b1bcc54ef15f91d9291357eca02862174bd6158e95813eff1ab0c16ba48ff10e

Analysis

max time kernel
15s
max time network
38s
platform
windows10_x64
resource
win10
submitted
24-07-2020 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a63e7d371dd69c5625f5b48da426c14.exe
Size

43KB
MD5

5a63e7d371dd69c5625f5b48da426c14
SHA1

63a5bd8b7ed922ad5fe498d2a15a57d1d552055a
SHA256

b1bcc54ef15f91d9291357eca02862174bd6158e95813eff1ab0c16ba48ff10e
SHA512

a228061433052e64965ee9cdd678bbe2fa18c88b214642176437504b107c97f68912b1760f15b1e56a7bc9d5ac14ddd1bb2dcfdf27958e88e1a5f0db6cfbc767

Score

9^/10

ransomware persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3068	5a63e7d371dd69c5625f5b48da426c14.exe
3068	5a63e7d371dd69c5625f5b48da426c14.exe
3068	5a63e7d371dd69c5625f5b48da426c14.exe
3068	5a63e7d371dd69c5625f5b48da426c14.exe
3068	5a63e7d371dd69c5625f5b48da426c14.exe
3068	5a63e7d371dd69c5625f5b48da426c14.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Kills process with taskkill 87 IoCs

evasion

pid	Process
1104	taskkill.exe
1508	taskkill.exe
2940	taskkill.exe
2540	taskkill.exe
488	taskkill.exe
3004	taskkill.exe
3856	taskkill.exe
488	taskkill.exe
1788	taskkill.exe
1780	taskkill.exe
840	taskkill.exe
1040	taskkill.exe
3004	taskkill.exe
3200	taskkill.exe
3908	taskkill.exe
3144	taskkill.exe
3796	taskkill.exe
1224	taskkill.exe
488	taskkill.exe
2940	taskkill.exe
2092	taskkill.exe
2684	taskkill.exe
3500	taskkill.exe
2916	taskkill.exe
3892	taskkill.exe
1496	taskkill.exe
1324	taskkill.exe
412	taskkill.exe
424	taskkill.exe
540	taskkill.exe
1324	taskkill.exe
2940	taskkill.exe
3908	taskkill.exe
3520	taskkill.exe
2684	taskkill.exe
408	taskkill.exe
840	taskkill.exe
3892	taskkill.exe
500	taskkill.exe
424	taskkill.exe
1040	taskkill.exe
2540	taskkill.exe
3088	taskkill.exe
1792	taskkill.exe
3768	taskkill.exe
1216	taskkill.exe
3892	taskkill.exe
896	taskkill.exe
2152	taskkill.exe
1156	taskkill.exe
3856	taskkill.exe
2192	taskkill.exe
3032	taskkill.exe
416	taskkill.exe
488	taskkill.exe
3872	taskkill.exe
3976	taskkill.exe
1796	taskkill.exe
1304	taskkill.exe
2192	taskkill.exe
1780	taskkill.exe
2180	taskkill.exe
3792	taskkill.exe
692	taskkill.exe
504	taskkill.exe
3668	taskkill.exe
3668	taskkill.exe
2940	taskkill.exe
1292	taskkill.exe
1008	taskkill.exe
3640	taskkill.exe
1564	taskkill.exe
3856	taskkill.exe
1008	taskkill.exe
1332	taskkill.exe
1000	taskkill.exe
1604	taskkill.exe
2344	taskkill.exe
1008	taskkill.exe
692	taskkill.exe
692	taskkill.exe
3976	taskkill.exe
3032	taskkill.exe
840	taskkill.exe
648	taskkill.exe
2092	taskkill.exe
3904	taskkill.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3768	vssadmin.exe

NTFS ADS 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:yxwmizcdnycyvuyea	5a63e7d371dd69c5625f5b48da426c14.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:jrzuzotpboxvv	5a63e7d371dd69c5625f5b48da426c14.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:ndhvvygzw	5a63e7d371dd69c5625f5b48da426c14.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:yapcqiqpbyseursy	5a63e7d371dd69c5625f5b48da426c14.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:ndhvvygzw	5a63e7d371dd69c5625f5b48da426c14.exe

