exorcist | 027d99aaaa6803a07d07ce0ba1fa66964388129d3b26dcf8621a3310692b0a61

Analysis

max time kernel
146s
max time network
88s
platform
windows7_x64
resource
win7v200722
submitted
24-07-2020 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f188cf267d209a0209a25bda4bb75b86.exe
Size

43KB
MD5

f188cf267d209a0209a25bda4bb75b86
SHA1

3ef4c199d1b5187784f4d709ab8e1cc6901716e8
SHA256

027d99aaaa6803a07d07ce0ba1fa66964388129d3b26dcf8621a3310692b0a61
SHA512

abe64e07cb279dad66df081d0f374f2948fec444872f09fb968de6b74848414ab354c27598475d919d8a48670e4b42a75eadd6392a550fb727d8422324a9c535

Score

10^/10

ransomware persistence exorcist

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:dxvsbnvje	f188cf267d209a0209a25bda4bb75b86.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:oudzwxfzjgvlopxy	f188cf267d209a0209a25bda4bb75b86.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:dxvsbnvje	f188cf267d209a0209a25bda4bb75b86.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:orkjoornvgffpsdex	f188cf267d209a0209a25bda4bb75b86.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:zlnrfdizjwacp	f188cf267d209a0209a25bda4bb75b86.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1496	timeout.exe

Kills process with taskkill 87 IoCs

evasion

pid	Process
656	taskkill.exe
1664	taskkill.exe
848	taskkill.exe
1948	taskkill.exe
1220	taskkill.exe
1992	taskkill.exe
1848	taskkill.exe
744	taskkill.exe
1888	taskkill.exe
1984	taskkill.exe
1732	taskkill.exe
568	taskkill.exe
1688	taskkill.exe
1996	taskkill.exe
276	taskkill.exe
1984	taskkill.exe
1812	taskkill.exe
1768	taskkill.exe
848	taskkill.exe
1376	taskkill.exe
1196	taskkill.exe
368	taskkill.exe
1332	taskkill.exe
1672	taskkill.exe
1428	taskkill.exe
1220	taskkill.exe
1972	taskkill.exe
1796	taskkill.exe
1988	taskkill.exe
1332	taskkill.exe
1484	taskkill.exe
1144	taskkill.exe
1768	taskkill.exe
1952	taskkill.exe
1616	taskkill.exe
1984	taskkill.exe
568	taskkill.exe
744	taskkill.exe
1112	taskkill.exe
1948	taskkill.exe
1260	taskkill.exe
1780	taskkill.exe
1600	taskkill.exe
2040	taskkill.exe
620	taskkill.exe
828	taskkill.exe
1568	taskkill.exe
1892	taskkill.exe
1092	taskkill.exe
1860	taskkill.exe
620	taskkill.exe
1980	taskkill.exe
288	taskkill.exe
1236	taskkill.exe
1936	taskkill.exe
288	taskkill.exe
1616	taskkill.exe
1924	taskkill.exe
1484	taskkill.exe
1520	taskkill.exe
1404	taskkill.exe
1804	taskkill.exe
1600	taskkill.exe
1860	taskkill.exe
1404	taskkill.exe
1192	taskkill.exe
1144	taskkill.exe
1852	taskkill.exe
1260	taskkill.exe
1596	taskkill.exe
1616	taskkill.exe
1972	taskkill.exe
368	taskkill.exe
1936	taskkill.exe
1572	taskkill.exe
1816	taskkill.exe
1756	taskkill.exe
568	taskkill.exe
1596	taskkill.exe
1992	taskkill.exe
1664	taskkill.exe
2036	taskkill.exe
1732	taskkill.exe
1760	taskkill.exe
528	taskkill.exe
796	taskkill.exe
2040	taskkill.exe

Suspicious use of AdjustPrivilegeToken 127 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	848	WMIC.exe
Token: SeSecurityPrivilege	848	WMIC.exe
Token: SeTakeOwnershipPrivilege	848	WMIC.exe
Token: SeLoadDriverPrivilege	848	WMIC.exe
Token: SeSystemProfilePrivilege	848	WMIC.exe
Token: SeSystemtimePrivilege	848	WMIC.exe
Token: SeProfSingleProcessPrivilege	848	WMIC.exe
Token: SeIncBasePriorityPrivilege	848	WMIC.exe
Token: SeCreatePagefilePrivilege	848	WMIC.exe
Token: SeBackupPrivilege	848	WMIC.exe
Token: SeRestorePrivilege	848	WMIC.exe
Token: SeShutdownPrivilege	848	WMIC.exe
Token: SeDebugPrivilege	848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	848	WMIC.exe
Token: SeRemoteShutdownPrivilege	848	WMIC.exe
Token: SeUndockPrivilege	848	WMIC.exe
Token: SeManageVolumePrivilege	848	WMIC.exe
Token: 33	848	WMIC.exe
Token: 34	848	WMIC.exe
Token: 35	848	WMIC.exe
Token: SeIncreaseQuotaPrivilege	848	WMIC.exe
Token: SeSecurityPrivilege	848	WMIC.exe
Token: SeTakeOwnershipPrivilege	848	WMIC.exe
Token: SeLoadDriverPrivilege	848	WMIC.exe
Token: SeSystemProfilePrivilege	848	WMIC.exe
Token: SeSystemtimePrivilege	848	WMIC.exe
Token: SeProfSingleProcessPrivilege	848	WMIC.exe
Token: SeIncBasePriorityPrivilege	848	WMIC.exe
Token: SeCreatePagefilePrivilege	848	WMIC.exe
Token: SeBackupPrivilege	848	WMIC.exe
Token: SeRestorePrivilege	848	WMIC.exe
Token: SeShutdownPrivilege	848	WMIC.exe
Token: SeDebugPrivilege	848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	848	WMIC.exe
Token: SeRemoteShutdownPrivilege	848	WMIC.exe
Token: SeUndockPrivilege	848	WMIC.exe
Token: SeManageVolumePrivilege	848	WMIC.exe
Token: 33	848	WMIC.exe
Token: 34	848	WMIC.exe
Token: 35	848	WMIC.exe
Token: SeBackupPrivilege	1068	vssvc.exe
Token: SeRestorePrivilege	1068	vssvc.exe
Token: SeAuditPrivilege	1068	vssvc.exe
Token: SeDebugPrivilege	568	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	1260	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	848	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	528	taskkill.exe
Token: SeDebugPrivilege	568	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	796	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	620	taskkill.exe
Token: SeDebugPrivilege	744	taskkill.exe
Token: SeDebugPrivilege	1220	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeDebugPrivilege	1428	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	368	taskkill.exe
Token: SeDebugPrivilege	656	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	620	taskkill.exe
Token: SeDebugPrivilege	744	taskkill.exe
Token: SeDebugPrivilege	1220	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	1260	taskkill.exe
Token: SeDebugPrivilege	276	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	568	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe

Deletes itself 1 IoCs

pid	Process
2040	cmd.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1772	vssadmin.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082
Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d.bmp"	f188cf267d209a0209a25bda4bb75b86.exe

