Analysis
max time kernel: 18s
max time network: 40s
platform: windows10_x64
resource: win10v200722
submitted: 27-07-2020 06:50
Static task: static1

Behavioral task: behavioral1
Sample: D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
Resource: win7

Behavioral task: behavioral2
Sample: D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
Resource: win10v200722
General
Target: D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
Size: 52KB
MD5: d4d32e7583b3fd8363ded73c91ed3d08
SHA1: 4079602dce0fb495ed0ec97c5aea5988127fb50c
SHA256: 2b37a372626063afce9e08199342a41bbe4183b0d5ba7864ff61eb6e6f7c4fdf
SHA512: e1ba8e27a19933f15e13ae310920bb74051b5dbe7d3408d8d5aad5f1b80ca7e2ac45d288115c357c9ffcf72a4d2ea29db513a591d64874d972b60962d746aadf
Malware Config
Signatures

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
pid   Process
2328  bcdedit.exe
2436  bcdedit.exe
Suspicious behavior: EnumeratesProcesses (106 IoCs)
pid   Process
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
504   powershell.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
508   powershell.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
508   powershell.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3940  powershell.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
504   powershell.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3940  powershell.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
508   powershell.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
504   powershell.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
description                   ioc                                                                                                   Process
File renamed                  C:\Users\Admin\Pictures\ConvertToUnblock.tif => C:\Users\Admin\Pictures\ConvertToUnblock.tif.ajrLsa  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
File opened for modification  C:\Users\Admin\Pictures\ConvertToUnblock.tif.ajrLsa                                                  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
Modifies service (2 TTPs, 5 IoCs)
description  ioc                                                                                                          Process
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                            vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer                       vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                                       vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}  vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                                     vssvc.exe
Kills process with taskkill (91 IoCs)
pid   Process
3824  taskkill.exe
3720  taskkill.exe
3740  taskkill.exe
3860  taskkill.exe
1676  taskkill.exe
1428  taskkill.exe
3004  taskkill.exe
3076  taskkill.exe
1920  taskkill.exe
2060  taskkill.exe
3972  taskkill.exe
276   taskkill.exe
3984  taskkill.exe
408   taskkill.exe
2388  taskkill.exe
412   taskkill.exe
2436  taskkill.exe
1672  taskkill.exe
3992  taskkill.exe
3828  taskkill.exe
3904  taskkill.exe
388   taskkill.exe
268   taskkill.exe
3940  taskkill.exe
4080  taskkill.exe
2408  taskkill.exe
2176  taskkill.exe
3068  taskkill.exe
2272  taskkill.exe
1524  taskkill.exe
3844  taskkill.exe
3084  taskkill.exe
3040  taskkill.exe
1520  taskkill.exe
2880  taskkill.exe
3280  taskkill.exe
3916  taskkill.exe
3760  taskkill.exe
1516  taskkill.exe
2736  taskkill.exe
260   taskkill.exe
2412  taskkill.exe
3472  taskkill.exe
3568  taskkill.exe
3680  taskkill.exe
3672  taskkill.exe
3932  taskkill.exe
1576  taskkill.exe
3424  taskkill.exe
1920  taskkill.exe
3416  taskkill.exe
2572  taskkill.exe
1412  taskkill.exe
1052  taskkill.exe
3988  taskkill.exe
3372  taskkill.exe
3728  taskkill.exe
3576  taskkill.exe
3676  taskkill.exe
3744  taskkill.exe
1848  taskkill.exe
1280  taskkill.exe
2492  taskkill.exe
496   taskkill.exe
2436  taskkill.exe
3896  taskkill.exe
2316  taskkill.exe
4084  taskkill.exe
3996  taskkill.exe
2308  taskkill.exe
3900  taskkill.exe
3964  taskkill.exe
2740  taskkill.exe
2036  taskkill.exe
2380  taskkill.exe
3780  taskkill.exe
2616  taskkill.exe
3980  taskkill.exe
1356  taskkill.exe
3864  taskkill.exe
272   taskkill.exe
504   taskkill.exe
3612  taskkill.exe
2564  taskkill.exe
1776  taskkill.exe
3388  taskkill.exe
260   taskkill.exe
1364  taskkill.exe
2756  taskkill.exe
3936  taskkill.exe
3484  taskkill.exe
Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
Drops file in Windows directory (6 IoCs)
description                   ioc                                            Process
File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.3.etl  wbadmin.exe
File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.2.etl  wbadmin.exe
File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.1.etl  wbadmin.exe
File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.3.etl  wbadmin.exe
File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.2.etl  wbadmin.exe
File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.1.etl  wbadmin.exe
Suspicious use of WriteProcessMemory (398 IoCs)
description                       pid   Process                                   procid_target
PID 3816 wrote to memory of 2588  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  67
PID 3816 wrote to memory of 2588  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  67
PID 2588 wrote to memory of 2860  2588  cmd.exe                                   69
PID 2588 wrote to memory of 2860  2588  cmd.exe                                   69
PID 3816 wrote to memory of 1280  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  73
PID 3816 wrote to memory of 1280  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  73
PID 1280 wrote to memory of 1528  1280  cmd.exe                                   75
PID 1280 wrote to memory of 1528  1280  cmd.exe                                   75
PID 3816 wrote to memory of 1672  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  76
PID 3816 wrote to memory of 1672  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  76
PID 1672 wrote to memory of 1916  1672  cmd.exe                                   78
PID 1672 wrote to memory of 1916  1672  cmd.exe                                   78
PID 3816 wrote to memory of 2060  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  79
PID 3816 wrote to memory of 2060  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  79
PID 2060 wrote to memory of 2328  2060  cmd.exe                                   81
PID 2060 wrote to memory of 2328  2060  cmd.exe                                   81
PID 3816 wrote to memory of 2308  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  82
PID 3816 wrote to memory of 2308  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  82
PID 2308 wrote to memory of 2436  2308  cmd.exe                                   84
PID 2308 wrote to memory of 2436  2308  cmd.exe                                   84
PID 3816 wrote to memory of 2780  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  85
PID 3816 wrote to memory of 2780  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  85
PID 2780 wrote to memory of 3672  2780  cmd.exe                                   87
PID 2780 wrote to memory of 3672  2780  cmd.exe                                   87
PID 3816 wrote to memory of 4080  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  88
PID 3816 wrote to memory of 4080  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  88
PID 4080 wrote to memory of 3852  4080  cmd.exe                                   90
PID 4080 wrote to memory of 3852  4080  cmd.exe                                   90
PID 3816 wrote to memory of 3936  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  91
PID 3816 wrote to memory of 3936  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  91
PID 3936 wrote to memory of 3984  3936  cmd.exe                                   93
PID 3936 wrote to memory of 3984  3936  cmd.exe                                   93
PID 3816 wrote to memory of 3964  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  94
PID 3816 wrote to memory of 3964  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  94
PID 3964 wrote to memory of 1676  3964  cmd.exe                                   96
PID 3964 wrote to memory of 1676  3964  cmd.exe                                   96
PID 3816 wrote to memory of 3484  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  97
