Analysis
- max time kernel: 48s
- max time network: 149s
- platform: windows7_x64
- resource: win7v200722
- submitted: 24-07-2020 12:51
Static task: static1
Behavioral task: behavioral1
- Sample: 5a63e7d371dd69c5625f5b48da426c14.exe
- Resource: win7v200722
Behavioral task: behavioral2
- Sample: 5a63e7d371dd69c5625f5b48da426c14.exe
- Resource: win10
General
- Target: 5a63e7d371dd69c5625f5b48da426c14.exe
- Size: 43KB
- MD5: 5a63e7d371dd69c5625f5b48da426c14
- SHA1: 63a5bd8b7ed922ad5fe498d2a15a57d1d552055a
- SHA256: b1bcc54ef15f91d9291357eca02862174bd6158e95813eff1ab0c16ba48ff10e
- SHA512: a228061433052e64965ee9cdd678bbe2fa18c88b214642176437504b107c97f68912b1760f15b1e56a7bc9d5ac14ddd1bb2dcfdf27958e88e1a5f0db6cfbc767
Malware Config
Signatures
- Suspicious use of WriteProcessMemory: 732 IoCs
5a63e7d371dd69c5625f5b48da426c14.exe 242 PID 388 wrote to memory of 1548 388 5a63e7d371dd69c5625f5b48da426c14.exe 242 PID 1548 wrote to memory of 1880 1548 cmd.exe 244 PID 1548 wrote to memory of 1880 1548 cmd.exe 244 PID 1548 wrote to memory of 1880 1548 cmd.exe 244 PID 1548 wrote to memory of 1880 1548 cmd.exe 244 PID 388 wrote to memory of 1872 388 5a63e7d371dd69c5625f5b48da426c14.exe 245 PID 388 wrote to memory of 1872 388 5a63e7d371dd69c5625f5b48da426c14.exe 245 PID 388 wrote to memory of 1872 388 5a63e7d371dd69c5625f5b48da426c14.exe 245 PID 388 wrote to memory of 1872 388 5a63e7d371dd69c5625f5b48da426c14.exe 245 PID 1872 wrote to memory of 1920 1872 cmd.exe 247 PID 1872 wrote to memory of 1920 1872 cmd.exe 247 PID 1872 wrote to memory of 1920 1872 cmd.exe 247 PID 1872 wrote to memory of 1920 1872 cmd.exe 247 PID 388 wrote to memory of 1888 388 5a63e7d371dd69c5625f5b48da426c14.exe 248 PID 388 wrote to memory of 1888 388 5a63e7d371dd69c5625f5b48da426c14.exe 248 PID 388 wrote to memory of 1888 388 5a63e7d371dd69c5625f5b48da426c14.exe 248 PID 388 wrote to memory of 1888 388 5a63e7d371dd69c5625f5b48da426c14.exe 248 PID 1888 wrote to memory of 1116 1888 cmd.exe 250 PID 1888 wrote to memory of 1116 1888 cmd.exe 250 PID 1888 wrote to memory of 1116 1888 cmd.exe 250 PID 1888 wrote to memory of 1116 1888 cmd.exe 250 PID 388 wrote to memory of 1912 388 5a63e7d371dd69c5625f5b48da426c14.exe 251 PID 388 wrote to memory of 1912 388 5a63e7d371dd69c5625f5b48da426c14.exe 251 PID 388 wrote to memory of 1912 388 5a63e7d371dd69c5625f5b48da426c14.exe 251 PID 388 wrote to memory of 1912 388 5a63e7d371dd69c5625f5b48da426c14.exe 251 PID 1912 wrote to memory of 1824 1912 cmd.exe 253 PID 1912 wrote to memory of 1824 1912 cmd.exe 253 PID 1912 wrote to memory of 1824 1912 cmd.exe 253 PID 1912 wrote to memory of 1824 1912 cmd.exe 253 PID 388 wrote to memory of 1560 388 5a63e7d371dd69c5625f5b48da426c14.exe 254 PID 388 wrote to memory of 1560 388 5a63e7d371dd69c5625f5b48da426c14.exe 254 PID 
388 wrote to memory of 1560 388 5a63e7d371dd69c5625f5b48da426c14.exe 254 PID 388 wrote to memory of 1560 388 5a63e7d371dd69c5625f5b48da426c14.exe 254 PID 1560 wrote to memory of 1812 1560 cmd.exe 256 PID 1560 wrote to memory of 1812 1560 cmd.exe 256 PID 1560 wrote to memory of 1812 1560 cmd.exe 256 PID 1560 wrote to memory of 1812 1560 cmd.exe 256 PID 388 wrote to memory of 1736 388 5a63e7d371dd69c5625f5b48da426c14.exe 257 PID 388 wrote to memory of 1736 388 5a63e7d371dd69c5625f5b48da426c14.exe 257 PID 388 wrote to memory of 1736 388 5a63e7d371dd69c5625f5b48da426c14.exe 257 PID 388 wrote to memory of 1736 388 5a63e7d371dd69c5625f5b48da426c14.exe 257 PID 1736 wrote to memory of 1620 1736 cmd.exe 259 PID 1736 wrote to memory of 1620 1736 cmd.exe 259 PID 1736 wrote to memory of 1620 1736 cmd.exe 259 PID 1736 wrote to memory of 1620 1736 cmd.exe 259 PID 388 wrote to memory of 848 388 5a63e7d371dd69c5625f5b48da426c14.exe 260 PID 388 wrote to memory of 848 388 5a63e7d371dd69c5625f5b48da426c14.exe 260 PID 388 wrote to memory of 848 388 5a63e7d371dd69c5625f5b48da426c14.exe 260 PID 388 wrote to memory of 848 388 5a63e7d371dd69c5625f5b48da426c14.exe 260 PID 848 wrote to memory of 1164 848 cmd.exe 262 PID 848 wrote to memory of 1164 848 cmd.exe 262 PID 848 wrote to memory of 1164 848 cmd.exe 262 PID 848 wrote to memory of 1164 848 cmd.exe 262 PID 388 wrote to memory of 1588 388 5a63e7d371dd69c5625f5b48da426c14.exe 263 PID 388 wrote to memory of 1588 388 5a63e7d371dd69c5625f5b48da426c14.exe 263 PID 388 wrote to memory of 1588 388 5a63e7d371dd69c5625f5b48da426c14.exe 263 PID 388 wrote to memory of 1588 388 5a63e7d371dd69c5625f5b48da426c14.exe 263 PID 1588 wrote to memory of 784 1588 cmd.exe 265 PID 1588 wrote to memory of 784 1588 cmd.exe 265 PID 1588 wrote to memory of 784 1588 cmd.exe 265 PID 1588 wrote to memory of 784 1588 cmd.exe 265 PID 388 wrote to memory of 1148 388 5a63e7d371dd69c5625f5b48da426c14.exe 266 PID 388 wrote to memory of 1148 388 
5a63e7d371dd69c5625f5b48da426c14.exe 266 PID 388 wrote to memory of 1148 388 5a63e7d371dd69c5625f5b48da426c14.exe 266 PID 388 wrote to memory of 1148 388 5a63e7d371dd69c5625f5b48da426c14.exe 266 PID 1148 wrote to memory of 1012 1148 cmd.exe 268 PID 1148 wrote to memory of 1012 1148 cmd.exe 268 PID 1148 wrote to memory of 1012 1148 cmd.exe 268 PID 1148 wrote to memory of 1012 1148 cmd.exe 268 PID 388 wrote to memory of 1264 388 5a63e7d371dd69c5625f5b48da426c14.exe 269 PID 388 wrote to memory of 1264 388 5a63e7d371dd69c5625f5b48da426c14.exe 269 PID 388 wrote to memory of 1264 388 5a63e7d371dd69c5625f5b48da426c14.exe 269 PID 388 wrote to memory of 1264 388 5a63e7d371dd69c5625f5b48da426c14.exe 269 PID 1264 wrote to memory of 1472 1264 cmd.exe 271 PID 1264 wrote to memory of 1472 1264 cmd.exe 271 PID 1264 wrote to memory of 1472 1264 cmd.exe 271 PID 1264 wrote to memory of 1472 1264 cmd.exe 271 PID 388 wrote to memory of 820 388 5a63e7d371dd69c5625f5b48da426c14.exe 272 PID 388 wrote to memory of 820 388 5a63e7d371dd69c5625f5b48da426c14.exe 272 PID 388 wrote to memory of 820 388 5a63e7d371dd69c5625f5b48da426c14.exe 272 PID 388 wrote to memory of 820 388 5a63e7d371dd69c5625f5b48da426c14.exe 272 PID 820 wrote to memory of 1692 820 cmd.exe 274 PID 820 wrote to memory of 1692 820 cmd.exe 274 PID 820 wrote to memory of 1692 820 cmd.exe 274 PID 820 wrote to memory of 1692 820 cmd.exe 274 PID 388 wrote to memory of 1548 388 5a63e7d371dd69c5625f5b48da426c14.exe 275 PID 388 wrote to memory of 1548 388 5a63e7d371dd69c5625f5b48da426c14.exe 275 PID 388 wrote to memory of 1548 388 5a63e7d371dd69c5625f5b48da426c14.exe 275 PID 388 wrote to memory of 1548 388 5a63e7d371dd69c5625f5b48da426c14.exe 275 PID 1548 wrote to memory of 1892 1548 cmd.exe 277 PID 1548 wrote to memory of 1892 1548 cmd.exe 277 PID 1548 wrote to memory of 1892 1548 cmd.exe 277 PID 1548 wrote to memory of 1892 1548 cmd.exe 277 PID 388 wrote to memory of 1884 388 5a63e7d371dd69c5625f5b48da426c14.exe 278 PID 388 wrote 
to memory of 1884 388 5a63e7d371dd69c5625f5b48da426c14.exe 278 PID 388 wrote to memory of 1884 388 5a63e7d371dd69c5625f5b48da426c14.exe 278 PID 388 wrote to memory of 1884 388 5a63e7d371dd69c5625f5b48da426c14.exe 278 PID 1884 wrote to memory of 1832 1884 cmd.exe 280 PID 1884 wrote to memory of 1832 1884 cmd.exe 280 PID 1884 wrote to memory of 1832 1884 cmd.exe 280 PID 1884 wrote to memory of 1832 1884 cmd.exe 280 PID 388 wrote to memory of 1888 388 5a63e7d371dd69c5625f5b48da426c14.exe 281 PID 388 wrote to memory of 1888 388 5a63e7d371dd69c5625f5b48da426c14.exe 281 PID 388 wrote to memory of 1888 388 5a63e7d371dd69c5625f5b48da426c14.exe 281 PID 388 wrote to memory of 1888 388 5a63e7d371dd69c5625f5b48da426c14.exe 281 PID 1888 wrote to memory of 1936 1888 cmd.exe 283 PID 1888 wrote to memory of 1936 1888 cmd.exe 283 PID 1888 wrote to memory of 1936 1888 cmd.exe 283 PID 1888 wrote to memory of 1936 1888 cmd.exe 283 PID 388 wrote to memory of 1932 388 5a63e7d371dd69c5625f5b48da426c14.exe 284 PID 388 wrote to memory of 1932 388 5a63e7d371dd69c5625f5b48da426c14.exe 284 PID 388 wrote to memory of 1932 388 5a63e7d371dd69c5625f5b48da426c14.exe 284 PID 388 wrote to memory of 1932 388 5a63e7d371dd69c5625f5b48da426c14.exe 284 PID 1932 wrote to memory of 1532 1932 cmd.exe 286 PID 1932 wrote to memory of 1532 1932 cmd.exe 286 PID 1932 wrote to memory of 