysWOW64\cmd.exe  PID 1852
    cmdline: cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  C:\Windows\SysWOW64\cmd.exe  PID 1240
    cmdline: cmd /C vssadmin.exe Delete Shadows /All /Quiet
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\vssadmin.exe  PID 1796
      cmdline: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
  C:\Windows\SysWOW64\cmd.exe  PID 1676
    cmdline: cmd /C C:\Windows\system32\vssvc.exe
  C:\Windows\SysWOW64\cmd.exe  PID 1628
    cmdline: cmd /C taskkill /F /T /IM wxServer*
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe  PID 1648
      cmdline: taskkill /F /T /IM wxServer*
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 1924
    cmdline: cmd /C taskkill /F /T /IM wxServerView*
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe  PID 1976
      cmdline: taskkill /F /T /IM wxServerView*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 1940
    cmdline: cmd /C taskkill /F /T /IM sqlmangr*
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe  PID 388
      cmdline: taskkill /F /T /IM sqlmangr*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 2020
    cmdline: cmd /C taskkill /F /T /IM RAgui*
    C:\Windows\SysWOW64\taskkill.exe  PID 1480
      cmdline: taskkill /F /T /IM RAgui*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 976
    cmdline: cmd /C taskkill /F /T /IM supervise*
    C:\Windows\SysWOW64\taskkill.exe  PID 240
      cmdline: taskkill /F /T /IM supervise*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 1408
    cmdline: cmd /C taskkill /F /T /IM Culture*
    C:\Windows\SysWOW64\taskkill.exe  PID 1092
      cmdline: taskkill /F /T /IM Culture*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 1508
    cmdline: cmd /C taskkill /F /T /IM Defwatch*
    C:\Windows\SysWOW64\taskkill.exe  PID 1832
      cmdline: taskkill /F /T /IM Defwatch*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 1812
    cmdline: cmd /C taskkill /F /T /IM winword*
    C:\Windows\SysWOW64\taskkill.exe  PID 1788
      cmdline: taskkill /F /T /IM winword*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 1664
    cmdline: cmd /C taskkill /F /T /IM QBW32*
    C:\Windows\SysWOW64\taskkill.exe  PID 1576
      cmdline: taskkill /F /T /IM QBW32*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 1700
    cmdline: cmd /C taskkill /F /T /IM QBDBMgr*
    C:\Windows\SysWOW64\taskkill.exe  PID 1876
      cmdline: taskkill /F /T /IM QBDBMgr*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 1956
    cmdline: cmd /C taskkill /F /T /IM qbupdate*
    C:\Windows\SysWOW64\taskkill.exe  PID 1988
      cmdline: taskkill /F /T /IM qbupdate*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 2040
    cmdline: cmd /C taskkill /F /T /IM axlbridge*
    C:\Windows\SysWOW64\taskkill.exe  PID 1076
      cmdline: taskkill /F /T /IM axlbridge*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 1484
    cmdline: cmd /C taskkill /F /T /IM httpd*
    C:\Windows\SysWOW64\taskkill.exe  PID 1424
      cmdline: taskkill /F /T /IM httpd*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 1060
    cmdline: cmd /C taskkill /F /T /IM fdlauncher*
    C:\Windows\SysWOW64\taskkill.exe  PID 1420
      cmdline: taskkill /F /T /IM fdlauncher*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 1520
    cmdline: cmd /C taskkill /F /T /IM MsDtSrvr*
    C:\Windows\SysWOW64\taskkill.exe  PID 1836
      cmdline: taskkill /F /T /IM MsDtSrvr*
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 1360
    cmdline: cmd /C taskkill /F /T /IM java*
    C:\Windows\SysWOW64\taskkill.exe  PID 1804
      cmdline: taskkill /F /T /IM java*
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 1868