PID 3816 wrote to memory of 3484  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  97
PID 3484 wrote to memory of 408   3484  cmd.exe                                   99
PID 3484 wrote to memory of 408   3484  cmd.exe                                   99
PID 3816 wrote to memory of 3728  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  100
PID 3816 wrote to memory of 3728  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  100
PID 3728 wrote to memory of 2316  3728  cmd.exe                                   102
PID 3728 wrote to memory of 2316  3728  cmd.exe                                   102
PID 3816 wrote to memory of 3040  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  103
PID 3816 wrote to memory of 3040  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  103
PID 3040 wrote to memory of 3940  3040  cmd.exe                                   105
PID 3040 wrote to memory of 3940  3040  cmd.exe                                   105
PID 3816 wrote to memory of 3740  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  106
PID 3816 wrote to memory of 3740  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  106
PID 3740 wrote to memory of 260   3740  cmd.exe                                   108
PID 3740 wrote to memory of 260   3740  cmd.exe                                   108
PID 3816 wrote to memory of 572   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  109
PID 3816 wrote to memory of 572   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  109
PID 572 wrote to memory of 2564   572   cmd.exe                                   111
PID 572 wrote to memory of 2564   572   cmd.exe                                   111
PID 3816 wrote to memory of 1636  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  112
PID 3816 wrote to memory of 1636  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  112
PID 1636 wrote to memory of 1280  1636  cmd.exe                                   114
PID 1636 wrote to memory of 1280  1636  cmd.exe                                   114
PID 3816 wrote to memory of 2064  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  115
PID 3816 wrote to memory of 2064  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  115
PID 2064 wrote to memory of 1776  2064  cmd.exe                                   117
PID 2064 wrote to memory of 1776  2064  cmd.exe                                   117
PID 3816 wrote to memory of 2292  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  118
PID 3816 wrote to memory of 2292  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  118
PID 2292 wrote to memory of 2388  2292  cmd.exe                                   120
PID 2292 wrote to memory of 2388  2292  cmd.exe                                   120
PID 3816 wrote to memory of 2412  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  121
PID 3816 wrote to memory of 2412  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  121
PID 2412 wrote to memory of 4084  2412  cmd.exe                                   123
PID 2412 wrote to memory of 4084  2412  cmd.exe                                   123
PID 3816 wrote to memory of 3424  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  124
PID 3816 wrote to memory of 3424  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  124
PID 3424 wrote to memory of 3916  3424  cmd.exe                                   126
PID 3424 wrote to memory of 3916  3424  cmd.exe                                   126
PID 3816 wrote to memory of 3844  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  127
PID 3816 wrote to memory of 3844  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  127
PID 3844 wrote to memory of 1428  3844  cmd.exe                                   129
PID 3844 wrote to memory of 1428  3844  cmd.exe                                   129
PID 3816 wrote to memory of 3936  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  130
PID 3816 wrote to memory of 3936  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  130
PID 3936 wrote to memory of 412   3936  cmd.exe                                   132
PID 3936 wrote to memory of 412   3936  cmd.exe                                   132
PID 3816 wrote to memory of 3964  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  133
PID 3816 wrote to memory of 3964  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  133
PID 3964 wrote to memory of 2740  3964  cmd.exe                                   135
PID 3964 wrote to memory of 2740  3964  cmd.exe                                   135
PID 3816 wrote to memory of 3484  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  136
PID 3816 wrote to memory of 3484  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  136
PID 3484 wrote to memory of 3680  3484  cmd.exe                                   138
PID 3484 wrote to memory of 3680  3484  cmd.exe                                   138
PID 3816 wrote to memory of 3728  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  139
PID 3816 wrote to memory of 3728  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  139
PID 3728 wrote to memory of 3760  3728  cmd.exe                                   141
PID 3728 wrote to memory of 3760  3728  cmd.exe                                   141
PID 3816 wrote to memory of 3040  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  142
PID 3816 wrote to memory of 3040  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  142
PID 3040 wrote to memory of 272   3040  cmd.exe                                   144
PID 3040 wrote to memory of 272   3040  cmd.exe                                   144
PID 3816 wrote to memory of 3740  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  145
PID 3816 wrote to memory of 3740  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  145
PID 3740 wrote to memory of 3996  3740  cmd.exe                                   147
PID 3740 wrote to memory of 3996  3740  cmd.exe                                   147
PID 3816 wrote to memory of 572   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  148
PID 3816 wrote to memory of 572   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  148
PID 572 wrote to memory of 2036   572   cmd.exe                                   150
PID 572 wrote to memory of 2036   572   cmd.exe                                   150
PID 3816 wrote to memory of 1668  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  151
PID 3816 wrote to memory of 1668  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  151
PID 1668 wrote to memory of 2380  1668  cmd.exe                                   153
PID 1668 wrote to memory of 2380  1668  cmd.exe                                   153
PID 3816 wrote to memory of 1928  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  154
PID 3816 wrote to memory of 1928  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  154
PID 1928 wrote to memory of 2436  1928  cmd.exe                                   156
PID 1928 wrote to memory of 2436  1928  cmd.exe                                   156
PID 3816 wrote to memory of 2328  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  157
PID 3816 wrote to memory of 2328  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  157
PID 2328 wrote to memory of 3672  2328  cmd.exe                                   159
PID 2328 wrote to memory of 3672  2328  cmd.exe                                   159
PID 3816 wrote to memory of 2444  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  160
PID 3816 wrote to memory of 2444  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  160
PID 2444 wrote to memory of 3744  2444  cmd.exe                                   162
PID 2444 wrote to memory of 3744  2444  cmd.exe                                   162
PID 3816 wrote to memory of 2772  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  163
PID 3816 wrote to memory of 2772  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  163
PID 2772 wrote to memory of 3824  2772  cmd.exe                                   165
PID 2772 wrote to memory of 3824  2772  cmd.exe                                   165
PID 3816 wrote to memory of 1012  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  166
PID 3816 wrote to memory of 1012  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  166
PID 1012 wrote to memory of 3720  1012  cmd.exe                                   168
PID 1012 wrote to memory of 3720  1012  cmd.exe                                   168
PID 3816 wrote to memory of 1020  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  169
PID 3816 wrote to memory of 1020  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  169
PID 1020 wrote to memory of 3388  1020  cmd.exe                                   171
PID 1020 wrote to memory of 3388  1020  cmd.exe                                   171
PID 3816 wrote to memory of 2624  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  172
PID 3816 wrote to memory of 2624  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  172
PID 2624 wrote to memory of 3004  2624  cmd.exe                                   174
PID 2624 wrote to memory of 3004  2624  cmd.exe                                   174
PID 3816 wrote to memory of 3512  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  175
PID 3816 wrote to memory of 3512  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  175
PID 3512 wrote to memory of 3076  3512  cmd.exe                                   177
PID 3512 wrote to memory of 3076  3512  cmd.exe                                   177
PID 3816 wrote to memory of 3624  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  178
PID 3816 wrote to memory of 3624  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  178
PID 3624 wrote to memory of 260   3624  cmd.exe                                   180
PID 3624 wrote to memory of 260   3624  cmd.exe                                   180
PID 3816 wrote to memory of 3056  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  181
PID 3816 wrote to memory of 3056  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  181
PID 3056 wrote to memory of 2572  3056  cmd.exe                                   183
PID 3056 wrote to memory of 2572  3056  cmd.exe                                   183
PID 3816 wrote to memory of 1276  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  184
PID 3816 wrote to memory of 1276  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  184
PID 1276 wrote to memory of 1364  1276  cmd.exe                                   186
PID 1276 wrote to memory of 1364  1276  cmd.exe                                   186
PID 3816 wrote to memory of 2860  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  187
PID 3816 wrote to memory of 2860  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  187
PID 2860 wrote to memory of 1672  2860  cmd.exe                                   189
PID 2860 wrote to memory of 1672  2860  cmd.exe                                   189
PID 3816 wrote to memory of 2380  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  190
PID 3816 wrote to memory of 2380  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  190
PID 2380 wrote to memory of 1920  2380  cmd.exe                                   192
PID 2380 wrote to memory of 1920  2380  cmd.exe                                   192
PID 3816 wrote to memory of 2468  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  193
PID 3816 wrote to memory of 2468  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  193
PID 2468 wrote to memory of 2272  2468  cmd.exe                                   195
PID 2468 wrote to memory of 2272  2468  cmd.exe                                   195
PID 3816 wrote to memory of 3848  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  196
PID 3816 wrote to memory of 3848  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  196
PID 3848 wrote to memory of 2308  3848  cmd.exe                                   198
PID 3848 wrote to memory of 2308  3848  cmd.exe                                   198
PID 3816 wrote to memory of 3024  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  199
PID 3816 wrote to memory of 3024  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  199
PID 3024 wrote to memory of 4080  3024  cmd.exe                                   201
PID 3024 wrote to memory of 4080  3024  cmd.exe                                   201
PID 3816 wrote to memory of 3628  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  202
PID 3816 wrote to memory of 3628  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  202
PID 3628 wrote to memory of 3932  3628  cmd.exe                                   204
PID 3628 wrote to memory of 3932  3628  cmd.exe                                   204
PID 3816 wrote to memory of 3944  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  205
PID 3816 wrote to memory of 3944  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  205
PID 3944 wrote to memory of 3992  3944  cmd.exe                                   207
PID 3944 wrote to memory of 3992  3944  cmd.exe                                   207
PID 3816 wrote to memory of 3948  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  208
PID 3816 wrote to memory of 3948  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  208
PID 3948 wrote to memory of 3372  3948  cmd.exe                                   210
PID 3948 wrote to memory of 3372  3948  cmd.exe                                   210
PID 3816 wrote to memory of 292   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  211
PID 3816 wrote to memory of 292   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  211
PID 292 wrote to memory of 3780   292   cmd.exe                                   213
PID 292 wrote to memory of 3780   292   cmd.exe                                   213
PID 3816 wrote to memory of 3560  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  214
PID 3816 wrote to memory of 3560  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  214
PID 3560 wrote to memory of 3900  3560  cmd.exe                                   216
PID 3560 wrote to memory of 3900  3560  cmd.exe                                   216
PID 3816 wrote to memory of 3764  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  217
PID 3816 wrote to memory of 3764  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  217
PID 3764 wrote to memory of 2492  3764  cmd.exe                                   219
PID 3764 wrote to memory of 2492  3764  cmd.exe                                   219
PID 3816 wrote to memory of 2084  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  220
PID 3816 wrote to memory of 2084  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  220
PID 2084 wrote to memory of 496   2084  cmd.exe                                   222
PID 2084 wrote to memory of 496   2084  cmd.exe                                   222
PID 3816 wrote to memory of 2948  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  223
PID 3816 wrote to memory of 2948  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  223
PID 2948 wrote to memory of 1524  2948  cmd.exe                                   225
PID 2948 wrote to memory of 1524  2948  cmd.exe                                   225
PID 3816 wrote to memory of 420   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  226
PID 3816 wrote to memory of 420   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  226
PID 420 wrote to memory of 1576   420   cmd.exe                                   228
PID 420 wrote to memory of 1576   420   cmd.exe                                   228
PID 3816 wrote to memory of 2768  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  229
PID 3816 wrote to memory of 2768  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  229
PID 2768 wrote to memory of 2756  2768  cmd.exe                                   231
PID 2768 wrote to memory of 2756  2768  cmd.exe                                   231
PID 3816 wrote to memory of 2884  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  232
PID 3816 wrote to memory of 2884  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  232
PID 2884 wrote to memory of 2436  2884  cmd.exe                                   234
PID 2884 wrote to memory of 2436  2884  cmd.exe                                   234
PID 3816 wrote to memory of 2328  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  235
PID 3816 wrote to memory of 2328  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  235
PID 2328 wrote to memory of 2412  2328  cmd.exe                                   237
PID 2328 wrote to memory of 2412  2328  cmd.exe                                   237
PID 3816 wrote to memory of 3744  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  238
PID 3816 wrote to memory of 3744  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  238
PID 3744 wrote to memory of 3424  3744  cmd.exe                                   240
PID 3744 wrote to memory of 3424  3744  cmd.exe                                   240
PID 3816 wrote to memory of 3824  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  241
PID 3816 wrote to memory of 3824  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  241
PID 3824 wrote to memory of 3844  3824  cmd.exe                                   243
PID 3824 wrote to memory of 3844  3824  cmd.exe                                   243
PID 3816 wrote to memory of 3720  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  244
PID 3816 wrote to memory of 3720  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  244
PID 3720 wrote to memory of 2616  3720  cmd.exe                                   246
PID 3720 wrote to memory of 2616  3720  cmd.exe                                   246
PID 3816 wrote to memory of 3388  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  247
PID 3816 wrote to memory of 3388  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  247
PID 3388 wrote to memory of 3084  3388  cmd.exe                                   249
PID 3388 wrote to memory of 3084  3388  cmd.exe                                   249
PID 3816 wrote to memory of 3004  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  250
PID 3816 wrote to memory of 3004  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  250
PID 3004 wrote to memory of 3828  3004  cmd.exe                                   252
PID 3004 wrote to memory of 3828  3004  cmd.exe                                   252
PID 3816 wrote to memory of 3076  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  253
PID 3816 wrote to memory of 3076  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  253
PID 3076 wrote to memory of 3728  3076  cmd.exe                                   255
PID 3076 wrote to memory of 3728  3076  cmd.exe                                   255
PID 3816 wrote to memory of 260   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  256
PID 3816 wrote to memory of 260   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  256
PID 260 wrote to memory of 3040   260   cmd.exe                                   258
PID 260 wrote to memory of 3040   260   cmd.exe                                   258
PID 3816 wrote to memory of 2572  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  259
PID 3816 wrote to memory of 2572  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  259
PID 2572 wrote to memory of 1412  2572  cmd.exe                                   261
PID 2572 wrote to memory of 1412  2572  cmd.exe                                   261
PID 3816 wrote to memory of 1364  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  262
PID 3816 wrote to memory of 1364  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  262
PID 1364 wrote to memory of 1520  1364  cmd.exe                                   264
PID 1364 wrote to memory of 1520  1364  cmd.exe                                   264
PID 3816 wrote to memory of 2860  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  265
PID 3816 wrote to memory of 2860  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  265
PID 2860 wrote to memory of 1920  2860  cmd.exe                                   267
PID 2860 wrote to memory of 1920  2860  cmd.exe                                   267
PID 3816 wrote to memory of 1780  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  268
PID 3816 wrote to memory of 1780  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  268
PID 1780 wrote to memory of 3416  1780  cmd.exe                                   270
PID 1780 wrote to memory of 3416  1780  cmd.exe                                   270
PID 3816 wrote to memory of 2476  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  271
PID 3816 wrote to memory of 2476  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  271
PID 2476 wrote to memory of 2408  2476  cmd.exe                                   273
PID 2476 wrote to memory of 2408  2476  cmd.exe                                   273
PID 3816 wrote to memory of 2308  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  274
PID 3816 wrote to memory of 2308  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  274
PID 2308 wrote to memory of 2880  2308  cmd.exe                                   276
PID 2308 wrote to memory of 2880  2308  cmd.exe                                   276
PID 3816 wrote to memory of 3276  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  277
PID 3816 wrote to memory of 3276  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  277
PID 3276 wrote to memory of 3280  3276  cmd.exe                                   279
PID 3276 wrote to memory of 3280  3276  cmd.exe                                   279
PID 3816 wrote to memory of 3368  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  280
PID 3816 wrote to memory of 3368  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  280
PID 3368 wrote to memory of 3980  3368  cmd.exe                                   282
PID 3368 wrote to memory of 3980  3368  cmd.exe                                   282
PID 3816 wrote to memory of 3140  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  283
PID 3816 wrote to memory of 3140  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  283
PID 3140 wrote to memory of 3472  3140  cmd.exe                                   285
PID 3140 wrote to memory of 3472  3140  cmd.exe                                   285
PID 3816 wrote to memory of 2840  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  286
PID 3816 wrote to memory of 2840  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  286
PID 2840 wrote to memory of 3576  2840  cmd.exe                                   288
PID 2840 wrote to memory of 3576  2840  cmd.exe                                   288
PID 3816 wrote to memory of 3752  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  289
PID 3816 wrote to memory of 3752  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  289
PID 3752 wrote to memory of 3904  3752  cmd.exe                                   291
PID 3752 wrote to memory of 3904  3752  cmd.exe                                   291
PID 3816 wrote to memory of 264   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  292
PID 3816 wrote to memory of 264   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  292
PID 264 wrote to memory of 1052   264   cmd.exe                                   294
PID 264 wrote to memory of 1052   264   cmd.exe                                   294
PID 3816 wrote to memory of 2568  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  295
PID 3816 wrote to memory of 2568  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  295
PID 2568 wrote to memory of 504   2568  cmd.exe                                   297
PID 2568 wrote to memory of 504   2568  cmd.exe                                   297
PID 3816 wrote to memory of 1728  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  298
PID 3816 wrote to memory of 1728  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  298
PID 1728 wrote to memory of 2176  1728  cmd.exe                                   300
PID 1728 wrote to memory of 2176  1728  cmd.exe                                   300
PID 3816 wrote to memory of 1788  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  301
PID 3816 wrote to memory of 1788  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  301
PID 1788 wrote to memory of 3676  1788  cmd.exe                                   303
PID 1788 wrote to memory of 3676  1788  cmd.exe                                   303
PID 3816 wrote to memory of 2384  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  304
PID 3816 wrote to memory of 2384  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  304
PID 2384 wrote to memory of 2060  2384  cmd.exe                                   306
PID 2384 wrote to memory of 2060  2384  cmd.exe                                   306
PID 3816 wrote to memory of 1928  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  307
PID 3816 wrote to memory of 1928  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  307
PID 1928 wrote to memory of 3612  1928  cmd.exe                                   309
PID 1928 wrote to memory of 3612  1928  cmd.exe                                   309
PID 3816 wrote to memory of 2292  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  310
PID 3816 wrote to memory of 2292  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  310
PID 2292 wrote to memory of 3972  2292  cmd.exe                                   312
PID 2292 wrote to memory of 3972  2292  cmd.exe                                   312
PID 3816 wrote to memory of 3916  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  313
PID 3816 wrote to memory of 3916  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  313
PID 3916 wrote to memory of 1848  3916  cmd.exe                                   315
PID 3916 wrote to memory of 1848  3916  cmd.exe                                   315
PID 3816 wrote to memory of 1428  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  316
PID 3816 wrote to memory of 1428  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  316
PID 1428 wrote to memory of 3936  1428  cmd.exe                                   318
PID 1428 wrote to memory of 3936  1428  cmd.exe                                   318
PID 3816 wrote to memory of 1676  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  319
PID 3816 wrote to memory of 1676  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  319
PID 1676 wrote to memory of 3964  1676  cmd.exe                                   321
PID 1676 wrote to memory of 3964  1676  cmd.exe                                   321
PID 3816 wrote to memory of 2740  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  322
PID 3816 wrote to memory of 2740  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  322
PID 2740 wrote to memory of 3484  2740  cmd.exe                                   324
PID 2740 wrote to memory of 3484  2740  cmd.exe                                   324
PID 3816 wrote to memory of 3680  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  325
PID 3816 wrote to memory of 3680  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  325
PID 3680 wrote to memory of 276   3680  cmd.exe                                   327
PID 3680 wrote to memory of 276   3680  cmd.exe                                   327
PID 3816 wrote to memory of 3760  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  328
PID 3816 wrote to memory of 3760  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  328
PID 3760 wrote to memory of 1356  3760  cmd.exe                                   330
PID 3760 wrote to memory of 1356  3760  cmd.exe                                   330
PID 3816 wrote to memory of 272   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  331
PID 3816 wrote to memory of 272   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  331
PID 272 wrote to memory of 3740   272   cmd.exe                                   333
PID 272 wrote to memory of 3740   272   cmd.exe                                   333
PID 3816 wrote to memory of 3996  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  334
PID 3816 wrote to memory of 3996  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  334
PID 3996 wrote to memory of 1516  3996  cmd.exe                                   336
PID 3996 wrote to memory of 1516  3996  cmd.exe                                   336
PID 3816 wrote to memory of 2036  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  337
PID 3816 wrote to memory of 2036  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  337
PID 2036 wrote to memory of 2736  2036  cmd.exe                                   339
PID 2036 wrote to memory of 2736  2036  cmd.exe                                   339
PID 3816 wrote to memory of 2172  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  340
PID 3816 wrote to memory of 2172  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  340
PID 2172 wrote to memory of 3864  2172  cmd.exe                                   342
PID 2172 wrote to memory of 3864  2172  cmd.exe                                   342
PID 3816 wrote to memory of 2040  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  343
PID 3816 wrote to memory of 2040  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  343
PID 2040 wrote to memory of 3896  2040  cmd.exe                                   345
PID 2040 wrote to memory of 3896  2040  cmd.exe                                   345
PID 3816 wrote to memory of 2468  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  346
PID 3816 wrote to memory of 2468  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  346
PID 2468 wrote to memory of 3988  2468  cmd.exe                                   348
PID 2468 wrote to memory of 3988  2468  cmd.exe                                   348
PID 3816 wrote to memory of 3884  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  349
PID 3816 wrote to memory of 3884  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  349
PID 3884 wrote to memory of 3568  3884  cmd.exe                                   351
PID 3884 wrote to memory of 3568  3884  cmd.exe                                   351
PID 3816 wrote to memory of 3832  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  352
PID 3816 wrote to memory of 3832  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  352
PID 3832 wrote to memory of 388   3832  cmd.exe                                   354
PID 3832 wrote to memory of 388   3832  cmd.exe                                   354
PID 3816 wrote to memory of 3956  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  355
PID 3816 wrote to memory of 3956  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  355
PID 3956 wrote to memory of 3068  3956  cmd.exe                                   357
PID 3956 wrote to memory of 3068  3956  cmd.exe                                   357
PID 3816 wrote to memory of 3440  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  358
PID 3816 wrote to memory of 3440  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  358
PID 3440 wrote to memory of 3860  3440  cmd.exe                                   360
PID 3440 wrote to memory of 3860  3440  cmd.exe                                   360
PID 3816 wrote to memory of 3000  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  361
PID 3816 wrote to memory of 3000  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  361
PID 3000 wrote to memory of 268   3000  cmd.exe                                   363
PID 3000 wrote to memory of 268   3000  cmd.exe                                   363
PID 3816 wrote to memory of 508   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  364
PID 3816 wrote to memory of 508   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  364
PID 3816 wrote to memory of 3940  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  366
PID 3816 wrote to memory of 3940  3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  366
PID 3816 wrote to memory of 504   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  367
PID 3816 wrote to memory of 504   3816  D4D32E7583B3FD8363DED73C91ED3D08.bin.exe  367
Suspicious use of AdjustPrivilegeToken 136 IoCs
description pid Process
Token: SeIncreaseQuotaPrivilege 2860 WMIC.exe
Token: SeSecurityPrivilege 2860 WMIC.exe
Token: SeTakeOwnershipPrivilege 2860 WMIC.exe
Token: SeLoadDriverPrivilege 2860 WMIC.exe
Token: SeSystemProfilePrivilege 2860 WMIC.exe
Token: SeSystemtimePrivilege 2860 WMIC.exe
Token: SeProfSingleProcessPrivilege 2860 WMIC.exe
Token: SeIncBasePriorityPrivilege 2860 WMIC.exe
Token: SeCreatePagefilePrivilege 2860 WMIC.exe
Token: SeBackupPrivilege 2860 WMIC.exe
Token: SeRestorePrivilege 2860 WMIC.exe
Token: SeShutdownPrivilege 2860 WMIC.exe
Token: SeDebugPrivilege 2860 WMIC.exe
Token: SeSystemEnvironmentPrivilege 2860 WMIC.exe
Token: SeRemoteShutdownPrivilege 2860 WMIC.exe
Token: SeUndockPrivilege 2860 WMIC.exe
Token: SeManageVolumePrivilege 2860 WMIC.exe
Token: 33 2860 WMIC.exe
Token: 34 2860 WMIC.exe
Token: 35 2860 WMIC.exe
Token: 36 2860 WMIC.exe
Token: SeIncreaseQuotaPrivilege 2860 WMIC.exe
Token: SeSecurityPrivilege 2860 WMIC.exe
Token: SeTakeOwnershipPrivilege 2860 WMIC.exe
Token: SeLoadDriverPrivilege 2860 WMIC.exe
Token: SeSystemProfilePrivilege 2860 WMIC.exe
Token: SeSystemtimePrivilege 2860 WMIC.exe
Token: SeProfSingleProcessPrivilege 2860 WMIC.exe
Token: SeIncBasePriorityPrivilege 2860 WMIC.exe
Token: SeCreatePagefilePrivilege 2860 WMIC.exe
Token: SeBackupPrivilege 2860 WMIC.exe
Token: SeRestorePrivilege 2860 WMIC.exe
Token: SeShutdownPrivilege 2860 WMIC.exe
Token: SeDebugPrivilege 2860 WMIC.exe
Token: SeSystemEnvironmentPrivilege 2860 WMIC.exe
Token: SeRemoteShutdownPrivilege 2860 WMIC.exe
Token: SeUndockPrivilege 2860 WMIC.exe
Token: SeManageVolumePrivilege 2860 WMIC.exe
Token: 33 2860 WMIC.exe
Token: 34 2860 WMIC.exe
Token: 35 2860 WMIC.exe
Token: 36 2860 WMIC.exe
Token: SeBackupPrivilege 1004 vssvc.exe
Token: SeRestorePrivilege 1004 vssvc.exe
Token: SeAuditPrivilege 1004 vssvc.exe
Token: SeDebugPrivilege 3984 taskkill.exe
Token: SeDebugPrivilege 1676 taskkill.exe
Token: SeDebugPrivilege 408 taskkill.exe
Token: SeDebugPrivilege 2316 taskkill.exe
Token: SeDebugPrivilege 3940 taskkill.exe
Token: SeDebugPrivilege 260 taskkill.exe
Token: SeDebugPrivilege 2564 taskkill.exe
Token: SeDebugPrivilege 1280 taskkill.exe
Token: SeDebugPrivilege 1776 taskkill.exe
Token: SeDebugPrivilege 2388 taskkill.exe
Token: SeDebugPrivilege 4084 taskkill.exe
Token: SeDebugPrivilege 3916 taskkill.exe
Token: SeDebugPrivilege 1428 taskkill.exe
Token: SeDebugPrivilege 412 taskkill.exe
Token: SeDebugPrivilege 2740 taskkill.exe
Token: SeDebugPrivilege 3680 taskkill.exe
Token: SeDebugPrivilege 3760 taskkill.exe
Token: SeDebugPrivilege 272 taskkill.exe
Token: SeDebugPrivilege 3996 taskkill.exe
Token: SeDebugPrivilege 2036 taskkill.exe
Token: SeDebugPrivilege 2380 taskkill.exe
Token: SeDebugPrivilege 2436 taskkill.exe
Token: SeDebugPrivilege 3672 taskkill.exe
Token: SeDebugPrivilege 3744 taskkill.exe
Token: SeDebugPrivilege 3824 taskkill.exe
Token: SeDebugPrivilege 3720 taskkill.exe
Token: SeDebugPrivilege 3388 taskkill.exe
Token: SeDebugPrivilege 3004 taskkill.exe
Token: SeDebugPrivilege 3076 taskkill.exe
Token: SeDebugPrivilege 260 taskkill.exe
Token: SeDebugPrivilege 2572 taskkill.exe
Token: SeDebugPrivilege 1364 taskkill.exe
Token: SeDebugPrivilege 2272 taskkill.exe
Token: SeDebugPrivilege 4080 taskkill.exe
Token: SeDebugPrivilege 3932 taskkill.exe
Token: SeDebugPrivilege 3992 taskkill.exe
Token: SeDebugPrivilege 3372 taskkill.exe
Token: SeDebugPrivilege 3780 taskkill.exe
Token: SeDebugPrivilege 3900 taskkill.exe
Token: SeDebugPrivilege 2492 taskkill.exe
Token: SeDebugPrivilege 496 taskkill.exe
Token: SeDebugPrivilege 1524 taskkill.exe
Token: SeDebugPrivilege 1576 taskkill.exe
Token: SeDebugPrivilege 2756 taskkill.exe
Token: SeDebugPrivilege 2436 taskkill.exe
Token: SeDebugPrivilege 2412 taskkill.exe
Token: SeDebugPrivilege 3424 taskkill.exe
Token: SeDebugPrivilege 3844 taskkill.exe
Token: SeDebugPrivilege 2616 taskkill.exe
Token: SeDebugPrivilege 3084 taskkill.exe
Token: SeDebugPrivilege 3828 taskkill.exe
Token: SeDebugPrivilege 3728 taskkill.exe
Token: SeDebugPrivilege 3040 taskkill.exe
Token: SeDebugPrivilege 1412 taskkill.exe
Token: SeDebugPrivilege 1520 taskkill.exe
Token: SeDebugPrivilege 1920 taskkill.exe
Token: SeDebugPrivilege 3416 taskkill.exe
Token: SeDebugPrivilege 2408 taskkill.exe
Token: SeDebugPrivilege 2880 taskkill.exe
Token: SeDebugPrivilege 3280 taskkill.exe
Token: SeDebugPrivilege 3980 taskkill.exe
Token: SeDebugPrivilege 3472 taskkill.exe
Token: SeDebugPrivilege 3576 taskkill.exe
Token: SeDebugPrivilege 3904 taskkill.exe
Token: SeDebugPrivilege 1052 taskkill.exe
Token: SeDebugPrivilege 504 taskkill.exe
Token: SeDebugPrivilege 2176 taskkill.exe
Token: SeDebugPrivilege 3676 taskkill.exe
Token: SeDebugPrivilege 2060 taskkill.exe
Token: SeDebugPrivilege 3612 taskkill.exe
Token: SeDebugPrivilege 3972 taskkill.exe
Token: SeDebugPrivilege 1848 taskkill.exe
Token: SeDebugPrivilege 3936 taskkill.exe
Token: SeDebugPrivilege 3964 taskkill.exe
Token: SeDebugPrivilege 3484 taskkill.exe
Token: SeDebugPrivilege 276 taskkill.exe
Token: SeDebugPrivilege 1356 taskkill.exe
Token: SeDebugPrivilege 3740 taskkill.exe
Token: SeDebugPrivilege 1516 taskkill.exe
Token: SeDebugPrivilege 2736 taskkill.exe
Token: SeDebugPrivilege 3864 taskkill.exe
Token: SeDebugPrivilege 3896 taskkill.exe
Token: SeDebugPrivilege 3988 taskkill.exe
Token: SeDebugPrivilege 3568 taskkill.exe
Token: SeDebugPrivilege 388 taskkill.exe
Token: SeDebugPrivilege 3068 taskkill.exe
Token: SeDebugPrivilege 3860 taskkill.exe
Token: SeDebugPrivilege 268 taskkill.exe
Token: SeDebugPrivilege 504 powershell.exe
Token: SeDebugPrivilege 508 powershell.exe
Token: SeDebugPrivilege 3940 powershell.exe
pid Process
1528 wbadmin.exe
1916 wbadmin.exe
NTFS ADS 5 IoCs
description ioc Process
File opened for modification C:\Users\Admin\AppData\Local\Temp\boot.sys:sgewszqwu D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
File created C:\Users\Admin\AppData\Local\Temp\boot.sys:ddmdnjamzhispuay D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
File created C:\Users\Admin\AppData\Local\Temp\boot.sys:sgewszqwu D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
File created C:\Users\Admin\AppData\Local\Temp\boot.sys:datnfamalhsmqxgef D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
File opened for modification C:\Users\Admin\AppData\Local\Temp\boot.sys:ouwvwpdmzxnjq D4D32E7583B3FD8363DED73C91ED3D08.bin.exe
Enumerates connected drives 3 TTPs
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3672 vssadmin.exe
Processes
C:\Users\Admin\AppData\Local\Temp\D4D32E7583B3FD8363DED73C91ED3D08.bin.exe | "C:\Users\Admin\AppData\Local\Temp\D4D32E7583B3FD8363DED73C91ED3D08.bin.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  - NTFS ADS
  PID: 3816
  C:\Windows\SYSTEM32\cmd.exe | cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
    - Suspicious use of WriteProcessMemory
    PID: 2588
    C:\Windows\System32\Wbem\WMIC.exe | wmic.exe SHADOWCOPY DELETE /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID: 2860
  C:\Windows\SYSTEM32\cmd.exe | cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
    - Suspicious use of WriteProcessMemory
    PID: 1280
    C:\Windows\system32\wbadmin.exe | wbadmin DELETE SYSTEMSTATEBACKUP
      - Drops file in Windows directory
      - Deletes System State backups
      PID: 1528
  C:\Windows\SYSTEM32\cmd.exe | cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
    - Suspicious use of WriteProcessMemory
    PID: 1672
    C:\Windows\system32\wbadmin.exe | wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      - Drops file in Windows directory
      - Deletes System State backups
      PID: 1916
  C:\Windows\SYSTEM32\cmd.exe | cmd /C bcdedit.exe /set {default} recoveryenabled No
    - Suspicious use of WriteProcessMemory
    PID: 2060
    C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} recoveryenabled No
      - Modifies boot configuration data using bcdedit
      PID: 2328
  C:\Windows\SYSTEM32\cmd.exe | cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    PID: 2308
    C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID: 2436
  C:\Windows\SYSTEM32\cmd.exe | cmd /C vssadmin.exe Delete Shadows /All /Quiet
    - Suspicious use of WriteProcessMemory
    PID: 2780
    C:\Windows\system32\vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID: 3672
  C:\Windows\SYSTEM32\cmd.exe | cmd /C C:\Windows\system32\vssvc.exe
    - Suspicious use of WriteProcessMemory
    PID: 4080
    C:\Windows\system32\VSSVC.exe | C:\Windows\system32\vssvc.exe
      PID: 3852
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM wxServer*
    - Suspicious use of WriteProcessMemory
    PID: 3936
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM wxServer*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 3984
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM QBFCService*
    - Suspicious use of WriteProcessMemory
    PID: 3964
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM QBFCService*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1676
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM QBVSS*
    - Suspicious use of WriteProcessMemory
    PID: 3484
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM QBVSS*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 408
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM sql*
    - Suspicious use of WriteProcessMemory
    PID: 3728
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM sql*
      - Suspicious use of AdjustPrivilegeToken
      PID: 2316
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM msaccess*
    - Suspicious use of WriteProcessMemory
    PID: 3040
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM msaccess*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 3940
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM mssql*
    - Suspicious use of WriteProcessMemory
    PID: 3740
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM mssql*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 260
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM mysql*
    - Suspicious use of WriteProcessMemory
    PID: 572
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM mysql*
      - Suspicious use of AdjustPrivilegeToken
      PID: 2564
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM wxServerView*
    - Suspicious use of WriteProcessMemory
    PID: 1636
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM wxServerView*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1280
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM sqlmangr*
    - Suspicious use of WriteProcessMemory
    PID: 2064
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM sqlmangr*
      - Suspicious use of AdjustPrivilegeToken
      PID: 1776
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM RAgui*
    PID: 2292
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM RAgui*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2388
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM supervise*
    PID: 2412
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM supervise*
      - Suspicious use of AdjustPrivilegeToken
      PID: 4084
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM Culture*
    PID: 3424
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM Culture*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 3916
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM Defwatch*
    PID: 3844
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM Defwatch*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1428
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM winword*
    PID: 3936
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM winword*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 412
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM QBW32*
    PID: 3964
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM QBW32*
      - Suspicious use of AdjustPrivilegeToken
      PID: 2740
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM QBDBMgr*
    PID: 3484
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM QBDBMgr*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 3680
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM qbupdate*
    PID: 3728
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM qbupdate*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 3760
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM axlbridge*
    PID: 3040
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM axlbridge*
      - Suspicious use of AdjustPrivilegeToken
      PID: 272
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM httpd*
    PID: 3740
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM httpd*
      - Suspicious use of AdjustPrivilegeToken
      PID: 3996
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM fdlauncher*
    PID: 572
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM fdlauncher*
      PID: 2036
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM MsDtSrvr*
    PID: 1668
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM MsDtSrvr*
      PID: 2380
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM java*
    PID: 1928
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM java*
      - Kills process with taskkill
      PID: 2436
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM 360se*
    PID: 2328
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM 360se*
      - Kills process with taskkill
      PID: 3672
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM 360doctor*
    PID: 2444
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM 360doctor*
      - Kills process with taskkill
      PID: 3744
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM wdswfsafe*
    PID: 2772
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM wdswfsafe*
      - Kills process with taskkill
      PID: 3824
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM fdhost*
    PID: 1012
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM fdhost*
      - Kills process with taskkill
      PID: 3720
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM GDscan*
    PID: 1020
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM GDscan*
      PID: 3388
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM ZhuDongFangYu*
    PID: 2624
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM ZhuDongFangYu*
      - Kills process with taskkill
      PID: 3004
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM QBDBMgrN*
    PID: 3512
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM QBDBMgrN*
      - Kills process with taskkill
      PID: 3076
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM mysqld*
    PID: 3624
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM mysqld*
      PID: 260
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM AutodeskDesktopApp*
    PID: 3056
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM AutodeskDesktopApp*
      - Kills process with taskkill
      PID: 2572
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM acwebbrowser*
    PID: 1276
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM acwebbrowser*
      PID: 1364
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM Creative Cloud*
    PID: 2860
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM Creative Cloud*
      - Kills process with taskkill
      PID: 1672
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM Adobe Desktop Service*
    PID: 2380
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM Adobe Desktop Service*
      - Kills process with taskkill
      PID: 1920
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM CoreSync*
    PID: 2468
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM CoreSync*
      - Kills process with taskkill
      PID: 2272
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM Adobe CEF Helper*
    PID: 3848
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM Adobe CEF Helper*
      PID: 2308
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM node*
    PID: 3024
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM node*
      - Kills process with taskkill
      PID: 4080
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM AdobeIPCBroker*
    PID: 3628
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM AdobeIPCBroker*
      - Kills process with taskkill
      PID: 3932
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM sync-taskbar*
    PID: 3944
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM sync-taskbar*
      - Kills process with taskkill
      PID: 3992
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM sync-worker*
    PID: 3948
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM sync-worker*
      - Kills process with taskkill
      PID: 3372
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM InputPersonalization*
    PID: 292
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM InputPersonalization*
      PID: 3780
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM AdobeCollabSync*
    PID: 3560
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM AdobeCollabSync*
      PID: 3900
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM BrCtrlCntr*
    PID: 3764
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM BrCtrlCntr*
      - Kills process with taskkill
      PID: 2492
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM BrCcUxSys*
    PID: 2084
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM BrCcUxSys*
      - Kills process with taskkill
      PID: 496
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM SimplyConnectionManager*
    PID: 2948
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM SimplyConnectionManager*
      - Kills process with taskkill
      PID: 1524
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
    PID: 420
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM Simply.SystemTrayIcon*
      - Kills process with taskkill
      PID: 1576
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM fbguard*
    PID: 2768
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM fbguard*
      PID: 2756
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM fbserver*
    PID: 2884
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM fbserver*
      PID: 2436
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM ONENOTEM*
    PID: 2328
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM ONENOTEM*
      - Kills process with taskkill
      PID: 2412
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM wrapper*
    PID: 3744
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM wrapper*
      - Kills process with taskkill
      PID: 3424
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM DefWatch*
    PID: 3824
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM DefWatch*
      - Kills process with taskkill
      PID: 3844
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM ccEvtMgr*
    PID: 3720
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM ccEvtMgr*
      PID: 2616
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM ccSetMgr*
    PID: 3388
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM ccSetMgr*
      - Kills process with taskkill
      PID: 3084
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM SavRoam*
    PID: 3004
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM SavRoam*
      - Kills process with taskkill
      PID: 3828
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM Sqlservr*
    PID: 3076
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM Sqlservr*
      - Kills process with taskkill
      PID: 3728
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM sqlagent*
    PID: 260
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM sqlagent*
      - Kills process with taskkill
      PID: 3040
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM sqladhlp*
    PID: 2572
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM sqladhlp*
      - Kills process with taskkill
      PID: 1412
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM Culserver*
    PID: 1364
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM Culserver*
      - Kills process with taskkill
      PID: 1520
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM RTVscan*
    PID: 2860
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM RTVscan*
      - Kills process with taskkill
      PID: 1920
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM sqlbrowser*
    PID: 1780
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM sqlbrowser*
      - Kills process with taskkill
      PID: 3416
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM SQLADHLP*
    PID: 2476
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM SQLADHLP*
      - Kills process with taskkill
      PID: 2408
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM QBIDPService*
    PID: 2308
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM QBIDPService*
      - Kills process with taskkill
      PID: 2880
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
    PID: 3276
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM Intuit.QuickBooks.FCS*
      - Kills process with taskkill
      PID: 3280
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM QBCFMonitorService*
    PID: 3368
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM QBCFMonitorService*
      PID: 3980
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM sqlwriter*
    PID: 3140
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM sqlwriter*
      - Kills process with taskkill
      PID: 3472
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM msmdsrv*
    PID: 2840
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM msmdsrv*
      - Kills process with taskkill
      PID: 3576
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM tomcat6*
    PID: 3752
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM tomcat6*
      - Kills process with taskkill
      PID: 3904
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM zhudongfangyu*
    PID: 264
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM zhudongfangyu*
      - Kills process with taskkill
      PID: 1052
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM vmware-usbarbitator64*
    PID: 2568
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM vmware-usbarbitator64*
      PID: 504
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM vmware-converter*
    PID: 1728
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM vmware-converter*
      - Kills process with taskkill
      PID: 2176
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM dbsrv12*
    PID: 1788
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM dbsrv12*
      - Kills process with taskkill
      PID: 3676
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM dbeng8*
    PID: 2384
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM dbeng8*
      - Kills process with taskkill
      PID: 2060
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    PID: 1928
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM MSSQL$MICROSOFT##WID*
      PID: 3612
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
    PID: 2292
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM MSSQL$VEEAMSQL2012*
      - Kills process with taskkill
      PID: 3972
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
    PID: 3916
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
      - Kills process with taskkill
      PID: 1848
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM SQLBrowser*
    PID: 1428
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM SQLBrowser*
      PID: 3936
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM SQLWriter*
    PID: 1676
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM SQLWriter*
      PID: 3964
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM FishbowlMySQL*
    PID: 2740
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM FishbowlMySQL*
      PID: 3484
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    PID: 3680
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM MSSQL$MICROSOFT##WID*
      - Kills process with taskkill
      PID: 276
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM MySQL57*
    PID: 3760
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM MySQL57*
      PID: 1356
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
    PID: 272
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
      - Kills process with taskkill
      PID: 3740
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
    PID: 3996
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM MSSQLServerADHelper100*
      - Kills process with taskkill
      PID: 1516
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
    PID: 2036
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
      - Kills process with taskkill
      PID: 2736
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM msftesql-Exchange*
    PID: 2172
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM msftesql-Exchange*
      PID: 3864
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
    PID: 2040
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
      PID: 3896
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
    PID: 2468
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM MSSQL$SBSMONITORING*
      - Kills process with taskkill
      PID: 3988
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
    PID: 3884
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM MSSQL$SHAREPOINT*
      - Kills process with taskkill
      PID: 3568
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
    PID: 3832
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
      - Kills process with taskkill
      PID: 388
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
    PID: 3956
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
      - Kills process with taskkill
      PID: 3068
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
    PID: 3440
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM SQLAgent$SBSMONITORING*
      - Kills process with taskkill
      PID: 3860
  C:\Windows\SYSTEM32\cmd.exe | cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
    PID: 3000
    C:\Windows\system32\taskkill.exe | taskkill /F /T /IM SQLAgent$SHAREPOINT*
      - Kills process with taskkill
      PID: 268
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell [System.Net.Dns]::GetHostByAddress('10.10.0.53').hostname
    - Suspicious behavior: EnumeratesProcesses
    PID: 508
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell [System.Net.Dns]::GetHostByAddress('10.10.0.78').hostname
    - Suspicious behavior: EnumeratesProcesses
    PID: 3940
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell [System.Net.Dns]::GetHostByAddress('10.10.0.81').hostname
    - Suspicious behavior: EnumeratesProcesses
    PID: 504
C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
  PID: 1004