1532 1932 cmd.exe 286 PID 1932 wrote to memory of 1532 1932 cmd.exe 286 PID 388 wrote to memory of 1560 388 5a63e7d371dd69c5625f5b48da426c14.exe 287 PID 388 wrote to memory of 1560 388 5a63e7d371dd69c5625f5b48da426c14.exe 287 PID 388 wrote to memory of 1560 388 5a63e7d371dd69c5625f5b48da426c14.exe 287 PID 388 wrote to memory of 1560 388 5a63e7d371dd69c5625f5b48da426c14.exe 287 PID 1560 wrote to memory of 1772 1560 cmd.exe 289 PID 1560 wrote to memory of 1772 1560 cmd.exe 289 PID 1560 wrote to memory of 1772 1560 cmd.exe 289 PID 1560 wrote to memory of 1772 1560 cmd.exe 289 PID 388 wrote to memory of 1992 388 
5a63e7d371dd69c5625f5b48da426c14.exe 290 PID 388 wrote to memory of 1992 388 5a63e7d371dd69c5625f5b48da426c14.exe 290 PID 388 wrote to memory of 1992 388 5a63e7d371dd69c5625f5b48da426c14.exe 290 PID 388 wrote to memory of 1992 388 5a63e7d371dd69c5625f5b48da426c14.exe 290 PID 1992 wrote to memory of 764 1992 cmd.exe 292 PID 1992 wrote to memory of 764 1992 cmd.exe 292 PID 1992 wrote to memory of 764 1992 cmd.exe 292 PID 1992 wrote to memory of 764 1992 cmd.exe 292 PID 388 wrote to memory of 848 388 5a63e7d371dd69c5625f5b48da426c14.exe 293 PID 388 wrote to memory of 848 388 5a63e7d371dd69c5625f5b48da426c14.exe 293 PID 388 wrote to memory of 848 388 5a63e7d371dd69c5625f5b48da426c14.exe 293 PID 388 wrote to memory of 848 388 5a63e7d371dd69c5625f5b48da426c14.exe 293 PID 848 wrote to memory of 1468 848 cmd.exe 295 PID 848 wrote to memory of 1468 848 cmd.exe 295 PID 848 wrote to memory of 1468 848 cmd.exe 295 PID 848 wrote to memory of 1468 848 cmd.exe 295 PID 388 wrote to memory of 1428 388 5a63e7d371dd69c5625f5b48da426c14.exe 296 PID 388 wrote to memory of 1428 388 5a63e7d371dd69c5625f5b48da426c14.exe 296 PID 388 wrote to memory of 1428 388 5a63e7d371dd69c5625f5b48da426c14.exe 296 PID 388 wrote to memory of 1428 388 5a63e7d371dd69c5625f5b48da426c14.exe 296 PID 1428 wrote to memory of 1364 1428 cmd.exe 298 PID 1428 wrote to memory of 1364 1428 cmd.exe 298 PID 1428 wrote to memory of 1364 1428 cmd.exe 298 PID 1428 wrote to memory of 1364 1428 cmd.exe 298 PID 388 wrote to memory of 808 388 5a63e7d371dd69c5625f5b48da426c14.exe 299 PID 388 wrote to memory of 808 388 5a63e7d371dd69c5625f5b48da426c14.exe 299 PID 388 wrote to memory of 808 388 5a63e7d371dd69c5625f5b48da426c14.exe 299 PID 388 wrote to memory of 808 388 5a63e7d371dd69c5625f5b48da426c14.exe 299 PID 808 wrote to memory of 1668 808 cmd.exe 301 PID 808 wrote to memory of 1668 808 cmd.exe 301 PID 808 wrote to memory of 1668 808 cmd.exe 301 PID 808 wrote to memory of 1668 808 cmd.exe 301 PID 388 wrote to memory of 1536 
388 5a63e7d371dd69c5625f5b48da426c14.exe 302 PID 388 wrote to memory of 1536 388 5a63e7d371dd69c5625f5b48da426c14.exe 302 PID 388 wrote to memory of 1536 388 5a63e7d371dd69c5625f5b48da426c14.exe 302 PID 388 wrote to memory of 1536 388 5a63e7d371dd69c5625f5b48da426c14.exe 302 PID 1536 wrote to memory of 1916 1536 cmd.exe 304 PID 1536 wrote to memory of 1916 1536 cmd.exe 304 PID 1536 wrote to memory of 1916 1536 cmd.exe 304 PID 1536 wrote to memory of 1916 1536 cmd.exe 304 -
Suspicious behavior: EnumeratesProcesses 278 IoCs
-
Modifies service 2 TTPs 4 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe
-
Kills process with taskkill 87 IoCs
-
Enumerates connected drives 3 TTPs
-
Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
-
Suspicious use of AdjustPrivilegeToken 127 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
1816 vssadmin.exe
-
NTFS ADS 5 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Local\Temp\boot.sys:ndhvvygzw 5a63e7d371dd69c5625f5b48da426c14.exe
File created C:\Users\Admin\AppData\Local\Temp\boot.sys:yxwmizcdnycyvuyea 5a63e7d371dd69c5625f5b48da426c14.exe
File opened for modification C:\Users\Admin\AppData\Local\Temp\boot.sys:jrzuzotpboxvv 5a63e7d371dd69c5625f5b48da426c14.exe
File opened for modification C:\Users\Admin\AppData\Local\Temp\boot.sys:ndhvvygzw 5a63e7d371dd69c5625f5b48da426c14.exe
File created C:\Users\Admin\AppData\Local\Temp\boot.sys:yapcqiqpbyseursy 5a63e7d371dd69c5625f5b48da426c14.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a63e7d371dd69c5625f5b48da426c14.exe"C:\Users\Admin\AppData\Local\Temp\5a63e7d371dd69c5625f5b48da426c14.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- NTFS ADS
PID:388 -
C:\Windows\SysWOW64\cmd.execmd /C wmic.exe SHADOWCOPY DELETE /nointeractive2⤵
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic.exe SHADOWCOPY DELETE /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C wbadmin DELETE SYSTEMSTATEBACKUP2⤵PID:1892
-
-
C:\Windows\SysWOW64\cmd.execmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest2⤵PID:1912
-
-
C:\Windows\SysWOW64\cmd.execmd /C bcdedit.exe /set {default} recoveryenabled No2⤵PID:1936
-
-
C:\Windows\SysWOW64\cmd.execmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵PID:1372
-
-
C:\Windows\SysWOW64\cmd.execmd /C vssadmin.exe Delete Shadows /All /Quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:1816
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C C:\Windows\system32\vssvc.exe2⤵PID:1624
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM wxServer*2⤵
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM wxServer*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM wxServerView*2⤵
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM wxServerView*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:868
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM sqlmangr*2⤵
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM sqlmangr*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:376
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM RAgui*2⤵PID:808
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM RAgui*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:892
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM supervise*2⤵PID:576
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM supervise*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1488
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Culture*2⤵PID:872
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Culture*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1032
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Defwatch*2⤵PID:1480
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Defwatch*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1040
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM winword*2⤵PID:1904
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM winword*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM QBW32*2⤵PID:1956
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM QBW32*3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1828
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM QBDBMgr*2⤵PID:1816
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM QBDBMgr*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM qbupdate*2⤵PID:1992
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM qbupdate*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM axlbridge*2⤵PID:1184
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM axlbridge*3⤵
- Suspicious use of AdjustPrivilegeToken
PID:868
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM httpd*2⤵PID:320
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM httpd*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:376
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM fdlauncher*2⤵PID:1600
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM fdlauncher*3⤵
- Suspicious use of AdjustPrivilegeToken
PID:892
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MsDtSrvr*2⤵PID:820
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MsDtSrvr*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1540
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM java*2⤵PID:1216
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM java*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1872
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM 360se*2⤵PID:1048
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM 360se*3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1916