Suspicious use of WriteProcessMemory 740 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1516	1108	f188cf267d209a0209a25bda4bb75b86.exe	25
PID 1108 wrote to memory of 1516	1108	f188cf267d209a0209a25bda4bb75b86.exe	25
PID 1108 wrote to memory of 1516	1108	f188cf267d209a0209a25bda4bb75b86.exe	25
PID 1108 wrote to memory of 1516	1108	f188cf267d209a0209a25bda4bb75b86.exe	25
PID 1516 wrote to memory of 848	1516	cmd.exe	27
PID 1516 wrote to memory of 848	1516	cmd.exe	27
PID 1516 wrote to memory of 848	1516	cmd.exe	27
PID 1516 wrote to memory of 848	1516	cmd.exe	27
PID 1108 wrote to memory of 1688	1108	f188cf267d209a0209a25bda4bb75b86.exe	30
PID 1108 wrote to memory of 1688	1108	f188cf267d209a0209a25bda4bb75b86.exe	30
PID 1108 wrote to memory of 1688	1108	f188cf267d209a0209a25bda4bb75b86.exe	30
PID 1108 wrote to memory of 1688	1108	f188cf267d209a0209a25bda4bb75b86.exe	30
PID 1108 wrote to memory of 1196	1108	f188cf267d209a0209a25bda4bb75b86.exe	32
PID 1108 wrote to memory of 1196	1108	f188cf267d209a0209a25bda4bb75b86.exe	32
PID 1108 wrote to memory of 1196	1108	f188cf267d209a0209a25bda4bb75b86.exe	32
PID 1108 wrote to memory of 1196	1108	f188cf267d209a0209a25bda4bb75b86.exe	32
PID 1108 wrote to memory of 1824	1108	f188cf267d209a0209a25bda4bb75b86.exe	34
PID 1108 wrote to memory of 1824	1108	f188cf267d209a0209a25bda4bb75b86.exe	34
PID 1108 wrote to memory of 1824	1108	f188cf267d209a0209a25bda4bb75b86.exe	34
PID 1108 wrote to memory of 1824	1108	f188cf267d209a0209a25bda4bb75b86.exe	34
PID 1108 wrote to memory of 1848	1108	f188cf267d209a0209a25bda4bb75b86.exe	36
PID 1108 wrote to memory of 1848	1108	f188cf267d209a0209a25bda4bb75b86.exe	36
PID 1108 wrote to memory of 1848	1108	f188cf267d209a0209a25bda4bb75b86.exe	36
PID 1108 wrote to memory of 1848	1108	f188cf267d209a0209a25bda4bb75b86.exe	36
PID 1108 wrote to memory of 1776	1108	f188cf267d209a0209a25bda4bb75b86.exe	38
PID 1108 wrote to memory of 1776	1108	f188cf267d209a0209a25bda4bb75b86.exe	38
PID 1108 wrote to memory of 1776	1108	f188cf267d209a0209a25bda4bb75b86.exe	38
PID 1108 wrote to memory of 1776	1108	f188cf267d209a0209a25bda4bb75b86.exe	38
PID 1776 wrote to memory of 1772	1776	cmd.exe	40
PID 1776 wrote to memory of 1772	1776	cmd.exe	40
PID 1776 wrote to memory of 1772	1776	cmd.exe	40
PID 1776 wrote to memory of 1772	1776	cmd.exe	40
PID 1108 wrote to memory of 772	1108	f188cf267d209a0209a25bda4bb75b86.exe	41
PID 1108 wrote to memory of 772	1108	f188cf267d209a0209a25bda4bb75b86.exe	41
PID 1108 wrote to memory of 772	1108	f188cf267d209a0209a25bda4bb75b86.exe	41
PID 1108 wrote to memory of 772	1108	f188cf267d209a0209a25bda4bb75b86.exe	41
PID 1108 wrote to memory of 892	1108	f188cf267d209a0209a25bda4bb75b86.exe	43
PID 1108 wrote to memory of 892	1108	f188cf267d209a0209a25bda4bb75b86.exe	43
PID 1108 wrote to memory of 892	1108	f188cf267d209a0209a25bda4bb75b86.exe	43
PID 1108 wrote to memory of 892	1108	f188cf267d209a0209a25bda4bb75b86.exe	43
PID 892 wrote to memory of 568	892	cmd.exe	45
PID 892 wrote to memory of 568	892	cmd.exe	45
PID 892 wrote to memory of 568	892	cmd.exe	45
PID 892 wrote to memory of 568	892	cmd.exe	45
PID 1108 wrote to memory of 1596	1108	f188cf267d209a0209a25bda4bb75b86.exe	47
PID 1108 wrote to memory of 1596	1108	f188cf267d209a0209a25bda4bb75b86.exe	47
PID 1108 wrote to memory of 1596	1108	f188cf267d209a0209a25bda4bb75b86.exe	47
PID 1108 wrote to memory of 1596	1108	f188cf267d209a0209a25bda4bb75b86.exe	47
PID 1596 wrote to memory of 1616	1596	cmd.exe	49
PID 1596 wrote to memory of 1616	1596	cmd.exe	49
PID 1596 wrote to memory of 1616	1596	cmd.exe	49
PID 1596 wrote to memory of 1616	1596	cmd.exe	49
PID 1108 wrote to memory of 1936	1108	f188cf267d209a0209a25bda4bb75b86.exe	50
PID 1108 wrote to memory of 1936	1108	f188cf267d209a0209a25bda4bb75b86.exe	50
PID 1108 wrote to memory of 1936	1108	f188cf267d209a0209a25bda4bb75b86.exe	50
PID 1108 wrote to memory of 1936	1108	f188cf267d209a0209a25bda4bb75b86.exe	50
PID 1936 wrote to memory of 1924	1936	cmd.exe	52
PID 1936 wrote to memory of 1924	1936	cmd.exe	52
PID 1936 wrote to memory of 1924	1936	cmd.exe	52
PID 1936 wrote to memory of 1924	1936	cmd.exe	52
PID 1108 wrote to memory of 1996	1108	f188cf267d209a0209a25bda4bb75b86.exe	53
PID 1108 wrote to memory of 1996	1108	f188cf267d209a0209a25bda4bb75b86.exe	53
PID 1108 wrote to memory of 1996	1108	f188cf267d209a0209a25bda4bb75b86.exe	53
PID 1108 wrote to memory of 1996	1108	f188cf267d209a0209a25bda4bb75b86.exe	53
PID 1996 wrote to memory of 1984	1996	cmd.exe	55
PID 1996 wrote to memory of 1984	1996	cmd.exe	55
PID 1996 wrote to memory of 1984	1996	cmd.exe	55
PID 1996 wrote to memory of 1984	1996	cmd.exe	55
PID 1108 wrote to memory of 2040	1108	f188cf267d209a0209a25bda4bb75b86.exe	56
PID 1108 wrote to memory of 2040	1108	f188cf267d209a0209a25bda4bb75b86.exe	56
PID 1108 wrote to memory of 2040	1108	f188cf267d209a0209a25bda4bb75b86.exe	56
PID 1108 wrote to memory of 2040	1108	f188cf267d209a0209a25bda4bb75b86.exe	56
PID 2040 wrote to memory of 1260	2040	cmd.exe	58
PID 2040 wrote to memory of 1260	2040	cmd.exe	58
PID 2040 wrote to memory of 1260	2040	cmd.exe	58
PID 2040 wrote to memory of 1260	2040	cmd.exe	58
PID 1108 wrote to memory of 1492	1108	f188cf267d209a0209a25bda4bb75b86.exe	59
PID 1108 wrote to memory of 1492	1108	f188cf267d209a0209a25bda4bb75b86.exe	59
PID 1108 wrote to memory of 1492	1108	f188cf267d209a0209a25bda4bb75b86.exe	59
PID 1108 wrote to memory of 1492	1108	f188cf267d209a0209a25bda4bb75b86.exe	59
PID 1492 wrote to memory of 1404	1492	cmd.exe	61
PID 1492 wrote to memory of 1404	1492	cmd.exe	61
PID 1492 wrote to memory of 1404	1492	cmd.exe	61
PID 1492 wrote to memory of 1404	1492	cmd.exe	61
PID 1108 wrote to memory of 1664	1108	f188cf267d209a0209a25bda4bb75b86.exe	62
PID 1108 wrote to memory of 1664	1108	f188cf267d209a0209a25bda4bb75b86.exe	62
PID 1108 wrote to memory of 1664	1108	f188cf267d209a0209a25bda4bb75b86.exe	62
PID 1108 wrote to memory of 1664	1108	f188cf267d209a0209a25bda4bb75b86.exe	62
PID 1664 wrote to memory of 848	1664	cmd.exe	64
PID 1664 wrote to memory of 848	1664	cmd.exe	64
PID 1664 wrote to memory of 848	1664	cmd.exe	64
PID 1664 wrote to memory of 848	1664	cmd.exe	64
PID 1108 wrote to memory of 1372	1108	f188cf267d209a0209a25bda4bb75b86.exe	65
PID 1108 wrote to memory of 1372	1108	f188cf267d209a0209a25bda4bb75b86.exe	65
PID 1108 wrote to memory of 1372	1108	f188cf267d209a0209a25bda4bb75b86.exe	65
PID 1108 wrote to memory of 1372	1108	f188cf267d209a0209a25bda4bb75b86.exe	65
PID 1372 wrote to memory of 1192	1372	cmd.exe	67
PID 1372 wrote to memory of 1192	1372	cmd.exe	67
PID 1372 wrote to memory of 1192	1372	cmd.exe	67
PID 1372 wrote to memory of 1192	1372	cmd.exe	67
PID 1108 wrote to memory of 1828	1108	f188cf267d209a0209a25bda4bb75b86.exe	68
PID 1108 wrote to memory of 1828	1108	f188cf267d209a0209a25bda4bb75b86.exe	68
PID 1108 wrote to memory of 1828	1108	f188cf267d209a0209a25bda4bb75b86.exe	68
PID 1108 wrote to memory of 1828	1108	f188cf267d209a0209a25bda4bb75b86.exe	68
PID 1828 wrote to memory of 1732	1828	cmd.exe	70
PID 1828 wrote to memory of 1732	1828	cmd.exe	70
PID 1828 wrote to memory of 1732	1828	cmd.exe	70
PID 1828 wrote to memory of 1732	1828	cmd.exe	70
PID 1108 wrote to memory of 524	1108	f188cf267d209a0209a25bda4bb75b86.exe	71
PID 1108 wrote to memory of 524	1108	f188cf267d209a0209a25bda4bb75b86.exe	71
PID 1108 wrote to memory of 524	1108	f188cf267d209a0209a25bda4bb75b86.exe	71
PID 1108 wrote to memory of 524	1108	f188cf267d209a0209a25bda4bb75b86.exe	71
PID 524 wrote to memory of 1780	524	cmd.exe	73
PID 524 wrote to memory of 1780	524	cmd.exe	73
PID 524 wrote to memory of 1780	524	cmd.exe	73
PID 524 wrote to memory of 1780	524	cmd.exe	73
PID 1108 wrote to memory of 1328	1108	f188cf267d209a0209a25bda4bb75b86.exe	74
PID 1108 wrote to memory of 1328	1108	f188cf267d209a0209a25bda4bb75b86.exe	74
PID 1108 wrote to memory of 1328	1108	f188cf267d209a0209a25bda4bb75b86.exe	74