    cmdline: cmd /C taskkill /F /T /IM 360se*
    C:\Windows\SysWOW64\taskkill.exe  PID 1652
      cmdline: taskkill /F /T /IM 360se*
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 1548
    cmdline: cmd /C taskkill /F /T /IM 360doctor*
    C:\Windows\SysWOW64\taskkill.exe  PID 1632
      cmdline: taskkill /F /T /IM 360doctor*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 1980
    cmdline: cmd /C taskkill /F /T /IM wdswfsafe*
    C:\Windows\SysWOW64\taskkill.exe  PID 1984
      cmdline: taskkill /F /T /IM wdswfsafe*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 2024
    cmdline: cmd /C taskkill /F /T /IM fdhost*
    C:\Windows\SysWOW64\taskkill.exe  PID 1932
      cmdline: taskkill /F /T /IM fdhost*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 1468
    cmdline: cmd /C taskkill /F /T /IM GDscan*
    C:\Windows\SysWOW64\taskkill.exe  PID 1196
      cmdline: taskkill /F /T /IM GDscan*
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID 832
    cmdline: cmd /C taskkill /F /T /IM ZhuDongFangYu*
    C:\Windows\SysWOW64\taskkill.exe  PID 1416
      cmdline: taskkill /F /T /IM ZhuDongFangYu*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1528
    cmdline: cmd /C taskkill /F /T /IM QBDBMgrN*
    C:\Windows\SysWOW64\taskkill.exe  PID 1304
      cmdline: taskkill /F /T /IM QBDBMgrN*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1376
    cmdline: cmd /C taskkill /F /T /IM mysqld*
    C:\Windows\SysWOW64\taskkill.exe  PID 1824
      cmdline: taskkill /F /T /IM mysqld*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1772
    cmdline: cmd /C taskkill /F /T /IM AutodeskDesktopApp*
    C:\Windows\SysWOW64\taskkill.exe  PID 1808
      cmdline: taskkill /F /T /IM AutodeskDesktopApp*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1604
    cmdline: cmd /C taskkill /F /T /IM acwebbrowser*
    C:\Windows\SysWOW64\taskkill.exe  PID 1572
      cmdline: taskkill /F /T /IM acwebbrowser*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1668
    cmdline: cmd /C taskkill /F /T /IM Creative Cloud*
    C:\Windows\SysWOW64\taskkill.exe  PID 1648
      cmdline: taskkill /F /T /IM Creative Cloud*
  C:\Windows\SysWOW64\cmd.exe  PID 2008
    cmdline: cmd /C taskkill /F /T /IM Adobe Desktop Service*
    C:\Windows\SysWOW64\taskkill.exe  PID 1876
      cmdline: taskkill /F /T /IM Adobe Desktop Service*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1976
    cmdline: cmd /C taskkill /F /T /IM CoreSync*
    C:\Windows\SysWOW64\taskkill.exe  PID 1560
      cmdline: taskkill /F /T /IM CoreSync*
  C:\Windows\SysWOW64\cmd.exe  PID 2004
    cmdline: cmd /C taskkill /F /T /IM Adobe CEF Helper*
    C:\Windows\SysWOW64\taskkill.exe  PID 1552
      cmdline: taskkill /F /T /IM Adobe CEF Helper*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1076
    cmdline: cmd /C taskkill /F /T /IM node*
    C:\Windows\SysWOW64\taskkill.exe  PID 1524
      cmdline: taskkill /F /T /IM node*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 2032
    cmdline: cmd /C taskkill /F /T /IM AdobeIPCBroker*
    C:\Windows\SysWOW64\taskkill.exe  PID 1844
      cmdline: taskkill /F /T /IM AdobeIPCBroker*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1420
    cmdline: cmd /C taskkill /F /T /IM sync-taskbar*
    C:\Windows\SysWOW64\taskkill.exe  PID 1800
      cmdline: taskkill /F /T /IM sync-taskbar*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1408
    cmdline: cmd /C taskkill /F /T /IM sync-worker*
    C:\Windows\SysWOW64\taskkill.exe  PID 1568
      cmdline: taskkill /F /T /IM sync-worker*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1804
    cmdline: cmd /C taskkill /F /T /IM InputPersonalization*
