exorcist | 6db3aae21a6d80857c85f58c4c8b2cf9c6b7f8b8a9ab1d5496d18eaf9bd0bd01

Analysis

max time kernel
17s
max time network
41s
platform
windows10_x64
resource
win10
submitted
24-07-2020 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4009abe9f41da41e48340c96e29d62c.exe
Size

43KB
MD5

f4009abe9f41da41e48340c96e29d62c
SHA1

01636cd2ab7eada533ded51728acd8cd99020c57
SHA256

6db3aae21a6d80857c85f58c4c8b2cf9c6b7f8b8a9ab1d5496d18eaf9bd0bd01
SHA512

4bdd711818c29c01dd532c13c23155ee0450a7f1f3ad7d92c45952f59b8ee947ab5876688e8971dfd094f7f494003106e9ad9b470cf99bccbd53f545900c9a15

Score

10^/10

ransomware exorcist persistence

Malware Config

Signatures

Suspicious use of WriteProcessMemory 549 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 3896	3236	f4009abe9f41da41e48340c96e29d62c.exe	68
PID 3236 wrote to memory of 3896	3236	f4009abe9f41da41e48340c96e29d62c.exe	68
PID 3236 wrote to memory of 3896	3236	f4009abe9f41da41e48340c96e29d62c.exe	68
PID 3896 wrote to memory of 3904	3896	cmd.exe	70
PID 3896 wrote to memory of 3904	3896	cmd.exe	70
PID 3896 wrote to memory of 3904	3896	cmd.exe	70
PID 3236 wrote to memory of 2908	3236	f4009abe9f41da41e48340c96e29d62c.exe	73
PID 3236 wrote to memory of 2908	3236	f4009abe9f41da41e48340c96e29d62c.exe	73
PID 3236 wrote to memory of 2908	3236	f4009abe9f41da41e48340c96e29d62c.exe	73
PID 3236 wrote to memory of 3916	3236	f4009abe9f41da41e48340c96e29d62c.exe	75
PID 3236 wrote to memory of 3916	3236	f4009abe9f41da41e48340c96e29d62c.exe	75
PID 3236 wrote to memory of 3916	3236	f4009abe9f41da41e48340c96e29d62c.exe	75
PID 3236 wrote to memory of 3952	3236	f4009abe9f41da41e48340c96e29d62c.exe	77
PID 3236 wrote to memory of 3952	3236	f4009abe9f41da41e48340c96e29d62c.exe	77
PID 3236 wrote to memory of 3952	3236	f4009abe9f41da41e48340c96e29d62c.exe	77
PID 3236 wrote to memory of 4056	3236	f4009abe9f41da41e48340c96e29d62c.exe	79
PID 3236 wrote to memory of 4056	3236	f4009abe9f41da41e48340c96e29d62c.exe	79
PID 3236 wrote to memory of 4056	3236	f4009abe9f41da41e48340c96e29d62c.exe	79
PID 3236 wrote to memory of 3692	3236	f4009abe9f41da41e48340c96e29d62c.exe	81
PID 3236 wrote to memory of 3692	3236	f4009abe9f41da41e48340c96e29d62c.exe	81
PID 3236 wrote to memory of 3692	3236	f4009abe9f41da41e48340c96e29d62c.exe	81
PID 3692 wrote to memory of 3772	3692	cmd.exe	83
PID 3692 wrote to memory of 3772	3692	cmd.exe	83
PID 3692 wrote to memory of 3772	3692	cmd.exe	83
PID 3236 wrote to memory of 3360	3236	f4009abe9f41da41e48340c96e29d62c.exe	84
PID 3236 wrote to memory of 3360	3236	f4009abe9f41da41e48340c96e29d62c.exe	84
PID 3236 wrote to memory of 3360	3236	f4009abe9f41da41e48340c96e29d62c.exe	84
PID 3236 wrote to memory of 3508	3236	f4009abe9f41da41e48340c96e29d62c.exe	86
PID 3236 wrote to memory of 3508	3236	f4009abe9f41da41e48340c96e29d62c.exe	86
PID 3236 wrote to memory of 3508	3236	f4009abe9f41da41e48340c96e29d62c.exe	86
PID 3508 wrote to memory of 3968	3508	cmd.exe	88
PID 3508 wrote to memory of 3968	3508	cmd.exe	88
PID 3508 wrote to memory of 3968	3508	cmd.exe	88
PID 3236 wrote to memory of 344	3236	f4009abe9f41da41e48340c96e29d62c.exe	90
PID 3236 wrote to memory of 344	3236	f4009abe9f41da41e48340c96e29d62c.exe	90
PID 3236 wrote to memory of 344	3236	f4009abe9f41da41e48340c96e29d62c.exe	90
PID 344 wrote to memory of 3872	344	cmd.exe	92
PID 344 wrote to memory of 3872	344	cmd.exe	92
PID 344 wrote to memory of 3872	344	cmd.exe	92
PID 3236 wrote to memory of 1624	3236	f4009abe9f41da41e48340c96e29d62c.exe	93
PID 3236 wrote to memory of 1624	3236	f4009abe9f41da41e48340c96e29d62c.exe	93
PID 3236 wrote to memory of 1624	3236	f4009abe9f41da41e48340c96e29d62c.exe	93
PID 1624 wrote to memory of 424	1624	cmd.exe	95
PID 1624 wrote to memory of 424	1624	cmd.exe	95
PID 1624 wrote to memory of 424	1624	cmd.exe	95
PID 3236 wrote to memory of 3768	3236	f4009abe9f41da41e48340c96e29d62c.exe	96
PID 3236 wrote to memory of 3768	3236	f4009abe9f41da41e48340c96e29d62c.exe	96
PID 3236 wrote to memory of 3768	3236	f4009abe9f41da41e48340c96e29d62c.exe	96
PID 3768 wrote to memory of 3068	3768	cmd.exe	98
PID 3768 wrote to memory of 3068	3768	cmd.exe	98
PID 3768 wrote to memory of 3068	3768	cmd.exe	98
PID 3236 wrote to memory of 3944	3236	f4009abe9f41da41e48340c96e29d62c.exe	99
PID 3236 wrote to memory of 3944	3236	f4009abe9f41da41e48340c96e29d62c.exe	99
PID 3236 wrote to memory of 3944	3236	f4009abe9f41da41e48340c96e29d62c.exe	99
PID 3944 wrote to memory of 588	3944	cmd.exe	101
PID 3944 wrote to memory of 588	3944	cmd.exe	101
PID 3944 wrote to memory of 588	3944	cmd.exe	101
PID 3236 wrote to memory of 3940	3236	f4009abe9f41da41e48340c96e29d62c.exe	102
PID 3236 wrote to memory of 3940	3236	f4009abe9f41da41e48340c96e29d62c.exe	102
PID 3236 wrote to memory of 3940	3236	f4009abe9f41da41e48340c96e29d62c.exe	102
PID 3940 wrote to memory of 3844	3940	cmd.exe	104
PID 3940 wrote to memory of 3844	3940	cmd.exe	104
PID 3940 wrote to memory of 3844	3940	cmd.exe	104
PID 3236 wrote to memory of 3536	3236	f4009abe9f41da41e48340c96e29d62c.exe	105
PID 3236 wrote to memory of 3536	3236	f4009abe9f41da41e48340c96e29d62c.exe	105
PID 3236 wrote to memory of 3536	3236	f4009abe9f41da41e48340c96e29d62c.exe	105
PID 3536 wrote to memory of 2192	3536	cmd.exe	107
PID 3536 wrote to memory of 2192	3536	cmd.exe	107
PID 3536 wrote to memory of 2192	3536	cmd.exe	107
PID 3236 wrote to memory of 3784	3236	f4009abe9f41da41e48340c96e29d62c.exe	108
PID 3236 wrote to memory of 3784	3236	f4009abe9f41da41e48340c96e29d62c.exe	108
PID 3236 wrote to memory of 3784	3236	f4009abe9f41da41e48340c96e29d62c.exe	108
PID 3784 wrote to memory of 2052	3784	cmd.exe	110
PID 3784 wrote to memory of 2052	3784	cmd.exe	110
PID 3784 wrote to memory of 2052	3784	cmd.exe	110
PID 3236 wrote to memory of 3292	3236	f4009abe9f41da41e48340c96e29d62c.exe	111
PID 3236 wrote to memory of 3292	3236	f4009abe9f41da41e48340c96e29d62c.exe	111
PID 3236 wrote to memory of 3292	3236	f4009abe9f41da41e48340c96e29d62c.exe	111
PID 3292 wrote to memory of 3448	3292	cmd.exe	113