Suspicious use of WriteProcessMemory 549 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 3312	3068	5a63e7d371dd69c5625f5b48da426c14.exe	68
PID 3068 wrote to memory of 3312	3068	5a63e7d371dd69c5625f5b48da426c14.exe	68
PID 3068 wrote to memory of 3312	3068	5a63e7d371dd69c5625f5b48da426c14.exe	68
PID 3312 wrote to memory of 3956	3312	cmd.exe	70
PID 3312 wrote to memory of 3956	3312	cmd.exe	70
PID 3312 wrote to memory of 3956	3312	cmd.exe	70
PID 3068 wrote to memory of 2644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	73
PID 3068 wrote to memory of 2644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	73
PID 3068 wrote to memory of 2644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	73
PID 3068 wrote to memory of 3284	3068	5a63e7d371dd69c5625f5b48da426c14.exe	75
PID 3068 wrote to memory of 3284	3068	5a63e7d371dd69c5625f5b48da426c14.exe	75
PID 3068 wrote to memory of 3284	3068	5a63e7d371dd69c5625f5b48da426c14.exe	75
PID 3068 wrote to memory of 3940	3068	5a63e7d371dd69c5625f5b48da426c14.exe	77
PID 3068 wrote to memory of 3940	3068	5a63e7d371dd69c5625f5b48da426c14.exe	77
PID 3068 wrote to memory of 3940	3068	5a63e7d371dd69c5625f5b48da426c14.exe	77
PID 3068 wrote to memory of 1564	3068	5a63e7d371dd69c5625f5b48da426c14.exe	79
PID 3068 wrote to memory of 1564	3068	5a63e7d371dd69c5625f5b48da426c14.exe	79
PID 3068 wrote to memory of 1564	3068	5a63e7d371dd69c5625f5b48da426c14.exe	79
PID 3068 wrote to memory of 3688	3068	5a63e7d371dd69c5625f5b48da426c14.exe	81
PID 3068 wrote to memory of 3688	3068	5a63e7d371dd69c5625f5b48da426c14.exe	81
PID 3068 wrote to memory of 3688	3068	5a63e7d371dd69c5625f5b48da426c14.exe	81
PID 3688 wrote to memory of 3768	3688	cmd.exe	83
PID 3688 wrote to memory of 3768	3688	cmd.exe	83
PID 3688 wrote to memory of 3768	3688	cmd.exe	83
PID 3068 wrote to memory of 3856	3068	5a63e7d371dd69c5625f5b48da426c14.exe	84
PID 3068 wrote to memory of 3856	3068	5a63e7d371dd69c5625f5b48da426c14.exe	84
PID 3068 wrote to memory of 3856	3068	5a63e7d371dd69c5625f5b48da426c14.exe	84
PID 3068 wrote to memory of 504	3068	5a63e7d371dd69c5625f5b48da426c14.exe	86
PID 3068 wrote to memory of 504	3068	5a63e7d371dd69c5625f5b48da426c14.exe	86
PID 3068 wrote to memory of 504	3068	5a63e7d371dd69c5625f5b48da426c14.exe	86
PID 504 wrote to memory of 3520	504	cmd.exe	88
PID 504 wrote to memory of 3520	504	cmd.exe	88
PID 504 wrote to memory of 3520	504	cmd.exe	88
PID 3068 wrote to memory of 2916	3068	5a63e7d371dd69c5625f5b48da426c14.exe	90
PID 3068 wrote to memory of 2916	3068	5a63e7d371dd69c5625f5b48da426c14.exe	90
PID 3068 wrote to memory of 2916	3068	5a63e7d371dd69c5625f5b48da426c14.exe	90
PID 2916 wrote to memory of 3872	2916	cmd.exe	92
PID 2916 wrote to memory of 3872	2916	cmd.exe	92
PID 2916 wrote to memory of 3872	2916	cmd.exe	92
PID 3068 wrote to memory of 2340	3068	5a63e7d371dd69c5625f5b48da426c14.exe	93
PID 3068 wrote to memory of 2340	3068	5a63e7d371dd69c5625f5b48da426c14.exe	93
PID 3068 wrote to memory of 2340	3068	5a63e7d371dd69c5625f5b48da426c14.exe	93
PID 2340 wrote to memory of 3904	2340	cmd.exe	95
PID 2340 wrote to memory of 3904	2340	cmd.exe	95
PID 2340 wrote to memory of 3904	2340	cmd.exe	95
PID 3068 wrote to memory of 3144	3068	5a63e7d371dd69c5625f5b48da426c14.exe	96
PID 3068 wrote to memory of 3144	3068	5a63e7d371dd69c5625f5b48da426c14.exe	96
PID 3068 wrote to memory of 3144	3068	5a63e7d371dd69c5625f5b48da426c14.exe	96
PID 3144 wrote to memory of 3768	3144	cmd.exe	98
PID 3144 wrote to memory of 3768	3144	cmd.exe	98
PID 3144 wrote to memory of 3768	3144	cmd.exe	98
PID 3068 wrote to memory of 3844	3068	5a63e7d371dd69c5625f5b48da426c14.exe	99
PID 3068 wrote to memory of 3844	3068	5a63e7d371dd69c5625f5b48da426c14.exe	99
PID 3068 wrote to memory of 3844	3068	5a63e7d371dd69c5625f5b48da426c14.exe	99
PID 3844 wrote to memory of 416	3844	cmd.exe	101
PID 3844 wrote to memory of 416	3844	cmd.exe	101
PID 3844 wrote to memory of 416	3844	cmd.exe	101
PID 3068 wrote to memory of 904	3068	5a63e7d371dd69c5625f5b48da426c14.exe	102
PID 3068 wrote to memory of 904	3068	5a63e7d371dd69c5625f5b48da426c14.exe	102
PID 3068 wrote to memory of 904	3068	5a63e7d371dd69c5625f5b48da426c14.exe	102
PID 904 wrote to memory of 3892	904	cmd.exe	104
PID 904 wrote to memory of 3892	904	cmd.exe	104
PID 904 wrote to memory of 3892	904	cmd.exe	104
PID 3068 wrote to memory of 756	3068	5a63e7d371dd69c5625f5b48da426c14.exe	105
PID 3068 wrote to memory of 756	3068	5a63e7d371dd69c5625f5b48da426c14.exe	105
PID 3068 wrote to memory of 756	3068	5a63e7d371dd69c5625f5b48da426c14.exe	105
PID 756 wrote to memory of 692	756	cmd.exe	107
PID 756 wrote to memory of 692	756	cmd.exe	107
PID 756 wrote to memory of 692	756	cmd.exe	107
PID 3068 wrote to memory of 3104	3068	5a63e7d371dd69c5625f5b48da426c14.exe	108
PID 3068 wrote to memory of 3104	3068	5a63e7d371dd69c5625f5b48da426c14.exe	108
PID 3068 wrote to memory of 3104	3068	5a63e7d371dd69c5625f5b48da426c14.exe	108
PID 3104 wrote to memory of 2916	3104	cmd.exe	110
PID 3104 wrote to memory of 2916	3104	cmd.exe	110
PID 3104 wrote to memory of 2916	3104	cmd.exe	110
PID 3068 wrote to memory of 1168	3068	5a63e7d371dd69c5625f5b48da426c14.exe	111
PID 3068 wrote to memory of 1168	3068	5a63e7d371dd69c5625f5b48da426c14.exe	111
PID 3068 wrote to memory of 1168	3068	5a63e7d371dd69c5625f5b48da426c14.exe	111
PID 1168 wrote to memory of 1564	1168	cmd.exe	113
PID 1168 wrote to memory of 1564	1168	cmd.exe	113
PID 1168 wrote to memory of 1564	1168	cmd.exe	113
PID 3068 wrote to memory of 2340	3068	5a63e7d371dd69c5625f5b48da426c14.exe	114
PID 3068 wrote to memory of 2340	3068	5a63e7d371dd69c5625f5b48da426c14.exe	114
PID 3068 wrote to memory of 2340	3068	5a63e7d371dd69c5625f5b48da426c14.exe	114
PID 2340 wrote to memory of 1324	2340	cmd.exe	116
PID 2340 wrote to memory of 1324	2340	cmd.exe	116
PID 2340 wrote to memory of 1324	2340	cmd.exe	116
PID 3068 wrote to memory of 3768	3068	5a63e7d371dd69c5625f5b48da426c14.exe	117
PID 3068 wrote to memory of 3768	3068	5a63e7d371dd69c5625f5b48da426c14.exe	117
PID 3068 wrote to memory of 3768	3068	5a63e7d371dd69c5625f5b48da426c14.exe	117
PID 3768 wrote to memory of 3796	3768	cmd.exe	119
PID 3768 wrote to memory of 3796	3768	cmd.exe	119
PID 3768 wrote to memory of 3796	3768	cmd.exe	119
PID 3068 wrote to memory of 572	3068	5a63e7d371dd69c5625f5b48da426c14.exe	120
PID 3068 wrote to memory of 572	3068	5a63e7d371dd69c5625f5b48da426c14.exe	120
PID 3068 wrote to memory of 572	3068	5a63e7d371dd69c5625f5b48da426c14.exe	120
PID 572 wrote to memory of 500	572	cmd.exe	122
PID 572 wrote to memory of 500	572	cmd.exe	122
PID 572 wrote to memory of 500	572	cmd.exe	122
PID 3068 wrote to memory of 1512	3068	5a63e7d371dd69c5625f5b48da426c14.exe	123
PID 3068 wrote to memory of 1512	3068	5a63e7d371dd69c5625f5b48da426c14.exe	123
PID 3068 wrote to memory of 1512	3068	5a63e7d371dd69c5625f5b48da426c14.exe	123
PID 1512 wrote to memory of 488	1512	cmd.exe	125
PID 1512 wrote to memory of 488	1512	cmd.exe	125
PID 1512 wrote to memory of 488	1512	cmd.exe	125
PID 3068 wrote to memory of 4004	3068	5a63e7d371dd69c5625f5b48da426c14.exe	126
PID 3068 wrote to memory of 4004	3068	5a63e7d371dd69c5625f5b48da426c14.exe	126
PID 3068 wrote to memory of 4004	3068	5a63e7d371dd69c5625f5b48da426c14.exe	126
PID 4004 wrote to memory of 692	4004	cmd.exe	128
PID 4004 wrote to memory of 692	4004	cmd.exe	128
PID 4004 wrote to memory of 692	4004	cmd.exe	128
PID 3068 wrote to memory of 3284	3068	5a63e7d371dd69c5625f5b48da426c14.exe	129
PID 3068 wrote to memory of 3284	3068	5a63e7d371dd69c5625f5b48da426c14.exe	129
PID 3068 wrote to memory of 3284	3068	5a63e7d371dd69c5625f5b48da426c14.exe	129
PID 3284 wrote to memory of 3976	3284	cmd.exe	131
PID 3284 wrote to memory of 3976	3284	cmd.exe	131
PID 3284 wrote to memory of 3976	3284	cmd.exe	131
PID 3068 wrote to memory of 3104	3068	5a63e7d371dd69c5625f5b48da426c14.exe	132
PID 3068 wrote to memory of 3104	3068	5a63e7d371dd69c5625f5b48da426c14.exe	132
PID 3068 wrote to memory of 3104	3068	5a63e7d371dd69c5625f5b48da426c14.exe	132
PID 3104 wrote to memory of 1796	3104	cmd.exe	134
PID 3104 wrote to memory of 1796	3104	cmd.exe	134
PID 3104 wrote to memory of 1796	3104	cmd.exe	134
PID 3068 wrote to memory of 2108	3068	5a63e7d371dd69c5625f5b48da426c14.exe	135
PID 3068 wrote to memory of 2108	3068	5a63e7d371dd69c5625f5b48da426c14.exe	135
PID 3068 wrote to memory of 2108	3068	5a63e7d371dd69c5625f5b48da426c14.exe	135
PID 2108 wrote to memory of 1224	2108	cmd.exe	137
PID 2108 wrote to memory of 1224	2108	cmd.exe	137
PID 2108 wrote to memory of 1224	2108	cmd.exe	137
PID 3068 wrote to memory of 3760	3068	5a63e7d371dd69c5625f5b48da426c14.exe	138
PID 3068 wrote to memory of 3760	3068	5a63e7d371dd69c5625f5b48da426c14.exe	138
PID 3068 wrote to memory of 3760	3068	5a63e7d371dd69c5625f5b48da426c14.exe	138
PID 3760 wrote to memory of 1292	3760	cmd.exe	140
PID 3760 wrote to memory of 1292	3760	cmd.exe	140
PID 3760 wrote to memory of 1292	3760	cmd.exe	140
PID 3068 wrote to memory of 3144	3068	5a63e7d371dd69c5625f5b48da426c14.exe	141
PID 3068 wrote to memory of 3144	3068	5a63e7d371dd69c5625f5b48da426c14.exe	141
PID 3068 wrote to memory of 3144	3068	5a63e7d371dd69c5625f5b48da426c14.exe	141
PID 3144 wrote to memory of 896	3144	cmd.exe	143
PID 3144 wrote to memory of 896	3144	cmd.exe	143
PID 3144 wrote to memory of 896	3144	cmd.exe	143
PID 3068 wrote to memory of 412	3068	5a63e7d371dd69c5625f5b48da426c14.exe	144
PID 3068 wrote to memory of 412	3068	5a63e7d371dd69c5625f5b48da426c14.exe	144
PID 3068 wrote to memory of 412	3068	5a63e7d371dd69c5625f5b48da426c14.exe	144
PID 412 wrote to memory of 540	412	cmd.exe	146
PID 412 wrote to memory of 540	412	cmd.exe	146
PID 412 wrote to memory of 540	412	cmd.exe	146
PID 3068 wrote to memory of 1840	3068	5a63e7d371dd69c5625f5b48da426c14.exe	147
PID 3068 wrote to memory of 1840	3068	5a63e7d371dd69c5625f5b48da426c14.exe	147
PID 3068 wrote to memory of 1840	3068	5a63e7d371dd69c5625f5b48da426c14.exe	147
PID 1840 wrote to memory of 424	1840	cmd.exe	149
PID 1840 wrote to memory of 424	1840	cmd.exe	149
PID 1840 wrote to memory of 424	1840	cmd.exe	149
PID 3068 wrote to memory of 3892	3068	5a63e7d371dd69c5625f5b48da426c14.exe	150
PID 3068 wrote to memory of 3892	3068	5a63e7d371dd69c5625f5b48da426c14.exe	150
PID 3068 wrote to memory of 3892	3068	5a63e7d371dd69c5625f5b48da426c14.exe	150
PID 3892 wrote to memory of 1104	3892	cmd.exe	152
PID 3892 wrote to memory of 1104	3892	cmd.exe	152
PID 3892 wrote to memory of 1104	3892	cmd.exe	152
PID 3068 wrote to memory of 2192	3068	5a63e7d371dd69c5625f5b48da426c14.exe	153
PID 3068 wrote to memory of 2192	3068	5a63e7d371dd69c5625f5b48da426c14.exe	153
PID 3068 wrote to memory of 2192	3068	5a63e7d371dd69c5625f5b48da426c14.exe	153
PID 2192 wrote to memory of 692	2192	cmd.exe	155
PID 2192 wrote to memory of 692	2192	cmd.exe	155
PID 2192 wrote to memory of 692	2192	cmd.exe	155
PID 3068 wrote to memory of 1636	3068	5a63e7d371dd69c5625f5b48da426c14.exe	156
PID 3068 wrote to memory of 1636	3068	5a63e7d371dd69c5625f5b48da426c14.exe	156
PID 3068 wrote to memory of 1636	3068	5a63e7d371dd69c5625f5b48da426c14.exe	156
PID 1636 wrote to memory of 3976	1636	cmd.exe	158
PID 1636 wrote to memory of 3976	1636	cmd.exe	158
PID 1636 wrote to memory of 3976	1636	cmd.exe	158
PID 3068 wrote to memory of 3640	3068	5a63e7d371dd69c5625f5b48da426c14.exe	159
PID 3068 wrote to memory of 3640	3068	5a63e7d371dd69c5625f5b48da426c14.exe	159
PID 3068 wrote to memory of 3640	3068	5a63e7d371dd69c5625f5b48da426c14.exe	159
PID 3640 wrote to memory of 1780	3640	cmd.exe	161
PID 3640 wrote to memory of 1780	3640	cmd.exe	161
PID 3640 wrote to memory of 1780	3640	cmd.exe	161
PID 3068 wrote to memory of 2092	3068	5a63e7d371dd69c5625f5b48da426c14.exe	162
PID 3068 wrote to memory of 2092	3068	5a63e7d371dd69c5625f5b48da426c14.exe	162
PID 3068 wrote to memory of 2092	3068	5a63e7d371dd69c5625f5b48da426c14.exe	162
PID 2092 wrote to memory of 1216	2092	cmd.exe	164