    C:\Windows\SysWOW64\taskkill.exe  PID 1964
      cmdline: taskkill /F /T /IM InputPersonalization*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1652
    cmdline: cmd /C taskkill /F /T /IM AdobeCollabSync*
    C:\Windows\SysWOW64\taskkill.exe  PID 1072
      cmdline: taskkill /F /T /IM AdobeCollabSync*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1884
    cmdline: cmd /C taskkill /F /T /IM BrCtrlCntr*
    C:\Windows\SysWOW64\taskkill.exe  PID 1996
      cmdline: taskkill /F /T /IM BrCtrlCntr*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 2024
    cmdline: cmd /C taskkill /F /T /IM BrCcUxSys*
    C:\Windows\SysWOW64\taskkill.exe  PID 1924
      cmdline: taskkill /F /T /IM BrCcUxSys*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1476
    cmdline: cmd /C taskkill /F /T /IM SimplyConnectionManager*
    C:\Windows\SysWOW64\taskkill.exe  PID 1940
      cmdline: taskkill /F /T /IM SimplyConnectionManager*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1716
    cmdline: cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
    C:\Windows\SysWOW64\taskkill.exe  PID 832
      cmdline: taskkill /F /T /IM Simply.SystemTrayIcon*
  C:\Windows\SysWOW64\cmd.exe  PID 1356
    cmdline: cmd /C taskkill /F /T /IM fbguard*
    C:\Windows\SysWOW64\taskkill.exe  PID 976
      cmdline: taskkill /F /T /IM fbguard*
  C:\Windows\SysWOW64\cmd.exe  PID 268
    cmdline: cmd /C taskkill /F /T /IM fbserver*
    C:\Windows\SysWOW64\taskkill.exe  PID 1060
      cmdline: taskkill /F /T /IM fbserver*
  C:\Windows\SysWOW64\cmd.exe  PID 1660
    cmdline: cmd /C taskkill /F /T /IM ONENOTEM*
    C:\Windows\SysWOW64\taskkill.exe  PID 1376
      cmdline: taskkill /F /T /IM ONENOTEM*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1972
    cmdline: cmd /C taskkill /F /T /IM wrapper*
    C:\Windows\SysWOW64\taskkill.exe  PID 1832
      cmdline: taskkill /F /T /IM wrapper*
  C:\Windows\SysWOW64\cmd.exe  PID 1632
    cmdline: cmd /C taskkill /F /T /IM DefWatch*
    C:\Windows\SysWOW64\taskkill.exe  PID 1868
      cmdline: taskkill /F /T /IM DefWatch*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1488
    cmdline: cmd /C taskkill /F /T /IM ccEvtMgr*
    C:\Windows\SysWOW64\taskkill.exe  PID 1700
      cmdline: taskkill /F /T /IM ccEvtMgr*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 2016
    cmdline: cmd /C taskkill /F /T /IM ccSetMgr*
    C:\Windows\SysWOW64\taskkill.exe  PID 1560
      cmdline: taskkill /F /T /IM ccSetMgr*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1416
    cmdline: cmd /C taskkill /F /T /IM SavRoam*
    C:\Windows\SysWOW64\taskkill.exe  PID 1552
      cmdline: taskkill /F /T /IM SavRoam*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1304
    cmdline: cmd /C taskkill /F /T /IM Sqlservr*
    C:\Windows\SysWOW64\taskkill.exe  PID 388
      cmdline: taskkill /F /T /IM Sqlservr*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1796
    cmdline: cmd /C taskkill /F /T /IM sqlagent*
    C:\Windows\SysWOW64\taskkill.exe  PID 976
      cmdline: taskkill /F /T /IM sqlagent*
  C:\Windows\SysWOW64\cmd.exe  PID 1828
    cmdline: cmd /C taskkill /F /T /IM sqladhlp*
    C:\Windows\SysWOW64\taskkill.exe  PID 1540
      cmdline: taskkill /F /T /IM sqladhlp*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1568
    cmdline: cmd /C taskkill /F /T /IM Culserver*
    C:\Windows\SysWOW64\taskkill.exe  PID 1960
      cmdline: taskkill /F /T /IM Culserver*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1964
    cmdline: cmd /C taskkill /F /T /IM RTVscan*
    C:\Windows\SysWOW64\taskkill.exe  PID 1648
      cmdline: taskkill /F /T /IM RTVscan*
  C:\Windows\SysWOW64\cmd.exe  PID 1772