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM 360doctor*2⤵PID:1924
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM 360doctor*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1376
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM wdswfsafe*2⤵PID:1372
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM wdswfsafe*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM fdhost*2⤵PID:1980
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM fdhost*3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM GDscan*2⤵PID:1528
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM GDscan*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM ZhuDongFangYu*2⤵PID:1164
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM ZhuDongFangYu*3⤵
- Kills process with taskkill
PID:1988
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM QBDBMgrN*2⤵PID:692
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM QBDBMgrN*3⤵
- Kills process with taskkill
PID:1156
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM mysqld*2⤵PID:1012
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM mysqld*3⤵
- Kills process with taskkill
PID:1584
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM AutodeskDesktopApp*2⤵PID:1472
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM AutodeskDesktopApp*3⤵PID:576
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM acwebbrowser*2⤵PID:1692
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM acwebbrowser*3⤵
- Kills process with taskkill
PID:1044
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Creative Cloud*2⤵PID:1892
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Creative Cloud*3⤵
- Kills process with taskkill
PID:1036
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Adobe Desktop Service*2⤵PID:1048
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Adobe Desktop Service*3⤵
- Kills process with taskkill
PID:1968
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM CoreSync*2⤵PID:1904
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM CoreSync*3⤵
- Kills process with taskkill
PID:1924
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Adobe CEF Helper*2⤵PID:1120
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Adobe CEF Helper*3⤵
- Kills process with taskkill
PID:1820
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM node*2⤵PID:1816
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM node*3⤵
- Kills process with taskkill
PID:1564
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM AdobeIPCBroker*2⤵PID:1664
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM AdobeIPCBroker*3⤵
- Kills process with taskkill
PID:1620
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM sync-taskbar*2⤵PID:1172
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM sync-taskbar*3⤵
- Kills process with taskkill
PID:1988
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM sync-worker*2⤵PID:660
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM sync-worker*3⤵
- Kills process with taskkill
PID:1156
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM InputPersonalization*2⤵PID:1460
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM InputPersonalization*3⤵PID:1584
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM AdobeCollabSync*2⤵PID:1668
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM AdobeCollabSync*3⤵PID:576
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM BrCtrlCntr*2⤵PID:1896
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM BrCtrlCntr*3⤵
- Kills process with taskkill
PID:1044
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM BrCcUxSys*2⤵PID:1900
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM BrCcUxSys*3⤵PID:1892
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SimplyConnectionManager*2⤵PID:1948
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SimplyConnectionManager*3⤵PID:1960
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Simply.SystemTrayIcon*2⤵PID:1932
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Simply.SystemTrayIcon*3⤵PID:1616
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM fbguard*2⤵PID:1552
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM fbguard*3⤵
- Kills process with taskkill
PID:1568
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM fbserver*2⤵PID:1556
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM fbserver*3⤵PID:1580
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM ONENOTEM*2⤵PID:1264
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM ONENOTEM*3⤵
- Kills process with taskkill
PID:844
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM wrapper*2⤵PID:860
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM wrapper*3⤵
- Kills process with taskkill
PID:1428
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM DefWatch*2⤵PID:1604
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM DefWatch*3⤵
- Kills process with taskkill
PID:808
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM ccEvtMgr*2⤵PID:816
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM ccEvtMgr*3⤵
- Kills process with taskkill
PID:1472
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM ccSetMgr*2⤵PID:1880
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM ccSetMgr*3⤵
- Kills process with taskkill
PID:1504
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SavRoam*2⤵PID:1036
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SavRoam*3⤵
- Kills process with taskkill
PID:1928
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Sqlservr*2⤵PID:1048
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Sqlservr*3⤵
- Kills process with taskkill
PID:1828
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM sqlagent*2⤵PID:1904
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM sqlagent*3⤵
- Kills process with taskkill
PID:1820
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM sqladhlp*2⤵PID:1980
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM sqladhlp*3⤵
- Kills process with taskkill
PID:1564
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Culserver*2⤵PID:1996
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Culserver*3⤵
- Kills process with taskkill
PID:1772
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM RTVscan*2⤵PID:568
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM RTVscan*3⤵PID:1172
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM sqlbrowser*2⤵PID:1264
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM sqlbrowser*3⤵
- Kills process with taskkill
PID:524
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLADHLP*2⤵PID:852
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLADHLP*3⤵
- Kills process with taskkill
PID:364
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM QBIDPService*2⤵PID:1604
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM QBIDPService*3⤵
- Kills process with taskkill
PID:1668
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*2⤵PID:1872
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM Intuit.QuickBooks.FCS*3⤵PID:1216
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM QBCFMonitorService*2⤵PID:1508
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM QBCFMonitorService*3⤵
- Kills process with taskkill
PID:1900
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM sqlwriter*2⤵PID:1912
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM sqlwriter*3⤵
- Kills process with taskkill
PID:636
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM msmdsrv*2⤵PID:1048
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM msmdsrv*3⤵PID:1616
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM tomcat6*2⤵PID:1736
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM tomcat6*3⤵
- Kills process with taskkill
PID:1976
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM zhudongfangyu*2⤵PID:1980
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM zhudongfangyu*3⤵
- Kills process with taskkill
PID:1444
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM vmware-usbarbitator64*2⤵PID:1588
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM vmware-usbarbitator64*3⤵
- Kills process with taskkill
PID:1028
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM vmware-converter*2⤵PID:568
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM vmware-converter*3⤵PID:860
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM dbsrv12*2⤵PID:1264
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM dbsrv12*3⤵
- Kills process with taskkill
PID:1492
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM dbeng8*2⤵PID:680
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM dbeng8*3⤵PID:612
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*2⤵PID:1548
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$MICROSOFT##WID*3⤵PID:1880
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*2⤵PID:1872
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$VEEAMSQL2012*3⤵PID:1920
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*2⤵PID:1888
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLAgent$VEEAMSQL2012*3⤵
- Kills process with taskkill
PID:1116
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLBrowser*2⤵PID:1912
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLBrowser*3⤵
- Kills process with taskkill
PID:1824
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLWriter*2⤵PID:1560
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLWriter*3⤵
- Kills process with taskkill
PID:1812
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM FishbowlMySQL*2⤵PID:1736
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM FishbowlMySQL*3⤵
- Kills process with taskkill
PID:1620
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*2⤵PID:848
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$MICROSOFT##WID*3⤵
- Kills process with taskkill
PID:1164
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MySQL57*2⤵PID:1588
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MySQL57*3⤵
- Kills process with taskkill
PID:784
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*2⤵PID:1148
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*3⤵
- Kills process with taskkill
PID:1012
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQLServerADHelper100*2⤵PID:1264
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQLServerADHelper100*3⤵PID:1472
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*2⤵PID:820
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*3⤵
- Kills process with taskkill
PID:1692
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM msftesql-Exchange*2⤵PID:1548
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM msftesql-Exchange*3⤵
- Kills process with taskkill
PID:1892
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*2⤵PID:1884
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$MICROSOFT##SSEE*3⤵
- Kills process with taskkill
PID:1832
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*2⤵PID:1888
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$SBSMONITORING*3⤵
- Kills process with taskkill
PID:1936
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*2⤵PID:1932
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQL$SHAREPOINT*3⤵
- Kills process with taskkill
PID:1532
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*2⤵PID:1560
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*3⤵
- Kills process with taskkill
PID:1772
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*2⤵PID:1992
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*3⤵PID:764
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*2⤵PID:848
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLAgent$SBSMONITORING*3⤵PID:1468
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*2⤵PID:1428
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM SQLAgent$SHAREPOINT*3⤵
- Kills process with taskkill
PID:1364
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM QBFCService*2⤵PID:808
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM QBFCService*3⤵
- Kills process with taskkill
PID:1668
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C taskkill /F /T /IM QBVSS*2⤵PID:1536
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /T /IM QBVSS*3⤵PID:1916
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1388