PID 2092 wrote to memory of 1216	2092	cmd.exe	164
PID 2092 wrote to memory of 1216	2092	cmd.exe	164
PID 3068 wrote to memory of 3780	3068	5a63e7d371dd69c5625f5b48da426c14.exe	165
PID 3068 wrote to memory of 3780	3068	5a63e7d371dd69c5625f5b48da426c14.exe	165
PID 3068 wrote to memory of 3780	3068	5a63e7d371dd69c5625f5b48da426c14.exe	165
PID 3780 wrote to memory of 1304	3780	cmd.exe	167
PID 3780 wrote to memory of 1304	3780	cmd.exe	167
PID 3780 wrote to memory of 1304	3780	cmd.exe	167
PID 3068 wrote to memory of 3760	3068	5a63e7d371dd69c5625f5b48da426c14.exe	168
PID 3068 wrote to memory of 3760	3068	5a63e7d371dd69c5625f5b48da426c14.exe	168
PID 3068 wrote to memory of 3760	3068	5a63e7d371dd69c5625f5b48da426c14.exe	168
PID 3760 wrote to memory of 2684	3760	cmd.exe	170
PID 3760 wrote to memory of 2684	3760	cmd.exe	170
PID 3760 wrote to memory of 2684	3760	cmd.exe	170
PID 3068 wrote to memory of 3812	3068	5a63e7d371dd69c5625f5b48da426c14.exe	171
PID 3068 wrote to memory of 3812	3068	5a63e7d371dd69c5625f5b48da426c14.exe	171
PID 3068 wrote to memory of 3812	3068	5a63e7d371dd69c5625f5b48da426c14.exe	171
PID 3812 wrote to memory of 3144	3812	cmd.exe	173
PID 3812 wrote to memory of 3144	3812	cmd.exe	173
PID 3812 wrote to memory of 3144	3812	cmd.exe	173
PID 3068 wrote to memory of 796	3068	5a63e7d371dd69c5625f5b48da426c14.exe	174
PID 3068 wrote to memory of 796	3068	5a63e7d371dd69c5625f5b48da426c14.exe	174
PID 3068 wrote to memory of 796	3068	5a63e7d371dd69c5625f5b48da426c14.exe	174
PID 796 wrote to memory of 1508	796	cmd.exe	176
PID 796 wrote to memory of 1508	796	cmd.exe	176
PID 796 wrote to memory of 1508	796	cmd.exe	176
PID 3068 wrote to memory of 2980	3068	5a63e7d371dd69c5625f5b48da426c14.exe	177
PID 3068 wrote to memory of 2980	3068	5a63e7d371dd69c5625f5b48da426c14.exe	177
PID 3068 wrote to memory of 2980	3068	5a63e7d371dd69c5625f5b48da426c14.exe	177
PID 2980 wrote to memory of 488	2980	cmd.exe	179
PID 2980 wrote to memory of 488	2980	cmd.exe	179
PID 2980 wrote to memory of 488	2980	cmd.exe	179
PID 3068 wrote to memory of 644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	180
PID 3068 wrote to memory of 644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	180
PID 3068 wrote to memory of 644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	180
PID 644 wrote to memory of 2940	644	cmd.exe	182
PID 644 wrote to memory of 2940	644	cmd.exe	182
PID 644 wrote to memory of 2940	644	cmd.exe	182
PID 3068 wrote to memory of 3792	3068	5a63e7d371dd69c5625f5b48da426c14.exe	183
PID 3068 wrote to memory of 3792	3068	5a63e7d371dd69c5625f5b48da426c14.exe	183
PID 3068 wrote to memory of 3792	3068	5a63e7d371dd69c5625f5b48da426c14.exe	183
PID 3792 wrote to memory of 1040	3792	cmd.exe	185
PID 3792 wrote to memory of 1040	3792	cmd.exe	185
PID 3792 wrote to memory of 1040	3792	cmd.exe	185
PID 3068 wrote to memory of 504	3068	5a63e7d371dd69c5625f5b48da426c14.exe	186
PID 3068 wrote to memory of 504	3068	5a63e7d371dd69c5625f5b48da426c14.exe	186
PID 3068 wrote to memory of 504	3068	5a63e7d371dd69c5625f5b48da426c14.exe	186
PID 504 wrote to memory of 3032	504	cmd.exe	188
PID 504 wrote to memory of 3032	504	cmd.exe	188
PID 504 wrote to memory of 3032	504	cmd.exe	188
PID 3068 wrote to memory of 1156	3068	5a63e7d371dd69c5625f5b48da426c14.exe	189
PID 3068 wrote to memory of 1156	3068	5a63e7d371dd69c5625f5b48da426c14.exe	189
PID 3068 wrote to memory of 1156	3068	5a63e7d371dd69c5625f5b48da426c14.exe	189
PID 1156 wrote to memory of 3668	1156	cmd.exe	191
PID 1156 wrote to memory of 3668	1156	cmd.exe	191
PID 1156 wrote to memory of 3668	1156	cmd.exe	191
PID 3068 wrote to memory of 1788	3068	5a63e7d371dd69c5625f5b48da426c14.exe	192
PID 3068 wrote to memory of 1788	3068	5a63e7d371dd69c5625f5b48da426c14.exe	192
PID 3068 wrote to memory of 1788	3068	5a63e7d371dd69c5625f5b48da426c14.exe	192
PID 1788 wrote to memory of 3004	1788	cmd.exe	194
PID 1788 wrote to memory of 3004	1788	cmd.exe	194
PID 1788 wrote to memory of 3004	1788	cmd.exe	194
PID 3068 wrote to memory of 1228	3068	5a63e7d371dd69c5625f5b48da426c14.exe	195
PID 3068 wrote to memory of 1228	3068	5a63e7d371dd69c5625f5b48da426c14.exe	195
PID 3068 wrote to memory of 1228	3068	5a63e7d371dd69c5625f5b48da426c14.exe	195
PID 1228 wrote to memory of 2540	1228	cmd.exe	197
PID 1228 wrote to memory of 2540	1228	cmd.exe	197
PID 1228 wrote to memory of 2540	1228	cmd.exe	197
PID 3068 wrote to memory of 3732	3068	5a63e7d371dd69c5625f5b48da426c14.exe	198
PID 3068 wrote to memory of 3732	3068	5a63e7d371dd69c5625f5b48da426c14.exe	198
PID 3068 wrote to memory of 3732	3068	5a63e7d371dd69c5625f5b48da426c14.exe	198
PID 3732 wrote to memory of 3856	3732	cmd.exe	200
PID 3732 wrote to memory of 3856	3732	cmd.exe	200
PID 3732 wrote to memory of 3856	3732	cmd.exe	200
PID 3068 wrote to memory of 1432	3068	5a63e7d371dd69c5625f5b48da426c14.exe	201
PID 3068 wrote to memory of 1432	3068	5a63e7d371dd69c5625f5b48da426c14.exe	201
PID 3068 wrote to memory of 1432	3068	5a63e7d371dd69c5625f5b48da426c14.exe	201
PID 1432 wrote to memory of 840	1432	cmd.exe	203
PID 1432 wrote to memory of 840	1432	cmd.exe	203
PID 1432 wrote to memory of 840	1432	cmd.exe	203
PID 3068 wrote to memory of 3796	3068	5a63e7d371dd69c5625f5b48da426c14.exe	204
PID 3068 wrote to memory of 3796	3068	5a63e7d371dd69c5625f5b48da426c14.exe	204
PID 3068 wrote to memory of 3796	3068	5a63e7d371dd69c5625f5b48da426c14.exe	204
PID 3796 wrote to memory of 1008	3796	cmd.exe	206
PID 3796 wrote to memory of 1008	3796	cmd.exe	206
PID 3796 wrote to memory of 1008	3796	cmd.exe	206
PID 3068 wrote to memory of 2824	3068	5a63e7d371dd69c5625f5b48da426c14.exe	207
PID 3068 wrote to memory of 2824	3068	5a63e7d371dd69c5625f5b48da426c14.exe	207
PID 3068 wrote to memory of 2824	3068	5a63e7d371dd69c5625f5b48da426c14.exe	207
PID 2824 wrote to memory of 488	2824	cmd.exe	209
PID 2824 wrote to memory of 488	2824	cmd.exe	209
PID 2824 wrote to memory of 488	2824	cmd.exe	209