    cmdline: cmd /C taskkill /F /T /IM sqlbrowser*
    C:\Windows\SysWOW64\taskkill.exe  PID 2036
      cmdline: taskkill /F /T /IM sqlbrowser*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1604
    cmdline: cmd /C taskkill /F /T /IM SQLADHLP*
    C:\Windows\SysWOW64\taskkill.exe  PID 1504
      cmdline: taskkill /F /T /IM SQLADHLP*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 2044
    cmdline: cmd /C taskkill /F /T /IM QBIDPService*
    C:\Windows\SysWOW64\taskkill.exe  PID 1816
      cmdline: taskkill /F /T /IM QBIDPService*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1480
    cmdline: cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
    C:\Windows\SysWOW64\taskkill.exe  PID 2020
      cmdline: taskkill /F /T /IM Intuit.QuickBooks.FCS*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 240
    cmdline: cmd /C taskkill /F /T /IM QBCFMonitorService*
    C:\Windows\SysWOW64\taskkill.exe  PID 1500
      cmdline: taskkill /F /T /IM QBCFMonitorService*
  C:\Windows\SysWOW64\cmd.exe  PID 1236
    cmdline: cmd /C taskkill /F /T /IM sqlwriter*
    C:\Windows\SysWOW64\taskkill.exe  PID 1356
      cmdline: taskkill /F /T /IM sqlwriter*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 528
    cmdline: cmd /C taskkill /F /T /IM msmdsrv*
    C:\Windows\SysWOW64\taskkill.exe  PID 1060
      cmdline: taskkill /F /T /IM msmdsrv*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1788
    cmdline: cmd /C taskkill /F /T /IM tomcat6*
    C:\Windows\SysWOW64\taskkill.exe  PID 1376
      cmdline: taskkill /F /T /IM tomcat6*
  C:\Windows\SysWOW64\cmd.exe  PID 1576
    cmdline: cmd /C taskkill /F /T /IM zhudongfangyu*
    C:\Windows\SysWOW64\taskkill.exe  PID 1664
      cmdline: taskkill /F /T /IM zhudongfangyu*
  C:\Windows\SysWOW64\cmd.exe  PID 1548
    cmdline: cmd /C taskkill /F /T /IM vmware-usbarbitator64*
    C:\Windows\SysWOW64\taskkill.exe  PID 1952
      cmdline: taskkill /F /T /IM vmware-usbarbitator64*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1300
    cmdline: cmd /C taskkill /F /T /IM vmware-converter*
    C:\Windows\SysWOW64\taskkill.exe  PID 524
      cmdline: taskkill /F /T /IM vmware-converter*
  C:\Windows\SysWOW64\cmd.exe  PID 1504
    cmdline: cmd /C taskkill /F /T /IM dbsrv12*
    C:\Windows\SysWOW64\taskkill.exe  PID 1600
      cmdline: taskkill /F /T /IM dbsrv12*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1816
    cmdline: cmd /C taskkill /F /T /IM dbeng8*
    C:\Windows\SysWOW64\taskkill.exe  PID 1852
      cmdline: taskkill /F /T /IM dbeng8*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 2020
    cmdline: cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    C:\Windows\SysWOW64\taskkill.exe  PID 656
      cmdline: taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  C:\Windows\SysWOW64\cmd.exe  PID 1500
    cmdline: cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
    C:\Windows\SysWOW64\taskkill.exe  PID 764
      cmdline: taskkill /F /T /IM MSSQL$VEEAMSQL2012*
  C:\Windows\SysWOW64\cmd.exe  PID 1356
    cmdline: cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
    C:\Windows\SysWOW64\taskkill.exe  PID 1528
      cmdline: taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1060
    cmdline: cmd /C taskkill /F /T /IM SQLBrowser*
    C:\Windows\SysWOW64\taskkill.exe  PID 1360
      cmdline: taskkill /F /T /IM SQLBrowser*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1376
    cmdline: cmd /C taskkill /F /T /IM SQLWriter*
    C:\Windows\SysWOW64\taskkill.exe  PID 936
      cmdline: taskkill /F /T /IM SQLWriter*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1664
    cmdline: cmd /C taskkill /F /T /IM FishbowlMySQL*
    C:\Windows\SysWOW64\taskkill.exe  PID 1652
      cmdline: taskkill /F /T /IM FishbowlMySQL*
  C:\Windows\SysWOW64\cmd.exe  PID 1952
    cmdline: cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    C:\Windows\SysWOW64\taskkill.exe  PID 1884
      cmdline: taskkill /F /T /IM MSSQL$MICROSOFT##WID*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1040
    cmdline: cmd /C taskkill /F /T /IM MySQL57*
    C:\Windows\SysWOW64\taskkill.exe  PID 1996
      cmdline: taskkill /F /T /IM MySQL57*
  C:\Windows\SysWOW64\cmd.exe  PID 1696
    cmdline: cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
    C:\Windows\SysWOW64\taskkill.exe  PID 2044
      cmdline: taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1476
    cmdline: cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
    C:\Windows\SysWOW64\taskkill.exe  PID 1480
      cmdline: taskkill /F /T /IM MSSQLServerADHelper100*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 568
    cmdline: cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
    C:\Windows\SysWOW64\taskkill.exe  PID 1304
      cmdline: taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 240
    cmdline: cmd /C taskkill /F /T /IM msftesql-Exchange*
    C:\Windows\SysWOW64\taskkill.exe  PID 1860
      cmdline: taskkill /F /T /IM msftesql-Exchange*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1800
    cmdline: cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
    C:\Windows\SysWOW64\taskkill.exe  PID 796
      cmdline: taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1044
    cmdline: cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
    C:\Windows\SysWOW64\taskkill.exe  PID 1568
      cmdline: taskkill /F /T /IM MSSQL$SBSMONITORING*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1660
    cmdline: cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
    C:\Windows\SysWOW64\taskkill.exe  PID 1648
      cmdline: taskkill /F /T /IM MSSQL$SHAREPOINT*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1220
    cmdline: cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
    C:\Windows\SysWOW64\taskkill.exe  PID 1868
      cmdline: taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 932
    cmdline: cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
    C:\Windows\SysWOW64\taskkill.exe  PID 1140
      cmdline: taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
  C:\Windows\SysWOW64\cmd.exe  PID 1196
    cmdline: cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
    C:\Windows\SysWOW64\taskkill.exe  PID 1932
      cmdline: taskkill /F /T /IM SQLAgent$SBSMONITORING*
  C:\Windows\SysWOW64\cmd.exe  PID 1956
    cmdline: cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
    C:\Windows\SysWOW64\taskkill.exe  PID 1516
      cmdline: taskkill /F /T /IM SQLAgent$SHAREPOINT*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1468
    cmdline: cmd /C taskkill /F /T /IM QBFCService*
    C:\Windows\SysWOW64\taskkill.exe  PID 1580
      cmdline: taskkill /F /T /IM QBFCService*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1052
    cmdline: cmd /C taskkill /F /T /IM QBVSS*
    C:\Windows\SysWOW64\taskkill.exe  PID 2020
      cmdline: taskkill /F /T /IM QBVSS*
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe  PID 1716
    cmdline: "C:\Windows\System32\cmd.exe" /C timeout /T 15 /NOBREAK && del "C:\Users\Admin\AppData\Local\Temp\fa4c4ac8b9c1b14951ae8add855f34e8.exe" /F
    - Deletes itself
    C:\Windows\SysWOW64\timeout.exe  PID 1508
      cmdline: timeout /T 15 /NOBREAK
      - Delays execution with timeout.exe
C:\Windows\system32\vssvc.exe  PID 640
  cmdline: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken