Analysis

max time kernel: 127s
max time network: 115s
platform: windows10_x64
resource: win10v200722
submitted: 24-07-2020 12:51

Static task: static1
Behavioral task: behavioral1, sample fa4c4ac8b9c1b14951ae8add855f34e8.exe, resource win7
Behavioral task: behavioral2, sample fa4c4ac8b9c1b14951ae8add855f34e8.exe, resource win10v200722
(The signatures on this page are from the windows10_x64 / win10v200722 run, i.e. behavioral2.)

General

Target: fa4c4ac8b9c1b14951ae8add855f34e8.exe
Size: 43KB
MD5: fa4c4ac8b9c1b14951ae8add855f34e8
SHA1: c5049dbdee3aaaf3a794edda02554789a25389bf
SHA256: bf6e5f9d060ebc5bb70144ca6e795bfc249c6590ab9f45e258ec9b5f3d49eeb6
SHA512: 6d9d53cc430ea73684ec3c2e739d7dc01b7ce601a4a9073b77baf39d1f3e25ccc6d3f50a2e9b8bbaa275b8045cac370163d4e5a6a98aa736ca2c69b9820cee37
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery. No IoC rows are attached to this signature in the report; the processes that could have issued the deletion are vssadmin.exe (pid 2116) and WMIC.exe (pid 2692), both started through cmd.exe by the sample (see "Interacts with shadow copies" and "Suspicious use of WriteProcessMemory" below). Their command lines are not reproduced on this page, so the exact deletion command is not established here.
- Suspicious use of AdjustPrivilegeToken (129 IoCs)
  Token privileges enabled, grouped by process:

  WMIC.exe (pid 2692), the same 21 privileges enabled twice (42 rows):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    The numeric entries 33 to 36 are privilege LUIDs the sandbox left unresolved; on Windows they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege in its token is WMIC's normal start-up behaviour, so these rows show that WMIC ran, not what it was asked to do.

  vssvc.exe (pid 992), 3 rows: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    The Volume Shadow Copy service enabling these is a side effect of the shadow-copy request, not an action of the sample.

  taskkill.exe with SeDebugPrivilege, 84 rows in report order (pids are recycled as each short-lived taskkill exits, so a repeated pid names a different instance):
    2648, 3692, 3328, 3572, 2824, 2804, 3556, 504, 1220, 1580, 2312, 2304, 2552, 2176, 3796, 996, 3544, 3824, 3724, 852, 1096, 1460, 2300, 2576, 2644, 3860, 728, 3700, 500, 3296, 1344, 1660, 1864, 3820, 3864, 3952, 996, 8, 3728, 3644, 3880, 1248, 1872, 1908, 2656, 2184, 3264, 1592, 3384, 3376, 3688, 3700, 500, 3296, 1344, 1660, 1864, 3820, 3864, 3952, 996, 8, 3728, 3180, 3880, 1248, 1872, 1908, 2656, 2184, 3264, 1592, 3384, 3376, 3688, 3700, 500, 3296, 1344, 1660, 1864, 3820, 3864, 3952
    taskkill enables SeDebugPrivilege so it can open processes it does not own. Dozens of invocations, each launched through its own cmd.exe (see the WriteProcessMemory section), is consistent with the pre-encryption kill list ransomware runs to release file locks; the process names targeted are not shown on this page.
- Suspicious behavior: EnumeratesProcesses (304 IoCs)
  pid 3816, fa4c4ac8b9c1b14951ae8add855f34e8.exe, for all 304 rows (the original listing repeats this single row; the sample itself walks the process list over and over, consistent with the taskkill loop recorded above).
- Modifies service (2 TTPs, 4 IoCs)
  Key created by vssvc.exe under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\:
    Shadow Copy Optimization Writer
    Registry Writer
    COM+ REGDB Writer
    ASR Writer
  These are the per-writer diagnostic keys the Volume Shadow Copy service records when writers are enumerated for a snapshot request. The writing process is vssvc.exe, not the sample, so this row is a consequence of the shadow-copy interaction rather than service tampering by the malware.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 2116, vssadmin.exe (started by cmd.exe pid 1864, itself a child of the sample; see the WriteProcessMemory section)
- NTFS ADS (5 IoCs)
  All five operations are by fa4c4ac8b9c1b14951ae8add855f34e8.exe on alternate data streams of a single host file, C:\Users\Admin\AppData\Local\Temp\boot.sys:
    File opened for modification  boot.sys:ukkubcuww
    File created                  boot.sys:fhsbwmembgekrfne
    File created                  boot.sys:ukkubcuww
    File created                  boot.sys:fezlodqangoesitka
    File opened for modification  boot.sys:qyctfshmbwjbs
  The stream names look randomly generated. A plain directory listing shows only boot.sys; confirming this on a host needs a stream-aware listing (dir /r, or Get-Item -Path <file> -Stream * in PowerShell).
- Enumerates connected drives (3 TTPs)
- Delays execution with timeout.exe (1 IoC)
  pid 684, timeout.exe
- Modifies extensions of user files (15 IoCs)
  Ransomware generally changes the extension on encrypted files. In this run every rename appends .jsgXuC to the full original name (the original extension is kept), and all operations are by fa4c4ac8b9c1b14951ae8add855f34e8.exe in C:\Users\Admin\Pictures\.

  File renamed (7 rows):
    ConnectResume.raw    => ConnectResume.raw.jsgXuC
    SendInstall.png      => SendInstall.png.jsgXuC
    ResetHide.raw        => ResetHide.raw.jsgXuC
    RepairWatch.tiff     => RepairWatch.tiff.jsgXuC
    UnprotectFormat.raw  => UnprotectFormat.raw.jsgXuC
    ResumeComplete.crw   => ResumeComplete.crw.jsgXuC
    SubmitRestart.raw    => SubmitRestart.raw.jsgXuC

  File opened for modification (8 rows, report order):
    ConnectResume.raw.jsgXuC, RepairWatch.tiff (the only file also opened under its original name), SubmitRestart.raw.jsgXuC, ResetHide.raw.jsgXuC, UnprotectFormat.raw.jsgXuC, RepairWatch.tiff.jsgXuC, ResumeComplete.crw.jsgXuC, SendInstall.png.jsgXuC
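The NTFS ADS rows and the rename rows above are the file-system indicators an analyst would lift out of this report. The Python below is an added example, not part of the Triage report or of the Exorcist sample: it parses the report's own rows (copied inline as constructed input), derives the marker extension and the list of renamed originals, flags files also opened under their pre-rename name, and groups the ADS stream names by host file. It assumes the rows are exactly the "description ioc Process" text shown above.

```python
import re
from collections import defaultdict

# Constructed sample input: the "NTFS ADS" and "Modifies extensions of user
# files" rows from this report, one row per line, in the
# "description ioc Process" shape Triage prints them in.
ADS_RECORDS = r"""
File opened for modification C:\Users\Admin\AppData\Local\Temp\boot.sys:ukkubcuww fa4c4ac8b9c1b14951ae8add855f34e8.exe
File created C:\Users\Admin\AppData\Local\Temp\boot.sys:fhsbwmembgekrfne fa4c4ac8b9c1b14951ae8add855f34e8.exe
File created C:\Users\Admin\AppData\Local\Temp\boot.sys:ukkubcuww fa4c4ac8b9c1b14951ae8add855f34e8.exe
File created C:\Users\Admin\AppData\Local\Temp\boot.sys:fezlodqangoesitka fa4c4ac8b9c1b14951ae8add855f34e8.exe
File opened for modification C:\Users\Admin\AppData\Local\Temp\boot.sys:qyctfshmbwjbs fa4c4ac8b9c1b14951ae8add855f34e8.exe
"""

RENAME_RECORDS = r"""
File renamed C:\Users\Admin\Pictures\ConnectResume.raw => C:\Users\Admin\Pictures\ConnectResume.raw.jsgXuC fa4c4ac8b9c1b14951ae8add855f34e8.exe
File opened for modification C:\Users\Admin\Pictures\ConnectResume.raw.jsgXuC fa4c4ac8b9c1b14951ae8add855f34e8.exe
File renamed C:\Users\Admin\Pictures\SendInstall.png => C:\Users\Admin\Pictures\SendInstall.png.jsgXuC fa4c4ac8b9c1b14951ae8add855f34e8.exe
File opened for modification C:\Users\Admin\Pictures\RepairWatch.tiff fa4c4ac8b9c1b14951ae8add855f34e8.exe
File renamed C:\Users\Admin\Pictures\ResetHide.raw => C:\Users\Admin\Pictures\ResetHide.raw.jsgXuC fa4c4ac8b9c1b14951ae8add855f34e8.exe
File renamed C:\Users\Admin\Pictures\RepairWatch.tiff => C:\Users\Admin\Pictures\RepairWatch.tiff.jsgXuC fa4c4ac8b9c1b14951ae8add855f34e8.exe
File renamed C:\Users\Admin\Pictures\UnprotectFormat.raw => C:\Users\Admin\Pictures\UnprotectFormat.raw.jsgXuC fa4c4ac8b9c1b14951ae8add855f34e8.exe
File renamed C:\Users\Admin\Pictures\ResumeComplete.crw => C:\Users\Admin\Pictures\ResumeComplete.crw.jsgXuC fa4c4ac8b9c1b14951ae8add855f34e8.exe
File renamed C:\Users\Admin\Pictures\SubmitRestart.raw => C:\Users\Admin\Pictures\SubmitRestart.raw.jsgXuC fa4c4ac8b9c1b14951ae8add855f34e8.exe
"""

# A drive-letter path already holds one colon, so the stream name is whatever
# follows the next colon; the path group therefore excludes further colons.
ADS_RE = re.compile(
    r"^File (?:created|opened for modification) "
    r"(?P<path>[A-Za-z]:[^:]+):(?P<stream>\S+) (?P<proc>\S+)$"
)
# Lazy groups so paths containing spaces still parse; the process name is
# always the last whitespace-delimited token.
RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+?) (?P<proc>\S+)$")


def parse_ads(text):
    """Map each host file to the set of alternate data streams touched on it."""
    streams = defaultdict(set)
    for line in text.splitlines():
        m = ADS_RE.match(line.strip())
        if m:
            streams[m["path"]].add(m["stream"])
    return dict(streams)


def parse_renames(text):
    """(source, destination) for every 'File renamed' row, in report order."""
    matches = (RENAME_RE.match(line.strip()) for line in text.splitlines())
    return [(m["src"], m["dst"]) for m in matches if m]


def marker_extensions(pairs):
    """Suffix appended to each renamed file. A sample that tags victims with
    one marker extension yields a single-element set; anything else means the
    renames are not a uniform encrypt-and-tag pass and deserve a closer look."""
    return {dst[len(src):] for src, dst in pairs if dst.startswith(src)}


def encrypted_files(pairs):
    """Original file names (before the marker) that the sample renamed, sorted."""
    return sorted(src.rsplit("\\", 1)[-1] for src, _ in pairs)


def opened_under_original_name(text, pairs):
    """Renamed files that the report also shows opened for modification under
    their pre-rename name (here the in-place write is visible separately)."""
    renamed = {src for src, _ in pairs}
    prefix = "File opened for modification "
    opened = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(prefix):
            path = line[len(prefix):].rsplit(" ", 1)[0]
            if path in renamed:
                opened.add(path.rsplit("\\", 1)[-1])
    return sorted(opened)


def summarize():
    """All file-system indicators from the two constructed record sets."""
    pairs = parse_renames(RENAME_RECORDS)
    return {
        "ads_streams": parse_ads(ADS_RECORDS),
        "marker_extensions": marker_extensions(pairs),
        "encrypted_files": encrypted_files(pairs),
        "opened_under_original_name": opened_under_original_name(RENAME_RECORDS, pairs),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run the file directly to print the summary. The useful check is that marker_extensions returns exactly one element, which separates a uniform encrypt-and-tag pass from a sample that renames into several extensions. The ADS grouping shows the same pattern a host check would reveal: one innocuous-looking file in %TEMP% carrying several randomly named streams.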
- Exorcist
  Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
- Suspicious use of WriteProcessMemory (555 IoCs)
  In the original listing every parent -> child pair appears three times (the parent writes into the new child's address space before it starts). The table below collapses them to one row per pair, in report order; "sample" stands for fa4c4ac8b9c1b14951ae8add855f34e8.exe. procid_target is the sandbox's own process index, which, unlike the pid, is never reused: pids 1460, 1544, 1660, 1864, 2304, 3164 and 3776 each name two different processes in this table. Child images are not named in these rows; the annotations come from the other sections of this report. The listing is cut off mid-row at the end, and the rows after it are not on this page.

  parent pid  parent image  child pid  procid_target
  3816        sample        3448       67
  3448        cmd.exe       2692       69     (WMIC.exe, per the AdjustPrivilegeToken section)
  3816        sample        1032       72
  3816        sample        1252       74
  3816        sample        1460       76
  3816        sample        1660       78
  3816        sample        1864       80
  1864        cmd.exe       2116       82     (vssadmin.exe, per "Interacts with shadow copies")
  3816        sample        2304       83
  3816        sample        2580       85
  2580        cmd.exe       2648       87     (taskkill.exe; this and the cmd.exe children below match the SeDebugPrivilege pids in the AdjustPrivilegeToken section, except where noted)
  3816        sample        3828       89
  3828        cmd.exe       3692       91
  3816        sample        3800       92
  3800        cmd.exe       3328       94
  3816        sample        1544       95
  1544        cmd.exe       3572       97
  3816        sample        3376       98
  3376        cmd.exe       2824       100
  3816        sample        2732       101
  2732        cmd.exe       2804       103
  3816        sample        3552       104
  3552        cmd.exe       3556       106
  3816        sample        3004       107
  3004        cmd.exe       504        109
  3816        sample        3296       110
  3296        cmd.exe       1220       112
  3816        sample        1344       113
  1344        cmd.exe       1580       115
  3816        sample        1660       116
  1660        cmd.exe       2312       118
  3816        sample        1864       119
  1864        cmd.exe       2304       121
  3816        sample        3820       122
  3820        cmd.exe       2552       124
  3816        sample        3864       125
  3864        cmd.exe       2176       127
  3816        sample        3952       128
  3952        cmd.exe       3796       130
  3816        sample        3164       131
  3164        cmd.exe       996        133
  3816        sample        3776       134
  3776        cmd.exe       3544       136
  3816        sample        2876       137
  2876        cmd.exe       3824       139
  3816        sample        3008       140
  3008        cmd.exe       3724       142
  3816        sample        3872       143
  3872        cmd.exe       852        145
  3816        sample        1948       146
  1948        cmd.exe       1096       148
  3816        sample        1740       149
  1740        cmd.exe       1460       151
  3816        sample        2316       152
  2316        cmd.exe       2300       154
  3816        sample        2544       155
  2544        cmd.exe       2576       157
  3816        sample        2592       158
  2592        cmd.exe       2644       160
  3816        sample        3852       161
  3852        cmd.exe       3860       163
  3816        sample        3240       164
  3240        cmd.exe       3928       166    (pid 3928 does not appear in the taskkill SeDebugPrivilege list)
  3816        sample        3964       167
  3964        cmd.exe       1544       169    (pid 1544 does not appear in the taskkill SeDebugPrivilege list)
  3816        sample        3164       170
  3164        cmd.exe       728        172
  3816        sample        3776       173
  3776        cmd.exe       3688       175
  3816        sample        3288       176
  3288        cmd.exe       3700       178
  3816        sample        2180       (row cut off at the end of the listing)

  The children at procid 72, 74, 76, 78 and 83 (pids 1032, 1252, 1460, 1660, 2304) have no recorded children of their own and are not named anywhere on this page.
fa4c4ac8b9c1b14951ae8add855f34e8.exe 179 PID 3816 wrote to memory of 2180 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 179 PID 3816 wrote to memory of 2180 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 179 PID 2180 wrote to memory of 500 2180 cmd.exe 181 PID 2180 wrote to memory of 500 2180 cmd.exe 181 PID 2180 wrote to memory of 500 2180 cmd.exe 181 PID 3816 wrote to memory of 488 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 182 PID 3816 wrote to memory of 488 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 182 PID 3816 wrote to memory of 488 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 182 PID 488 wrote to memory of 3296 488 cmd.exe 184 PID 488 wrote to memory of 3296 488 cmd.exe 184 PID 488 wrote to memory of 3296 488 cmd.exe 184 PID 3816 wrote to memory of 1032 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 185 PID 3816 wrote to memory of 1032 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 185 PID 3816 wrote to memory of 1032 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 185 PID 1032 wrote to memory of 1344 1032 cmd.exe 187 PID 1032 wrote to memory of 1344 1032 cmd.exe 187 PID 1032 wrote to memory of 1344 1032 cmd.exe 187 PID 3816 wrote to memory of 1560 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 188 PID 3816 wrote to memory of 1560 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 188 PID 3816 wrote to memory of 1560 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 188 PID 1560 wrote to memory of 1660 1560 cmd.exe 190 PID 1560 wrote to memory of 1660 1560 cmd.exe 190 PID 1560 wrote to memory of 1660 1560 cmd.exe 190 PID 3816 wrote to memory of 2296 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 191 PID 3816 wrote to memory of 2296 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 191 PID 3816 wrote to memory of 2296 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 191 PID 2296 wrote to memory of 1864 2296 cmd.exe 193 PID 2296 wrote to memory of 1864 2296 cmd.exe 193 PID 2296 wrote to memory of 1864 2296 cmd.exe 193 PID 3816 wrote to memory of 2392 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 194 PID 3816 wrote to memory of 2392 
3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 194 PID 3816 wrote to memory of 2392 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 194 PID 2392 wrote to memory of 3820 2392 cmd.exe 196 PID 2392 wrote to memory of 3820 2392 cmd.exe 196 PID 2392 wrote to memory of 3820 2392 cmd.exe 196 PID 3816 wrote to memory of 2564 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 197 PID 3816 wrote to memory of 2564 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 197 PID 3816 wrote to memory of 2564 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 197 PID 2564 wrote to memory of 3864 2564 cmd.exe 199 PID 2564 wrote to memory of 3864 2564 cmd.exe 199 PID 2564 wrote to memory of 3864 2564 cmd.exe 199 PID 3816 wrote to memory of 3856 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 200 PID 3816 wrote to memory of 3856 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 200 PID 3816 wrote to memory of 3856 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 200 PID 3856 wrote to memory of 3952 3856 cmd.exe 202 PID 3856 wrote to memory of 3952 3856 cmd.exe 202 PID 3856 wrote to memory of 3952 3856 cmd.exe 202 PID 3816 wrote to memory of 3240 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 203 PID 3816 wrote to memory of 3240 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 203 PID 3816 wrote to memory of 3240 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 203 PID 3240 wrote to memory of 996 3240 cmd.exe 205 PID 3240 wrote to memory of 996 3240 cmd.exe 205 PID 3240 wrote to memory of 996 3240 cmd.exe 205 PID 3816 wrote to memory of 3420 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 206 PID 3816 wrote to memory of 3420 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 206 PID 3816 wrote to memory of 3420 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 206 PID 3420 wrote to memory of 8 3420 cmd.exe 208 PID 3420 wrote to memory of 8 3420 cmd.exe 208 PID 3420 wrote to memory of 8 3420 cmd.exe 208 PID 3816 wrote to memory of 3320 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 209 PID 3816 wrote to memory of 3320 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 209 PID 3816 wrote to memory of 
3320 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 209 PID 3320 wrote to memory of 3728 3320 cmd.exe 211 PID 3320 wrote to memory of 3728 3320 cmd.exe 211 PID 3320 wrote to memory of 3728 3320 cmd.exe 211 PID 3816 wrote to memory of 576 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 212 PID 3816 wrote to memory of 576 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 212 PID 3816 wrote to memory of 576 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 212 PID 576 wrote to memory of 3644 576 cmd.exe 214 PID 576 wrote to memory of 3644 576 cmd.exe 214 PID 576 wrote to memory of 3644 576 cmd.exe 214 PID 3816 wrote to memory of 1240 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 215 PID 3816 wrote to memory of 1240 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 215 PID 3816 wrote to memory of 1240 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 215 PID 1240 wrote to memory of 3880 1240 cmd.exe 217 PID 1240 wrote to memory of 3880 1240 cmd.exe 217 PID 1240 wrote to memory of 3880 1240 cmd.exe 217 PID 3816 wrote to memory of 1500 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 218 PID 3816 wrote to memory of 1500 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 218 PID 3816 wrote to memory of 1500 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 218 PID 1500 wrote to memory of 1248 1500 cmd.exe 220 PID 1500 wrote to memory of 1248 1500 cmd.exe 220 PID 1500 wrote to memory of 1248 1500 cmd.exe 220 PID 3816 wrote to memory of 1716 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 221 PID 3816 wrote to memory of 1716 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 221 PID 3816 wrote to memory of 1716 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 221 PID 1716 wrote to memory of 1872 1716 cmd.exe 223 PID 1716 wrote to memory of 1872 1716 cmd.exe 223 PID 1716 wrote to memory of 1872 1716 cmd.exe 223 PID 3816 wrote to memory of 1780 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 224 PID 3816 wrote to memory of 1780 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 224 PID 3816 wrote to memory of 1780 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 224 PID 1780 wrote to 
memory of 1908 1780 cmd.exe 226 PID 1780 wrote to memory of 1908 1780 cmd.exe 226 PID 1780 wrote to memory of 1908 1780 cmd.exe 226 PID 3816 wrote to memory of 3412 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 227 PID 3816 wrote to memory of 3412 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 227 PID 3816 wrote to memory of 3412 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 227 PID 3412 wrote to memory of 2656 3412 cmd.exe 229 PID 3412 wrote to memory of 2656 3412 cmd.exe 229 PID 3412 wrote to memory of 2656 3412 cmd.exe 229 PID 3816 wrote to memory of 3916 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 230 PID 3816 wrote to memory of 3916 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 230 PID 3816 wrote to memory of 3916 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 230 PID 3916 wrote to memory of 2184 3916 cmd.exe 232 PID 3916 wrote to memory of 2184 3916 cmd.exe 232 PID 3916 wrote to memory of 2184 3916 cmd.exe 232 PID 3816 wrote to memory of 3948 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 233 PID 3816 wrote to memory of 3948 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 233 PID 3816 wrote to memory of 3948 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 233 PID 3948 wrote to memory of 3264 3948 cmd.exe 235 PID 3948 wrote to memory of 3264 3948 cmd.exe 235 PID 3948 wrote to memory of 3264 3948 cmd.exe 235 PID 3816 wrote to memory of 3328 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 236 PID 3816 wrote to memory of 3328 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 236 PID 3816 wrote to memory of 3328 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 236 PID 3328 wrote to memory of 1592 3328 cmd.exe 238 PID 3328 wrote to memory of 1592 3328 cmd.exe 238 PID 3328 wrote to memory of 1592 3328 cmd.exe 238 PID 3816 wrote to memory of 3196 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 239 PID 3816 wrote to memory of 3196 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 239 PID 3816 wrote to memory of 3196 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 239 PID 3196 wrote to memory of 3384 3196 cmd.exe 241 PID 3196 wrote to memory of 3384 
3196 cmd.exe 241 PID 3196 wrote to memory of 3384 3196 cmd.exe 241 PID 3816 wrote to memory of 3612 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 242 PID 3816 wrote to memory of 3612 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 242 PID 3816 wrote to memory of 3612 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 242 PID 3612 wrote to memory of 3376 3612 cmd.exe 244 PID 3612 wrote to memory of 3376 3612 cmd.exe 244 PID 3612 wrote to memory of 3376 3612 cmd.exe 244 PID 3816 wrote to memory of 3776 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 245 PID 3816 wrote to memory of 3776 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 245 PID 3816 wrote to memory of 3776 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 245 PID 3776 wrote to memory of 3688 3776 cmd.exe 247 PID 3776 wrote to memory of 3688 3776 cmd.exe 247 PID 3776 wrote to memory of 3688 3776 cmd.exe 247 PID 3816 wrote to memory of 3288 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 248 PID 3816 wrote to memory of 3288 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 248 PID 3816 wrote to memory of 3288 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 248 PID 3288 wrote to memory of 3700 3288 cmd.exe 250 PID 3288 wrote to memory of 3700 3288 cmd.exe 250 PID 3288 wrote to memory of 3700 3288 cmd.exe 250 PID 3816 wrote to memory of 2180 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 251 PID 3816 wrote to memory of 2180 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 251 PID 3816 wrote to memory of 2180 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 251 PID 2180 wrote to memory of 500 2180 cmd.exe 253 PID 2180 wrote to memory of 500 2180 cmd.exe 253 PID 2180 wrote to memory of 500 2180 cmd.exe 253 PID 3816 wrote to memory of 488 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 254 PID 3816 wrote to memory of 488 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 254 PID 3816 wrote to memory of 488 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 254 PID 488 wrote to memory of 3296 488 cmd.exe 256 PID 488 wrote to memory of 3296 488 cmd.exe 256 PID 488 wrote to memory of 3296 488 cmd.exe 256 PID 3816 
wrote to memory of 1032 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 257 PID 3816 wrote to memory of 1032 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 257 PID 3816 wrote to memory of 1032 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 257 PID 1032 wrote to memory of 1344 1032 cmd.exe 259 PID 1032 wrote to memory of 1344 1032 cmd.exe 259 PID 1032 wrote to memory of 1344 1032 cmd.exe 259 PID 3816 wrote to memory of 1560 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 260 PID 3816 wrote to memory of 1560 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 260 PID 3816 wrote to memory of 1560 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 260 PID 1560 wrote to memory of 1660 1560 cmd.exe 262 PID 1560 wrote to memory of 1660 1560 cmd.exe 262 PID 1560 wrote to memory of 1660 1560 cmd.exe 262 PID 3816 wrote to memory of 2296 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 263 PID 3816 wrote to memory of 2296 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 263 PID 3816 wrote to memory of 2296 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 263 PID 2296 wrote to memory of 1864 2296 cmd.exe 265 PID 2296 wrote to memory of 1864 2296 cmd.exe 265 PID 2296 wrote to memory of 1864 2296 cmd.exe 265 PID 3816 wrote to memory of 2392 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 266 PID 3816 wrote to memory of 2392 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 266 PID 3816 wrote to memory of 2392 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 266 PID 2392 wrote to memory of 3820 2392 cmd.exe 268 PID 2392 wrote to memory of 3820 2392 cmd.exe 268 PID 2392 wrote to memory of 3820 2392 cmd.exe 268 PID 3816 wrote to memory of 2564 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 269 PID 3816 wrote to memory of 2564 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 269 PID 3816 wrote to memory of 2564 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 269 PID 2564 wrote to memory of 3864 2564 cmd.exe 271 PID 2564 wrote to memory of 3864 2564 cmd.exe 271 PID 2564 wrote to memory of 3864 2564 cmd.exe 271 PID 3816 wrote to memory of 3856 3816 
fa4c4ac8b9c1b14951ae8add855f34e8.exe 272 PID 3816 wrote to memory of 3856 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 272 PID 3816 wrote to memory of 3856 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 272 PID 3856 wrote to memory of 3952 3856 cmd.exe 274 PID 3856 wrote to memory of 3952 3856 cmd.exe 274 PID 3856 wrote to memory of 3952 3856 cmd.exe 274 PID 3816 wrote to memory of 3240 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 275 PID 3816 wrote to memory of 3240 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 275 PID 3816 wrote to memory of 3240 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 275 PID 3240 wrote to memory of 996 3240 cmd.exe 277 PID 3240 wrote to memory of 996 3240 cmd.exe 277 PID 3240 wrote to memory of 996 3240 cmd.exe 277 PID 3816 wrote to memory of 3420 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 278 PID 3816 wrote to memory of 3420 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 278 PID 3816 wrote to memory of 3420 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 278 PID 3420 wrote to memory of 8 3420 cmd.exe 280 PID 3420 wrote to memory of 8 3420 cmd.exe 280 PID 3420 wrote to memory of 8 3420 cmd.exe 280 PID 3816 wrote to memory of 3320 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 281 PID 3816 wrote to memory of 3320 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 281 PID 3816 wrote to memory of 3320 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 281 PID 3320 wrote to memory of 3728 3320 cmd.exe 283 PID 3320 wrote to memory of 3728 3320 cmd.exe 283 PID 3320 wrote to memory of 3728 3320 cmd.exe 283 PID 3816 wrote to memory of 576 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 284 PID 3816 wrote to memory of 576 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 284 PID 3816 wrote to memory of 576 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 284 PID 576 wrote to memory of 3180 576 cmd.exe 286 PID 576 wrote to memory of 3180 576 cmd.exe 286 PID 576 wrote to memory of 3180 576 cmd.exe 286 PID 3816 wrote to memory of 1240 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 287 PID 3816 wrote to memory of 1240 3816 
fa4c4ac8b9c1b14951ae8add855f34e8.exe 287 PID 3816 wrote to memory of 1240 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 287 PID 1240 wrote to memory of 3880 1240 cmd.exe 289 PID 1240 wrote to memory of 3880 1240 cmd.exe 289 PID 1240 wrote to memory of 3880 1240 cmd.exe 289 PID 3816 wrote to memory of 1500 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 290 PID 3816 wrote to memory of 1500 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 290 PID 3816 wrote to memory of 1500 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 290 PID 1500 wrote to memory of 1248 1500 cmd.exe 292 PID 1500 wrote to memory of 1248 1500 cmd.exe 292 PID 1500 wrote to memory of 1248 1500 cmd.exe 292 PID 3816 wrote to memory of 1716 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 293 PID 3816 wrote to memory of 1716 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 293 PID 3816 wrote to memory of 1716 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 293 PID 1716 wrote to memory of 1872 1716 cmd.exe 295 PID 1716 wrote to memory of 1872 1716 cmd.exe 295 PID 1716 wrote to memory of 1872 1716 cmd.exe 295 PID 3816 wrote to memory of 1780 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 296 PID 3816 wrote to memory of 1780 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 296 PID 3816 wrote to memory of 1780 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 296 PID 1780 wrote to memory of 1908 1780 cmd.exe 298 PID 1780 wrote to memory of 1908 1780 cmd.exe 298 PID 1780 wrote to memory of 1908 1780 cmd.exe 298 PID 3816 wrote to memory of 3412 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 299 PID 3816 wrote to memory of 3412 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 299 PID 3816 wrote to memory of 3412 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 299 PID 3412 wrote to memory of 2656 3412 cmd.exe 301 PID 3412 wrote to memory of 2656 3412 cmd.exe 301 PID 3412 wrote to memory of 2656 3412 cmd.exe 301 PID 3816 wrote to memory of 3916 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 302 PID 3816 wrote to memory of 3916 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 302 PID 3816 wrote to 
memory of 3916 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 302 PID 3916 wrote to memory of 2184 3916 cmd.exe 304 PID 3916 wrote to memory of 2184 3916 cmd.exe 304 PID 3916 wrote to memory of 2184 3916 cmd.exe 304 PID 3816 wrote to memory of 3948 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 305 PID 3816 wrote to memory of 3948 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 305 PID 3816 wrote to memory of 3948 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 305 PID 3948 wrote to memory of 3264 3948 cmd.exe 307 PID 3948 wrote to memory of 3264 3948 cmd.exe 307 PID 3948 wrote to memory of 3264 3948 cmd.exe 307 PID 3816 wrote to memory of 3328 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 308 PID 3816 wrote to memory of 3328 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 308 PID 3816 wrote to memory of 3328 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 308 PID 3328 wrote to memory of 1592 3328 cmd.exe 310 PID 3328 wrote to memory of 1592 3328 cmd.exe 310 PID 3328 wrote to memory of 1592 3328 cmd.exe 310 PID 3816 wrote to memory of 3196 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 311 PID 3816 wrote to memory of 3196 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 311 PID 3816 wrote to memory of 3196 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 311 PID 3196 wrote to memory of 3384 3196 cmd.exe 313 PID 3196 wrote to memory of 3384 3196 cmd.exe 313 PID 3196 wrote to memory of 3384 3196 cmd.exe 313 PID 3816 wrote to memory of 3612 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 314 PID 3816 wrote to memory of 3612 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 314 PID 3816 wrote to memory of 3612 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 314 PID 3612 wrote to memory of 3376 3612 cmd.exe 316 PID 3612 wrote to memory of 3376 3612 cmd.exe 316 PID 3612 wrote to memory of 3376 3612 cmd.exe 316 PID 3816 wrote to memory of 3776 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 317 PID 3816 wrote to memory of 3776 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 317 PID 3816 wrote to memory of 3776 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 317 PID 
3776 wrote to memory of 3688 3776 cmd.exe 319 PID 3776 wrote to memory of 3688 3776 cmd.exe 319 PID 3776 wrote to memory of 3688 3776 cmd.exe 319 PID 3816 wrote to memory of 3288 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 320 PID 3816 wrote to memory of 3288 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 320 PID 3816 wrote to memory of 3288 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 320 PID 3288 wrote to memory of 3700 3288 cmd.exe 322 PID 3288 wrote to memory of 3700 3288 cmd.exe 322 PID 3288 wrote to memory of 3700 3288 cmd.exe 322 PID 3816 wrote to memory of 2180 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 323 PID 3816 wrote to memory of 2180 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 323 PID 3816 wrote to memory of 2180 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 323 PID 2180 wrote to memory of 500 2180 cmd.exe 325 PID 2180 wrote to memory of 500 2180 cmd.exe 325 PID 2180 wrote to memory of 500 2180 cmd.exe 325 PID 3816 wrote to memory of 488 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 326 PID 3816 wrote to memory of 488 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 326 PID 3816 wrote to memory of 488 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 326 PID 488 wrote to memory of 3296 488 cmd.exe 328 PID 488 wrote to memory of 3296 488 cmd.exe 328 PID 488 wrote to memory of 3296 488 cmd.exe 328 PID 3816 wrote to memory of 1032 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 329 PID 3816 wrote to memory of 1032 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 329 PID 3816 wrote to memory of 1032 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 329 PID 1032 wrote to memory of 1344 1032 cmd.exe 331 PID 1032 wrote to memory of 1344 1032 cmd.exe 331 PID 1032 wrote to memory of 1344 1032 cmd.exe 331 PID 3816 wrote to memory of 1560 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 332 PID 3816 wrote to memory of 1560 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 332 PID 3816 wrote to memory of 1560 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 332 PID 1560 wrote to memory of 1660 1560 cmd.exe 334 PID 1560 wrote to memory of 
1660 1560 cmd.exe 334 PID 1560 wrote to memory of 1660 1560 cmd.exe 334 PID 3816 wrote to memory of 2296 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 335 PID 3816 wrote to memory of 2296 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 335 PID 3816 wrote to memory of 2296 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 335 PID 2296 wrote to memory of 1864 2296 cmd.exe 337 PID 2296 wrote to memory of 1864 2296 cmd.exe 337 PID 2296 wrote to memory of 1864 2296 cmd.exe 337 PID 3816 wrote to memory of 2392 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 338 PID 3816 wrote to memory of 2392 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 338 PID 3816 wrote to memory of 2392 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 338 PID 2392 wrote to memory of 3820 2392 cmd.exe 340 PID 2392 wrote to memory of 3820 2392 cmd.exe 340 PID 2392 wrote to memory of 3820 2392 cmd.exe 340 PID 3816 wrote to memory of 2564 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 341 PID 3816 wrote to memory of 2564 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 341 PID 3816 wrote to memory of 2564 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 341 PID 2564 wrote to memory of 3864 2564 cmd.exe 343 PID 2564 wrote to memory of 3864 2564 cmd.exe 343 PID 2564 wrote to memory of 3864 2564 cmd.exe 343 PID 3816 wrote to memory of 3856 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 344 PID 3816 wrote to memory of 3856 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 344 PID 3816 wrote to memory of 3856 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 344 PID 3856 wrote to memory of 3952 3856 cmd.exe 346 PID 3856 wrote to memory of 3952 3856 cmd.exe 346 PID 3856 wrote to memory of 3952 3856 cmd.exe 346 PID 3816 wrote to memory of 3264 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 355 PID 3816 wrote to memory of 3264 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 355 PID 3816 wrote to memory of 3264 3816 fa4c4ac8b9c1b14951ae8add855f34e8.exe 355 PID 3264 wrote to memory of 684 3264 cmd.exe 357 PID 3264 wrote to memory of 684 3264 cmd.exe 357 PID 3264 wrote to memory of 684 3264 cmd.exe 357
Kills process with taskkill 87 IoCs
pid Process 504 taskkill.exe 3824 taskkill.exe 852 taskkill.exe 3296 taskkill.exe 1344 taskkill.exe 3688 taskkill.exe 3952 taskkill.exe 2312 taskkill.exe 1908 taskkill.exe 1592 taskkill.exe 3384 taskkill.exe 3952 taskkill.exe 3296 taskkill.exe 3728 taskkill.exe 2804 taskkill.exe 1580 taskkill.exe 996 taskkill.exe 1460 taskkill.exe 1544 taskkill.exe 500 taskkill.exe 2184 taskkill.exe 2176 taskkill.exe 3724 taskkill.exe 1248 taskkill.exe 1908 taskkill.exe 1592 taskkill.exe 728 taskkill.exe 1344 taskkill.exe 1864 taskkill.exe 996 taskkill.exe 3700 taskkill.exe 2648 taskkill.exe 3860 taskkill.exe 500 taskkill.exe 3644 taskkill.exe 3880 taskkill.exe 3264 taskkill.exe 3296 taskkill.exe 1660 taskkill.exe 1864 taskkill.exe 3820 taskkill.exe 2824 taskkill.exe 8 taskkill.exe 1872 taskkill.exe 3864 taskkill.exe 2656 taskkill.exe 3180 taskkill.exe 2552 taskkill.exe 2576 taskkill.exe 3820 taskkill.exe 8 taskkill.exe 3728 taskkill.exe 1248 taskkill.exe 1872 taskkill.exe 2184 taskkill.exe 3688 taskkill.exe 3864 taskkill.exe 3692 taskkill.exe 3688 taskkill.exe 3864 taskkill.exe 1864 taskkill.exe 3376 taskkill.exe 1344 taskkill.exe 1220 taskkill.exe 1096 taskkill.exe 2300 taskkill.exe 3700 taskkill.exe 3700 taskkill.exe 996 taskkill.exe 3880 taskkill.exe 3556 taskkill.exe 3796 taskkill.exe 2644 taskkill.exe 3928 taskkill.exe 3384 taskkill.exe 3328 taskkill.exe 3572 taskkill.exe 2304 taskkill.exe 3264 taskkill.exe 3376 taskkill.exe 1660 taskkill.exe 500 taskkill.exe 3544 taskkill.exe 1660 taskkill.exe 3820 taskkill.exe 3952 taskkill.exe 2656 taskkill.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d.bmp"
Process: fa4c4ac8b9c1b14951ae8add855f34e8.exe
Processes
C:\Users\Admin\AppData\Local\Temp\fa4c4ac8b9c1b14951ae8add855f34e8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa4c4ac8b9c1b14951ae8add855f34e8.exe"
  - Suspicious behavior: EnumeratesProcesses
  - NTFS ADS
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  - Sets desktop wallpaper using registry
  PID: 3816

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
    - Suspicious use of WriteProcessMemory
    PID: 3448

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic.exe SHADOWCOPY DELETE /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID: 2692

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
    PID: 1032

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
    PID: 1252

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C bcdedit.exe /set {default} recoveryenabled No
    PID: 1460

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    PID: 1660

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C vssadmin.exe Delete Shadows /All /Quiet
    - Suspicious use of WriteProcessMemory
    PID: 1864

    C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID: 2116

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C C:\Windows\system32\vssvc.exe
    PID: 2304

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM wxServer*
    - Suspicious use of WriteProcessMemory
    PID: 2580

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM wxServer*
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
      PID: 2648

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM wxServerView*
    - Suspicious use of WriteProcessMemory
    PID: 3828

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM wxServerView*
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
      PID: 3692

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM sqlmangr*
    - Suspicious use of WriteProcessMemory
    PID: 3800

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM sqlmangr*
      - Suspicious use of AdjustPrivilegeToken
      PID: 3328

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM RAgui*
    - Suspicious use of WriteProcessMemory
    PID: 1544

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM RAgui*
      - Suspicious use of AdjustPrivilegeToken
      PID: 3572

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM supervise*
    - Suspicious use of WriteProcessMemory
    PID: 3376

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM supervise*
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
      PID: 2824

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM Culture*
    - Suspicious use of WriteProcessMemory
    PID: 2732

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM Culture*
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
      PID: 2804

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM Defwatch*
    PID: 3552

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM Defwatch*
      - Suspicious use of AdjustPrivilegeToken
      PID: 3556

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM winword*
    PID: 3004

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM winword*
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
      PID: 504

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM QBW32*
    PID: 3296

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM QBW32*
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
      PID: 1220

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM QBDBMgr*
    PID: 1344

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM QBDBMgr*
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
      PID: 1580

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM qbupdate*
    PID: 1660

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM qbupdate*
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
      PID: 2312

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM axlbridge*
    PID: 1864

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM axlbridge*
      - Suspicious use of AdjustPrivilegeToken
      PID: 2304

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM httpd*
    PID: 3820

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM httpd*
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
      PID: 2552

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM fdlauncher*
    PID: 3864

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM fdlauncher*
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
      PID: 2176

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM MsDtSrvr*
    PID: 3952

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM MsDtSrvr*
      - Suspicious use of AdjustPrivilegeToken
      PID: 3796

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM java*
    PID: 3164

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM java*
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
      PID: 996

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM 360se*
    PID: 3776

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM 360se*
      - Suspicious use of AdjustPrivilegeToken
      PID: 3544

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM 360doctor*
    PID: 2876

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM 360doctor*
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
      PID: 3824

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM wdswfsafe*
    PID: 3008

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM wdswfsafe*
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
      PID: 3724

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM fdhost*
    PID: 3872

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM fdhost*
      - Kills process with taskkill
      PID: 852

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM GDscan*
    PID: 1948

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM GDscan*
      PID: 1096

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM ZhuDongFangYu*
    PID: 1740

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM ZhuDongFangYu*
      - Kills process with taskkill
      PID: 1460

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C taskkill /F /T /IM QBDBMgrN*
    PID: 2316

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /T /IM QBDBMgrN*
      PID: 2300
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM mysqld*2⤵PID:2544
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM mysqld*3⤵
- Kills process with taskkill
PID:2576
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM AutodeskDesktopApp*2⤵PID:2592
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM AutodeskDesktopApp*3⤵PID:2644
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM acwebbrowser*2⤵PID:3852
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM acwebbrowser*3⤵
- Kills process with taskkill
PID:3860
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Creative Cloud*2⤵PID:3240
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Creative Cloud*3⤵PID:3928
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Adobe Desktop Service*2⤵PID:3964
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Adobe Desktop Service*3⤵
- Kills process with taskkill
PID:1544
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM CoreSync*2⤵PID:3164
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM CoreSync*3⤵
- Kills process with taskkill
PID:728
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Adobe CEF Helper*2⤵PID:3776
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Adobe CEF Helper*3⤵
- Kills process with taskkill
PID:3688
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM node*2⤵PID:3288
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM node*3⤵PID:3700
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM AdobeIPCBroker*2⤵PID:2180
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM AdobeIPCBroker*3⤵
- Kills process with taskkill
PID:500
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM sync-taskbar*2⤵PID:488
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM sync-taskbar*3⤵
- Kills process with taskkill
PID:3296
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM sync-worker*2⤵PID:1032
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM sync-worker*3⤵
- Kills process with taskkill
PID:1344
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM InputPersonalization*2⤵PID:1560
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM InputPersonalization*3⤵PID:1660
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM AdobeCollabSync*2⤵PID:2296
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM AdobeCollabSync*3⤵
- Kills process with taskkill
PID:1864
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM BrCtrlCntr*2⤵PID:2392
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM BrCtrlCntr*3⤵
- Kills process with taskkill
PID:3820
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM BrCcUxSys*2⤵PID:2564
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM BrCcUxSys*3⤵
- Kills process with taskkill
PID:3864
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SimplyConnectionManager*2⤵PID:3856
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SimplyConnectionManager*3⤵
- Kills process with taskkill
PID:3952
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Simply.SystemTrayIcon*2⤵PID:3240
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Simply.SystemTrayIcon*3⤵
- Kills process with taskkill
PID:996
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM fbguard*2⤵PID:3420
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM fbguard*3⤵
- Kills process with taskkill
PID:8
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM fbserver*2⤵PID:3320
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM fbserver*3⤵
- Kills process with taskkill
PID:3728
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM ONENOTEM*2⤵PID:576
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM ONENOTEM*3⤵
- Kills process with taskkill
PID:3644
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM wrapper*2⤵PID:1240
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM wrapper*3⤵
- Kills process with taskkill
PID:3880
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM DefWatch*2⤵PID:1500
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM DefWatch*3⤵
- Kills process with taskkill
PID:1248
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM ccEvtMgr*2⤵PID:1716
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM ccEvtMgr*3⤵
- Kills process with taskkill
PID:1872
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM ccSetMgr*2⤵PID:1780
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM ccSetMgr*3⤵
- Kills process with taskkill
PID:1908
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SavRoam*2⤵PID:3412
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SavRoam*3⤵
- Kills process with taskkill
PID:2656
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Sqlservr*2⤵PID:3916
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Sqlservr*3⤵
- Kills process with taskkill
PID:2184
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM sqlagent*2⤵PID:3948
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM sqlagent*3⤵PID:3264
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM sqladhlp*2⤵PID:3328
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM sqladhlp*3⤵
- Kills process with taskkill
PID:1592
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Culserver*2⤵PID:3196
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Culserver*3⤵
- Kills process with taskkill
PID:3384
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM RTVscan*2⤵PID:3612
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM RTVscan*3⤵PID:3376
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM sqlbrowser*2⤵PID:3776
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM sqlbrowser*3⤵
- Kills process with taskkill
PID:3688
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLADHLP*2⤵PID:3288
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLADHLP*3⤵
- Kills process with taskkill
PID:3700
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM QBIDPService*2⤵PID:2180
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM QBIDPService*3⤵
- Kills process with taskkill
PID:500
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*2⤵PID:488
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Intuit.QuickBooks.FCS*3⤵
- Kills process with taskkill
PID:3296
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM QBCFMonitorService*2⤵PID:1032
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM QBCFMonitorService*3⤵
- Kills process with taskkill
PID:1344
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM sqlwriter*2⤵PID:1560
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM sqlwriter*3⤵PID:1660
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM msmdsrv*2⤵PID:2296
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM msmdsrv*3⤵
- Kills process with taskkill
PID:1864
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM tomcat6*2⤵PID:2392
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM tomcat6*3⤵PID:3820
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM zhudongfangyu*2⤵PID:2564
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM zhudongfangyu*3⤵
- Kills process with taskkill
PID:3864
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM vmware-usbarbitator64*2⤵PID:3856
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM vmware-usbarbitator64*3⤵PID:3952
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM vmware-converter*2⤵PID:3240
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM vmware-converter*3⤵PID:996
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM dbsrv12*2⤵PID:3420
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM dbsrv12*3⤵
- Kills process with taskkill
PID:8
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM dbeng8*2⤵PID:3320
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM dbeng8*3⤵
- Kills process with taskkill
PID:3728
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*2⤵PID:576
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$MICROSOFT##WID*3⤵
- Kills process with taskkill
PID:3180
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*2⤵PID:1240
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$VEEAMSQL2012*3⤵PID:3880
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*2⤵PID:1500
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLAgent$VEEAMSQL2012*3⤵
- Kills process with taskkill
PID:1248
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLBrowser*2⤵PID:1716
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLBrowser*3⤵
- Kills process with taskkill
PID:1872
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLWriter*2⤵PID:1780
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLWriter*3⤵
- Kills process with taskkill
PID:1908
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM FishbowlMySQL*2⤵PID:3412
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM FishbowlMySQL*3⤵PID:2656
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*2⤵PID:3916
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$MICROSOFT##WID*3⤵
- Kills process with taskkill
PID:2184
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MySQL57*2⤵PID:3948
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MySQL57*3⤵
- Kills process with taskkill
PID:3264
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*2⤵PID:3328
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*3⤵
- Kills process with taskkill
PID:1592
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQLServerADHelper100*2⤵PID:3196
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQLServerADHelper100*3⤵PID:3384
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*2⤵PID:3612
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*3⤵
- Kills process with taskkill
PID:3376
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM msftesql-Exchange*2⤵PID:3776
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM msftesql-Exchange*3⤵
- Kills process with taskkill
PID:3688
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*2⤵PID:3288
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$MICROSOFT##SSEE*3⤵PID:3700
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*2⤵PID:2180
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$SBSMONITORING*3⤵PID:500
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*2⤵PID:488
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$SHAREPOINT*3⤵
- Kills process with taskkill
PID:3296
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*2⤵PID:1032
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*3⤵
- Kills process with taskkill
PID:1344
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*2⤵PID:1560
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*3⤵
- Kills process with taskkill
PID:1660
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*2⤵PID:2296
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLAgent$SBSMONITORING*3⤵
- Kills process with taskkill
PID:1864
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*2⤵PID:2392
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLAgent$SHAREPOINT*3⤵
- Kills process with taskkill
PID:3820
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM QBFCService*2⤵PID:2564
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM QBFCService*3⤵
- Kills process with taskkill
PID:3864
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM QBVSS*2⤵PID:3856
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM QBVSS*3⤵
- Kills process with taskkill
PID:3952
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C timeout /T 15 /NOBREAK && del "C:\Users\Admin\AppData\Local\Temp\fa4c4ac8b9c1b14951ae8add855f34e8.exe" /F2⤵PID:3264
-
C:\Windows\SysWOW64\timeout.exetimeout /T 15 /NOBREAK3⤵
- Delays execution with timeout.exe
PID:684
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:992