PID 1108 wrote to memory of 1328	1108	f188cf267d209a0209a25bda4bb75b86.exe	74
PID 1328 wrote to memory of 1672	1328	cmd.exe	76
PID 1328 wrote to memory of 1672	1328	cmd.exe	76
PID 1328 wrote to memory of 1672	1328	cmd.exe	76
PID 1328 wrote to memory of 1672	1328	cmd.exe	76
PID 1108 wrote to memory of 1588	1108	f188cf267d209a0209a25bda4bb75b86.exe	77
PID 1108 wrote to memory of 1588	1108	f188cf267d209a0209a25bda4bb75b86.exe	77
PID 1108 wrote to memory of 1588	1108	f188cf267d209a0209a25bda4bb75b86.exe	77
PID 1108 wrote to memory of 1588	1108	f188cf267d209a0209a25bda4bb75b86.exe	77
PID 1588 wrote to memory of 1568	1588	cmd.exe	79
PID 1588 wrote to memory of 1568	1588	cmd.exe	79
PID 1588 wrote to memory of 1568	1588	cmd.exe	79
PID 1588 wrote to memory of 1568	1588	cmd.exe	79
PID 1108 wrote to memory of 1928	1108	f188cf267d209a0209a25bda4bb75b86.exe	80
PID 1108 wrote to memory of 1928	1108	f188cf267d209a0209a25bda4bb75b86.exe	80
PID 1108 wrote to memory of 1928	1108	f188cf267d209a0209a25bda4bb75b86.exe	80
PID 1108 wrote to memory of 1928	1108	f188cf267d209a0209a25bda4bb75b86.exe	80
PID 1928 wrote to memory of 1892	1928	cmd.exe	82
PID 1928 wrote to memory of 1892	1928	cmd.exe	82
PID 1928 wrote to memory of 1892	1928	cmd.exe	82
PID 1928 wrote to memory of 1892	1928	cmd.exe	82
PID 1108 wrote to memory of 2004	1108	f188cf267d209a0209a25bda4bb75b86.exe	83
PID 1108 wrote to memory of 2004	1108	f188cf267d209a0209a25bda4bb75b86.exe	83
PID 1108 wrote to memory of 2004	1108	f188cf267d209a0209a25bda4bb75b86.exe	83
PID 1108 wrote to memory of 2004	1108	f188cf267d209a0209a25bda4bb75b86.exe	83
PID 2004 wrote to memory of 1952	2004	cmd.exe	85
PID 2004 wrote to memory of 1952	2004	cmd.exe	85
PID 2004 wrote to memory of 1952	2004	cmd.exe	85
PID 2004 wrote to memory of 1952	2004	cmd.exe	85
PID 1108 wrote to memory of 828	1108	f188cf267d209a0209a25bda4bb75b86.exe	86
PID 1108 wrote to memory of 828	1108	f188cf267d209a0209a25bda4bb75b86.exe	86
PID 1108 wrote to memory of 828	1108	f188cf267d209a0209a25bda4bb75b86.exe	86
PID 1108 wrote to memory of 828	1108	f188cf267d209a0209a25bda4bb75b86.exe	86
PID 828 wrote to memory of 1144	828	cmd.exe	88
PID 828 wrote to memory of 1144	828	cmd.exe	88
PID 828 wrote to memory of 1144	828	cmd.exe	88
PID 828 wrote to memory of 1144	828	cmd.exe	88
PID 1108 wrote to memory of 1504	1108	f188cf267d209a0209a25bda4bb75b86.exe	89
PID 1108 wrote to memory of 1504	1108	f188cf267d209a0209a25bda4bb75b86.exe	89
PID 1108 wrote to memory of 1504	1108	f188cf267d209a0209a25bda4bb75b86.exe	89
PID 1108 wrote to memory of 1504	1108	f188cf267d209a0209a25bda4bb75b86.exe	89
PID 1504 wrote to memory of 288	1504	cmd.exe	91
PID 1504 wrote to memory of 288	1504	cmd.exe	91
PID 1504 wrote to memory of 288	1504	cmd.exe	91
PID 1504 wrote to memory of 288	1504	cmd.exe	91
PID 1108 wrote to memory of 1604	1108	f188cf267d209a0209a25bda4bb75b86.exe	92
PID 1108 wrote to memory of 1604	1108	f188cf267d209a0209a25bda4bb75b86.exe	92
PID 1108 wrote to memory of 1604	1108	f188cf267d209a0209a25bda4bb75b86.exe	92
PID 1108 wrote to memory of 1604	1108	f188cf267d209a0209a25bda4bb75b86.exe	92
PID 1604 wrote to memory of 1520	1604	cmd.exe	94
PID 1604 wrote to memory of 1520	1604	cmd.exe	94
PID 1604 wrote to memory of 1520	1604	cmd.exe	94
PID 1604 wrote to memory of 1520	1604	cmd.exe	94
PID 1108 wrote to memory of 1688	1108	f188cf267d209a0209a25bda4bb75b86.exe	95
PID 1108 wrote to memory of 1688	1108	f188cf267d209a0209a25bda4bb75b86.exe	95
PID 1108 wrote to memory of 1688	1108	f188cf267d209a0209a25bda4bb75b86.exe	95
PID 1108 wrote to memory of 1688	1108	f188cf267d209a0209a25bda4bb75b86.exe	95
PID 1688 wrote to memory of 1812	1688	cmd.exe	97
PID 1688 wrote to memory of 1812	1688	cmd.exe	97
PID 1688 wrote to memory of 1812	1688	cmd.exe	97
PID 1688 wrote to memory of 1812	1688	cmd.exe	97
PID 1108 wrote to memory of 1840	1108	f188cf267d209a0209a25bda4bb75b86.exe	98
PID 1108 wrote to memory of 1840	1108	f188cf267d209a0209a25bda4bb75b86.exe	98
PID 1108 wrote to memory of 1840	1108	f188cf267d209a0209a25bda4bb75b86.exe	98
PID 1108 wrote to memory of 1840	1108	f188cf267d209a0209a25bda4bb75b86.exe	98
PID 1840 wrote to memory of 1768	1840	cmd.exe	100
PID 1840 wrote to memory of 1768	1840	cmd.exe	100
PID 1840 wrote to memory of 1768	1840	cmd.exe	100
PID 1840 wrote to memory of 1768	1840	cmd.exe	100
PID 1108 wrote to memory of 1764	1108	f188cf267d209a0209a25bda4bb75b86.exe	101
PID 1108 wrote to memory of 1764	1108	f188cf267d209a0209a25bda4bb75b86.exe	101
PID 1108 wrote to memory of 1764	1108	f188cf267d209a0209a25bda4bb75b86.exe	101
PID 1108 wrote to memory of 1764	1108	f188cf267d209a0209a25bda4bb75b86.exe	101
PID 1764 wrote to memory of 528	1764	cmd.exe	103
PID 1764 wrote to memory of 528	1764	cmd.exe	103
PID 1764 wrote to memory of 528	1764	cmd.exe	103
PID 1764 wrote to memory of 528	1764	cmd.exe	103
PID 1108 wrote to memory of 1528	1108	f188cf267d209a0209a25bda4bb75b86.exe	104
PID 1108 wrote to memory of 1528	1108	f188cf267d209a0209a25bda4bb75b86.exe	104
PID 1108 wrote to memory of 1528	1108	f188cf267d209a0209a25bda4bb75b86.exe	104
PID 1108 wrote to memory of 1528	1108	f188cf267d209a0209a25bda4bb75b86.exe	104
PID 1528 wrote to memory of 568	1528	cmd.exe	106
PID 1528 wrote to memory of 568	1528	cmd.exe	106
PID 1528 wrote to memory of 568	1528	cmd.exe	106
PID 1528 wrote to memory of 568	1528	cmd.exe	106
PID 1108 wrote to memory of 1580	1108	f188cf267d209a0209a25bda4bb75b86.exe	107
PID 1108 wrote to memory of 1580	1108	f188cf267d209a0209a25bda4bb75b86.exe	107
PID 1108 wrote to memory of 1580	1108	f188cf267d209a0209a25bda4bb75b86.exe	107
PID 1108 wrote to memory of 1580	1108	f188cf267d209a0209a25bda4bb75b86.exe	107
PID 1580 wrote to memory of 1616	1580	cmd.exe	109
PID 1580 wrote to memory of 1616	1580	cmd.exe	109
PID 1580 wrote to memory of 1616	1580	cmd.exe	109
PID 1580 wrote to memory of 1616	1580	cmd.exe	109
PID 1108 wrote to memory of 1884	1108	f188cf267d209a0209a25bda4bb75b86.exe	110
PID 1108 wrote to memory of 1884	1108	f188cf267d209a0209a25bda4bb75b86.exe	110
PID 1108 wrote to memory of 1884	1108	f188cf267d209a0209a25bda4bb75b86.exe	110
PID 1108 wrote to memory of 1884	1108	f188cf267d209a0209a25bda4bb75b86.exe	110
PID 1884 wrote to memory of 1948	1884	cmd.exe	112
PID 1884 wrote to memory of 1948	1884	cmd.exe	112
PID 1884 wrote to memory of 1948	1884	cmd.exe	112
PID 1884 wrote to memory of 1948	1884	cmd.exe	112
PID 1108 wrote to memory of 1972	1108	f188cf267d209a0209a25bda4bb75b86.exe	113
PID 1108 wrote to memory of 1972	1108	f188cf267d209a0209a25bda4bb75b86.exe	113
PID 1108 wrote to memory of 1972	1108	f188cf267d209a0209a25bda4bb75b86.exe	113
PID 1108 wrote to memory of 1972	1108	f188cf267d209a0209a25bda4bb75b86.exe	113
PID 1972 wrote to memory of 1984	1972	cmd.exe	115
PID 1972 wrote to memory of 1984	1972	cmd.exe	115
PID 1972 wrote to memory of 1984	1972	cmd.exe	115
PID 1972 wrote to memory of 1984	1972	cmd.exe	115
PID 1108 wrote to memory of 1080	1108	f188cf267d209a0209a25bda4bb75b86.exe	116
PID 1108 wrote to memory of 1080	1108	f188cf267d209a0209a25bda4bb75b86.exe	116
PID 1108 wrote to memory of 1080	1108	f188cf267d209a0209a25bda4bb75b86.exe	116
PID 1108 wrote to memory of 1080	1108	f188cf267d209a0209a25bda4bb75b86.exe	116
PID 1080 wrote to memory of 1236	1080	cmd.exe	118
PID 1080 wrote to memory of 1236	1080	cmd.exe	118
PID 1080 wrote to memory of 1236	1080	cmd.exe	118
PID 1080 wrote to memory of 1236	1080	cmd.exe	118
PID 1108 wrote to memory of 1428	1108	f188cf267d209a0209a25bda4bb75b86.exe	119
PID 1108 wrote to memory of 1428	1108	f188cf267d209a0209a25bda4bb75b86.exe	119
PID 1108 wrote to memory of 1428	1108	f188cf267d209a0209a25bda4bb75b86.exe	119
PID 1108 wrote to memory of 1428	1108	f188cf267d209a0209a25bda4bb75b86.exe	119
PID 1428 wrote to memory of 1404	1428	cmd.exe	121
PID 1428 wrote to memory of 1404	1428	cmd.exe	121
PID 1428 wrote to memory of 1404	1428	cmd.exe	121
PID 1428 wrote to memory of 1404	1428	cmd.exe	121
PID 1108 wrote to memory of 992	1108	f188cf267d209a0209a25bda4bb75b86.exe	122
PID 1108 wrote to memory of 992	1108	f188cf267d209a0209a25bda4bb75b86.exe	122
PID 1108 wrote to memory of 992	1108	f188cf267d209a0209a25bda4bb75b86.exe	122
PID 1108 wrote to memory of 992	1108	f188cf267d209a0209a25bda4bb75b86.exe	122
PID 992 wrote to memory of 848	992	cmd.exe	124
PID 992 wrote to memory of 848	992	cmd.exe	124
PID 992 wrote to memory of 848	992	cmd.exe	124
PID 992 wrote to memory of 848	992	cmd.exe	124
PID 1108 wrote to memory of 792	1108	f188cf267d209a0209a25bda4bb75b86.exe	125
PID 1108 wrote to memory of 792	1108	f188cf267d209a0209a25bda4bb75b86.exe	125
PID 1108 wrote to memory of 792	1108	f188cf267d209a0209a25bda4bb75b86.exe	125
PID 1108 wrote to memory of 792	1108	f188cf267d209a0209a25bda4bb75b86.exe	125
PID 792 wrote to memory of 1196	792	cmd.exe	127
PID 792 wrote to memory of 1196	792	cmd.exe	127
PID 792 wrote to memory of 1196	792	cmd.exe	127
PID 792 wrote to memory of 1196	792	cmd.exe	127
PID 1108 wrote to memory of 1192	1108	f188cf267d209a0209a25bda4bb75b86.exe	128
PID 1108 wrote to memory of 1192	1108	f188cf267d209a0209a25bda4bb75b86.exe	128
PID 1108 wrote to memory of 1192	1108	f188cf267d209a0209a25bda4bb75b86.exe	128
PID 1108 wrote to memory of 1192	1108	f188cf267d209a0209a25bda4bb75b86.exe	128
PID 1192 wrote to memory of 1688	1192	cmd.exe	130
PID 1192 wrote to memory of 1688	1192	cmd.exe	130
PID 1192 wrote to memory of 1688	1192	cmd.exe	130
PID 1192 wrote to memory of 1688	1192	cmd.exe	130
PID 1108 wrote to memory of 1836	1108	f188cf267d209a0209a25bda4bb75b86.exe	131
PID 1108 wrote to memory of 1836	1108	f188cf267d209a0209a25bda4bb75b86.exe	131
PID 1108 wrote to memory of 1836	1108	f188cf267d209a0209a25bda4bb75b86.exe	131
PID 1108 wrote to memory of 1836	1108	f188cf267d209a0209a25bda4bb75b86.exe	131
PID 1836 wrote to memory of 368	1836	cmd.exe	133
PID 1836 wrote to memory of 368	1836	cmd.exe	133
PID 1836 wrote to memory of 368	1836	cmd.exe	133
PID 1836 wrote to memory of 368	1836	cmd.exe	133
PID 1108 wrote to memory of 1760	1108	f188cf267d209a0209a25bda4bb75b86.exe	134
PID 1108 wrote to memory of 1760	1108	f188cf267d209a0209a25bda4bb75b86.exe	134
PID 1108 wrote to memory of 1760	1108	f188cf267d209a0209a25bda4bb75b86.exe	134
PID 1108 wrote to memory of 1760	1108	f188cf267d209a0209a25bda4bb75b86.exe	134
PID 1760 wrote to memory of 796	1760	cmd.exe	136
PID 1760 wrote to memory of 796	1760	cmd.exe	136
PID 1760 wrote to memory of 796	1760	cmd.exe	136
PID 1760 wrote to memory of 796	1760	cmd.exe	136
PID 1108 wrote to memory of 536	1108	f188cf267d209a0209a25bda4bb75b86.exe	137
PID 1108 wrote to memory of 536	1108	f188cf267d209a0209a25bda4bb75b86.exe	137
PID 1108 wrote to memory of 536	1108	f188cf267d209a0209a25bda4bb75b86.exe	137
PID 1108 wrote to memory of 536	1108	f188cf267d209a0209a25bda4bb75b86.exe	137
PID 536 wrote to memory of 1332	536	cmd.exe	139
PID 536 wrote to memory of 1332	536	cmd.exe	139
PID 536 wrote to memory of 1332	536	cmd.exe	139
PID 536 wrote to memory of 1332	536	cmd.exe	139
PID 1108 wrote to memory of 1560	1108	f188cf267d209a0209a25bda4bb75b86.exe	140
PID 1108 wrote to memory of 1560	1108	f188cf267d209a0209a25bda4bb75b86.exe	140
PID 1108 wrote to memory of 1560	1108	f188cf267d209a0209a25bda4bb75b86.exe	140
PID 1108 wrote to memory of 1560	1108	f188cf267d209a0209a25bda4bb75b86.exe	140
PID 1560 wrote to memory of 1600	1560	cmd.exe	142
PID 1560 wrote to memory of 1600	1560	cmd.exe	142
PID 1560 wrote to memory of 1600	1560	cmd.exe	142
PID 1560 wrote to memory of 1600	1560	cmd.exe	142
PID 1108 wrote to memory of 1964	1108	f188cf267d209a0209a25bda4bb75b86.exe	143
PID 1108 wrote to memory of 1964	1108	f188cf267d209a0209a25bda4bb75b86.exe	143
PID 1108 wrote to memory of 1964	1108	f188cf267d209a0209a25bda4bb75b86.exe	143
PID 1108 wrote to memory of 1964	1108	f188cf267d209a0209a25bda4bb75b86.exe	143
PID 1964 wrote to memory of 1936	1964	cmd.exe	145
PID 1964 wrote to memory of 1936	1964	cmd.exe	145
PID 1964 wrote to memory of 1936	1964	cmd.exe	145
PID 1964 wrote to memory of 1936	1964	cmd.exe	145
PID 1108 wrote to memory of 1960	1108	f188cf267d209a0209a25bda4bb75b86.exe	146
PID 1108 wrote to memory of 1960	1108	f188cf267d209a0209a25bda4bb75b86.exe	146
PID 1108 wrote to memory of 1960	1108	f188cf267d209a0209a25bda4bb75b86.exe	146
PID 1108 wrote to memory of 1960	1108	f188cf267d209a0209a25bda4bb75b86.exe	146
PID 1960 wrote to memory of 1988	1960	cmd.exe	148
PID 1960 wrote to memory of 1988	1960	cmd.exe	148
PID 1960 wrote to memory of 1988	1960	cmd.exe	148
PID 1960 wrote to memory of 1988	1960	cmd.exe	148
PID 1108 wrote to memory of 608	1108	f188cf267d209a0209a25bda4bb75b86.exe	149
PID 1108 wrote to memory of 608	1108	f188cf267d209a0209a25bda4bb75b86.exe	149
PID 1108 wrote to memory of 608	1108	f188cf267d209a0209a25bda4bb75b86.exe	149
PID 1108 wrote to memory of 608	1108	f188cf267d209a0209a25bda4bb75b86.exe	149
PID 608 wrote to memory of 2040	608	cmd.exe	151
PID 608 wrote to memory of 2040	608	cmd.exe	151
PID 608 wrote to memory of 2040	608	cmd.exe	151
PID 608 wrote to memory of 2040	608	cmd.exe	151
PID 1108 wrote to memory of 272	1108	f188cf267d209a0209a25bda4bb75b86.exe	152
PID 1108 wrote to memory of 272	1108	f188cf267d209a0209a25bda4bb75b86.exe	152
PID 1108 wrote to memory of 272	1108	f188cf267d209a0209a25bda4bb75b86.exe	152
PID 1108 wrote to memory of 272	1108	f188cf267d209a0209a25bda4bb75b86.exe	152
PID 272 wrote to memory of 1484	272	cmd.exe	154
PID 272 wrote to memory of 1484	272	cmd.exe	154
PID 272 wrote to memory of 1484	272	cmd.exe	154
PID 272 wrote to memory of 1484	272	cmd.exe	154
PID 1108 wrote to memory of 1516	1108	f188cf267d209a0209a25bda4bb75b86.exe	155
PID 1108 wrote to memory of 1516	1108	f188cf267d209a0209a25bda4bb75b86.exe	155
PID 1108 wrote to memory of 1516	1108	f188cf267d209a0209a25bda4bb75b86.exe	155
PID 1108 wrote to memory of 1516	1108	f188cf267d209a0209a25bda4bb75b86.exe	155
PID 1516 wrote to memory of 1664	1516	cmd.exe	157
PID 1516 wrote to memory of 1664	1516	cmd.exe	157
PID 1516 wrote to memory of 1664	1516	cmd.exe	157
PID 1516 wrote to memory of 1664	1516	cmd.exe	157
PID 1108 wrote to memory of 1820	1108	f188cf267d209a0209a25bda4bb75b86.exe	158
PID 1108 wrote to memory of 1820	1108	f188cf267d209a0209a25bda4bb75b86.exe	158
PID 1108 wrote to memory of 1820	1108	f188cf267d209a0209a25bda4bb75b86.exe	158
PID 1108 wrote to memory of 1820	1108	f188cf267d209a0209a25bda4bb75b86.exe	158
PID 1820 wrote to memory of 1860	1820	cmd.exe	160
PID 1820 wrote to memory of 1860	1820	cmd.exe	160
PID 1820 wrote to memory of 1860	1820	cmd.exe	160
PID 1820 wrote to memory of 1860	1820	cmd.exe	160
PID 1108 wrote to memory of 1808	1108	f188cf267d209a0209a25bda4bb75b86.exe	161
PID 1108 wrote to memory of 1808	1108	f188cf267d209a0209a25bda4bb75b86.exe	161
PID 1108 wrote to memory of 1808	1108	f188cf267d209a0209a25bda4bb75b86.exe	161
PID 1108 wrote to memory of 1808	1108	f188cf267d209a0209a25bda4bb75b86.exe	161
PID 1808 wrote to memory of 620	1808	cmd.exe	163
PID 1808 wrote to memory of 620	1808	cmd.exe	163
PID 1808 wrote to memory of 620	1808	cmd.exe	163
PID 1808 wrote to memory of 620	1808	cmd.exe	163
PID 1108 wrote to memory of 1772	1108	f188cf267d209a0209a25bda4bb75b86.exe	164
PID 1108 wrote to memory of 1772	1108	f188cf267d209a0209a25bda4bb75b86.exe	164
PID 1108 wrote to memory of 1772	1108	f188cf267d209a0209a25bda4bb75b86.exe	164
PID 1108 wrote to memory of 1772	1108	f188cf267d209a0209a25bda4bb75b86.exe	164
PID 1772 wrote to memory of 744	1772	cmd.exe	166
PID 1772 wrote to memory of 744	1772	cmd.exe	166
PID 1772 wrote to memory of 744	1772	cmd.exe	166
PID 1772 wrote to memory of 744	1772	cmd.exe	166
PID 1108 wrote to memory of 1336	1108	f188cf267d209a0209a25bda4bb75b86.exe	167
PID 1108 wrote to memory of 1336	1108	f188cf267d209a0209a25bda4bb75b86.exe	167
PID 1108 wrote to memory of 1336	1108	f188cf267d209a0209a25bda4bb75b86.exe	167
PID 1108 wrote to memory of 1336	1108	f188cf267d209a0209a25bda4bb75b86.exe	167
PID 1336 wrote to memory of 1220	1336	cmd.exe	169
PID 1336 wrote to memory of 1220	1336	cmd.exe	169
PID 1336 wrote to memory of 1220	1336	cmd.exe	169
PID 1336 wrote to memory of 1220	1336	cmd.exe	169
PID 1108 wrote to memory of 1896	1108	f188cf267d209a0209a25bda4bb75b86.exe	170
PID 1108 wrote to memory of 1896	1108	f188cf267d209a0209a25bda4bb75b86.exe	170
PID 1108 wrote to memory of 1896	1108	f188cf267d209a0209a25bda4bb75b86.exe	170
PID 1108 wrote to memory of 1896	1108	f188cf267d209a0209a25bda4bb75b86.exe	170
PID 1896 wrote to memory of 1596	1896	cmd.exe	172
PID 1896 wrote to memory of 1596	1896	cmd.exe	172
PID 1896 wrote to memory of 1596	1896	cmd.exe	172
PID 1896 wrote to memory of 1596	1896	cmd.exe	172
PID 1108 wrote to memory of 1944	1108	f188cf267d209a0209a25bda4bb75b86.exe	173
PID 1108 wrote to memory of 1944	1108	f188cf267d209a0209a25bda4bb75b86.exe	173
PID 1108 wrote to memory of 1944	1108	f188cf267d209a0209a25bda4bb75b86.exe	173
PID 1108 wrote to memory of 1944	1108	f188cf267d209a0209a25bda4bb75b86.exe	173
PID 1944 wrote to memory of 1992	1944	cmd.exe	175
PID 1944 wrote to memory of 1992	1944	cmd.exe	175
PID 1944 wrote to memory of 1992	1944	cmd.exe	175
PID 1944 wrote to memory of 1992	1944	cmd.exe	175
PID 1108 wrote to memory of 2004	1108	f188cf267d209a0209a25bda4bb75b86.exe	176
PID 1108 wrote to memory of 2004	1108	f188cf267d209a0209a25bda4bb75b86.exe	176
PID 1108 wrote to memory of 2004	1108	f188cf267d209a0209a25bda4bb75b86.exe	176
PID 1108 wrote to memory of 2004	1108	f188cf267d209a0209a25bda4bb75b86.exe	176
PID 2004 wrote to memory of 1972	2004	cmd.exe	178
PID 2004 wrote to memory of 1972	2004	cmd.exe	178
PID 2004 wrote to memory of 1972	2004	cmd.exe	178
PID 2004 wrote to memory of 1972	2004	cmd.exe	178
PID 1108 wrote to memory of 844	1108	f188cf267d209a0209a25bda4bb75b86.exe	179
PID 1108 wrote to memory of 844	1108	f188cf267d209a0209a25bda4bb75b86.exe	179
PID 1108 wrote to memory of 844	1108	f188cf267d209a0209a25bda4bb75b86.exe	179
PID 1108 wrote to memory of 844	1108	f188cf267d209a0209a25bda4bb75b86.exe	179
PID 844 wrote to memory of 1092	844	cmd.exe	181
PID 844 wrote to memory of 1092	844	cmd.exe	181
PID 844 wrote to memory of 1092	844	cmd.exe	181
PID 844 wrote to memory of 1092	844	cmd.exe	181
PID 1108 wrote to memory of 1572	1108	f188cf267d209a0209a25bda4bb75b86.exe	182
PID 1108 wrote to memory of 1572	1108	f188cf267d209a0209a25bda4bb75b86.exe	182
PID 1108 wrote to memory of 1572	1108	f188cf267d209a0209a25bda4bb75b86.exe	182
PID 1108 wrote to memory of 1572	1108	f188cf267d209a0209a25bda4bb75b86.exe	182
PID 1572 wrote to memory of 1428	1572	cmd.exe	184
PID 1572 wrote to memory of 1428	1572	cmd.exe	184
PID 1572 wrote to memory of 1428	1572	cmd.exe	184
PID 1572 wrote to memory of 1428	1572	cmd.exe	184
PID 1108 wrote to memory of 1004	1108	f188cf267d209a0209a25bda4bb75b86.exe	185
PID 1108 wrote to memory of 1004	1108	f188cf267d209a0209a25bda4bb75b86.exe	185
PID 1108 wrote to memory of 1004	1108	f188cf267d209a0209a25bda4bb75b86.exe	185
PID 1108 wrote to memory of 1004	1108	f188cf267d209a0209a25bda4bb75b86.exe	185
PID 1004 wrote to memory of 1804	1004	cmd.exe	187
PID 1004 wrote to memory of 1804	1004	cmd.exe	187
PID 1004 wrote to memory of 1804	1004	cmd.exe	187
PID 1004 wrote to memory of 1804	1004	cmd.exe	187
PID 1108 wrote to memory of 792	1108	f188cf267d209a0209a25bda4bb75b86.exe	188
PID 1108 wrote to memory of 792	1108	f188cf267d209a0209a25bda4bb75b86.exe	188
PID 1108 wrote to memory of 792	1108	f188cf267d209a0209a25bda4bb75b86.exe	188
PID 1108 wrote to memory of 792	1108	f188cf267d209a0209a25bda4bb75b86.exe	188
PID 792 wrote to memory of 1848	792	cmd.exe	190
PID 792 wrote to memory of 1848	792	cmd.exe	190
PID 792 wrote to memory of 1848	792	cmd.exe	190
PID 792 wrote to memory of 1848	792	cmd.exe	190
PID 1108 wrote to memory of 1192	1108	f188cf267d209a0209a25bda4bb75b86.exe	191
PID 1108 wrote to memory of 1192	1108	f188cf267d209a0209a25bda4bb75b86.exe	191
PID 1108 wrote to memory of 1192	1108	f188cf267d209a0209a25bda4bb75b86.exe	191
PID 1108 wrote to memory of 1192	1108	f188cf267d209a0209a25bda4bb75b86.exe	191
PID 1192 wrote to memory of 368	1192	cmd.exe	193
PID 1192 wrote to memory of 368	1192	cmd.exe	193
PID 1192 wrote to memory of 368	1192	cmd.exe	193
PID 1192 wrote to memory of 368	1192	cmd.exe	193
PID 1108 wrote to memory of 1852	1108	f188cf267d209a0209a25bda4bb75b86.exe	194
PID 1108 wrote to memory of 1852	1108	f188cf267d209a0209a25bda4bb75b86.exe	194
PID 1108 wrote to memory of 1852	1108	f188cf267d209a0209a25bda4bb75b86.exe	194
PID 1108 wrote to memory of 1852	1108	f188cf267d209a0209a25bda4bb75b86.exe	194
PID 1852 wrote to memory of 656	1852	cmd.exe	196
PID 1852 wrote to memory of 656	1852	cmd.exe	196
PID 1852 wrote to memory of 656	1852	cmd.exe	196
PID 1852 wrote to memory of 656	1852	cmd.exe	196
PID 1108 wrote to memory of 1348	1108	f188cf267d209a0209a25bda4bb75b86.exe	197
PID 1108 wrote to memory of 1348	1108	f188cf267d209a0209a25bda4bb75b86.exe	197
PID 1108 wrote to memory of 1348	1108	f188cf267d209a0209a25bda4bb75b86.exe	197
PID 1108 wrote to memory of 1348	1108	f188cf267d209a0209a25bda4bb75b86.exe	197
PID 1348 wrote to memory of 1332	1348	cmd.exe	199
PID 1348 wrote to memory of 1332	1348	cmd.exe	199
PID 1348 wrote to memory of 1332	1348	cmd.exe	199
PID 1348 wrote to memory of 1332	1348	cmd.exe	199
PID 1108 wrote to memory of 1556	1108	f188cf267d209a0209a25bda4bb75b86.exe	200
PID 1108 wrote to memory of 1556	1108	f188cf267d209a0209a25bda4bb75b86.exe	200
PID 1108 wrote to memory of 1556	1108	f188cf267d209a0209a25bda4bb75b86.exe	200
PID 1108 wrote to memory of 1556	1108	f188cf267d209a0209a25bda4bb75b86.exe	200
PID 1556 wrote to memory of 1600	1556	cmd.exe	202
PID 1556 wrote to memory of 1600	1556	cmd.exe	202
PID 1556 wrote to memory of 1600	1556	cmd.exe	202
PID 1556 wrote to memory of 1600	1556	cmd.exe	202
PID 1108 wrote to memory of 1924	1108	f188cf267d209a0209a25bda4bb75b86.exe	203
PID 1108 wrote to memory of 1924	1108	f188cf267d209a0209a25bda4bb75b86.exe	203
PID 1108 wrote to memory of 1924	1108	f188cf267d209a0209a25bda4bb75b86.exe	203
PID 1108 wrote to memory of 1924	1108	f188cf267d209a0209a25bda4bb75b86.exe	203
PID 1924 wrote to memory of 1936	1924	cmd.exe	205
PID 1924 wrote to memory of 1936	1924	cmd.exe	205
PID 1924 wrote to memory of 1936	1924	cmd.exe	205
PID 1924 wrote to memory of 1936	1924	cmd.exe	205
PID 1108 wrote to memory of 1976	1108	f188cf267d209a0209a25bda4bb75b86.exe	206
PID 1108 wrote to memory of 1976	1108	f188cf267d209a0209a25bda4bb75b86.exe	206
PID 1108 wrote to memory of 1976	1108	f188cf267d209a0209a25bda4bb75b86.exe	206
PID 1108 wrote to memory of 1976	1108	f188cf267d209a0209a25bda4bb75b86.exe	206
PID 1976 wrote to memory of 1980	1976	cmd.exe	208
PID 1976 wrote to memory of 1980	1976	cmd.exe	208
PID 1976 wrote to memory of 1980	1976	cmd.exe	208
PID 1976 wrote to memory of 1980	1976	cmd.exe	208
PID 1108 wrote to memory of 1260	1108	f188cf267d209a0209a25bda4bb75b86.exe	209
PID 1108 wrote to memory of 1260	1108	f188cf267d209a0209a25bda4bb75b86.exe	209
PID 1108 wrote to memory of 1260	1108	f188cf267d209a0209a25bda4bb75b86.exe	209
PID 1108 wrote to memory of 1260	1108	f188cf267d209a0209a25bda4bb75b86.exe	209
PID 1260 wrote to memory of 2040	1260	cmd.exe	211
PID 1260 wrote to memory of 2040	1260	cmd.exe	211
PID 1260 wrote to memory of 2040	1260	cmd.exe	211
PID 1260 wrote to memory of 2040	1260	cmd.exe	211
PID 1108 wrote to memory of 276	1108	f188cf267d209a0209a25bda4bb75b86.exe	212
PID 1108 wrote to memory of 276	1108	f188cf267d209a0209a25bda4bb75b86.exe	212
PID 1108 wrote to memory of 276	1108	f188cf267d209a0209a25bda4bb75b86.exe	212
PID 1108 wrote to memory of 276	1108	f188cf267d209a0209a25bda4bb75b86.exe	212
PID 276 wrote to memory of 1484	276	cmd.exe	214
PID 276 wrote to memory of 1484	276	cmd.exe	214
PID 276 wrote to memory of 1484	276	cmd.exe	214
PID 276 wrote to memory of 1484	276	cmd.exe	214
PID 1108 wrote to memory of 1796	1108	f188cf267d209a0209a25bda4bb75b86.exe	215
PID 1108 wrote to memory of 1796	1108	f188cf267d209a0209a25bda4bb75b86.exe	215
PID 1108 wrote to memory of 1796	1108	f188cf267d209a0209a25bda4bb75b86.exe	215
PID 1108 wrote to memory of 1796	1108	f188cf267d209a0209a25bda4bb75b86.exe	215
PID 1796 wrote to memory of 1664	1796	cmd.exe	217
PID 1796 wrote to memory of 1664	1796	cmd.exe	217
PID 1796 wrote to memory of 1664	1796	cmd.exe	217
PID 1796 wrote to memory of 1664	1796	cmd.exe	217
PID 1108 wrote to memory of 1732	1108	f188cf267d209a0209a25bda4bb75b86.exe	218
PID 1108 wrote to memory of 1732	1108	f188cf267d209a0209a25bda4bb75b86.exe	218
PID 1108 wrote to memory of 1732	1108	f188cf267d209a0209a25bda4bb75b86.exe	218
PID 1108 wrote to memory of 1732	1108	f188cf267d209a0209a25bda4bb75b86.exe	218
PID 1732 wrote to memory of 1860	1732	cmd.exe	220
PID 1732 wrote to memory of 1860	1732	cmd.exe	220
PID 1732 wrote to memory of 1860	1732	cmd.exe	220
PID 1732 wrote to memory of 1860	1732	cmd.exe	220
PID 1108 wrote to memory of 472	1108	f188cf267d209a0209a25bda4bb75b86.exe	221
PID 1108 wrote to memory of 472	1108	f188cf267d209a0209a25bda4bb75b86.exe	221
PID 1108 wrote to memory of 472	1108	f188cf267d209a0209a25bda4bb75b86.exe	221
PID 1108 wrote to memory of 472	1108	f188cf267d209a0209a25bda4bb75b86.exe	221
PID 472 wrote to memory of 620	472	cmd.exe	223
PID 472 wrote to memory of 620	472	cmd.exe	223
PID 472 wrote to memory of 620	472	cmd.exe	223
PID 472 wrote to memory of 620	472	cmd.exe	223
PID 1108 wrote to memory of 528	1108	f188cf267d209a0209a25bda4bb75b86.exe	224
PID 1108 wrote to memory of 528	1108	f188cf267d209a0209a25bda4bb75b86.exe	224
PID 1108 wrote to memory of 528	1108	f188cf267d209a0209a25bda4bb75b86.exe	224
PID 1108 wrote to memory of 528	1108	f188cf267d209a0209a25bda4bb75b86.exe	224
PID 528 wrote to memory of 744	528	cmd.exe	226
PID 528 wrote to memory of 744	528	cmd.exe	226
PID 528 wrote to memory of 744	528	cmd.exe	226
PID 528 wrote to memory of 744	528	cmd.exe	226
PID 1108 wrote to memory of 568	1108	f188cf267d209a0209a25bda4bb75b86.exe	227
PID 1108 wrote to memory of 568	1108	f188cf267d209a0209a25bda4bb75b86.exe	227
PID 1108 wrote to memory of 568	1108	f188cf267d209a0209a25bda4bb75b86.exe	227
PID 1108 wrote to memory of 568	1108	f188cf267d209a0209a25bda4bb75b86.exe	227
PID 568 wrote to memory of 1220	568	cmd.exe	229
PID 568 wrote to memory of 1220	568	cmd.exe	229
PID 568 wrote to memory of 1220	568	cmd.exe	229
PID 568 wrote to memory of 1220	568	cmd.exe	229
PID 1108 wrote to memory of 1616	1108	f188cf267d209a0209a25bda4bb75b86.exe	230
PID 1108 wrote to memory of 1616	1108	f188cf267d209a0209a25bda4bb75b86.exe	230
PID 1108 wrote to memory of 1616	1108	f188cf267d209a0209a25bda4bb75b86.exe	230
PID 1108 wrote to memory of 1616	1108	f188cf267d209a0209a25bda4bb75b86.exe	230
PID 1616 wrote to memory of 1596	1616	cmd.exe	232
PID 1616 wrote to memory of 1596	1616	cmd.exe	232
PID 1616 wrote to memory of 1596	1616	cmd.exe	232
PID 1616 wrote to memory of 1596	1616	cmd.exe	232
PID 1108 wrote to memory of 1948	1108	f188cf267d209a0209a25bda4bb75b86.exe	233
PID 1108 wrote to memory of 1948	1108	f188cf267d209a0209a25bda4bb75b86.exe	233
PID 1108 wrote to memory of 1948	1108	f188cf267d209a0209a25bda4bb75b86.exe	233
PID 1108 wrote to memory of 1948	1108	f188cf267d209a0209a25bda4bb75b86.exe	233
PID 1948 wrote to memory of 1992	1948	cmd.exe	235
PID 1948 wrote to memory of 1992	1948	cmd.exe	235
PID 1948 wrote to memory of 1992	1948	cmd.exe	235
PID 1948 wrote to memory of 1992	1948	cmd.exe	235
PID 1108 wrote to memory of 1984	1108	f188cf267d209a0209a25bda4bb75b86.exe	236
PID 1108 wrote to memory of 1984	1108	f188cf267d209a0209a25bda4bb75b86.exe	236
PID 1108 wrote to memory of 1984	1108	f188cf267d209a0209a25bda4bb75b86.exe	236
PID 1108 wrote to memory of 1984	1108	f188cf267d209a0209a25bda4bb75b86.exe	236
PID 1984 wrote to memory of 1972	1984	cmd.exe	238
PID 1984 wrote to memory of 1972	1984	cmd.exe	238
PID 1984 wrote to memory of 1972	1984	cmd.exe	238
PID 1984 wrote to memory of 1972	1984	cmd.exe	238
PID 1108 wrote to memory of 828	1108	f188cf267d209a0209a25bda4bb75b86.exe	239
PID 1108 wrote to memory of 828	1108	f188cf267d209a0209a25bda4bb75b86.exe	239
PID 1108 wrote to memory of 828	1108	f188cf267d209a0209a25bda4bb75b86.exe	239
PID 1108 wrote to memory of 828	1108	f188cf267d209a0209a25bda4bb75b86.exe	239
PID 828 wrote to memory of 1144	828	cmd.exe	241
PID 828 wrote to memory of 1144	828	cmd.exe	241
PID 828 wrote to memory of 1144	828	cmd.exe	241
PID 828 wrote to memory of 1144	828	cmd.exe	241
PID 1108 wrote to memory of 1508	1108	f188cf267d209a0209a25bda4bb75b86.exe	242
PID 1108 wrote to memory of 1508	1108	f188cf267d209a0209a25bda4bb75b86.exe	242
PID 1108 wrote to memory of 1508	1108	f188cf267d209a0209a25bda4bb75b86.exe	242
PID 1108 wrote to memory of 1508	1108	f188cf267d209a0209a25bda4bb75b86.exe	242
PID 1508 wrote to memory of 1572	1508	cmd.exe	244
PID 1508 wrote to memory of 1572	1508	cmd.exe	244
PID 1508 wrote to memory of 1572	1508	cmd.exe	244
PID 1508 wrote to memory of 1572	1508	cmd.exe	244
PID 1108 wrote to memory of 1520	1108	f188cf267d209a0209a25bda4bb75b86.exe	245
PID 1108 wrote to memory of 1520	1108	f188cf267d209a0209a25bda4bb75b86.exe	245
PID 1108 wrote to memory of 1520	1108	f188cf267d209a0209a25bda4bb75b86.exe	245
PID 1108 wrote to memory of 1520	1108	f188cf267d209a0209a25bda4bb75b86.exe	245
PID 1520 wrote to memory of 1376	1520	cmd.exe	247
PID 1520 wrote to memory of 1376	1520	cmd.exe	247
PID 1520 wrote to memory of 1376	1520	cmd.exe	247
PID 1520 wrote to memory of 1376	1520	cmd.exe	247
PID 1108 wrote to memory of 1604	1108	f188cf267d209a0209a25bda4bb75b86.exe	248
PID 1108 wrote to memory of 1604	1108	f188cf267d209a0209a25bda4bb75b86.exe	248
PID 1108 wrote to memory of 1604	1108	f188cf267d209a0209a25bda4bb75b86.exe	248
PID 1108 wrote to memory of 1604	1108	f188cf267d209a0209a25bda4bb75b86.exe	248
PID 1604 wrote to memory of 1816	1604	cmd.exe	250
PID 1604 wrote to memory of 1816	1604	cmd.exe	250
PID 1604 wrote to memory of 1816	1604	cmd.exe	250
PID 1604 wrote to memory of 1816	1604	cmd.exe	250
PID 1108 wrote to memory of 1856	1108	f188cf267d209a0209a25bda4bb75b86.exe	251
PID 1108 wrote to memory of 1856	1108	f188cf267d209a0209a25bda4bb75b86.exe	251
PID 1108 wrote to memory of 1856	1108	f188cf267d209a0209a25bda4bb75b86.exe	251
PID 1108 wrote to memory of 1856	1108	f188cf267d209a0209a25bda4bb75b86.exe	251
PID 1856 wrote to memory of 1756	1856	cmd.exe	253
PID 1856 wrote to memory of 1756	1856	cmd.exe	253
PID 1856 wrote to memory of 1756	1856	cmd.exe	253
PID 1856 wrote to memory of 1756	1856	cmd.exe	253
PID 1108 wrote to memory of 1780	1108	f188cf267d209a0209a25bda4bb75b86.exe	254
PID 1108 wrote to memory of 1780	1108	f188cf267d209a0209a25bda4bb75b86.exe	254
PID 1108 wrote to memory of 1780	1108	f188cf267d209a0209a25bda4bb75b86.exe	254
PID 1108 wrote to memory of 1780	1108	f188cf267d209a0209a25bda4bb75b86.exe	254
PID 1780 wrote to memory of 1852	1780	cmd.exe	256
PID 1780 wrote to memory of 1852	1780	cmd.exe	256
PID 1780 wrote to memory of 1852	1780	cmd.exe	256
PID 1780 wrote to memory of 1852	1780	cmd.exe	256
PID 1108 wrote to memory of 1336	1108	f188cf267d209a0209a25bda4bb75b86.exe	257
PID 1108 wrote to memory of 1336	1108	f188cf267d209a0209a25bda4bb75b86.exe	257
PID 1108 wrote to memory of 1336	1108	f188cf267d209a0209a25bda4bb75b86.exe	257
PID 1108 wrote to memory of 1336	1108	f188cf267d209a0209a25bda4bb75b86.exe	257
PID 1336 wrote to memory of 1112	1336	cmd.exe	259
PID 1336 wrote to memory of 1112	1336	cmd.exe	259
PID 1336 wrote to memory of 1112	1336	cmd.exe	259
PID 1336 wrote to memory of 1112	1336	cmd.exe	259
PID 1108 wrote to memory of 1580	1108	f188cf267d209a0209a25bda4bb75b86.exe	260
PID 1108 wrote to memory of 1580	1108	f188cf267d209a0209a25bda4bb75b86.exe	260
PID 1108 wrote to memory of 1580	1108	f188cf267d209a0209a25bda4bb75b86.exe	260
PID 1108 wrote to memory of 1580	1108	f188cf267d209a0209a25bda4bb75b86.exe	260
PID 1580 wrote to memory of 1888	1580	cmd.exe	262
PID 1580 wrote to memory of 1888	1580	cmd.exe	262
PID 1580 wrote to memory of 1888	1580	cmd.exe	262
PID 1580 wrote to memory of 1888	1580	cmd.exe	262
PID 1108 wrote to memory of 1956	1108	f188cf267d209a0209a25bda4bb75b86.exe	263
PID 1108 wrote to memory of 1956	1108	f188cf267d209a0209a25bda4bb75b86.exe	263
PID 1108 wrote to memory of 1956	1108	f188cf267d209a0209a25bda4bb75b86.exe	263
PID 1108 wrote to memory of 1956	1108	f188cf267d209a0209a25bda4bb75b86.exe	263
PID 1956 wrote to memory of 1996	1956	cmd.exe	265
PID 1956 wrote to memory of 1996	1956	cmd.exe	265
PID 1956 wrote to memory of 1996	1956	cmd.exe	265
PID 1956 wrote to memory of 1996	1956	cmd.exe	265
PID 1108 wrote to memory of 1152	1108	f188cf267d209a0209a25bda4bb75b86.exe	266
PID 1108 wrote to memory of 1152	1108	f188cf267d209a0209a25bda4bb75b86.exe	266
PID 1108 wrote to memory of 1152	1108	f188cf267d209a0209a25bda4bb75b86.exe	266
PID 1108 wrote to memory of 1152	1108	f188cf267d209a0209a25bda4bb75b86.exe	266
PID 1152 wrote to memory of 2036	1152	cmd.exe	268
PID 1152 wrote to memory of 2036	1152	cmd.exe	268
PID 1152 wrote to memory of 2036	1152	cmd.exe	268
PID 1152 wrote to memory of 2036	1152	cmd.exe	268
PID 1108 wrote to memory of 1492	1108	f188cf267d209a0209a25bda4bb75b86.exe	269
PID 1108 wrote to memory of 1492	1108	f188cf267d209a0209a25bda4bb75b86.exe	269
PID 1108 wrote to memory of 1492	1108	f188cf267d209a0209a25bda4bb75b86.exe	269
PID 1108 wrote to memory of 1492	1108	f188cf267d209a0209a25bda4bb75b86.exe	269
PID 1492 wrote to memory of 1260	1492	cmd.exe	271
PID 1492 wrote to memory of 1260	1492	cmd.exe	271
PID 1492 wrote to memory of 1260	1492	cmd.exe	271
PID 1492 wrote to memory of 1260	1492	cmd.exe	271
PID 1108 wrote to memory of 1428	1108	f188cf267d209a0209a25bda4bb75b86.exe	272
PID 1108 wrote to memory of 1428	1108	f188cf267d209a0209a25bda4bb75b86.exe	272
PID 1108 wrote to memory of 1428	1108	f188cf267d209a0209a25bda4bb75b86.exe	272
PID 1108 wrote to memory of 1428	1108	f188cf267d209a0209a25bda4bb75b86.exe	272
PID 1428 wrote to memory of 276	1428	cmd.exe	274
PID 1428 wrote to memory of 276	1428	cmd.exe	274
PID 1428 wrote to memory of 276	1428	cmd.exe	274
PID 1428 wrote to memory of 276	1428	cmd.exe	274
PID 1108 wrote to memory of 1408	1108	f188cf267d209a0209a25bda4bb75b86.exe	275
PID 1108 wrote to memory of 1408	1108	f188cf267d209a0209a25bda4bb75b86.exe	275
PID 1108 wrote to memory of 1408	1108	f188cf267d209a0209a25bda4bb75b86.exe	275
PID 1108 wrote to memory of 1408	1108	f188cf267d209a0209a25bda4bb75b86.exe	275
PID 1408 wrote to memory of 1796	1408	cmd.exe	277
PID 1408 wrote to memory of 1796	1408	cmd.exe	277
PID 1408 wrote to memory of 1796	1408	cmd.exe	277
PID 1408 wrote to memory of 1796	1408	cmd.exe	277
PID 1108 wrote to memory of 1688	1108	f188cf267d209a0209a25bda4bb75b86.exe	278
PID 1108 wrote to memory of 1688	1108	f188cf267d209a0209a25bda4bb75b86.exe	278
PID 1108 wrote to memory of 1688	1108	f188cf267d209a0209a25bda4bb75b86.exe	278
PID 1108 wrote to memory of 1688	1108	f188cf267d209a0209a25bda4bb75b86.exe	278
PID 1688 wrote to memory of 1732	1688	cmd.exe	280
PID 1688 wrote to memory of 1732	1688	cmd.exe	280
PID 1688 wrote to memory of 1732	1688	cmd.exe	280
PID 1688 wrote to memory of 1732	1688	cmd.exe	280
PID 1108 wrote to memory of 1840	1108	f188cf267d209a0209a25bda4bb75b86.exe	281
PID 1108 wrote to memory of 1840	1108	f188cf267d209a0209a25bda4bb75b86.exe	281
PID 1108 wrote to memory of 1840	1108	f188cf267d209a0209a25bda4bb75b86.exe	281
PID 1108 wrote to memory of 1840	1108	f188cf267d209a0209a25bda4bb75b86.exe	281
PID 1840 wrote to memory of 1768	1840	cmd.exe	283
PID 1840 wrote to memory of 1768	1840	cmd.exe	283
PID 1840 wrote to memory of 1768	1840	cmd.exe	283
PID 1840 wrote to memory of 1768	1840	cmd.exe	283
PID 1108 wrote to memory of 656	1108	f188cf267d209a0209a25bda4bb75b86.exe	284
PID 1108 wrote to memory of 656	1108	f188cf267d209a0209a25bda4bb75b86.exe	284
PID 1108 wrote to memory of 656	1108	f188cf267d209a0209a25bda4bb75b86.exe	284
PID 1108 wrote to memory of 656	1108	f188cf267d209a0209a25bda4bb75b86.exe	284
PID 656 wrote to memory of 1760	656	cmd.exe	286
PID 656 wrote to memory of 1760	656	cmd.exe	286
PID 656 wrote to memory of 1760	656	cmd.exe	286
PID 656 wrote to memory of 1760	656	cmd.exe	286
PID 1108 wrote to memory of 1592	1108	f188cf267d209a0209a25bda4bb75b86.exe	287
PID 1108 wrote to memory of 1592	1108	f188cf267d209a0209a25bda4bb75b86.exe	287
PID 1108 wrote to memory of 1592	1108	f188cf267d209a0209a25bda4bb75b86.exe	287
PID 1108 wrote to memory of 1592	1108	f188cf267d209a0209a25bda4bb75b86.exe	287
PID 1592 wrote to memory of 568	1592	cmd.exe	289
PID 1592 wrote to memory of 568	1592	cmd.exe	289
PID 1592 wrote to memory of 568	1592	cmd.exe	289
PID 1592 wrote to memory of 568	1592	cmd.exe	289
PID 1108 wrote to memory of 1600	1108	f188cf267d209a0209a25bda4bb75b86.exe	290
PID 1108 wrote to memory of 1600	1108	f188cf267d209a0209a25bda4bb75b86.exe	290
PID 1108 wrote to memory of 1600	1108	f188cf267d209a0209a25bda4bb75b86.exe	290
PID 1108 wrote to memory of 1600	1108	f188cf267d209a0209a25bda4bb75b86.exe	290
PID 1600 wrote to memory of 1616	1600	cmd.exe	292
PID 1600 wrote to memory of 1616	1600	cmd.exe	292
PID 1600 wrote to memory of 1616	1600	cmd.exe	292
PID 1600 wrote to memory of 1616	1600	cmd.exe	292
PID 1108 wrote to memory of 1892	1108	f188cf267d209a0209a25bda4bb75b86.exe	293
PID 1108 wrote to memory of 1892	1108	f188cf267d209a0209a25bda4bb75b86.exe	293
PID 1108 wrote to memory of 1892	1108	f188cf267d209a0209a25bda4bb75b86.exe	293
PID 1108 wrote to memory of 1892	1108	f188cf267d209a0209a25bda4bb75b86.exe	293
PID 1892 wrote to memory of 1948	1892	cmd.exe	295
PID 1892 wrote to memory of 1948	1892	cmd.exe	295
PID 1892 wrote to memory of 1948	1892	cmd.exe	295
PID 1892 wrote to memory of 1948	1892	cmd.exe	295
PID 1108 wrote to memory of 1132	1108	f188cf267d209a0209a25bda4bb75b86.exe	296
PID 1108 wrote to memory of 1132	1108	f188cf267d209a0209a25bda4bb75b86.exe	296
PID 1108 wrote to memory of 1132	1108	f188cf267d209a0209a25bda4bb75b86.exe	296
PID 1108 wrote to memory of 1132	1108	f188cf267d209a0209a25bda4bb75b86.exe	296
PID 1132 wrote to memory of 1984	1132	cmd.exe	298
PID 1132 wrote to memory of 1984	1132	cmd.exe	298
PID 1132 wrote to memory of 1984	1132	cmd.exe	298
PID 1132 wrote to memory of 1984	1132	cmd.exe	298
PID 1108 wrote to memory of 1404	1108	f188cf267d209a0209a25bda4bb75b86.exe	299
PID 1108 wrote to memory of 1404	1108	f188cf267d209a0209a25bda4bb75b86.exe	299
PID 1108 wrote to memory of 1404	1108	f188cf267d209a0209a25bda4bb75b86.exe	299
PID 1108 wrote to memory of 1404	1108	f188cf267d209a0209a25bda4bb75b86.exe	299
PID 1404 wrote to memory of 828	1404	cmd.exe	301
PID 1404 wrote to memory of 828	1404	cmd.exe	301
PID 1404 wrote to memory of 828	1404	cmd.exe	301
PID 1404 wrote to memory of 828	1404	cmd.exe	301
PID 1108 wrote to memory of 272	1108	f188cf267d209a0209a25bda4bb75b86.exe	302
PID 1108 wrote to memory of 272	1108	f188cf267d209a0209a25bda4bb75b86.exe	302
PID 1108 wrote to memory of 272	1108	f188cf267d209a0209a25bda4bb75b86.exe	302
PID 1108 wrote to memory of 272	1108	f188cf267d209a0209a25bda4bb75b86.exe	302
PID 272 wrote to memory of 288	272	cmd.exe	304
PID 272 wrote to memory of 288	272	cmd.exe	304
PID 272 wrote to memory of 288	272	cmd.exe	304
PID 272 wrote to memory of 288	272	cmd.exe	304
PID 1108 wrote to memory of 2040	1108	f188cf267d209a0209a25bda4bb75b86.exe	310
PID 1108 wrote to memory of 2040	1108	f188cf267d209a0209a25bda4bb75b86.exe	310
PID 1108 wrote to memory of 2040	1108	f188cf267d209a0209a25bda4bb75b86.exe	310
PID 1108 wrote to memory of 2040	1108	f188cf267d209a0209a25bda4bb75b86.exe	310
PID 2040 wrote to memory of 1496	2040	cmd.exe	312
PID 2040 wrote to memory of 1496	2040	cmd.exe	312
PID 2040 wrote to memory of 1496	2040	cmd.exe	312
PID 2040 wrote to memory of 1496	2040	cmd.exe	312

Suspicious behavior: EnumeratesProcesses 376 IoCs

pid	Process
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe
1108	f188cf267d209a0209a25bda4bb75b86.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SetResize.raw => C:\Users\Admin\Pictures\SetResize.raw.LflKha	f188cf267d209a0209a25bda4bb75b86.exe
File renamed	C:\Users\Admin\Pictures\InstallUnblock.crw => C:\Users\Admin\Pictures\InstallUnblock.crw.LflKha	f188cf267d209a0209a25bda4bb75b86.exe
File opened for modification	C:\Users\Admin\Pictures\InstallUnblock.crw.LflKha	f188cf267d209a0209a25bda4bb75b86.exe
File opened for modification	C:\Users\Admin\Pictures\SetResize.raw.LflKha	f188cf267d209a0209a25bda4bb75b86.exe
File renamed	C:\Users\Admin\Pictures\UseRedo.tif => C:\Users\Admin\Pictures\UseRedo.tif.LflKha	f188cf267d209a0209a25bda4bb75b86.exe
File renamed	C:\Users\Admin\Pictures\CompleteRedo.png => C:\Users\Admin\Pictures\CompleteRedo.png.LflKha	f188cf267d209a0209a25bda4bb75b86.exe
File renamed	C:\Users\Admin\Pictures\DenyApprove.png => C:\Users\Admin\Pictures\DenyApprove.png.LflKha	f188cf267d209a0209a25bda4bb75b86.exe
File opened for modification	C:\Users\Admin\Pictures\UseRedo.tif.LflKha	f188cf267d209a0209a25bda4bb75b86.exe
File opened for modification	C:\Users\Admin\Pictures\CompressNew.raw.LflKha	f188cf267d209a0209a25bda4bb75b86.exe
File opened for modification	C:\Users\Admin\Pictures\DenyApprove.png.LflKha	f188cf267d209a0209a25bda4bb75b86.exe
File renamed	C:\Users\Admin\Pictures\UninstallConnect.tif => C:\Users\Admin\Pictures\UninstallConnect.tif.LflKha	f188cf267d209a0209a25bda4bb75b86.exe
File opened for modification	C:\Users\Admin\Pictures\UninstallConnect.tif.LflKha	f188cf267d209a0209a25bda4bb75b86.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteRedo.png.LflKha	f188cf267d209a0209a25bda4bb75b86.exe
File renamed	C:\Users\Admin\Pictures\CompressNew.raw => C:\Users\Admin\Pictures\CompressNew.raw.LflKha	f188cf267d209a0209a25bda4bb75b86.exe

C:\Users\Admin\AppData\Local\Temp\f188cf267d209a0209a25bda4bb75b86.exe
"C:\Users\Admin\AppData\Local\Temp\f188cf267d209a0209a25bda4bb75b86.exe"
1⤵
- NTFS ADS
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Modifies extensions of user files
PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic.exe SHADOWCOPY DELETE /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  PID:1196
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit.exe /set {default} recoveryenabled No
  2⤵
  PID:1824
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\vssvc.exe
  2⤵
  PID:772
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wxServer*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wxServer*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wxServerView*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wxServerView*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlmangr*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlmangr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM RAgui*
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM RAgui*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM supervise*
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM supervise*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Culture*
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Culture*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Defwatch*
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Defwatch*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM winword*
  2⤵
  PID:1372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM winword*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBW32*
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBW32*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgr*
  2⤵
  PID:524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBDBMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM qbupdate*
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM qbupdate*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM axlbridge*
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM axlbridge*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM httpd*
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM httpd*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fdlauncher*
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fdlauncher*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MsDtSrvr*
  2⤵
  PID:828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MsDtSrvr*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM java*
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM java*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:288
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM 360se*
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM 360se*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM 360doctor*
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM 360doctor*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wdswfsafe*
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wdswfsafe*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fdhost*
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fdhost*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:528
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM GDscan*
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM GDscan*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ZhuDongFangYu*
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ZhuDongFangYu*
    3⤵
    - Kills process with taskkill
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgrN*
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBDBMgrN*
    3⤵
    - Kills process with taskkill
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM mysqld*
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM mysqld*
    3⤵
    - Kills process with taskkill
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AutodeskDesktopApp*
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AutodeskDesktopApp*
    3⤵
    - Kills process with taskkill
    PID:1236
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM acwebbrowser*
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM acwebbrowser*
    3⤵
    - Kills process with taskkill
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Creative Cloud*
  2⤵
  PID:992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Creative Cloud*
    3⤵
    - Kills process with taskkill
    PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Adobe Desktop Service*
  2⤵
  PID:792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Adobe Desktop Service*
    3⤵
    - Kills process with taskkill
    PID:1196
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM CoreSync*
  2⤵
  PID:1192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM CoreSync*
    3⤵
    - Kills process with taskkill
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Adobe CEF Helper*
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Adobe CEF Helper*
    3⤵
    - Kills process with taskkill
    PID:368
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM node*
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM node*
    3⤵
    PID:796
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AdobeIPCBroker*
  2⤵
  PID:536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AdobeIPCBroker*
    3⤵
    - Kills process with taskkill
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sync-taskbar*
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sync-taskbar*
    3⤵
    - Kills process with taskkill
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sync-worker*
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sync-worker*
    3⤵
    - Kills process with taskkill
    PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM InputPersonalization*
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM InputPersonalization*
    3⤵
    - Kills process with taskkill
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AdobeCollabSync*
  2⤵
  PID:608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AdobeCollabSync*
    3⤵
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM BrCtrlCntr*
  2⤵
  PID:272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM BrCtrlCntr*
    3⤵
    - Kills process with taskkill
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM BrCcUxSys*
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM BrCcUxSys*
    3⤵
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SimplyConnectionManager*
  2⤵
  PID:1820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SimplyConnectionManager*
    3⤵
    - Kills process with taskkill
    PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Simply.SystemTrayIcon*
    3⤵
    - Kills process with taskkill
    PID:620
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fbguard*
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fbguard*
    3⤵
    - Kills process with taskkill
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fbserver*
  2⤵
  PID:1336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fbserver*
    3⤵
    - Kills process with taskkill
    PID:1220
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ONENOTEM*
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ONENOTEM*
    3⤵
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wrapper*
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wrapper*
    3⤵
    - Kills process with taskkill
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM DefWatch*
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM DefWatch*
    3⤵
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ccEvtMgr*
  2⤵
  PID:844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ccEvtMgr*
    3⤵
    - Kills process with taskkill
    PID:1092
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ccSetMgr*
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ccSetMgr*
    3⤵
    - Kills process with taskkill
    PID:1428
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SavRoam*
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SavRoam*
    3⤵
    - Kills process with taskkill
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Sqlservr*
  2⤵
  PID:792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Sqlservr*
    3⤵
    - Kills process with taskkill
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlagent*
  2⤵
  PID:1192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlagent*
    3⤵
    PID:368
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqladhlp*
  2⤵
  PID:1852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqladhlp*
    3⤵
    - Kills process with taskkill
    PID:656
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Culserver*
  2⤵
  PID:1348
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Culserver*
    3⤵
    - Kills process with taskkill
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM RTVscan*
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM RTVscan*
    3⤵
    - Kills process with taskkill
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlbrowser*
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlbrowser*
    3⤵
    PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLADHLP*
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLADHLP*
    3⤵
    - Kills process with taskkill
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBIDPService*
  2⤵
  PID:1260
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBIDPService*
    3⤵
    - Kills process with taskkill
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
  2⤵
  PID:276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBCFMonitorService*
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBCFMonitorService*
    3⤵
    - Kills process with taskkill
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlwriter*
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlwriter*
    3⤵
    - Kills process with taskkill
    PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msmdsrv*
  2⤵
  PID:472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msmdsrv*
    3⤵
    - Kills process with taskkill
    PID:620
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM tomcat6*
  2⤵
  PID:528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM tomcat6*
    3⤵
    - Kills process with taskkill
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM zhudongfangyu*
  2⤵
  PID:568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    PID:1220
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM vmware-usbarbitator64*
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM vmware-usbarbitator64*
    3⤵
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM vmware-converter*
  2⤵
  PID:1948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM vmware-converter*
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM dbsrv12*
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM dbsrv12*
    3⤵
    - Kills process with taskkill
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM dbeng8*
  2⤵
  PID:828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM dbeng8*
    3⤵
    - Kills process with taskkill
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:1376
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLBrowser*
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLBrowser*
    3⤵
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLWriter*
  2⤵
  PID:1780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLWriter*
    3⤵
    PID:1852
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM FishbowlMySQL*
  2⤵
  PID:1336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM FishbowlMySQL*
    3⤵
    - Kills process with taskkill
    PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    - Kills process with taskkill
    PID:1888
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MySQL57*
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MySQL57*
    3⤵
    - Kills process with taskkill
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLServerADHelper100*
    3⤵
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
    3⤵
    - Kills process with taskkill
    PID:276
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msftesql-Exchange*
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msftesql-Exchange*
    3⤵
    - Kills process with taskkill
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
    3⤵
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
  2⤵
  PID:656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$SHAREPOINT*
    3⤵
    PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
    3⤵
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
  2⤵
  PID:1132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBFCService*
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBFCService*
    3⤵
    - Kills process with taskkill
    PID:828
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBVSS*
  2⤵
  PID:272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBVSS*
    3⤵
    - Kills process with taskkill
    PID:288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /T 15 /NOBREAK && del "C:\Users\Admin\AppData\Local\Temp\f188cf267d209a0209a25bda4bb75b86.exe" /F
  2⤵
  - Deletes itself
  PID:2040
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 15 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:1496