PID 3068 wrote to memory of 2076	3068	5a63e7d371dd69c5625f5b48da426c14.exe	210
PID 3068 wrote to memory of 2076	3068	5a63e7d371dd69c5625f5b48da426c14.exe	210
PID 3068 wrote to memory of 2076	3068	5a63e7d371dd69c5625f5b48da426c14.exe	210
PID 2076 wrote to memory of 2940	2076	cmd.exe	212
PID 2076 wrote to memory of 2940	2076	cmd.exe	212
PID 2076 wrote to memory of 2940	2076	cmd.exe	212
PID 3068 wrote to memory of 2160	3068	5a63e7d371dd69c5625f5b48da426c14.exe	213
PID 3068 wrote to memory of 2160	3068	5a63e7d371dd69c5625f5b48da426c14.exe	213
PID 3068 wrote to memory of 2160	3068	5a63e7d371dd69c5625f5b48da426c14.exe	213
PID 2160 wrote to memory of 1040	2160	cmd.exe	215
PID 2160 wrote to memory of 1040	2160	cmd.exe	215
PID 2160 wrote to memory of 1040	2160	cmd.exe	215
PID 3068 wrote to memory of 640	3068	5a63e7d371dd69c5625f5b48da426c14.exe	216
PID 3068 wrote to memory of 640	3068	5a63e7d371dd69c5625f5b48da426c14.exe	216
PID 3068 wrote to memory of 640	3068	5a63e7d371dd69c5625f5b48da426c14.exe	216
PID 640 wrote to memory of 3032	640	cmd.exe	218
PID 640 wrote to memory of 3032	640	cmd.exe	218
PID 640 wrote to memory of 3032	640	cmd.exe	218
PID 3068 wrote to memory of 2644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	219
PID 3068 wrote to memory of 2644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	219
PID 3068 wrote to memory of 2644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	219
PID 2644 wrote to memory of 3668	2644	cmd.exe	221
PID 2644 wrote to memory of 3668	2644	cmd.exe	221
PID 2644 wrote to memory of 3668	2644	cmd.exe	221
PID 3068 wrote to memory of 1796	3068	5a63e7d371dd69c5625f5b48da426c14.exe	222
PID 3068 wrote to memory of 1796	3068	5a63e7d371dd69c5625f5b48da426c14.exe	222
PID 3068 wrote to memory of 1796	3068	5a63e7d371dd69c5625f5b48da426c14.exe	222
PID 1796 wrote to memory of 3004	1796	cmd.exe	224
PID 1796 wrote to memory of 3004	1796	cmd.exe	224
PID 1796 wrote to memory of 3004	1796	cmd.exe	224
PID 3068 wrote to memory of 1224	3068	5a63e7d371dd69c5625f5b48da426c14.exe	225
PID 3068 wrote to memory of 1224	3068	5a63e7d371dd69c5625f5b48da426c14.exe	225
PID 3068 wrote to memory of 1224	3068	5a63e7d371dd69c5625f5b48da426c14.exe	225
PID 1224 wrote to memory of 2540	1224	cmd.exe	227
PID 1224 wrote to memory of 2540	1224	cmd.exe	227
PID 1224 wrote to memory of 2540	1224	cmd.exe	227
PID 3068 wrote to memory of 3756	3068	5a63e7d371dd69c5625f5b48da426c14.exe	228
PID 3068 wrote to memory of 3756	3068	5a63e7d371dd69c5625f5b48da426c14.exe	228
PID 3068 wrote to memory of 3756	3068	5a63e7d371dd69c5625f5b48da426c14.exe	228
PID 3756 wrote to memory of 3856	3756	cmd.exe	230
PID 3756 wrote to memory of 3856	3756	cmd.exe	230
PID 3756 wrote to memory of 3856	3756	cmd.exe	230
PID 3068 wrote to memory of 3768	3068	5a63e7d371dd69c5625f5b48da426c14.exe	231
PID 3068 wrote to memory of 3768	3068	5a63e7d371dd69c5625f5b48da426c14.exe	231
PID 3068 wrote to memory of 3768	3068	5a63e7d371dd69c5625f5b48da426c14.exe	231
PID 3768 wrote to memory of 840	3768	cmd.exe	233
PID 3768 wrote to memory of 840	3768	cmd.exe	233
PID 3768 wrote to memory of 840	3768	cmd.exe	233
PID 3068 wrote to memory of 3808	3068	5a63e7d371dd69c5625f5b48da426c14.exe	234
PID 3068 wrote to memory of 3808	3068	5a63e7d371dd69c5625f5b48da426c14.exe	234
PID 3068 wrote to memory of 3808	3068	5a63e7d371dd69c5625f5b48da426c14.exe	234
PID 3808 wrote to memory of 1008	3808	cmd.exe	236
PID 3808 wrote to memory of 1008	3808	cmd.exe	236
PID 3808 wrote to memory of 1008	3808	cmd.exe	236
PID 3068 wrote to memory of 356	3068	5a63e7d371dd69c5625f5b48da426c14.exe	237
PID 3068 wrote to memory of 356	3068	5a63e7d371dd69c5625f5b48da426c14.exe	237
PID 3068 wrote to memory of 356	3068	5a63e7d371dd69c5625f5b48da426c14.exe	237
PID 356 wrote to memory of 488	356	cmd.exe	239
PID 356 wrote to memory of 488	356	cmd.exe	239
PID 356 wrote to memory of 488	356	cmd.exe	239
PID 3068 wrote to memory of 2548	3068	5a63e7d371dd69c5625f5b48da426c14.exe	240
PID 3068 wrote to memory of 2548	3068	5a63e7d371dd69c5625f5b48da426c14.exe	240
PID 3068 wrote to memory of 2548	3068	5a63e7d371dd69c5625f5b48da426c14.exe	240
PID 2548 wrote to memory of 2940	2548	cmd.exe	242
PID 2548 wrote to memory of 2940	2548	cmd.exe	242
PID 2548 wrote to memory of 2940	2548	cmd.exe	242
PID 3068 wrote to memory of 1584	3068	5a63e7d371dd69c5625f5b48da426c14.exe	243
PID 3068 wrote to memory of 1584	3068	5a63e7d371dd69c5625f5b48da426c14.exe	243
PID 3068 wrote to memory of 1584	3068	5a63e7d371dd69c5625f5b48da426c14.exe	243
PID 1584 wrote to memory of 3892	1584	cmd.exe	245
PID 1584 wrote to memory of 3892	1584	cmd.exe	245
PID 1584 wrote to memory of 3892	1584	cmd.exe	245
PID 3068 wrote to memory of 1052	3068	5a63e7d371dd69c5625f5b48da426c14.exe	246
PID 3068 wrote to memory of 1052	3068	5a63e7d371dd69c5625f5b48da426c14.exe	246
PID 3068 wrote to memory of 1052	3068	5a63e7d371dd69c5625f5b48da426c14.exe	246
PID 1052 wrote to memory of 2192	1052	cmd.exe	248
PID 1052 wrote to memory of 2192	1052	cmd.exe	248
PID 1052 wrote to memory of 2192	1052	cmd.exe	248
PID 3068 wrote to memory of 1644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	249
PID 3068 wrote to memory of 1644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	249
PID 3068 wrote to memory of 1644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	249
PID 1644 wrote to memory of 3908	1644	cmd.exe	251
PID 1644 wrote to memory of 3908	1644	cmd.exe	251
PID 1644 wrote to memory of 3908	1644	cmd.exe	251
PID 3068 wrote to memory of 1564	3068	5a63e7d371dd69c5625f5b48da426c14.exe	252
PID 3068 wrote to memory of 1564	3068	5a63e7d371dd69c5625f5b48da426c14.exe	252
PID 3068 wrote to memory of 1564	3068	5a63e7d371dd69c5625f5b48da426c14.exe	252
PID 1564 wrote to memory of 1780	1564	cmd.exe	254
PID 1564 wrote to memory of 1780	1564	cmd.exe	254
PID 1564 wrote to memory of 1780	1564	cmd.exe	254
PID 3068 wrote to memory of 3692	3068	5a63e7d371dd69c5625f5b48da426c14.exe	255