PID 3292 wrote to memory of 3448	3292	cmd.exe	113
PID 3292 wrote to memory of 3448	3292	cmd.exe	113
PID 3236 wrote to memory of 3852	3236	f4009abe9f41da41e48340c96e29d62c.exe	114
PID 3236 wrote to memory of 3852	3236	f4009abe9f41da41e48340c96e29d62c.exe	114
PID 3236 wrote to memory of 3852	3236	f4009abe9f41da41e48340c96e29d62c.exe	114
PID 3852 wrote to memory of 564	3852	cmd.exe	116
PID 3852 wrote to memory of 564	3852	cmd.exe	116
PID 3852 wrote to memory of 564	3852	cmd.exe	116
PID 3236 wrote to memory of 2020	3236	f4009abe9f41da41e48340c96e29d62c.exe	117
PID 3236 wrote to memory of 2020	3236	f4009abe9f41da41e48340c96e29d62c.exe	117
PID 3236 wrote to memory of 2020	3236	f4009abe9f41da41e48340c96e29d62c.exe	117
PID 2020 wrote to memory of 3344	2020	cmd.exe	119
PID 2020 wrote to memory of 3344	2020	cmd.exe	119
PID 2020 wrote to memory of 3344	2020	cmd.exe	119
PID 3236 wrote to memory of 3968	3236	f4009abe9f41da41e48340c96e29d62c.exe	120
PID 3236 wrote to memory of 3968	3236	f4009abe9f41da41e48340c96e29d62c.exe	120
PID 3236 wrote to memory of 3968	3236	f4009abe9f41da41e48340c96e29d62c.exe	120
PID 3968 wrote to memory of 4056	3968	cmd.exe	122
PID 3968 wrote to memory of 4056	3968	cmd.exe	122
PID 3968 wrote to memory of 4056	3968	cmd.exe	122
PID 3236 wrote to memory of 3536	3236	f4009abe9f41da41e48340c96e29d62c.exe	123
PID 3236 wrote to memory of 3536	3236	f4009abe9f41da41e48340c96e29d62c.exe	123
PID 3236 wrote to memory of 3536	3236	f4009abe9f41da41e48340c96e29d62c.exe	123
PID 3536 wrote to memory of 1008	3536	cmd.exe	125
PID 3536 wrote to memory of 1008	3536	cmd.exe	125
PID 3536 wrote to memory of 1008	3536	cmd.exe	125
PID 3236 wrote to memory of 3832	3236	f4009abe9f41da41e48340c96e29d62c.exe	126
PID 3236 wrote to memory of 3832	3236	f4009abe9f41da41e48340c96e29d62c.exe	126
PID 3236 wrote to memory of 3832	3236	f4009abe9f41da41e48340c96e29d62c.exe	126
PID 3832 wrote to memory of 3848	3832	cmd.exe	128
PID 3832 wrote to memory of 3848	3832	cmd.exe	128
PID 3832 wrote to memory of 3848	3832	cmd.exe	128
PID 3236 wrote to memory of 1036	3236	f4009abe9f41da41e48340c96e29d62c.exe	129
PID 3236 wrote to memory of 1036	3236	f4009abe9f41da41e48340c96e29d62c.exe	129
PID 3236 wrote to memory of 1036	3236	f4009abe9f41da41e48340c96e29d62c.exe	129
PID 1036 wrote to memory of 3612	1036	cmd.exe	131
PID 1036 wrote to memory of 3612	1036	cmd.exe	131
PID 1036 wrote to memory of 3612	1036	cmd.exe	131
PID 3236 wrote to memory of 500	3236	f4009abe9f41da41e48340c96e29d62c.exe	132
PID 3236 wrote to memory of 500	3236	f4009abe9f41da41e48340c96e29d62c.exe	132
PID 3236 wrote to memory of 500	3236	f4009abe9f41da41e48340c96e29d62c.exe	132
PID 500 wrote to memory of 1192	500	cmd.exe	134
PID 500 wrote to memory of 1192	500	cmd.exe	134
PID 500 wrote to memory of 1192	500	cmd.exe	134
PID 3236 wrote to memory of 588	3236	f4009abe9f41da41e48340c96e29d62c.exe	135
PID 3236 wrote to memory of 588	3236	f4009abe9f41da41e48340c96e29d62c.exe	135
PID 3236 wrote to memory of 588	3236	f4009abe9f41da41e48340c96e29d62c.exe	135
PID 588 wrote to memory of 3928	588	cmd.exe	137
PID 588 wrote to memory of 3928	588	cmd.exe	137
PID 588 wrote to memory of 3928	588	cmd.exe	137
PID 3236 wrote to memory of 3984	3236	f4009abe9f41da41e48340c96e29d62c.exe	138
PID 3236 wrote to memory of 3984	3236	f4009abe9f41da41e48340c96e29d62c.exe	138
PID 3236 wrote to memory of 3984	3236	f4009abe9f41da41e48340c96e29d62c.exe	138
PID 3984 wrote to memory of 3900	3984	cmd.exe	140
PID 3984 wrote to memory of 3900	3984	cmd.exe	140
PID 3984 wrote to memory of 3900	3984	cmd.exe	140
PID 3236 wrote to memory of 2204	3236	f4009abe9f41da41e48340c96e29d62c.exe	141
PID 3236 wrote to memory of 2204	3236	f4009abe9f41da41e48340c96e29d62c.exe	141
PID 3236 wrote to memory of 2204	3236	f4009abe9f41da41e48340c96e29d62c.exe	141
PID 2204 wrote to memory of 908	2204	cmd.exe	143
PID 2204 wrote to memory of 908	2204	cmd.exe	143
PID 2204 wrote to memory of 908	2204	cmd.exe	143
PID 3236 wrote to memory of 3788	3236	f4009abe9f41da41e48340c96e29d62c.exe	144
PID 3236 wrote to memory of 3788	3236	f4009abe9f41da41e48340c96e29d62c.exe	144
PID 3236 wrote to memory of 3788	3236	f4009abe9f41da41e48340c96e29d62c.exe	144
PID 3788 wrote to memory of 3872	3788	cmd.exe	146
PID 3788 wrote to memory of 3872	3788	cmd.exe	146
PID 3788 wrote to memory of 3872	3788	cmd.exe	146
PID 3236 wrote to memory of 1476	3236	f4009abe9f41da41e48340c96e29d62c.exe	147
PID 3236 wrote to memory of 1476	3236	f4009abe9f41da41e48340c96e29d62c.exe	147
PID 3236 wrote to memory of 1476	3236	f4009abe9f41da41e48340c96e29d62c.exe	147
PID 1476 wrote to memory of 820	1476	cmd.exe	149
PID 1476 wrote to memory of 820	1476	cmd.exe	149
PID 1476 wrote to memory of 820	1476	cmd.exe	149
PID 3236 wrote to memory of 3784	3236	f4009abe9f41da41e48340c96e29d62c.exe	150
PID 3236 wrote to memory of 3784	3236	f4009abe9f41da41e48340c96e29d62c.exe	150
PID 3236 wrote to memory of 3784	3236	f4009abe9f41da41e48340c96e29d62c.exe	150
PID 3784 wrote to memory of 3292	3784	cmd.exe	152
PID 3784 wrote to memory of 3292	3784	cmd.exe	152
PID 3784 wrote to memory of 3292	3784	cmd.exe	152
PID 3236 wrote to memory of 3768	3236	f4009abe9f41da41e48340c96e29d62c.exe	153
PID 3236 wrote to memory of 3768	3236	f4009abe9f41da41e48340c96e29d62c.exe	153
PID 3236 wrote to memory of 3768	3236	f4009abe9f41da41e48340c96e29d62c.exe	153
PID 3768 wrote to memory of 1204	3768	cmd.exe	155
PID 3768 wrote to memory of 1204	3768	cmd.exe	155
PID 3768 wrote to memory of 1204	3768	cmd.exe	155
PID 3236 wrote to memory of 3884	3236	f4009abe9f41da41e48340c96e29d62c.exe	156
PID 3236 wrote to memory of 3884	3236	f4009abe9f41da41e48340c96e29d62c.exe	156
PID 3236 wrote to memory of 3884	3236	f4009abe9f41da41e48340c96e29d62c.exe	156
PID 3884 wrote to memory of 500	3884	cmd.exe	158
PID 3884 wrote to memory of 500	3884	cmd.exe	158
PID 3884 wrote to memory of 500	3884	cmd.exe	158
PID 3236 wrote to memory of 1828	3236	f4009abe9f41da41e48340c96e29d62c.exe	159
PID 3236 wrote to memory of 1828	3236	f4009abe9f41da41e48340c96e29d62c.exe	159
PID 3236 wrote to memory of 1828	3236	f4009abe9f41da41e48340c96e29d62c.exe	159
PID 1828 wrote to memory of 3928	1828	cmd.exe	161
PID 1828 wrote to memory of 3928	1828	cmd.exe	161
PID 1828 wrote to memory of 3928	1828	cmd.exe	161
PID 3236 wrote to memory of 4000	3236	f4009abe9f41da41e48340c96e29d62c.exe	162
PID 3236 wrote to memory of 4000	3236	f4009abe9f41da41e48340c96e29d62c.exe	162
PID 3236 wrote to memory of 4000	3236	f4009abe9f41da41e48340c96e29d62c.exe	162
PID 4000 wrote to memory of 3900	4000	cmd.exe	164
PID 4000 wrote to memory of 3900	4000	cmd.exe	164
PID 4000 wrote to memory of 3900	4000	cmd.exe	164
PID 3236 wrote to memory of 3916	3236	f4009abe9f41da41e48340c96e29d62c.exe	165
PID 3236 wrote to memory of 3916	3236	f4009abe9f41da41e48340c96e29d62c.exe	165
PID 3236 wrote to memory of 3916	3236	f4009abe9f41da41e48340c96e29d62c.exe	165
PID 3916 wrote to memory of 1440	3916	cmd.exe	167
PID 3916 wrote to memory of 1440	3916	cmd.exe	167
PID 3916 wrote to memory of 1440	3916	cmd.exe	167
PID 3236 wrote to memory of 2296	3236	f4009abe9f41da41e48340c96e29d62c.exe	168
PID 3236 wrote to memory of 2296	3236	f4009abe9f41da41e48340c96e29d62c.exe	168
PID 3236 wrote to memory of 2296	3236	f4009abe9f41da41e48340c96e29d62c.exe	168
PID 2296 wrote to memory of 1980	2296	cmd.exe	170
PID 2296 wrote to memory of 1980	2296	cmd.exe	170
PID 2296 wrote to memory of 1980	2296	cmd.exe	170
PID 3236 wrote to memory of 2052	3236	f4009abe9f41da41e48340c96e29d62c.exe	171
PID 3236 wrote to memory of 2052	3236	f4009abe9f41da41e48340c96e29d62c.exe	171
PID 3236 wrote to memory of 2052	3236	f4009abe9f41da41e48340c96e29d62c.exe	171
PID 2052 wrote to memory of 3700	2052	cmd.exe	173
PID 2052 wrote to memory of 3700	2052	cmd.exe	173
PID 2052 wrote to memory of 3700	2052	cmd.exe	173
PID 3236 wrote to memory of 1656	3236	f4009abe9f41da41e48340c96e29d62c.exe	174
PID 3236 wrote to memory of 1656	3236	f4009abe9f41da41e48340c96e29d62c.exe	174
PID 3236 wrote to memory of 1656	3236	f4009abe9f41da41e48340c96e29d62c.exe	174
PID 1656 wrote to memory of 3360	1656	cmd.exe	176
PID 1656 wrote to memory of 3360	1656	cmd.exe	176
PID 1656 wrote to memory of 3360	1656	cmd.exe	176
PID 3236 wrote to memory of 1516	3236	f4009abe9f41da41e48340c96e29d62c.exe	177
PID 3236 wrote to memory of 1516	3236	f4009abe9f41da41e48340c96e29d62c.exe	177
PID 3236 wrote to memory of 1516	3236	f4009abe9f41da41e48340c96e29d62c.exe	177
PID 1516 wrote to memory of 3004	1516	cmd.exe	179
PID 1516 wrote to memory of 3004	1516	cmd.exe	179
PID 1516 wrote to memory of 3004	1516	cmd.exe	179
PID 3236 wrote to memory of 3820	3236	f4009abe9f41da41e48340c96e29d62c.exe	180
PID 3236 wrote to memory of 3820	3236	f4009abe9f41da41e48340c96e29d62c.exe	180
PID 3236 wrote to memory of 3820	3236	f4009abe9f41da41e48340c96e29d62c.exe	180
PID 3820 wrote to memory of 1716	3820	cmd.exe	182
PID 3820 wrote to memory of 1716	3820	cmd.exe	182
PID 3820 wrote to memory of 1716	3820	cmd.exe	182
PID 3236 wrote to memory of 1652	3236	f4009abe9f41da41e48340c96e29d62c.exe	183
PID 3236 wrote to memory of 1652	3236	f4009abe9f41da41e48340c96e29d62c.exe	183
PID 3236 wrote to memory of 1652	3236	f4009abe9f41da41e48340c96e29d62c.exe	183
PID 1652 wrote to memory of 1140	1652	cmd.exe	185
PID 1652 wrote to memory of 1140	1652	cmd.exe	185
PID 1652 wrote to memory of 1140	1652	cmd.exe	185
PID 3236 wrote to memory of 1168	3236	f4009abe9f41da41e48340c96e29d62c.exe	186
PID 3236 wrote to memory of 1168	3236	f4009abe9f41da41e48340c96e29d62c.exe	186
PID 3236 wrote to memory of 1168	3236	f4009abe9f41da41e48340c96e29d62c.exe	186
PID 1168 wrote to memory of 640	1168	cmd.exe	188
PID 1168 wrote to memory of 640	1168	cmd.exe	188
PID 1168 wrote to memory of 640	1168	cmd.exe	188
PID 3236 wrote to memory of 648	3236	f4009abe9f41da41e48340c96e29d62c.exe	189
PID 3236 wrote to memory of 648	3236	f4009abe9f41da41e48340c96e29d62c.exe	189
PID 3236 wrote to memory of 648	3236	f4009abe9f41da41e48340c96e29d62c.exe	189
PID 648 wrote to memory of 3924	648	cmd.exe	191
PID 648 wrote to memory of 3924	648	cmd.exe	191
PID 648 wrote to memory of 3924	648	cmd.exe	191
PID 3236 wrote to memory of 3344	3236	f4009abe9f41da41e48340c96e29d62c.exe	192
PID 3236 wrote to memory of 3344	3236	f4009abe9f41da41e48340c96e29d62c.exe	192
PID 3236 wrote to memory of 3344	3236	f4009abe9f41da41e48340c96e29d62c.exe	192
PID 3344 wrote to memory of 344	3344	cmd.exe	194
PID 3344 wrote to memory of 344	3344	cmd.exe	194
PID 3344 wrote to memory of 344	3344	cmd.exe	194
PID 3236 wrote to memory of 2300	3236	f4009abe9f41da41e48340c96e29d62c.exe	195
PID 3236 wrote to memory of 2300	3236	f4009abe9f41da41e48340c96e29d62c.exe	195
PID 3236 wrote to memory of 2300	3236	f4009abe9f41da41e48340c96e29d62c.exe	195
PID 2300 wrote to memory of 1440	2300	cmd.exe	197
PID 2300 wrote to memory of 1440	2300	cmd.exe	197
PID 2300 wrote to memory of 1440	2300	cmd.exe	197
PID 3236 wrote to memory of 2204	3236	f4009abe9f41da41e48340c96e29d62c.exe	198
PID 3236 wrote to memory of 2204	3236	f4009abe9f41da41e48340c96e29d62c.exe	198
PID 3236 wrote to memory of 2204	3236	f4009abe9f41da41e48340c96e29d62c.exe	198
PID 2204 wrote to memory of 1980	2204	cmd.exe	200
PID 2204 wrote to memory of 1980	2204	cmd.exe	200
PID 2204 wrote to memory of 1980	2204	cmd.exe	200
PID 3236 wrote to memory of 3700	3236	f4009abe9f41da41e48340c96e29d62c.exe	201
PID 3236 wrote to memory of 3700	3236	f4009abe9f41da41e48340c96e29d62c.exe	201
PID 3236 wrote to memory of 3700	3236	f4009abe9f41da41e48340c96e29d62c.exe	201
PID 3700 wrote to memory of 2708	3700	cmd.exe	203
PID 3700 wrote to memory of 2708	3700	cmd.exe	203
PID 3700 wrote to memory of 2708	3700	cmd.exe	203
PID 3236 wrote to memory of 868	3236	f4009abe9f41da41e48340c96e29d62c.exe	204
PID 3236 wrote to memory of 868	3236	f4009abe9f41da41e48340c96e29d62c.exe	204
PID 3236 wrote to memory of 868	3236	f4009abe9f41da41e48340c96e29d62c.exe	204
PID 868 wrote to memory of 412	868	cmd.exe	206
PID 868 wrote to memory of 412	868	cmd.exe	206
PID 868 wrote to memory of 412	868	cmd.exe	206
PID 3236 wrote to memory of 2856	3236	f4009abe9f41da41e48340c96e29d62c.exe	207
PID 3236 wrote to memory of 2856	3236	f4009abe9f41da41e48340c96e29d62c.exe	207
PID 3236 wrote to memory of 2856	3236	f4009abe9f41da41e48340c96e29d62c.exe	207
PID 2856 wrote to memory of 3004	2856	cmd.exe	209
PID 2856 wrote to memory of 3004	2856	cmd.exe	209
PID 2856 wrote to memory of 3004	2856	cmd.exe	209
PID 3236 wrote to memory of 3828	3236	f4009abe9f41da41e48340c96e29d62c.exe	210
PID 3236 wrote to memory of 3828	3236	f4009abe9f41da41e48340c96e29d62c.exe	210
PID 3236 wrote to memory of 3828	3236	f4009abe9f41da41e48340c96e29d62c.exe	210
PID 3828 wrote to memory of 1716	3828	cmd.exe	212
PID 3828 wrote to memory of 1716	3828	cmd.exe	212
PID 3828 wrote to memory of 1716	3828	cmd.exe	212
PID 3236 wrote to memory of 2996	3236	f4009abe9f41da41e48340c96e29d62c.exe	213
PID 3236 wrote to memory of 2996	3236	f4009abe9f41da41e48340c96e29d62c.exe	213
PID 3236 wrote to memory of 2996	3236	f4009abe9f41da41e48340c96e29d62c.exe	213
PID 2996 wrote to memory of 656	2996	cmd.exe	215
PID 2996 wrote to memory of 656	2996	cmd.exe	215
PID 2996 wrote to memory of 656	2996	cmd.exe	215
PID 3236 wrote to memory of 1604	3236	f4009abe9f41da41e48340c96e29d62c.exe	216
PID 3236 wrote to memory of 1604	3236	f4009abe9f41da41e48340c96e29d62c.exe	216
PID 3236 wrote to memory of 1604	3236	f4009abe9f41da41e48340c96e29d62c.exe	216
PID 1604 wrote to memory of 652	1604	cmd.exe	218
PID 1604 wrote to memory of 652	1604	cmd.exe	218
PID 1604 wrote to memory of 652	1604	cmd.exe	218
PID 3236 wrote to memory of 508	3236	f4009abe9f41da41e48340c96e29d62c.exe	219
PID 3236 wrote to memory of 508	3236	f4009abe9f41da41e48340c96e29d62c.exe	219
PID 3236 wrote to memory of 508	3236	f4009abe9f41da41e48340c96e29d62c.exe	219
PID 508 wrote to memory of 2472	508	cmd.exe	221
PID 508 wrote to memory of 2472	508	cmd.exe	221
PID 508 wrote to memory of 2472	508	cmd.exe	221
PID 3236 wrote to memory of 3940	3236	f4009abe9f41da41e48340c96e29d62c.exe	222
PID 3236 wrote to memory of 3940	3236	f4009abe9f41da41e48340c96e29d62c.exe	222
PID 3236 wrote to memory of 3940	3236	f4009abe9f41da41e48340c96e29d62c.exe	222
PID 3940 wrote to memory of 908	3940	cmd.exe	224
PID 3940 wrote to memory of 908	3940	cmd.exe	224
PID 3940 wrote to memory of 908	3940	cmd.exe	224
PID 3236 wrote to memory of 4000	3236	f4009abe9f41da41e48340c96e29d62c.exe	225
PID 3236 wrote to memory of 4000	3236	f4009abe9f41da41e48340c96e29d62c.exe	225
PID 3236 wrote to memory of 4000	3236	f4009abe9f41da41e48340c96e29d62c.exe	225
PID 4000 wrote to memory of 3876	4000	cmd.exe	227
PID 4000 wrote to memory of 3876	4000	cmd.exe	227
PID 4000 wrote to memory of 3876	4000	cmd.exe	227
PID 3236 wrote to memory of 1644	3236	f4009abe9f41da41e48340c96e29d62c.exe	228
PID 3236 wrote to memory of 1644	3236	f4009abe9f41da41e48340c96e29d62c.exe	228
PID 3236 wrote to memory of 1644	3236	f4009abe9f41da41e48340c96e29d62c.exe	228
PID 1644 wrote to memory of 1744	1644	cmd.exe	230
PID 1644 wrote to memory of 1744	1644	cmd.exe	230
PID 1644 wrote to memory of 1744	1644	cmd.exe	230
PID 3236 wrote to memory of 2628	3236	f4009abe9f41da41e48340c96e29d62c.exe	231
PID 3236 wrote to memory of 2628	3236	f4009abe9f41da41e48340c96e29d62c.exe	231
PID 3236 wrote to memory of 2628	3236	f4009abe9f41da41e48340c96e29d62c.exe	231
PID 2628 wrote to memory of 3832	2628	cmd.exe	233
PID 2628 wrote to memory of 3832	2628	cmd.exe	233
PID 2628 wrote to memory of 3832	2628	cmd.exe	233
PID 3236 wrote to memory of 408	3236	f4009abe9f41da41e48340c96e29d62c.exe	234
PID 3236 wrote to memory of 408	3236	f4009abe9f41da41e48340c96e29d62c.exe	234
PID 3236 wrote to memory of 408	3236	f4009abe9f41da41e48340c96e29d62c.exe	234
PID 408 wrote to memory of 2820	408	cmd.exe	236
PID 408 wrote to memory of 2820	408	cmd.exe	236
PID 408 wrote to memory of 2820	408	cmd.exe	236
PID 3236 wrote to memory of 3360	3236	f4009abe9f41da41e48340c96e29d62c.exe	237
PID 3236 wrote to memory of 3360	3236	f4009abe9f41da41e48340c96e29d62c.exe	237
PID 3236 wrote to memory of 3360	3236	f4009abe9f41da41e48340c96e29d62c.exe	237
PID 3360 wrote to memory of 1500	3360	cmd.exe	239
PID 3360 wrote to memory of 1500	3360	cmd.exe	239
PID 3360 wrote to memory of 1500	3360	cmd.exe	239
PID 3236 wrote to memory of 3068	3236	f4009abe9f41da41e48340c96e29d62c.exe	240
PID 3236 wrote to memory of 3068	3236	f4009abe9f41da41e48340c96e29d62c.exe	240
PID 3236 wrote to memory of 3068	3236	f4009abe9f41da41e48340c96e29d62c.exe	240
PID 3068 wrote to memory of 812	3068	cmd.exe	242
PID 3068 wrote to memory of 812	3068	cmd.exe	242
PID 3068 wrote to memory of 812	3068	cmd.exe	242
PID 3236 wrote to memory of 1752	3236	f4009abe9f41da41e48340c96e29d62c.exe	243
PID 3236 wrote to memory of 1752	3236	f4009abe9f41da41e48340c96e29d62c.exe	243
PID 3236 wrote to memory of 1752	3236	f4009abe9f41da41e48340c96e29d62c.exe	243
PID 1752 wrote to memory of 1140	1752	cmd.exe	245
PID 1752 wrote to memory of 1140	1752	cmd.exe	245
PID 1752 wrote to memory of 1140	1752	cmd.exe	245
PID 3236 wrote to memory of 500	3236	f4009abe9f41da41e48340c96e29d62c.exe	246
PID 3236 wrote to memory of 500	3236	f4009abe9f41da41e48340c96e29d62c.exe	246
PID 3236 wrote to memory of 500	3236	f4009abe9f41da41e48340c96e29d62c.exe	246
PID 500 wrote to memory of 3844	500	cmd.exe	248
PID 500 wrote to memory of 3844	500	cmd.exe	248
PID 500 wrote to memory of 3844	500	cmd.exe	248
PID 3236 wrote to memory of 1604	3236	f4009abe9f41da41e48340c96e29d62c.exe	249
PID 3236 wrote to memory of 1604	3236	f4009abe9f41da41e48340c96e29d62c.exe	249
PID 3236 wrote to memory of 1604	3236	f4009abe9f41da41e48340c96e29d62c.exe	249
PID 1604 wrote to memory of 3904	1604	cmd.exe	251
PID 1604 wrote to memory of 3904	1604	cmd.exe	251
PID 1604 wrote to memory of 3904	1604	cmd.exe	251
PID 3236 wrote to memory of 508	3236	f4009abe9f41da41e48340c96e29d62c.exe	252
PID 3236 wrote to memory of 508	3236	f4009abe9f41da41e48340c96e29d62c.exe	252
PID 3236 wrote to memory of 508	3236	f4009abe9f41da41e48340c96e29d62c.exe	252
PID 508 wrote to memory of 1380	508	cmd.exe	254
PID 508 wrote to memory of 1380	508	cmd.exe	254
PID 508 wrote to memory of 1380	508	cmd.exe	254
PID 3236 wrote to memory of 3092	3236	f4009abe9f41da41e48340c96e29d62c.exe	255
PID 3236 wrote to memory of 3092	3236	f4009abe9f41da41e48340c96e29d62c.exe	255
PID 3236 wrote to memory of 3092	3236	f4009abe9f41da41e48340c96e29d62c.exe	255
PID 3092 wrote to memory of 3276	3092	cmd.exe	257
PID 3092 wrote to memory of 3276	3092	cmd.exe	257
PID 3092 wrote to memory of 3276	3092	cmd.exe	257
PID 3236 wrote to memory of 4000	3236	f4009abe9f41da41e48340c96e29d62c.exe	258
PID 3236 wrote to memory of 4000	3236	f4009abe9f41da41e48340c96e29d62c.exe	258
PID 3236 wrote to memory of 4000	3236	f4009abe9f41da41e48340c96e29d62c.exe	258
PID 4000 wrote to memory of 1444	4000	cmd.exe	260
PID 4000 wrote to memory of 1444	4000	cmd.exe	260
PID 4000 wrote to memory of 1444	4000	cmd.exe	260
PID 3236 wrote to memory of 1644	3236	f4009abe9f41da41e48340c96e29d62c.exe	261
PID 3236 wrote to memory of 1644	3236	f4009abe9f41da41e48340c96e29d62c.exe	261
PID 3236 wrote to memory of 1644	3236	f4009abe9f41da41e48340c96e29d62c.exe	261
PID 1644 wrote to memory of 2724	1644	cmd.exe	263
PID 1644 wrote to memory of 2724	1644	cmd.exe	263
PID 1644 wrote to memory of 2724	1644	cmd.exe	263
PID 3236 wrote to memory of 2628	3236	f4009abe9f41da41e48340c96e29d62c.exe	264
PID 3236 wrote to memory of 2628	3236	f4009abe9f41da41e48340c96e29d62c.exe	264
PID 3236 wrote to memory of 2628	3236	f4009abe9f41da41e48340c96e29d62c.exe	264
PID 2628 wrote to memory of 868	2628	cmd.exe	266
PID 2628 wrote to memory of 868	2628	cmd.exe	266
PID 2628 wrote to memory of 868	2628	cmd.exe	266
PID 3236 wrote to memory of 944	3236	f4009abe9f41da41e48340c96e29d62c.exe	267
PID 3236 wrote to memory of 944	3236	f4009abe9f41da41e48340c96e29d62c.exe	267
PID 3236 wrote to memory of 944	3236	f4009abe9f41da41e48340c96e29d62c.exe	267
PID 944 wrote to memory of 2856	944	cmd.exe	269
PID 944 wrote to memory of 2856	944	cmd.exe	269
PID 944 wrote to memory of 2856	944	cmd.exe	269
PID 3236 wrote to memory of 2104	3236	f4009abe9f41da41e48340c96e29d62c.exe	270
PID 3236 wrote to memory of 2104	3236	f4009abe9f41da41e48340c96e29d62c.exe	270
PID 3236 wrote to memory of 2104	3236	f4009abe9f41da41e48340c96e29d62c.exe	270
PID 2104 wrote to memory of 3828	2104	cmd.exe	272
PID 2104 wrote to memory of 3828	2104	cmd.exe	272
PID 2104 wrote to memory of 3828	2104	cmd.exe	272
PID 3236 wrote to memory of 808	3236	f4009abe9f41da41e48340c96e29d62c.exe	273
PID 3236 wrote to memory of 808	3236	f4009abe9f41da41e48340c96e29d62c.exe	273
PID 3236 wrote to memory of 808	3236	f4009abe9f41da41e48340c96e29d62c.exe	273
PID 808 wrote to memory of 2996	808	cmd.exe	275
PID 808 wrote to memory of 2996	808	cmd.exe	275
PID 808 wrote to memory of 2996	808	cmd.exe	275
PID 3236 wrote to memory of 1660	3236	f4009abe9f41da41e48340c96e29d62c.exe	276
PID 3236 wrote to memory of 1660	3236	f4009abe9f41da41e48340c96e29d62c.exe	276
PID 3236 wrote to memory of 1660	3236	f4009abe9f41da41e48340c96e29d62c.exe	276
PID 1660 wrote to memory of 544	1660	cmd.exe	278
PID 1660 wrote to memory of 544	1660	cmd.exe	278
PID 1660 wrote to memory of 544	1660	cmd.exe	278
PID 3236 wrote to memory of 1168	3236	f4009abe9f41da41e48340c96e29d62c.exe	279
PID 3236 wrote to memory of 1168	3236	f4009abe9f41da41e48340c96e29d62c.exe	279
PID 3236 wrote to memory of 1168	3236	f4009abe9f41da41e48340c96e29d62c.exe	279
PID 1168 wrote to memory of 3684	1168	cmd.exe	281
PID 1168 wrote to memory of 3684	1168	cmd.exe	281
PID 1168 wrote to memory of 3684	1168	cmd.exe	281
PID 3236 wrote to memory of 3904	3236	f4009abe9f41da41e48340c96e29d62c.exe	282
PID 3236 wrote to memory of 3904	3236	f4009abe9f41da41e48340c96e29d62c.exe	282
PID 3236 wrote to memory of 3904	3236	f4009abe9f41da41e48340c96e29d62c.exe	282
PID 3904 wrote to memory of 3824	3904	cmd.exe	284
PID 3904 wrote to memory of 3824	3904	cmd.exe	284
PID 3904 wrote to memory of 3824	3904	cmd.exe	284
PID 3236 wrote to memory of 1380	3236	f4009abe9f41da41e48340c96e29d62c.exe	285
PID 3236 wrote to memory of 1380	3236	f4009abe9f41da41e48340c96e29d62c.exe	285
PID 3236 wrote to memory of 1380	3236	f4009abe9f41da41e48340c96e29d62c.exe	285
PID 1380 wrote to memory of 3900	1380	cmd.exe	287
PID 1380 wrote to memory of 3900	1380	cmd.exe	287
PID 1380 wrote to memory of 3900	1380	cmd.exe	287
PID 3236 wrote to memory of 3276	3236	f4009abe9f41da41e48340c96e29d62c.exe	288
PID 3236 wrote to memory of 3276	3236	f4009abe9f41da41e48340c96e29d62c.exe	288
PID 3236 wrote to memory of 3276	3236	f4009abe9f41da41e48340c96e29d62c.exe	288
PID 3276 wrote to memory of 3796	3276	cmd.exe	290
PID 3276 wrote to memory of 3796	3276	cmd.exe	290
PID 3276 wrote to memory of 3796	3276	cmd.exe	290
PID 3236 wrote to memory of 1444	3236	f4009abe9f41da41e48340c96e29d62c.exe	291
PID 3236 wrote to memory of 1444	3236	f4009abe9f41da41e48340c96e29d62c.exe	291
PID 3236 wrote to memory of 1444	3236	f4009abe9f41da41e48340c96e29d62c.exe	291
PID 1444 wrote to memory of 3772	1444	cmd.exe	293
PID 1444 wrote to memory of 3772	1444	cmd.exe	293
PID 1444 wrote to memory of 3772	1444	cmd.exe	293
PID 3236 wrote to memory of 2724	3236	f4009abe9f41da41e48340c96e29d62c.exe	294
PID 3236 wrote to memory of 2724	3236	f4009abe9f41da41e48340c96e29d62c.exe	294
PID 3236 wrote to memory of 2724	3236	f4009abe9f41da41e48340c96e29d62c.exe	294
PID 2724 wrote to memory of 3536	2724	cmd.exe	296
PID 2724 wrote to memory of 3536	2724	cmd.exe	296
PID 2724 wrote to memory of 3536	2724	cmd.exe	296
PID 3236 wrote to memory of 868	3236	f4009abe9f41da41e48340c96e29d62c.exe	297
PID 3236 wrote to memory of 868	3236	f4009abe9f41da41e48340c96e29d62c.exe	297
PID 3236 wrote to memory of 868	3236	f4009abe9f41da41e48340c96e29d62c.exe	297
PID 868 wrote to memory of 2812	868	cmd.exe	299
PID 868 wrote to memory of 2812	868	cmd.exe	299
PID 868 wrote to memory of 2812	868	cmd.exe	299
PID 3236 wrote to memory of 2856	3236	f4009abe9f41da41e48340c96e29d62c.exe	300
PID 3236 wrote to memory of 2856	3236	f4009abe9f41da41e48340c96e29d62c.exe	300
PID 3236 wrote to memory of 2856	3236	f4009abe9f41da41e48340c96e29d62c.exe	300
PID 2856 wrote to memory of 2120	2856	cmd.exe	302
PID 2856 wrote to memory of 2120	2856	cmd.exe	302
PID 2856 wrote to memory of 2120	2856	cmd.exe	302
PID 3236 wrote to memory of 3828	3236	f4009abe9f41da41e48340c96e29d62c.exe	303
PID 3236 wrote to memory of 3828	3236	f4009abe9f41da41e48340c96e29d62c.exe	303
PID 3236 wrote to memory of 3828	3236	f4009abe9f41da41e48340c96e29d62c.exe	303
PID 3828 wrote to memory of 3692	3828	cmd.exe	305
PID 3828 wrote to memory of 3692	3828	cmd.exe	305
PID 3828 wrote to memory of 3692	3828	cmd.exe	305
PID 3236 wrote to memory of 2996	3236	f4009abe9f41da41e48340c96e29d62c.exe	306
PID 3236 wrote to memory of 2996	3236	f4009abe9f41da41e48340c96e29d62c.exe	306
PID 3236 wrote to memory of 2996	3236	f4009abe9f41da41e48340c96e29d62c.exe	306
PID 2996 wrote to memory of 1820	2996	cmd.exe	308
PID 2996 wrote to memory of 1820	2996	cmd.exe	308
PID 2996 wrote to memory of 1820	2996	cmd.exe	308
PID 3236 wrote to memory of 544	3236	f4009abe9f41da41e48340c96e29d62c.exe	309
PID 3236 wrote to memory of 544	3236	f4009abe9f41da41e48340c96e29d62c.exe	309
PID 3236 wrote to memory of 544	3236	f4009abe9f41da41e48340c96e29d62c.exe	309
PID 544 wrote to memory of 2432	544	cmd.exe	311
PID 544 wrote to memory of 2432	544	cmd.exe	311
PID 544 wrote to memory of 2432	544	cmd.exe	311
PID 3236 wrote to memory of 3684	3236	f4009abe9f41da41e48340c96e29d62c.exe	312
PID 3236 wrote to memory of 3684	3236	f4009abe9f41da41e48340c96e29d62c.exe	312
PID 3236 wrote to memory of 3684	3236	f4009abe9f41da41e48340c96e29d62c.exe	312
PID 3684 wrote to memory of 1604	3684	cmd.exe	314
PID 3684 wrote to memory of 1604	3684	cmd.exe	314
PID 3684 wrote to memory of 1604	3684	cmd.exe	314
PID 3236 wrote to memory of 3824	3236	f4009abe9f41da41e48340c96e29d62c.exe	315
PID 3236 wrote to memory of 3824	3236	f4009abe9f41da41e48340c96e29d62c.exe	315
PID 3236 wrote to memory of 3824	3236	f4009abe9f41da41e48340c96e29d62c.exe	315
PID 3824 wrote to memory of 508	3824	cmd.exe	317
PID 3824 wrote to memory of 508	3824	cmd.exe	317
PID 3824 wrote to memory of 508	3824	cmd.exe	317
PID 3236 wrote to memory of 3900	3236	f4009abe9f41da41e48340c96e29d62c.exe	318
PID 3236 wrote to memory of 3900	3236	f4009abe9f41da41e48340c96e29d62c.exe	318
PID 3236 wrote to memory of 3900	3236	f4009abe9f41da41e48340c96e29d62c.exe	318
PID 3900 wrote to memory of 3092	3900	cmd.exe	320
PID 3900 wrote to memory of 3092	3900	cmd.exe	320
PID 3900 wrote to memory of 3092	3900	cmd.exe	320
PID 3236 wrote to memory of 3796	3236	f4009abe9f41da41e48340c96e29d62c.exe	321
PID 3236 wrote to memory of 3796	3236	f4009abe9f41da41e48340c96e29d62c.exe	321
PID 3236 wrote to memory of 3796	3236	f4009abe9f41da41e48340c96e29d62c.exe	321
PID 3796 wrote to memory of 4000	3796	cmd.exe	323
PID 3796 wrote to memory of 4000	3796	cmd.exe	323
PID 3796 wrote to memory of 4000	3796	cmd.exe	323
PID 3236 wrote to memory of 3772	3236	f4009abe9f41da41e48340c96e29d62c.exe	324
PID 3236 wrote to memory of 3772	3236	f4009abe9f41da41e48340c96e29d62c.exe	324
PID 3236 wrote to memory of 3772	3236	f4009abe9f41da41e48340c96e29d62c.exe	324
PID 3772 wrote to memory of 1644	3772	cmd.exe	326
PID 3772 wrote to memory of 1644	3772	cmd.exe	326
PID 3772 wrote to memory of 1644	3772	cmd.exe	326
PID 3236 wrote to memory of 3536	3236	f4009abe9f41da41e48340c96e29d62c.exe	327
PID 3236 wrote to memory of 3536	3236	f4009abe9f41da41e48340c96e29d62c.exe	327
PID 3236 wrote to memory of 3536	3236	f4009abe9f41da41e48340c96e29d62c.exe	327
PID 3536 wrote to memory of 2628	3536	cmd.exe	329
PID 3536 wrote to memory of 2628	3536	cmd.exe	329
PID 3536 wrote to memory of 2628	3536	cmd.exe	329
PID 3236 wrote to memory of 2812	3236	f4009abe9f41da41e48340c96e29d62c.exe	330
PID 3236 wrote to memory of 2812	3236	f4009abe9f41da41e48340c96e29d62c.exe	330
PID 3236 wrote to memory of 2812	3236	f4009abe9f41da41e48340c96e29d62c.exe	330
PID 2812 wrote to memory of 944	2812	cmd.exe	332
PID 2812 wrote to memory of 944	2812	cmd.exe	332
PID 2812 wrote to memory of 944	2812	cmd.exe	332
PID 3236 wrote to memory of 2120	3236	f4009abe9f41da41e48340c96e29d62c.exe	333
PID 3236 wrote to memory of 2120	3236	f4009abe9f41da41e48340c96e29d62c.exe	333
PID 3236 wrote to memory of 2120	3236	f4009abe9f41da41e48340c96e29d62c.exe	333
PID 2120 wrote to memory of 2104	2120	cmd.exe	335
PID 2120 wrote to memory of 2104	2120	cmd.exe	335
PID 2120 wrote to memory of 2104	2120	cmd.exe	335
PID 3236 wrote to memory of 3692	3236	f4009abe9f41da41e48340c96e29d62c.exe	336
PID 3236 wrote to memory of 3692	3236	f4009abe9f41da41e48340c96e29d62c.exe	336
PID 3236 wrote to memory of 3692	3236	f4009abe9f41da41e48340c96e29d62c.exe	336
PID 3692 wrote to memory of 808	3692	cmd.exe	338
PID 3692 wrote to memory of 808	3692	cmd.exe	338
PID 3692 wrote to memory of 808	3692	cmd.exe	338
PID 3236 wrote to memory of 1820	3236	f4009abe9f41da41e48340c96e29d62c.exe	339
PID 3236 wrote to memory of 1820	3236	f4009abe9f41da41e48340c96e29d62c.exe	339
PID 3236 wrote to memory of 1820	3236	f4009abe9f41da41e48340c96e29d62c.exe	339
PID 1820 wrote to memory of 1660	1820	cmd.exe	341
PID 1820 wrote to memory of 1660	1820	cmd.exe	341
PID 1820 wrote to memory of 1660	1820	cmd.exe	341
PID 3236 wrote to memory of 2432	3236	f4009abe9f41da41e48340c96e29d62c.exe	342
PID 3236 wrote to memory of 2432	3236	f4009abe9f41da41e48340c96e29d62c.exe	342
PID 3236 wrote to memory of 2432	3236	f4009abe9f41da41e48340c96e29d62c.exe	342
PID 2432 wrote to memory of 1168	2432	cmd.exe	344
PID 2432 wrote to memory of 1168	2432	cmd.exe	344
PID 2432 wrote to memory of 1168	2432	cmd.exe	344
PID 3236 wrote to memory of 1604	3236	f4009abe9f41da41e48340c96e29d62c.exe	345
PID 3236 wrote to memory of 1604	3236	f4009abe9f41da41e48340c96e29d62c.exe	345
PID 3236 wrote to memory of 1604	3236	f4009abe9f41da41e48340c96e29d62c.exe	345
PID 1604 wrote to memory of 3904	1604	cmd.exe	347
PID 1604 wrote to memory of 3904	1604	cmd.exe	347
PID 1604 wrote to memory of 3904	1604	cmd.exe	347

Suspicious use of AdjustPrivilegeToken 129 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3904	WMIC.exe
Token: SeSecurityPrivilege	3904	WMIC.exe
Token: SeTakeOwnershipPrivilege	3904	WMIC.exe
Token: SeLoadDriverPrivilege	3904	WMIC.exe
Token: SeSystemProfilePrivilege	3904	WMIC.exe
Token: SeSystemtimePrivilege	3904	WMIC.exe
Token: SeProfSingleProcessPrivilege	3904	WMIC.exe
Token: SeIncBasePriorityPrivilege	3904	WMIC.exe
Token: SeCreatePagefilePrivilege	3904	WMIC.exe
Token: SeBackupPrivilege	3904	WMIC.exe
Token: SeRestorePrivilege	3904	WMIC.exe
Token: SeShutdownPrivilege	3904	WMIC.exe
Token: SeDebugPrivilege	3904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3904	WMIC.exe
Token: SeRemoteShutdownPrivilege	3904	WMIC.exe
Token: SeUndockPrivilege	3904	WMIC.exe
Token: SeManageVolumePrivilege	3904	WMIC.exe
Token: 33	3904	WMIC.exe
Token: 34	3904	WMIC.exe
Token: 35	3904	WMIC.exe
Token: 36	3904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3904	WMIC.exe
Token: SeSecurityPrivilege	3904	WMIC.exe
Token: SeTakeOwnershipPrivilege	3904	WMIC.exe
Token: SeLoadDriverPrivilege	3904	WMIC.exe
Token: SeSystemProfilePrivilege	3904	WMIC.exe
Token: SeSystemtimePrivilege	3904	WMIC.exe
Token: SeProfSingleProcessPrivilege	3904	WMIC.exe
Token: SeIncBasePriorityPrivilege	3904	WMIC.exe
Token: SeCreatePagefilePrivilege	3904	WMIC.exe
Token: SeBackupPrivilege	3904	WMIC.exe
Token: SeRestorePrivilege	3904	WMIC.exe
Token: SeShutdownPrivilege	3904	WMIC.exe
Token: SeDebugPrivilege	3904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3904	WMIC.exe
Token: SeRemoteShutdownPrivilege	3904	WMIC.exe
Token: SeUndockPrivilege	3904	WMIC.exe
Token: SeManageVolumePrivilege	3904	WMIC.exe
Token: 33	3904	WMIC.exe
Token: 34	3904	WMIC.exe
Token: 35	3904	WMIC.exe
Token: 36	3904	WMIC.exe
Token: SeBackupPrivilege	2572	vssvc.exe
Token: SeRestorePrivilege	2572	vssvc.exe
Token: SeAuditPrivilege	2572	vssvc.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	424	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	588	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	3448	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	3344	taskkill.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	3848	taskkill.exe
Token: SeDebugPrivilege	3612	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	908	taskkill.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	820	taskkill.exe
Token: SeDebugPrivilege	3292	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	500	taskkill.exe
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	1140	taskkill.exe
Token: SeDebugPrivilege	640	taskkill.exe
Token: SeDebugPrivilege	3924	taskkill.exe
Token: SeDebugPrivilege	344	taskkill.exe
Token: SeDebugPrivilege	1440	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	412	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	656	taskkill.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	908	taskkill.exe
Token: SeDebugPrivilege	3876	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	812	taskkill.exe
Token: SeDebugPrivilege	1140	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	3904	taskkill.exe
Token: SeDebugPrivilege	1380	taskkill.exe
Token: SeDebugPrivilege	3276	taskkill.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	2724	taskkill.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	3828	taskkill.exe
Token: SeDebugPrivilege	2996	taskkill.exe
Token: SeDebugPrivilege	544	taskkill.exe
Token: SeDebugPrivilege	3684	taskkill.exe
Token: SeDebugPrivilege	3824	taskkill.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	3772	taskkill.exe
Token: SeDebugPrivilege	3536	taskkill.exe
Token: SeDebugPrivilege	2812	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	3692	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	2432	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	508	taskkill.exe
Token: SeDebugPrivilege	3092	taskkill.exe
Token: SeDebugPrivilege	4000	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeDebugPrivilege	808	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	1168	taskkill.exe
Token: SeDebugPrivilege	3904	taskkill.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe

Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3772	vssadmin.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:niouzersmbbef	f4009abe9f41da41e48340c96e29d62c.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:ruwvvoech	f4009abe9f41da41e48340c96e29d62c.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:crecqyosmlwneafy	f4009abe9f41da41e48340c96e29d62c.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:ruwvvoech	f4009abe9f41da41e48340c96e29d62c.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:colmipagylghfdlek	f4009abe9f41da41e48340c96e29d62c.exe

Kills process with taskkill 87 IoCs

evasion

pid	Process
3876	taskkill.exe
3684	taskkill.exe
3796	taskkill.exe
1820	taskkill.exe
2708	taskkill.exe
1500	taskkill.exe
2104	taskkill.exe
3844	taskkill.exe
2192	taskkill.exe
3924	taskkill.exe
812	taskkill.exe
344	taskkill.exe
1716	taskkill.exe
2812	taskkill.exe
1168	taskkill.exe
1716	taskkill.exe
1744	taskkill.exe
2724	taskkill.exe
3004	taskkill.exe
2856	taskkill.exe
3536	taskkill.exe
1660	taskkill.exe
3872	taskkill.exe
3928	taskkill.exe
3700	taskkill.exe
3004	taskkill.exe
2472	taskkill.exe
868	taskkill.exe
3824	taskkill.exe
2628	taskkill.exe
3832	taskkill.exe
3276	taskkill.exe
3092	taskkill.exe
944	taskkill.exe
424	taskkill.exe
908	taskkill.exe
3872	taskkill.exe
1440	taskkill.exe
3904	taskkill.exe
808	taskkill.exe
1008	taskkill.exe
3292	taskkill.exe
1140	taskkill.exe
1444	taskkill.exe
3968	taskkill.exe
3848	taskkill.exe
3900	taskkill.exe
3904	taskkill.exe
508	taskkill.exe
588	taskkill.exe
3344	taskkill.exe
3928	taskkill.exe
3772	taskkill.exe
412	taskkill.exe
2120	taskkill.exe
4056	taskkill.exe
1192	taskkill.exe
640	taskkill.exe
1980	taskkill.exe
1980	taskkill.exe
1140	taskkill.exe
2996	taskkill.exe
2432	taskkill.exe
3068	taskkill.exe
564	taskkill.exe
500	taskkill.exe
3900	taskkill.exe
1440	taskkill.exe
2820	taskkill.exe
3844	taskkill.exe
1380	taskkill.exe
2052	taskkill.exe
3612	taskkill.exe
820	taskkill.exe
3360	taskkill.exe
544	taskkill.exe
3900	taskkill.exe
3692	taskkill.exe
4000	taskkill.exe
908	taskkill.exe
1644	taskkill.exe
3448	taskkill.exe
1204	taskkill.exe
656	taskkill.exe
652	taskkill.exe
3828	taskkill.exe
1604	taskkill.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\f4009abe9f41da41e48340c96e29d62c.exe
"C:\Users\Admin\AppData\Local\Temp\f4009abe9f41da41e48340c96e29d62c.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- NTFS ADS
PID:3236
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic.exe SHADOWCOPY DELETE /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3904
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:2908
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  PID:3916
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit.exe /set {default} recoveryenabled No
  2⤵
  PID:3952
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:4056
- C:\Windows\SysWOW64\cmd.exe
  cmd /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:3772
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\vssvc.exe
  2⤵
  PID:3360
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wxServer*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wxServer*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wxServerView*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wxServerView*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlmangr*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlmangr*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:424
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM RAgui*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM RAgui*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM supervise*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM supervise*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:588
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Culture*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Culture*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3844
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Defwatch*
  2⤵
  PID:3536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Defwatch*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM winword*
  2⤵
  PID:3784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM winword*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBW32*
  2⤵
  PID:3292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBW32*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3448
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgr*
  2⤵
  PID:3852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBDBMgr*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM qbupdate*
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM qbupdate*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3344
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM axlbridge*
  2⤵
  PID:3968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM axlbridge*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:4056
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM httpd*
  2⤵
  PID:3536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM httpd*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1008
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fdlauncher*
  2⤵
  PID:3832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fdlauncher*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3848
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MsDtSrvr*
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MsDtSrvr*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3612
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM java*
  2⤵
  PID:500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM java*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM 360se*
  2⤵
  PID:588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM 360se*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3928
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM 360doctor*
  2⤵
  PID:3984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM 360doctor*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:3900
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wdswfsafe*
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wdswfsafe*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fdhost*
  2⤵
  PID:3788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fdhost*
    3⤵
    - Kills process with taskkill
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM GDscan*
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM GDscan*
    3⤵
    PID:820
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ZhuDongFangYu*
  2⤵
  PID:3784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ZhuDongFangYu*
    3⤵
    - Kills process with taskkill
    PID:3292
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgrN*
  2⤵
  PID:3768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBDBMgrN*
    3⤵
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM mysqld*
  2⤵
  PID:3884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM mysqld*
    3⤵
    PID:500
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AutodeskDesktopApp*
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AutodeskDesktopApp*
    3⤵
    - Kills process with taskkill
    PID:3928
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM acwebbrowser*
  2⤵
  PID:4000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM acwebbrowser*
    3⤵
    PID:3900
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Creative Cloud*
  2⤵
  PID:3916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Creative Cloud*
    3⤵
    - Kills process with taskkill
    PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Adobe Desktop Service*
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Adobe Desktop Service*
    3⤵
    - Kills process with taskkill
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM CoreSync*
  2⤵
  PID:2052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM CoreSync*
    3⤵
    - Kills process with taskkill
    PID:3700
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Adobe CEF Helper*
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Adobe CEF Helper*
    3⤵
    PID:3360
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM node*
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM node*
    3⤵
    - Kills process with taskkill
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AdobeIPCBroker*
  2⤵
  PID:3820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AdobeIPCBroker*
    3⤵
    - Kills process with taskkill
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sync-taskbar*
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sync-taskbar*
    3⤵
    - Kills process with taskkill
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sync-worker*
  2⤵
  PID:1168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sync-worker*
    3⤵
    - Kills process with taskkill
    PID:640
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM InputPersonalization*
  2⤵
  PID:648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM InputPersonalization*
    3⤵
    - Kills process with taskkill
    PID:3924
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AdobeCollabSync*
  2⤵
  PID:3344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AdobeCollabSync*
    3⤵
    - Kills process with taskkill
    PID:344
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM BrCtrlCntr*
  2⤵
  PID:2300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM BrCtrlCntr*
    3⤵
    PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM BrCcUxSys*
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM BrCcUxSys*
    3⤵
    - Kills process with taskkill
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SimplyConnectionManager*
  2⤵
  PID:3700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SimplyConnectionManager*
    3⤵
    - Kills process with taskkill
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
  2⤵
  PID:868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Simply.SystemTrayIcon*
    3⤵
    - Kills process with taskkill
    PID:412
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fbguard*
  2⤵
  PID:2856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fbguard*
    3⤵
    - Kills process with taskkill
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fbserver*
  2⤵
  PID:3828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fbserver*
    3⤵
    - Kills process with taskkill
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ONENOTEM*
  2⤵
  PID:2996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ONENOTEM*
    3⤵
    PID:656
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wrapper*
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wrapper*
    3⤵
    PID:652
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM DefWatch*
  2⤵
  PID:508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM DefWatch*
    3⤵
    - Kills process with taskkill
    PID:2472
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ccEvtMgr*
  2⤵
  PID:3940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ccEvtMgr*
    3⤵
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ccSetMgr*
  2⤵
  PID:4000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ccSetMgr*
    3⤵
    - Kills process with taskkill
    PID:3876
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SavRoam*
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SavRoam*
    3⤵
    - Kills process with taskkill
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Sqlservr*
  2⤵
  PID:2628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Sqlservr*
    3⤵
    - Kills process with taskkill
    PID:3832
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlagent*
  2⤵
  PID:408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlagent*
    3⤵
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqladhlp*
  2⤵
  PID:3360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqladhlp*
    3⤵
    - Kills process with taskkill
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Culserver*
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Culserver*
    3⤵
    - Kills process with taskkill
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM RTVscan*
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM RTVscan*
    3⤵
    - Kills process with taskkill
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlbrowser*
  2⤵
  PID:500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlbrowser*
    3⤵
    PID:3844
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLADHLP*
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLADHLP*
    3⤵
    - Kills process with taskkill
    PID:3904
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBIDPService*
  2⤵
  PID:508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBIDPService*
    3⤵
    PID:1380
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
  2⤵
  PID:3092
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:3276
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBCFMonitorService*
  2⤵
  PID:4000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBCFMonitorService*
    3⤵
    - Kills process with taskkill
    PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlwriter*
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlwriter*
    3⤵
    - Kills process with taskkill
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msmdsrv*
  2⤵
  PID:2628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msmdsrv*
    3⤵
    - Kills process with taskkill
    PID:868
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM tomcat6*
  2⤵
  PID:944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM tomcat6*
    3⤵
    - Kills process with taskkill
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM zhudongfangyu*
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM zhudongfangyu*
    3⤵
    PID:3828
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM vmware-usbarbitator64*
  2⤵
  PID:808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM vmware-usbarbitator64*
    3⤵
    - Kills process with taskkill
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM vmware-converter*
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM vmware-converter*
    3⤵
    PID:544
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM dbsrv12*
  2⤵
  PID:1168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM dbsrv12*
    3⤵
    - Kills process with taskkill
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM dbeng8*
  2⤵
  PID:3904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM dbeng8*
    3⤵
    - Kills process with taskkill
    PID:3824
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:1380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    PID:3900
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
  2⤵
  PID:3276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:3796
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:3772
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLBrowser*
  2⤵
  PID:2724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLBrowser*
    3⤵
    - Kills process with taskkill
    PID:3536
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLWriter*
  2⤵
  PID:868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLWriter*
    3⤵
    - Kills process with taskkill
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM FishbowlMySQL*
  2⤵
  PID:2856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM FishbowlMySQL*
    3⤵
    - Kills process with taskkill
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:3828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    PID:3692
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MySQL57*
  2⤵
  PID:2996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MySQL57*
    3⤵
    - Kills process with taskkill
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
  2⤵
  PID:544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
    3⤵
    - Kills process with taskkill
    PID:2432
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
  2⤵
  PID:3684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLServerADHelper100*
    3⤵
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
  2⤵
  PID:3824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
    3⤵
    - Kills process with taskkill
    PID:508
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msftesql-Exchange*
  2⤵
  PID:3900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msftesql-Exchange*
    3⤵
    - Kills process with taskkill
    PID:3092
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
  2⤵
  PID:3796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
    3⤵
    PID:4000
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
  2⤵
  PID:3772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$SBSMONITORING*
    3⤵
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
  2⤵
  PID:3536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
  2⤵
  PID:2812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:944
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
  2⤵
  PID:2120
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
  2⤵
  PID:3692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:808
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
  2⤵
  PID:1820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBFCService*
  2⤵
  PID:2432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBFCService*
    3⤵
    - Kills process with taskkill
    PID:1168
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBVSS*
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBVSS*
    3⤵
    - Kills process with taskkill
    PID:3904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:2572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads