exorcist | 6db3aae21a6d80857c85f58c4c8b2cf9c6b7f8b8a9ab1d5496d18eaf9bd0bd01

Analysis

max time kernel
17s
max time network
41s
platform
windows10_x64
resource
win10
submitted
24-07-2020 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4009abe9f41da41e48340c96e29d62c.exe
Size

43KB
MD5

f4009abe9f41da41e48340c96e29d62c
SHA1

01636cd2ab7eada533ded51728acd8cd99020c57
SHA256

6db3aae21a6d80857c85f58c4c8b2cf9c6b7f8b8a9ab1d5496d18eaf9bd0bd01
SHA512

4bdd711818c29c01dd532c13c23155ee0450a7f1f3ad7d92c45952f59b8ee947ab5876688e8971dfd094f7f494003106e9ad9b470cf99bccbd53f545900c9a15

Score

10^/10

ransomware exorcist persistence

Malware Config

Signatures

Suspicious use of WriteProcessMemory 549 IoCs

Processes:

f4009abe9f41da41e48340c96e29d62c.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3236 wrote to memory of 3896	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3896	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3896	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3896 wrote to memory of 3904	3896	cmd.exe	WMIC.exe
PID 3896 wrote to memory of 3904	3896	cmd.exe	WMIC.exe
PID 3896 wrote to memory of 3904	3896	cmd.exe	WMIC.exe
PID 3236 wrote to memory of 2908	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 2908	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 2908	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3916	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3916	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3916	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3952	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3952	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3952	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 4056	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 4056	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 4056	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3692	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3692	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3692	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3692 wrote to memory of 3772	3692	cmd.exe	vssadmin.exe
PID 3692 wrote to memory of 3772	3692	cmd.exe	vssadmin.exe
PID 3692 wrote to memory of 3772	3692	cmd.exe	vssadmin.exe
PID 3236 wrote to memory of 3360	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3360	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3360	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3508	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3508	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3508	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3508 wrote to memory of 3968	3508	cmd.exe	taskkill.exe
PID 3508 wrote to memory of 3968	3508	cmd.exe	taskkill.exe
PID 3508 wrote to memory of 3968	3508	cmd.exe	taskkill.exe
PID 3236 wrote to memory of 344	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 344	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 344	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 344 wrote to memory of 3872	344	cmd.exe	taskkill.exe
PID 344 wrote to memory of 3872	344	cmd.exe	taskkill.exe
PID 344 wrote to memory of 3872	344	cmd.exe	taskkill.exe
PID 3236 wrote to memory of 1624	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 1624	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 1624	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 1624 wrote to memory of 424	1624	cmd.exe	taskkill.exe
PID 1624 wrote to memory of 424	1624	cmd.exe	taskkill.exe
PID 1624 wrote to memory of 424	1624	cmd.exe	taskkill.exe
PID 3236 wrote to memory of 3768	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3768	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3768	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3768 wrote to memory of 3068	3768	cmd.exe	taskkill.exe
PID 3768 wrote to memory of 3068	3768	cmd.exe	taskkill.exe
PID 3768 wrote to memory of 3068	3768	cmd.exe	taskkill.exe
PID 3236 wrote to memory of 3944	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3944	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3944	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3944 wrote to memory of 588	3944	cmd.exe	taskkill.exe
PID 3944 wrote to memory of 588	3944	cmd.exe	taskkill.exe
PID 3944 wrote to memory of 588	3944	cmd.exe	taskkill.exe
PID 3236 wrote to memory of 3940	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3940	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3236 wrote to memory of 3940	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe
PID 3940 wrote to memory of 3844	3940	cmd.exe	taskkill.exe
PID 3940 wrote to memory of 3844	3940	cmd.exe	taskkill.exe
PID 3940 wrote to memory of 3844	3940	cmd.exe	taskkill.exe
PID 3236 wrote to memory of 3536	3236	f4009abe9f41da41e48340c96e29d62c.exe	cmd.exe

Suspicious use of AdjustPrivilegeToken 129 IoCs

Processes:

WMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3904	WMIC.exe
Token: SeSecurityPrivilege	3904	WMIC.exe
Token: SeTakeOwnershipPrivilege	3904	WMIC.exe
Token: SeLoadDriverPrivilege	3904	WMIC.exe
Token: SeSystemProfilePrivilege	3904	WMIC.exe
Token: SeSystemtimePrivilege	3904	WMIC.exe
Token: SeProfSingleProcessPrivilege	3904	WMIC.exe
Token: SeIncBasePriorityPrivilege	3904	WMIC.exe
Token: SeCreatePagefilePrivilege	3904	WMIC.exe
Token: SeBackupPrivilege	3904	WMIC.exe
Token: SeRestorePrivilege	3904	WMIC.exe
Token: SeShutdownPrivilege	3904	WMIC.exe
Token: SeDebugPrivilege	3904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3904	WMIC.exe
Token: SeRemoteShutdownPrivilege	3904	WMIC.exe
Token: SeUndockPrivilege	3904	WMIC.exe
Token: SeManageVolumePrivilege	3904	WMIC.exe
Token: 33	3904	WMIC.exe
Token: 34	3904	WMIC.exe
Token: 35	3904	WMIC.exe
Token: 36	3904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3904	WMIC.exe
Token: SeSecurityPrivilege	3904	WMIC.exe
Token: SeTakeOwnershipPrivilege	3904	WMIC.exe
Token: SeLoadDriverPrivilege	3904	WMIC.exe
Token: SeSystemProfilePrivilege	3904	WMIC.exe
Token: SeSystemtimePrivilege	3904	WMIC.exe
Token: SeProfSingleProcessPrivilege	3904	WMIC.exe
Token: SeIncBasePriorityPrivilege	3904	WMIC.exe
Token: SeCreatePagefilePrivilege	3904	WMIC.exe
Token: SeBackupPrivilege	3904	WMIC.exe
Token: SeRestorePrivilege	3904	WMIC.exe
Token: SeShutdownPrivilege	3904	WMIC.exe
Token: SeDebugPrivilege	3904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3904	WMIC.exe
Token: SeRemoteShutdownPrivilege	3904	WMIC.exe
Token: SeUndockPrivilege	3904	WMIC.exe
Token: SeManageVolumePrivilege	3904	WMIC.exe
Token: 33	3904	WMIC.exe
Token: 34	3904	WMIC.exe
Token: 35	3904	WMIC.exe
Token: 36	3904	WMIC.exe
Token: SeBackupPrivilege	2572	vssvc.exe
Token: SeRestorePrivilege	2572	vssvc.exe
Token: SeAuditPrivilege	2572	vssvc.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	424	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	588	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	3448	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	3344	taskkill.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	3848	taskkill.exe
Token: SeDebugPrivilege	3612	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	908	taskkill.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

f4009abe9f41da41e48340c96e29d62c.exe

pid	process
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe
3236	f4009abe9f41da41e48340c96e29d62c.exe

Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3772 vssadmin.exe

pid	process
3772	vssadmin.exe

NTFS ADS 5 IoCs

Processes:

f4009abe9f41da41e48340c96e29d62c.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:niouzersmbbef	f4009abe9f41da41e48340c96e29d62c.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:ruwvvoech	f4009abe9f41da41e48340c96e29d62c.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:crecqyosmlwneafy	f4009abe9f41da41e48340c96e29d62c.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:ruwvvoech	f4009abe9f41da41e48340c96e29d62c.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:colmipagylghfdlek	f4009abe9f41da41e48340c96e29d62c.exe

Kills process with taskkill 87 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3876	taskkill.exe
3684	taskkill.exe
3796	taskkill.exe
1820	taskkill.exe
2708	taskkill.exe
1500	taskkill.exe
2104	taskkill.exe
3844	taskkill.exe
2192	taskkill.exe
3924	taskkill.exe
812	taskkill.exe
344	taskkill.exe
1716	taskkill.exe
2812	taskkill.exe
1168	taskkill.exe
1716	taskkill.exe
1744	taskkill.exe
2724	taskkill.exe
3004	taskkill.exe
2856	taskkill.exe
3536	taskkill.exe
1660	taskkill.exe
3872	taskkill.exe
3928	taskkill.exe
3700	taskkill.exe
3004	taskkill.exe
2472	taskkill.exe
868	taskkill.exe
3824	taskkill.exe
2628	taskkill.exe
3832	taskkill.exe
3276	taskkill.exe
3092	taskkill.exe
944	taskkill.exe
424	taskkill.exe
908	taskkill.exe
3872	taskkill.exe
1440	taskkill.exe
3904	taskkill.exe
808	taskkill.exe
1008	taskkill.exe
3292	taskkill.exe
1140	taskkill.exe
1444	taskkill.exe
3968	taskkill.exe
3848	taskkill.exe
3900	taskkill.exe
3904	taskkill.exe
508	taskkill.exe
588	taskkill.exe
3344	taskkill.exe
3928	taskkill.exe
3772	taskkill.exe
412	taskkill.exe
2120	taskkill.exe
4056	taskkill.exe
1192	taskkill.exe
640	taskkill.exe
1980	taskkill.exe
1980	taskkill.exe
1140	taskkill.exe
2996	taskkill.exe
2432	taskkill.exe
3068	taskkill.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\f4009abe9f41da41e48340c96e29d62c.exe
"C:\Users\Admin\AppData\Local\Temp\f4009abe9f41da41e48340c96e29d62c.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- NTFS ADS
PID:3236

C:\Windows\SysWOW64\cmd.exe
cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
2⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY DELETE /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\SysWOW64\cmd.exe
cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
2⤵
PID:3916

C:\Windows\SysWOW64\cmd.exe
cmd /C bcdedit.exe /set {default} recoveryenabled No
2⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
cmd /C vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:3772

C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\vssvc.exe
2⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM wxServer*
2⤵
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM wxServer*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:3968

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM wxServerView*
2⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM wxServerView*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:3872

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sqlmangr*
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sqlmangr*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:424

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM RAgui*
2⤵
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM RAgui*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM supervise*
2⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM supervise*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:588

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Culture*
2⤵
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Culture*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:3844

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Defwatch*
2⤵
PID:3536

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Defwatch*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:2192

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM winword*
2⤵
PID:3784

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM winword*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBW32*
2⤵
PID:3292

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBW32*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBDBMgr*
2⤵
PID:3852

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBDBMgr*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM qbupdate*
2⤵
PID:2020

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM qbupdate*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:3344

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM axlbridge*
2⤵
PID:3968

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM axlbridge*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:4056

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM httpd*
2⤵
PID:3536

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM httpd*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM fdlauncher*
2⤵
PID:3832

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM fdlauncher*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:3848

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MsDtSrvr*
2⤵
PID:1036

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MsDtSrvr*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM java*
2⤵
PID:500

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM java*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM 360se*
2⤵
PID:588

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM 360se*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:3928

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM 360doctor*
2⤵
PID:3984

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM 360doctor*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:3900

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM wdswfsafe*
2⤵
PID:2204

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM wdswfsafe*
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:908

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM fdhost*
2⤵
PID:3788

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM fdhost*
3⤵
- Kills process with taskkill
PID:3872

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM GDscan*
2⤵
PID:1476

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM GDscan*
3⤵
PID:820

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM ZhuDongFangYu*
2⤵
PID:3784

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM ZhuDongFangYu*
3⤵
- Kills process with taskkill
PID:3292

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBDBMgrN*
2⤵
PID:3768

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBDBMgrN*
3⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM mysqld*
2⤵
PID:3884

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM mysqld*
3⤵
PID:500

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM AutodeskDesktopApp*
2⤵
PID:1828

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM AutodeskDesktopApp*
3⤵
- Kills process with taskkill
PID:3928

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM acwebbrowser*
2⤵
PID:4000

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM acwebbrowser*
3⤵
PID:3900

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Creative Cloud*
2⤵
PID:3916

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Creative Cloud*
3⤵
- Kills process with taskkill
PID:1440

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Adobe Desktop Service*
2⤵
PID:2296

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Adobe Desktop Service*
3⤵
- Kills process with taskkill
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM CoreSync*
2⤵
PID:2052

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM CoreSync*
3⤵
- Kills process with taskkill
PID:3700

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Adobe CEF Helper*
2⤵
PID:1656

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Adobe CEF Helper*
3⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM node*
2⤵
PID:1516

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM node*
3⤵
- Kills process with taskkill
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM AdobeIPCBroker*
2⤵
PID:3820

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM AdobeIPCBroker*
3⤵
- Kills process with taskkill
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sync-taskbar*
2⤵
PID:1652

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sync-taskbar*
3⤵
- Kills process with taskkill
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sync-worker*
2⤵
PID:1168

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sync-worker*
3⤵
- Kills process with taskkill
PID:640

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM InputPersonalization*
2⤵
PID:648

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM InputPersonalization*
3⤵
- Kills process with taskkill
PID:3924

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM AdobeCollabSync*
2⤵
PID:3344

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM AdobeCollabSync*
3⤵
- Kills process with taskkill
PID:344

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM BrCtrlCntr*
2⤵
PID:2300

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM BrCtrlCntr*
3⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM BrCcUxSys*
2⤵
PID:2204

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM BrCcUxSys*
3⤵
- Kills process with taskkill
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SimplyConnectionManager*
2⤵
PID:3700

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SimplyConnectionManager*
3⤵
- Kills process with taskkill
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
2⤵
PID:868

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Simply.SystemTrayIcon*
3⤵
- Kills process with taskkill
PID:412

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM fbguard*
2⤵
PID:2856

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM fbguard*
3⤵
- Kills process with taskkill
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM fbserver*
2⤵
PID:3828

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM fbserver*
3⤵
- Kills process with taskkill
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM ONENOTEM*
2⤵
PID:2996

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM ONENOTEM*
3⤵
PID:656

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM wrapper*
2⤵
PID:1604

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM wrapper*
3⤵
PID:652

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM DefWatch*
2⤵
PID:508

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM DefWatch*
3⤵
- Kills process with taskkill
PID:2472

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM ccEvtMgr*
2⤵
PID:3940

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM ccEvtMgr*
3⤵
PID:908

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM ccSetMgr*
2⤵
PID:4000

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM ccSetMgr*
3⤵
- Kills process with taskkill
PID:3876

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SavRoam*
2⤵
PID:1644

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SavRoam*
3⤵
- Kills process with taskkill
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Sqlservr*
2⤵
PID:2628

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Sqlservr*
3⤵
- Kills process with taskkill
PID:3832

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sqlagent*
2⤵
PID:408

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sqlagent*
3⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sqladhlp*
2⤵
PID:3360

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sqladhlp*
3⤵
- Kills process with taskkill
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Culserver*
2⤵
PID:3068

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Culserver*
3⤵
- Kills process with taskkill
PID:812

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM RTVscan*
2⤵
PID:1752

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM RTVscan*
3⤵
- Kills process with taskkill
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sqlbrowser*
2⤵
PID:500

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sqlbrowser*
3⤵
PID:3844

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLADHLP*
2⤵
PID:1604

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLADHLP*
3⤵
- Kills process with taskkill
PID:3904

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBIDPService*
2⤵
PID:508

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBIDPService*
3⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
2⤵
PID:3092

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Intuit.QuickBooks.FCS*
3⤵
- Kills process with taskkill
PID:3276

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBCFMonitorService*
2⤵
PID:4000

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBCFMonitorService*
3⤵
- Kills process with taskkill
PID:1444

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sqlwriter*
2⤵
PID:1644

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sqlwriter*
3⤵
- Kills process with taskkill
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM msmdsrv*
2⤵
PID:2628

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM msmdsrv*
3⤵
- Kills process with taskkill
PID:868

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM tomcat6*
2⤵
PID:944

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM tomcat6*
3⤵
- Kills process with taskkill
PID:2856

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM zhudongfangyu*
2⤵
PID:2104

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM zhudongfangyu*
3⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM vmware-usbarbitator64*
2⤵
PID:808

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM vmware-usbarbitator64*
3⤵
- Kills process with taskkill
PID:2996

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM vmware-converter*
2⤵
PID:1660

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM vmware-converter*
3⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM dbsrv12*
2⤵
PID:1168

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM dbsrv12*
3⤵
- Kills process with taskkill
PID:3684

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM dbeng8*
2⤵
PID:3904

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM dbeng8*
3⤵
- Kills process with taskkill
PID:3824

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
2⤵
PID:1380

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##WID*
3⤵
PID:3900

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
2⤵
PID:3276

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$VEEAMSQL2012*
3⤵
- Kills process with taskkill
PID:3796

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
2⤵
PID:1444

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
3⤵
- Kills process with taskkill
PID:3772

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLBrowser*
2⤵
PID:2724

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLBrowser*
3⤵
- Kills process with taskkill
PID:3536

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLWriter*
2⤵
PID:868

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLWriter*
3⤵
- Kills process with taskkill
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM FishbowlMySQL*
2⤵
PID:2856

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM FishbowlMySQL*
3⤵
- Kills process with taskkill
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
2⤵
PID:3828

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##WID*
3⤵
PID:3692

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MySQL57*
2⤵
PID:2996

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MySQL57*
3⤵
- Kills process with taskkill
PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
2⤵
PID:544

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
3⤵
- Kills process with taskkill
PID:2432

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
2⤵
PID:3684

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQLServerADHelper100*
3⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
2⤵
PID:3824

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
3⤵
- Kills process with taskkill
PID:508

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM msftesql-Exchange*
2⤵
PID:3900

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM msftesql-Exchange*
3⤵
- Kills process with taskkill
PID:3092

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
2⤵
PID:3796

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
3⤵
PID:4000

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
2⤵
PID:3772

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$SBSMONITORING*
3⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
2⤵
PID:3536

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$SHAREPOINT*
3⤵
- Kills process with taskkill
PID:2628

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
2⤵
PID:2812

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
3⤵
- Kills process with taskkill
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
2⤵
PID:2120

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
3⤵
- Kills process with taskkill
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
2⤵
PID:3692

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLAgent$SBSMONITORING*
3⤵
- Kills process with taskkill
PID:808

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
2⤵
PID:1820

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLAgent$SHAREPOINT*
3⤵
- Kills process with taskkill
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBFCService*
2⤵
PID:2432

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBFCService*
3⤵
- Kills process with taskkill
PID:1168

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBVSS*
2⤵
PID:1604

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBVSS*
3⤵
- Kills process with taskkill
PID:3904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:2572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/344-11-0x0000000000000000-mapping.dmp

Download
memory/344-80-0x0000000000000000-mapping.dmp

Download
memory/408-107-0x0000000000000000-mapping.dmp

Download
memory/412-88-0x0000000000000000-mapping.dmp

Download
memory/424-14-0x0000000000000000-mapping.dmp

Download
memory/500-56-0x0000000000000000-mapping.dmp

Download
memory/500-115-0x0000000000000000-mapping.dmp

Download
memory/500-39-0x0000000000000000-mapping.dmp

Download
memory/508-97-0x0000000000000000-mapping.dmp

Download
memory/508-162-0x0000000000000000-mapping.dmp

Download
memory/508-119-0x0000000000000000-mapping.dmp

Download
memory/544-136-0x0000000000000000-mapping.dmp

Download
memory/544-157-0x0000000000000000-mapping.dmp

Download
memory/564-28-0x0000000000000000-mapping.dmp

Download
memory/588-18-0x0000000000000000-mapping.dmp

Download
memory/588-41-0x0000000000000000-mapping.dmp

Download
memory/640-76-0x0000000000000000-mapping.dmp

Download
memory/648-77-0x0000000000000000-mapping.dmp

Download
memory/652-96-0x0000000000000000-mapping.dmp

Download
memory/656-94-0x0000000000000000-mapping.dmp

Download
memory/808-133-0x0000000000000000-mapping.dmp

Download
memory/808-176-0x0000000000000000-mapping.dmp

Download
memory/812-112-0x0000000000000000-mapping.dmp

Download
memory/820-50-0x0000000000000000-mapping.dmp

Download
memory/868-149-0x0000000000000000-mapping.dmp

Download
memory/868-128-0x0000000000000000-mapping.dmp

Download
memory/868-87-0x0000000000000000-mapping.dmp

Download
memory/908-100-0x0000000000000000-mapping.dmp

Download
memory/908-46-0x0000000000000000-mapping.dmp

Download
memory/944-172-0x0000000000000000-mapping.dmp

Download
memory/944-129-0x0000000000000000-mapping.dmp

Download
memory/1008-34-0x0000000000000000-mapping.dmp

Download
memory/1036-37-0x0000000000000000-mapping.dmp

Download
memory/1140-74-0x0000000000000000-mapping.dmp

Download
memory/1140-114-0x0000000000000000-mapping.dmp

Download
memory/1168-137-0x0000000000000000-mapping.dmp

Download
memory/1168-75-0x0000000000000000-mapping.dmp

Download
memory/1168-180-0x0000000000000000-mapping.dmp

Download
memory/1192-40-0x0000000000000000-mapping.dmp

Download
memory/1204-54-0x0000000000000000-mapping.dmp

Download
memory/1380-120-0x0000000000000000-mapping.dmp

Download
memory/1380-141-0x0000000000000000-mapping.dmp

Download
memory/1440-82-0x0000000000000000-mapping.dmp

Download
memory/1440-62-0x0000000000000000-mapping.dmp

Download
memory/1444-124-0x0000000000000000-mapping.dmp

Download
memory/1444-145-0x0000000000000000-mapping.dmp

Download
memory/1476-49-0x0000000000000000-mapping.dmp

Download
memory/1500-110-0x0000000000000000-mapping.dmp

Download
memory/1516-69-0x0000000000000000-mapping.dmp

Download
memory/1604-117-0x0000000000000000-mapping.dmp

Download
memory/1604-181-0x0000000000000000-mapping.dmp

Download
memory/1604-160-0x0000000000000000-mapping.dmp

Download
memory/1604-95-0x0000000000000000-mapping.dmp

Download
memory/1624-13-0x0000000000000000-mapping.dmp

Download
memory/1644-125-0x0000000000000000-mapping.dmp

Download
memory/1644-103-0x0000000000000000-mapping.dmp

Download
memory/1644-168-0x0000000000000000-mapping.dmp

Download
memory/1652-73-0x0000000000000000-mapping.dmp

Download
memory/1656-67-0x0000000000000000-mapping.dmp

Download
memory/1660-178-0x0000000000000000-mapping.dmp

Download
memory/1660-135-0x0000000000000000-mapping.dmp

Download
memory/1716-92-0x0000000000000000-mapping.dmp

Download
memory/1716-72-0x0000000000000000-mapping.dmp

Download
memory/1744-104-0x0000000000000000-mapping.dmp

Download
memory/1752-113-0x0000000000000000-mapping.dmp

Download
memory/1820-177-0x0000000000000000-mapping.dmp

Download
memory/1820-156-0x0000000000000000-mapping.dmp

Download
memory/1828-57-0x0000000000000000-mapping.dmp

Download
memory/1980-64-0x0000000000000000-mapping.dmp

Download
memory/1980-84-0x0000000000000000-mapping.dmp

Download
memory/2020-29-0x0000000000000000-mapping.dmp

Download
memory/2052-65-0x0000000000000000-mapping.dmp

Download
memory/2052-24-0x0000000000000000-mapping.dmp

Download
memory/2104-131-0x0000000000000000-mapping.dmp

Download
memory/2104-174-0x0000000000000000-mapping.dmp

Download
memory/2120-173-0x0000000000000000-mapping.dmp

Download
memory/2120-152-0x0000000000000000-mapping.dmp

Download
memory/2192-22-0x0000000000000000-mapping.dmp

Download
memory/2204-45-0x0000000000000000-mapping.dmp

Download
memory/2204-83-0x0000000000000000-mapping.dmp

Download
memory/2296-63-0x0000000000000000-mapping.dmp

Download
memory/2300-81-0x0000000000000000-mapping.dmp

Download
memory/2432-158-0x0000000000000000-mapping.dmp

Download
memory/2432-179-0x0000000000000000-mapping.dmp

Download
memory/2472-98-0x0000000000000000-mapping.dmp

Download
memory/2628-170-0x0000000000000000-mapping.dmp

Download
memory/2628-105-0x0000000000000000-mapping.dmp

Download
memory/2628-127-0x0000000000000000-mapping.dmp

Download
memory/2708-86-0x0000000000000000-mapping.dmp

Download
memory/2724-147-0x0000000000000000-mapping.dmp

Download
memory/2724-126-0x0000000000000000-mapping.dmp

Download
memory/2812-171-0x0000000000000000-mapping.dmp

Download
memory/2812-150-0x0000000000000000-mapping.dmp

Download
memory/2820-108-0x0000000000000000-mapping.dmp

Download
memory/2856-89-0x0000000000000000-mapping.dmp

Download
memory/2856-130-0x0000000000000000-mapping.dmp

Download
memory/2856-151-0x0000000000000000-mapping.dmp

Download
memory/2908-2-0x0000000000000000-mapping.dmp

Download
memory/2996-93-0x0000000000000000-mapping.dmp

Download
memory/2996-155-0x0000000000000000-mapping.dmp

Download
memory/2996-134-0x0000000000000000-mapping.dmp

Download
memory/3004-90-0x0000000000000000-mapping.dmp

Download
memory/3004-70-0x0000000000000000-mapping.dmp

Download
memory/3068-16-0x0000000000000000-mapping.dmp

Download
memory/3068-111-0x0000000000000000-mapping.dmp

Download
memory/3092-164-0x0000000000000000-mapping.dmp

Download
memory/3092-121-0x0000000000000000-mapping.dmp

Download
memory/3276-143-0x0000000000000000-mapping.dmp

Download
memory/3276-122-0x0000000000000000-mapping.dmp

Download
memory/3292-52-0x0000000000000000-mapping.dmp

Download
memory/3292-25-0x0000000000000000-mapping.dmp

Download
memory/3344-30-0x0000000000000000-mapping.dmp

Download
memory/3344-79-0x0000000000000000-mapping.dmp

Download
memory/3360-109-0x0000000000000000-mapping.dmp

Download
memory/3360-8-0x0000000000000000-mapping.dmp

Download
memory/3360-68-0x0000000000000000-mapping.dmp

Download
memory/3448-26-0x0000000000000000-mapping.dmp

Download
memory/3508-9-0x0000000000000000-mapping.dmp

Download
memory/3536-169-0x0000000000000000-mapping.dmp

Download
memory/3536-21-0x0000000000000000-mapping.dmp

Download
memory/3536-148-0x0000000000000000-mapping.dmp

Download
memory/3536-33-0x0000000000000000-mapping.dmp

Download
memory/3612-38-0x0000000000000000-mapping.dmp

Download
memory/3684-159-0x0000000000000000-mapping.dmp

Download
memory/3684-138-0x0000000000000000-mapping.dmp

Download
memory/3692-154-0x0000000000000000-mapping.dmp

Download
memory/3692-175-0x0000000000000000-mapping.dmp

Download
memory/3692-6-0x0000000000000000-mapping.dmp

Download
memory/3700-66-0x0000000000000000-mapping.dmp

Download
memory/3700-85-0x0000000000000000-mapping.dmp

Download
memory/3768-15-0x0000000000000000-mapping.dmp

Download
memory/3768-53-0x0000000000000000-mapping.dmp

Download
memory/3772-167-0x0000000000000000-mapping.dmp

Download
memory/3772-146-0x0000000000000000-mapping.dmp

Download
memory/3772-7-0x0000000000000000-mapping.dmp

Download
memory/3784-23-0x0000000000000000-mapping.dmp

Download
memory/3784-51-0x0000000000000000-mapping.dmp

Download
memory/3788-47-0x0000000000000000-mapping.dmp

Download
memory/3796-165-0x0000000000000000-mapping.dmp

Download
memory/3796-144-0x0000000000000000-mapping.dmp

Download
memory/3820-71-0x0000000000000000-mapping.dmp

Download
memory/3824-140-0x0000000000000000-mapping.dmp

Download
memory/3824-161-0x0000000000000000-mapping.dmp

Download
memory/3828-91-0x0000000000000000-mapping.dmp

Download
memory/3828-132-0x0000000000000000-mapping.dmp

Download
memory/3828-153-0x0000000000000000-mapping.dmp

Download
memory/3832-106-0x0000000000000000-mapping.dmp

Download
memory/3832-35-0x0000000000000000-mapping.dmp

Download
memory/3844-20-0x0000000000000000-mapping.dmp

Download
memory/3844-116-0x0000000000000000-mapping.dmp

Download
memory/3848-36-0x0000000000000000-mapping.dmp

Download
memory/3852-27-0x0000000000000000-mapping.dmp

Download
memory/3872-48-0x0000000000000000-mapping.dmp

Download
memory/3872-12-0x0000000000000000-mapping.dmp

Download
memory/3876-102-0x0000000000000000-mapping.dmp

Download
memory/3884-55-0x0000000000000000-mapping.dmp

Download
memory/3896-0-0x0000000000000000-mapping.dmp

Download
memory/3900-60-0x0000000000000000-mapping.dmp

Download
memory/3900-142-0x0000000000000000-mapping.dmp

Download
memory/3900-163-0x0000000000000000-mapping.dmp

Download
memory/3900-44-0x0000000000000000-mapping.dmp

Download
memory/3904-182-0x0000000000000000-mapping.dmp

Download
memory/3904-139-0x0000000000000000-mapping.dmp

Download
memory/3904-1-0x0000000000000000-mapping.dmp

Download
memory/3904-118-0x0000000000000000-mapping.dmp

Download
memory/3916-3-0x0000000000000000-mapping.dmp

Download
memory/3916-61-0x0000000000000000-mapping.dmp

Download
memory/3924-78-0x0000000000000000-mapping.dmp

Download
memory/3928-58-0x0000000000000000-mapping.dmp

Download
memory/3928-42-0x0000000000000000-mapping.dmp

Download
memory/3940-99-0x0000000000000000-mapping.dmp

Download
memory/3940-19-0x0000000000000000-mapping.dmp

Download
memory/3944-17-0x0000000000000000-mapping.dmp

Download
memory/3952-4-0x0000000000000000-mapping.dmp

Download
memory/3968-31-0x0000000000000000-mapping.dmp

Download
memory/3968-10-0x0000000000000000-mapping.dmp

Download
memory/3984-43-0x0000000000000000-mapping.dmp

Download
memory/4000-123-0x0000000000000000-mapping.dmp

Download
memory/4000-59-0x0000000000000000-mapping.dmp

Download
memory/4000-166-0x0000000000000000-mapping.dmp

Download
memory/4000-101-0x0000000000000000-mapping.dmp

Download
memory/4056-5-0x0000000000000000-mapping.dmp

Download
memory/4056-32-0x0000000000000000-mapping.dmp

Download