PID 3068 wrote to memory of 3692	3068	5a63e7d371dd69c5625f5b48da426c14.exe	255
PID 3068 wrote to memory of 3692	3068	5a63e7d371dd69c5625f5b48da426c14.exe	255
PID 3692 wrote to memory of 2092	3692	cmd.exe	257
PID 3692 wrote to memory of 2092	3692	cmd.exe	257
PID 3692 wrote to memory of 2092	3692	cmd.exe	257
PID 3068 wrote to memory of 1888	3068	5a63e7d371dd69c5625f5b48da426c14.exe	258
PID 3068 wrote to memory of 1888	3068	5a63e7d371dd69c5625f5b48da426c14.exe	258
PID 3068 wrote to memory of 1888	3068	5a63e7d371dd69c5625f5b48da426c14.exe	258
PID 1888 wrote to memory of 1332	1888	cmd.exe	260
PID 1888 wrote to memory of 1332	1888	cmd.exe	260
PID 1888 wrote to memory of 1332	1888	cmd.exe	260
PID 3068 wrote to memory of 2536	3068	5a63e7d371dd69c5625f5b48da426c14.exe	261
PID 3068 wrote to memory of 2536	3068	5a63e7d371dd69c5625f5b48da426c14.exe	261
PID 3068 wrote to memory of 2536	3068	5a63e7d371dd69c5625f5b48da426c14.exe	261
PID 2536 wrote to memory of 2684	2536	cmd.exe	263
PID 2536 wrote to memory of 2684	2536	cmd.exe	263
PID 2536 wrote to memory of 2684	2536	cmd.exe	263
PID 3068 wrote to memory of 1428	3068	5a63e7d371dd69c5625f5b48da426c14.exe	264
PID 3068 wrote to memory of 1428	3068	5a63e7d371dd69c5625f5b48da426c14.exe	264
PID 3068 wrote to memory of 1428	3068	5a63e7d371dd69c5625f5b48da426c14.exe	264
PID 1428 wrote to memory of 1496	1428	cmd.exe	266
PID 1428 wrote to memory of 1496	1428	cmd.exe	266
PID 1428 wrote to memory of 1496	1428	cmd.exe	266
PID 3068 wrote to memory of 540	3068	5a63e7d371dd69c5625f5b48da426c14.exe	267
PID 3068 wrote to memory of 540	3068	5a63e7d371dd69c5625f5b48da426c14.exe	267
PID 3068 wrote to memory of 540	3068	5a63e7d371dd69c5625f5b48da426c14.exe	267
PID 540 wrote to memory of 1000	540	cmd.exe	269
PID 540 wrote to memory of 1000	540	cmd.exe	269
PID 540 wrote to memory of 1000	540	cmd.exe	269
PID 3068 wrote to memory of 904	3068	5a63e7d371dd69c5625f5b48da426c14.exe	270
PID 3068 wrote to memory of 904	3068	5a63e7d371dd69c5625f5b48da426c14.exe	270
PID 3068 wrote to memory of 904	3068	5a63e7d371dd69c5625f5b48da426c14.exe	270
PID 904 wrote to memory of 2152	904	cmd.exe	272
PID 904 wrote to memory of 2152	904	cmd.exe	272
PID 904 wrote to memory of 2152	904	cmd.exe	272
PID 3068 wrote to memory of 2164	3068	5a63e7d371dd69c5625f5b48da426c14.exe	273
PID 3068 wrote to memory of 2164	3068	5a63e7d371dd69c5625f5b48da426c14.exe	273
PID 3068 wrote to memory of 2164	3068	5a63e7d371dd69c5625f5b48da426c14.exe	273
PID 2164 wrote to memory of 1604	2164	cmd.exe	275
PID 2164 wrote to memory of 1604	2164	cmd.exe	275
PID 2164 wrote to memory of 1604	2164	cmd.exe	275
PID 3068 wrote to memory of 3100	3068	5a63e7d371dd69c5625f5b48da426c14.exe	276
PID 3068 wrote to memory of 3100	3068	5a63e7d371dd69c5625f5b48da426c14.exe	276
PID 3068 wrote to memory of 3100	3068	5a63e7d371dd69c5625f5b48da426c14.exe	276
PID 3100 wrote to memory of 648	3100	cmd.exe	278
PID 3100 wrote to memory of 648	3100	cmd.exe	278
PID 3100 wrote to memory of 648	3100	cmd.exe	278
PID 3068 wrote to memory of 380	3068	5a63e7d371dd69c5625f5b48da426c14.exe	279
PID 3068 wrote to memory of 380	3068	5a63e7d371dd69c5625f5b48da426c14.exe	279
PID 3068 wrote to memory of 380	3068	5a63e7d371dd69c5625f5b48da426c14.exe	279
PID 380 wrote to memory of 3088	380	cmd.exe	281
PID 380 wrote to memory of 3088	380	cmd.exe	281
PID 380 wrote to memory of 3088	380	cmd.exe	281
PID 3068 wrote to memory of 1648	3068	5a63e7d371dd69c5625f5b48da426c14.exe	282
PID 3068 wrote to memory of 1648	3068	5a63e7d371dd69c5625f5b48da426c14.exe	282
PID 3068 wrote to memory of 1648	3068	5a63e7d371dd69c5625f5b48da426c14.exe	282
PID 1648 wrote to memory of 1792	1648	cmd.exe	284
PID 1648 wrote to memory of 1792	1648	cmd.exe	284
PID 1648 wrote to memory of 1792	1648	cmd.exe	284
PID 3068 wrote to memory of 1564	3068	5a63e7d371dd69c5625f5b48da426c14.exe	285
PID 3068 wrote to memory of 1564	3068	5a63e7d371dd69c5625f5b48da426c14.exe	285
PID 3068 wrote to memory of 1564	3068	5a63e7d371dd69c5625f5b48da426c14.exe	285
PID 1564 wrote to memory of 3200	1564	cmd.exe	287
PID 1564 wrote to memory of 3200	1564	cmd.exe	287
PID 1564 wrote to memory of 3200	1564	cmd.exe	287
PID 3068 wrote to memory of 2068	3068	5a63e7d371dd69c5625f5b48da426c14.exe	288
PID 3068 wrote to memory of 2068	3068	5a63e7d371dd69c5625f5b48da426c14.exe	288
PID 3068 wrote to memory of 2068	3068	5a63e7d371dd69c5625f5b48da426c14.exe	288
PID 2068 wrote to memory of 1324	2068	cmd.exe	290
PID 2068 wrote to memory of 1324	2068	cmd.exe	290
PID 2068 wrote to memory of 1324	2068	cmd.exe	290
PID 3068 wrote to memory of 1224	3068	5a63e7d371dd69c5625f5b48da426c14.exe	291
PID 3068 wrote to memory of 1224	3068	5a63e7d371dd69c5625f5b48da426c14.exe	291
PID 3068 wrote to memory of 1224	3068	5a63e7d371dd69c5625f5b48da426c14.exe	291
PID 1224 wrote to memory of 3500	1224	cmd.exe	293
PID 1224 wrote to memory of 3500	1224	cmd.exe	293
PID 1224 wrote to memory of 3500	1224	cmd.exe	293
PID 3068 wrote to memory of 3756	3068	5a63e7d371dd69c5625f5b48da426c14.exe	294
PID 3068 wrote to memory of 3756	3068	5a63e7d371dd69c5625f5b48da426c14.exe	294
PID 3068 wrote to memory of 3756	3068	5a63e7d371dd69c5625f5b48da426c14.exe	294
PID 3756 wrote to memory of 412	3756	cmd.exe	296
PID 3756 wrote to memory of 412	3756	cmd.exe	296
PID 3756 wrote to memory of 412	3756	cmd.exe	296
PID 3068 wrote to memory of 3768	3068	5a63e7d371dd69c5625f5b48da426c14.exe	297
PID 3068 wrote to memory of 3768	3068	5a63e7d371dd69c5625f5b48da426c14.exe	297
PID 3068 wrote to memory of 3768	3068	5a63e7d371dd69c5625f5b48da426c14.exe	297
PID 3768 wrote to memory of 408	3768	cmd.exe	299
PID 3768 wrote to memory of 408	3768	cmd.exe	299
PID 3768 wrote to memory of 408	3768	cmd.exe	299
PID 3068 wrote to memory of 3808	3068	5a63e7d371dd69c5625f5b48da426c14.exe	300
PID 3068 wrote to memory of 3808	3068	5a63e7d371dd69c5625f5b48da426c14.exe	300
PID 3068 wrote to memory of 3808	3068	5a63e7d371dd69c5625f5b48da426c14.exe	300
PID 3808 wrote to memory of 2180	3808	cmd.exe	302
PID 3808 wrote to memory of 2180	3808	cmd.exe	302
PID 3808 wrote to memory of 2180	3808	cmd.exe	302
PID 3068 wrote to memory of 356	3068	5a63e7d371dd69c5625f5b48da426c14.exe	303
PID 3068 wrote to memory of 356	3068	5a63e7d371dd69c5625f5b48da426c14.exe	303
PID 3068 wrote to memory of 356	3068	5a63e7d371dd69c5625f5b48da426c14.exe	303
PID 356 wrote to memory of 3792	356	cmd.exe	305
PID 356 wrote to memory of 3792	356	cmd.exe	305
PID 356 wrote to memory of 3792	356	cmd.exe	305
PID 3068 wrote to memory of 2548	3068	5a63e7d371dd69c5625f5b48da426c14.exe	306
PID 3068 wrote to memory of 2548	3068	5a63e7d371dd69c5625f5b48da426c14.exe	306
PID 3068 wrote to memory of 2548	3068	5a63e7d371dd69c5625f5b48da426c14.exe	306
PID 2548 wrote to memory of 504	2548	cmd.exe	308
PID 2548 wrote to memory of 504	2548	cmd.exe	308
PID 2548 wrote to memory of 504	2548	cmd.exe	308
PID 3068 wrote to memory of 1584	3068	5a63e7d371dd69c5625f5b48da426c14.exe	309
PID 3068 wrote to memory of 1584	3068	5a63e7d371dd69c5625f5b48da426c14.exe	309
PID 3068 wrote to memory of 1584	3068	5a63e7d371dd69c5625f5b48da426c14.exe	309
PID 1584 wrote to memory of 1156	1584	cmd.exe	311
PID 1584 wrote to memory of 1156	1584	cmd.exe	311
PID 1584 wrote to memory of 1156	1584	cmd.exe	311
PID 3068 wrote to memory of 1052	3068	5a63e7d371dd69c5625f5b48da426c14.exe	312
PID 3068 wrote to memory of 1052	3068	5a63e7d371dd69c5625f5b48da426c14.exe	312
PID 3068 wrote to memory of 1052	3068	5a63e7d371dd69c5625f5b48da426c14.exe	312
PID 1052 wrote to memory of 3640	1052	cmd.exe	314
PID 1052 wrote to memory of 3640	1052	cmd.exe	314
PID 1052 wrote to memory of 3640	1052	cmd.exe	314
PID 3068 wrote to memory of 1644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	315
PID 3068 wrote to memory of 1644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	315
PID 3068 wrote to memory of 1644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	315
PID 1644 wrote to memory of 2344	1644	cmd.exe	317
PID 1644 wrote to memory of 2344	1644	cmd.exe	317
PID 1644 wrote to memory of 2344	1644	cmd.exe	317
PID 3068 wrote to memory of 2340	3068	5a63e7d371dd69c5625f5b48da426c14.exe	318
PID 3068 wrote to memory of 2340	3068	5a63e7d371dd69c5625f5b48da426c14.exe	318
PID 3068 wrote to memory of 2340	3068	5a63e7d371dd69c5625f5b48da426c14.exe	318
PID 2340 wrote to memory of 3856	2340	cmd.exe	320
PID 2340 wrote to memory of 3856	2340	cmd.exe	320
PID 2340 wrote to memory of 3856	2340	cmd.exe	320
PID 3068 wrote to memory of 3836	3068	5a63e7d371dd69c5625f5b48da426c14.exe	321
PID 3068 wrote to memory of 3836	3068	5a63e7d371dd69c5625f5b48da426c14.exe	321
PID 3068 wrote to memory of 3836	3068	5a63e7d371dd69c5625f5b48da426c14.exe	321
PID 3836 wrote to memory of 840	3836	cmd.exe	323
PID 3836 wrote to memory of 840	3836	cmd.exe	323
PID 3836 wrote to memory of 840	3836	cmd.exe	323
PID 3068 wrote to memory of 2604	3068	5a63e7d371dd69c5625f5b48da426c14.exe	324
PID 3068 wrote to memory of 2604	3068	5a63e7d371dd69c5625f5b48da426c14.exe	324
PID 3068 wrote to memory of 2604	3068	5a63e7d371dd69c5625f5b48da426c14.exe	324
PID 2604 wrote to memory of 1008	2604	cmd.exe	326
PID 2604 wrote to memory of 1008	2604	cmd.exe	326
PID 2604 wrote to memory of 1008	2604	cmd.exe	326
PID 3068 wrote to memory of 3812	3068	5a63e7d371dd69c5625f5b48da426c14.exe	327
PID 3068 wrote to memory of 3812	3068	5a63e7d371dd69c5625f5b48da426c14.exe	327
PID 3068 wrote to memory of 3812	3068	5a63e7d371dd69c5625f5b48da426c14.exe	327
PID 3812 wrote to memory of 424	3812	cmd.exe	329
PID 3812 wrote to memory of 424	3812	cmd.exe	329
PID 3812 wrote to memory of 424	3812	cmd.exe	329
PID 3068 wrote to memory of 2800	3068	5a63e7d371dd69c5625f5b48da426c14.exe	330
PID 3068 wrote to memory of 2800	3068	5a63e7d371dd69c5625f5b48da426c14.exe	330
PID 3068 wrote to memory of 2800	3068	5a63e7d371dd69c5625f5b48da426c14.exe	330
PID 2800 wrote to memory of 2940	2800	cmd.exe	332
PID 2800 wrote to memory of 2940	2800	cmd.exe	332
PID 2800 wrote to memory of 2940	2800	cmd.exe	332
PID 3068 wrote to memory of 892	3068	5a63e7d371dd69c5625f5b48da426c14.exe	333
PID 3068 wrote to memory of 892	3068	5a63e7d371dd69c5625f5b48da426c14.exe	333
PID 3068 wrote to memory of 892	3068	5a63e7d371dd69c5625f5b48da426c14.exe	333
PID 892 wrote to memory of 3892	892	cmd.exe	335
PID 892 wrote to memory of 3892	892	cmd.exe	335
PID 892 wrote to memory of 3892	892	cmd.exe	335
PID 3068 wrote to memory of 2436	3068	5a63e7d371dd69c5625f5b48da426c14.exe	336
PID 3068 wrote to memory of 2436	3068	5a63e7d371dd69c5625f5b48da426c14.exe	336
PID 3068 wrote to memory of 2436	3068	5a63e7d371dd69c5625f5b48da426c14.exe	336
PID 2436 wrote to memory of 2192	2436	cmd.exe	338
PID 2436 wrote to memory of 2192	2436	cmd.exe	338
PID 2436 wrote to memory of 2192	2436	cmd.exe	338
PID 3068 wrote to memory of 2624	3068	5a63e7d371dd69c5625f5b48da426c14.exe	339
PID 3068 wrote to memory of 2624	3068	5a63e7d371dd69c5625f5b48da426c14.exe	339
PID 3068 wrote to memory of 2624	3068	5a63e7d371dd69c5625f5b48da426c14.exe	339
PID 2624 wrote to memory of 3908	2624	cmd.exe	341
PID 2624 wrote to memory of 3908	2624	cmd.exe	341
PID 2624 wrote to memory of 3908	2624	cmd.exe	341
PID 3068 wrote to memory of 3872	3068	5a63e7d371dd69c5625f5b48da426c14.exe	342
PID 3068 wrote to memory of 3872	3068	5a63e7d371dd69c5625f5b48da426c14.exe	342
PID 3068 wrote to memory of 3872	3068	5a63e7d371dd69c5625f5b48da426c14.exe	342
PID 3872 wrote to memory of 1788	3872	cmd.exe	344
PID 3872 wrote to memory of 1788	3872	cmd.exe	344
PID 3872 wrote to memory of 1788	3872	cmd.exe	344
PID 3068 wrote to memory of 2788	3068	5a63e7d371dd69c5625f5b48da426c14.exe	345
PID 3068 wrote to memory of 2788	3068	5a63e7d371dd69c5625f5b48da426c14.exe	345
PID 3068 wrote to memory of 2788	3068	5a63e7d371dd69c5625f5b48da426c14.exe	345
PID 2788 wrote to memory of 2092	2788	cmd.exe	347
PID 2788 wrote to memory of 2092	2788	cmd.exe	347
PID 2788 wrote to memory of 2092	2788	cmd.exe	347

Suspicious use of AdjustPrivilegeToken 129 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3956	WMIC.exe
Token: SeSecurityPrivilege	3956	WMIC.exe
Token: SeTakeOwnershipPrivilege	3956	WMIC.exe
Token: SeLoadDriverPrivilege	3956	WMIC.exe
Token: SeSystemProfilePrivilege	3956	WMIC.exe
Token: SeSystemtimePrivilege	3956	WMIC.exe
Token: SeProfSingleProcessPrivilege	3956	WMIC.exe
Token: SeIncBasePriorityPrivilege	3956	WMIC.exe
Token: SeCreatePagefilePrivilege	3956	WMIC.exe
Token: SeBackupPrivilege	3956	WMIC.exe
Token: SeRestorePrivilege	3956	WMIC.exe
Token: SeShutdownPrivilege	3956	WMIC.exe
Token: SeDebugPrivilege	3956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3956	WMIC.exe
Token: SeRemoteShutdownPrivilege	3956	WMIC.exe
Token: SeUndockPrivilege	3956	WMIC.exe
Token: SeManageVolumePrivilege	3956	WMIC.exe
Token: 33	3956	WMIC.exe
Token: 34	3956	WMIC.exe
Token: 35	3956	WMIC.exe
Token: 36	3956	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3956	WMIC.exe
Token: SeSecurityPrivilege	3956	WMIC.exe
Token: SeTakeOwnershipPrivilege	3956	WMIC.exe
Token: SeLoadDriverPrivilege	3956	WMIC.exe
Token: SeSystemProfilePrivilege	3956	WMIC.exe
Token: SeSystemtimePrivilege	3956	WMIC.exe
Token: SeProfSingleProcessPrivilege	3956	WMIC.exe
Token: SeIncBasePriorityPrivilege	3956	WMIC.exe
Token: SeCreatePagefilePrivilege	3956	WMIC.exe
Token: SeBackupPrivilege	3956	WMIC.exe
Token: SeRestorePrivilege	3956	WMIC.exe
Token: SeShutdownPrivilege	3956	WMIC.exe
Token: SeDebugPrivilege	3956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3956	WMIC.exe
Token: SeRemoteShutdownPrivilege	3956	WMIC.exe
Token: SeUndockPrivilege	3956	WMIC.exe
Token: SeManageVolumePrivilege	3956	WMIC.exe
Token: 33	3956	WMIC.exe
Token: 34	3956	WMIC.exe
Token: 35	3956	WMIC.exe
Token: 36	3956	WMIC.exe
Token: SeBackupPrivilege	1816	vssvc.exe
Token: SeRestorePrivilege	1816	vssvc.exe
Token: SeAuditPrivilege	1816	vssvc.exe
Token: SeDebugPrivilege	3520	taskkill.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	3904	taskkill.exe
Token: SeDebugPrivilege	3768	taskkill.exe
Token: SeDebugPrivilege	416	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	500	taskkill.exe
Token: SeDebugPrivilege	488	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	1224	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe
Token: SeDebugPrivilege	896	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	424	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	1216	taskkill.exe
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	488	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	3668	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	3856	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	488	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	3668	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	3856	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	488	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	3908	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	648	taskkill.exe
Token: SeDebugPrivilege	3088	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	3200	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	3500	taskkill.exe
Token: SeDebugPrivilege	412	taskkill.exe
Token: SeDebugPrivilege	408	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	3792	taskkill.exe
Token: SeDebugPrivilege	504	taskkill.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	2344	taskkill.exe
Token: SeDebugPrivilege	3856	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	424	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	3908	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\5a63e7d371dd69c5625f5b48da426c14.exe
"C:\Users\Admin\AppData\Local\Temp\5a63e7d371dd69c5625f5b48da426c14.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic.exe SHADOWCOPY DELETE /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3956
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  PID:3284
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit.exe /set {default} recoveryenabled No
  2⤵
  PID:3940
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:3768
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\vssvc.exe
  2⤵
  PID:3856
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wxServer*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wxServer*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3520
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wxServerView*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wxServerView*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlmangr*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlmangr*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3904
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM RAgui*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM RAgui*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3768
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM supervise*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM supervise*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:416
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Culture*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Culture*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3892
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Defwatch*
  2⤵
  PID:756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Defwatch*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM winword*
  2⤵
  PID:3104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM winword*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBW32*
  2⤵
  PID:1168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBW32*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgr*
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBDBMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM qbupdate*
  2⤵
  PID:3768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM qbupdate*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3796
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM axlbridge*
  2⤵
  PID:572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM axlbridge*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:500
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM httpd*
  2⤵
  PID:1512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM httpd*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:488
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fdlauncher*
  2⤵
  PID:4004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fdlauncher*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MsDtSrvr*
  2⤵
  PID:3284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MsDtSrvr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3976
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM java*
  2⤵
  PID:3104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM java*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM 360se*
  2⤵
  PID:2108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM 360se*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM 360doctor*
  2⤵
  PID:3760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM 360doctor*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wdswfsafe*
  2⤵
  PID:3144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wdswfsafe*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:896
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fdhost*
  2⤵
  PID:412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fdhost*
    3⤵
    - Kills process with taskkill
    PID:540
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM GDscan*
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM GDscan*
    3⤵
    - Kills process with taskkill
    PID:424
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ZhuDongFangYu*
  2⤵
  PID:3892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ZhuDongFangYu*
    3⤵
    - Kills process with taskkill
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgrN*
  2⤵
  PID:2192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBDBMgrN*
    3⤵
    PID:692
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM mysqld*
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM mysqld*
    3⤵
    PID:3976
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AutodeskDesktopApp*
  2⤵
  PID:3640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AutodeskDesktopApp*
    3⤵
    - Kills process with taskkill
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM acwebbrowser*
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM acwebbrowser*
    3⤵
    - Kills process with taskkill
    PID:1216
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Creative Cloud*
  2⤵
  PID:3780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Creative Cloud*
    3⤵
    - Kills process with taskkill
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Adobe Desktop Service*
  2⤵
  PID:3760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Adobe Desktop Service*
    3⤵
    - Kills process with taskkill
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM CoreSync*
  2⤵
  PID:3812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM CoreSync*
    3⤵
    - Kills process with taskkill
    PID:3144
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Adobe CEF Helper*
  2⤵
  PID:796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Adobe CEF Helper*
    3⤵
    - Kills process with taskkill
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM node*
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM node*
    3⤵
    - Kills process with taskkill
    PID:488
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AdobeIPCBroker*
  2⤵
  PID:644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AdobeIPCBroker*
    3⤵
    - Kills process with taskkill
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sync-taskbar*
  2⤵
  PID:3792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sync-taskbar*
    3⤵
    - Kills process with taskkill
    PID:1040
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sync-worker*
  2⤵
  PID:504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sync-worker*
    3⤵
    PID:3032
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM InputPersonalization*
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM InputPersonalization*
    3⤵
    PID:3668
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AdobeCollabSync*
  2⤵
  PID:1788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AdobeCollabSync*
    3⤵
    - Kills process with taskkill
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM BrCtrlCntr*
  2⤵
  PID:1228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM BrCtrlCntr*
    3⤵
    - Kills process with taskkill
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM BrCcUxSys*
  2⤵
  PID:3732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM BrCcUxSys*
    3⤵
    PID:3856
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SimplyConnectionManager*
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SimplyConnectionManager*
    3⤵
    - Kills process with taskkill
    PID:840
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
  2⤵
  PID:3796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Simply.SystemTrayIcon*
    3⤵
    PID:1008
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fbguard*
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fbguard*
    3⤵
    - Kills process with taskkill
    PID:488
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fbserver*
  2⤵
  PID:2076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fbserver*
    3⤵
    - Kills process with taskkill
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ONENOTEM*
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ONENOTEM*
    3⤵
    - Kills process with taskkill
    PID:1040
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wrapper*
  2⤵
  PID:640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wrapper*
    3⤵
    - Kills process with taskkill
    PID:3032
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM DefWatch*
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM DefWatch*
    3⤵
    PID:3668
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ccEvtMgr*
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ccEvtMgr*
    3⤵
    - Kills process with taskkill
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ccSetMgr*
  2⤵
  PID:1224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ccSetMgr*
    3⤵
    - Kills process with taskkill
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SavRoam*
  2⤵
  PID:3756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SavRoam*
    3⤵
    - Kills process with taskkill
    PID:3856
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Sqlservr*
  2⤵
  PID:3768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Sqlservr*
    3⤵
    PID:840
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlagent*
  2⤵
  PID:3808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlagent*
    3⤵
    PID:1008
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqladhlp*
  2⤵
  PID:356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqladhlp*
    3⤵
    - Kills process with taskkill
    PID:488
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Culserver*
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Culserver*
    3⤵
    - Kills process with taskkill
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM RTVscan*
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM RTVscan*
    3⤵
    - Kills process with taskkill
    PID:3892
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlbrowser*
  2⤵
  PID:1052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlbrowser*
    3⤵
    - Kills process with taskkill
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLADHLP*
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLADHLP*
    3⤵
    - Kills process with taskkill
    PID:3908
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBIDPService*
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBIDPService*
    3⤵
    - Kills process with taskkill
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
  2⤵
  PID:3692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:2092
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBCFMonitorService*
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBCFMonitorService*
    3⤵
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlwriter*
  2⤵
  PID:2536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlwriter*
    3⤵
    - Kills process with taskkill
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msmdsrv*
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msmdsrv*
    3⤵
    - Kills process with taskkill
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM tomcat6*
  2⤵
  PID:540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM tomcat6*
    3⤵
    PID:1000
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM zhudongfangyu*
  2⤵
  PID:904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM vmware-usbarbitator64*
  2⤵
  PID:2164
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM vmware-usbarbitator64*
    3⤵
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM vmware-converter*
  2⤵
  PID:3100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM vmware-converter*
    3⤵
    PID:648
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM dbsrv12*
  2⤵
  PID:380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM dbsrv12*
    3⤵
    - Kills process with taskkill
    PID:3088
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM dbeng8*
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM dbeng8*
    3⤵
    - Kills process with taskkill
    PID:1792
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    - Kills process with taskkill
    PID:3200
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
  2⤵
  PID:2068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
  2⤵
  PID:1224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:3500
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLBrowser*
  2⤵
  PID:3756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLBrowser*
    3⤵
    - Kills process with taskkill
    PID:412
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLWriter*
  2⤵
  PID:3768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLWriter*
    3⤵
    - Kills process with taskkill
    PID:408
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM FishbowlMySQL*
  2⤵
  PID:3808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM FishbowlMySQL*
    3⤵
    - Kills process with taskkill
    PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    - Kills process with taskkill
    PID:3792
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MySQL57*
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MySQL57*
    3⤵
    PID:504
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
    3⤵
    - Kills process with taskkill
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
  2⤵
  PID:1052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLServerADHelper100*
    3⤵
    PID:3640
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
    3⤵
    PID:2344
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msftesql-Exchange*
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msftesql-Exchange*
    3⤵
    - Kills process with taskkill
    PID:3856
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
  2⤵
  PID:3836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
    3⤵
    - Kills process with taskkill
    PID:840
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
  2⤵
  PID:2604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$SBSMONITORING*
    3⤵
    PID:1008
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
  2⤵
  PID:3812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:424
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
  2⤵
  PID:2800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
    3⤵
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
  2⤵
  PID:892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:3892
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
  2⤵
  PID:2436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
  2⤵
  PID:2624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:3908
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBFCService*
  2⤵
  PID:3872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBFCService*
    3⤵
    - Kills process with taskkill
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBVSS*
  2⤵
  PID:2788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBVSS*
    3⤵
    PID:2092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads