Analysis

max time kernel: 17s
max time network: 37s
platform: windows10_x64
resource: win10
submitted: 23-07-2020 13:40

Static task: static1

Behavioral task: behavioral1
Sample: build-x32.crypt.bin.exe
Resource: win7 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: build-x32.crypt.bin.exe
Resource: win10 (windows10_x64)
0 signatures, 0 seconds

General

Target: build-x32.crypt.bin.exe
Score: 10/10
Malware Config: (none reported)

Signatures
Suspicious use of WriteProcessMemory 573 IoCs
description pid Process procid_target
PID 3672 wrote to memory of 3820 3672 build-x32.crypt.bin.exe 68 PID 3672 wrote to memory of 3820 3672 build-x32.crypt.bin.exe 68 PID 3672 wrote to memory of 3820 3672 build-x32.crypt.bin.exe 68 PID 3820 wrote to memory of 1376 3820 cmd.exe 70 PID 3820 wrote to memory of 1376 3820 cmd.exe 70 PID 3820 wrote to memory of 1376 3820 cmd.exe 70 PID 3672 wrote to memory of 1708 3672 build-x32.crypt.bin.exe 73 PID 3672 wrote to memory of 1708 3672 build-x32.crypt.bin.exe 73 PID 3672 wrote to memory of 1708 3672 build-x32.crypt.bin.exe 73 PID 3672 wrote to memory of 3024 3672 build-x32.crypt.bin.exe 75 PID 3672 wrote to memory of 3024 3672 build-x32.crypt.bin.exe 75 PID 3672 wrote to memory of 3024 3672 build-x32.crypt.bin.exe 75 PID 3672 wrote to memory of 788 3672 build-x32.crypt.bin.exe 77 PID 3672 wrote to memory of 788 3672 build-x32.crypt.bin.exe 77 PID 3672 wrote to memory of 788 3672 build-x32.crypt.bin.exe 77 PID 3672 wrote to memory of 588 3672 build-x32.crypt.bin.exe 79 PID 3672 wrote to memory of 588 3672 build-x32.crypt.bin.exe 79 PID 3672 wrote to memory of 588 3672 build-x32.crypt.bin.exe 79 PID 3672 wrote to memory of 860 3672 build-x32.crypt.bin.exe 81 PID 3672 wrote to memory of 860 3672 build-x32.crypt.bin.exe 81 PID 3672 wrote to memory of 860 3672 build-x32.crypt.bin.exe 81 PID 860 wrote to memory of 944 860 cmd.exe 83 PID 860 wrote to memory of 944 860 cmd.exe 83 PID 860 wrote to memory of 944 860 cmd.exe 83 PID 3672 wrote to memory of 1228 3672 build-x32.crypt.bin.exe 84 PID 3672 wrote to memory of 1228 3672 build-x32.crypt.bin.exe 84 PID 3672 wrote to memory of 1228 3672 build-x32.crypt.bin.exe 84 PID 3672 wrote to memory of 3528 3672 build-x32.crypt.bin.exe 86 PID 3672 wrote to memory of 3528 3672 build-x32.crypt.bin.exe 86 PID 3672 wrote to memory of 3528 3672 build-x32.crypt.bin.exe 86 PID 3528 wrote to memory of 1548 3528 cmd.exe 88 PID 3528 wrote to memory of 1548 3528 cmd.exe 88 PID 3528 wrote to memory of
1548 3528 cmd.exe 88 PID 3672 wrote to memory of 1940 3672 build-x32.crypt.bin.exe 90 PID 3672 wrote to memory of 1940 3672 build-x32.crypt.bin.exe 90 PID 3672 wrote to memory of 1940 3672 build-x32.crypt.bin.exe 90 PID 1940 wrote to memory of 2100 1940 cmd.exe 92 PID 1940 wrote to memory of 2100 1940 cmd.exe 92 PID 1940 wrote to memory of 2100 1940 cmd.exe 92 PID 3672 wrote to memory of 2196 3672 build-x32.crypt.bin.exe 93 PID 3672 wrote to memory of 2196 3672 build-x32.crypt.bin.exe 93 PID 3672 wrote to memory of 2196 3672 build-x32.crypt.bin.exe 93 PID 2196 wrote to memory of 2708 2196 cmd.exe 95 PID 2196 wrote to memory of 2708 2196 cmd.exe 95 PID 2196 wrote to memory of 2708 2196 cmd.exe 95 PID 3672 wrote to memory of 3060 3672 build-x32.crypt.bin.exe 96 PID 3672 wrote to memory of 3060 3672 build-x32.crypt.bin.exe 96 PID 3672 wrote to memory of 3060 3672 build-x32.crypt.bin.exe 96 PID 3060 wrote to memory of 1876 3060 cmd.exe 98 PID 3060 wrote to memory of 1876 3060 cmd.exe 98 PID 3060 wrote to memory of 1876 3060 cmd.exe 98 PID 3672 wrote to memory of 3176 3672 build-x32.crypt.bin.exe 99 PID 3672 wrote to memory of 3176 3672 build-x32.crypt.bin.exe 99 PID 3672 wrote to memory of 3176 3672 build-x32.crypt.bin.exe 99 PID 3176 wrote to memory of 3580 3176 cmd.exe 101 PID 3176 wrote to memory of 3580 3176 cmd.exe 101 PID 3176 wrote to memory of 3580 3176 cmd.exe 101 PID 3672 wrote to memory of 3996 3672 build-x32.crypt.bin.exe 102 PID 3672 wrote to memory of 3996 3672 build-x32.crypt.bin.exe 102 PID 3672 wrote to memory of 3996 3672 build-x32.crypt.bin.exe 102 PID 3996 wrote to memory of 3768 3996 cmd.exe 104 PID 3996 wrote to memory of 3768 3996 cmd.exe 104 PID 3996 wrote to memory of 3768 3996 cmd.exe 104 PID 3672 wrote to memory of 3396 3672 build-x32.crypt.bin.exe 105 PID 3672 wrote to memory of 3396 3672 build-x32.crypt.bin.exe 105 PID 3672 wrote to memory of 3396 3672 build-x32.crypt.bin.exe 105 PID 3396 wrote to memory of 3720 3396 cmd.exe 107 PID 3396 
wrote to memory of 3720 3396 cmd.exe 107 PID 3396 wrote to memory of 3720 3396 cmd.exe 107 PID 3672 wrote to memory of 3788 3672 build-x32.crypt.bin.exe 108 PID 3672 wrote to memory of 3788 3672 build-x32.crypt.bin.exe 108 PID 3672 wrote to memory of 3788 3672 build-x32.crypt.bin.exe 108 PID 3788 wrote to memory of 496 3788 cmd.exe 110 PID 3788 wrote to memory of 496 3788 cmd.exe 110 PID 3788 wrote to memory of 496 3788 cmd.exe 110 PID 3672 wrote to memory of 3744 3672 build-x32.crypt.bin.exe 111 PID 3672 wrote to memory of 3744 3672 build-x32.crypt.bin.exe 111 PID 3672 wrote to memory of 3744 3672 build-x32.crypt.bin.exe 111 PID 3744 wrote to memory of 788 3744 cmd.exe 113 PID 3744 wrote to memory of 788 3744 cmd.exe 113 PID 3744 wrote to memory of 788 3744 cmd.exe 113 PID 3672 wrote to memory of 588 3672 build-x32.crypt.bin.exe 114 PID 3672 wrote to memory of 588 3672 build-x32.crypt.bin.exe 114 PID 3672 wrote to memory of 588 3672 build-x32.crypt.bin.exe 114 PID 588 wrote to memory of 1172 588 cmd.exe 116 PID 588 wrote to memory of 1172 588 cmd.exe 116 PID 588 wrote to memory of 1172 588 cmd.exe 116 PID 3672 wrote to memory of 412 3672 build-x32.crypt.bin.exe 117 PID 3672 wrote to memory of 412 3672 build-x32.crypt.bin.exe 117 PID 3672 wrote to memory of 412 3672 build-x32.crypt.bin.exe 117 PID 412 wrote to memory of 1316 412 cmd.exe 119 PID 412 wrote to memory of 1316 412 cmd.exe 119 PID 412 wrote to memory of 1316 412 cmd.exe 119 PID 3672 wrote to memory of 3512 3672 build-x32.crypt.bin.exe 120 PID 3672 wrote to memory of 3512 3672 build-x32.crypt.bin.exe 120 PID 3672 wrote to memory of 3512 3672 build-x32.crypt.bin.exe 120 PID 3512 wrote to memory of 1548 3512 cmd.exe 122 PID 3512 wrote to memory of 1548 3512 cmd.exe 122 PID 3512 wrote to memory of 1548 3512 cmd.exe 122 PID 3672 wrote to memory of 960 3672 build-x32.crypt.bin.exe 123 PID 3672 wrote to memory of 960 3672 build-x32.crypt.bin.exe 123 PID 3672 wrote to memory of 960 3672 build-x32.crypt.bin.exe 
123 PID 960 wrote to memory of 2100 960 cmd.exe 125 PID 960 wrote to memory of 2100 960 cmd.exe 125 PID 960 wrote to memory of 2100 960 cmd.exe 125 PID 3672 wrote to memory of 2432 3672 build-x32.crypt.bin.exe 126 PID 3672 wrote to memory of 2432 3672 build-x32.crypt.bin.exe 126 PID 3672 wrote to memory of 2432 3672 build-x32.crypt.bin.exe 126 PID 2432 wrote to memory of 2708 2432 cmd.exe 128 PID 2432 wrote to memory of 2708 2432 cmd.exe 128 PID 2432 wrote to memory of 2708 2432 cmd.exe 128 PID 3672 wrote to memory of 3812 3672 build-x32.crypt.bin.exe 129 PID 3672 wrote to memory of 3812 3672 build-x32.crypt.bin.exe 129 PID 3672 wrote to memory of 3812 3672 build-x32.crypt.bin.exe 129 PID 3812 wrote to memory of 1876 3812 cmd.exe 131 PID 3812 wrote to memory of 1876 3812 cmd.exe 131 PID 3812 wrote to memory of 1876 3812 cmd.exe 131 PID 3672 wrote to memory of 1864 3672 build-x32.crypt.bin.exe 132 PID 3672 wrote to memory of 1864 3672 build-x32.crypt.bin.exe 132 PID 3672 wrote to memory of 1864 3672 build-x32.crypt.bin.exe 132 PID 1864 wrote to memory of 3580 1864 cmd.exe 134 PID 1864 wrote to memory of 3580 1864 cmd.exe 134 PID 1864 wrote to memory of 3580 1864 cmd.exe 134 PID 3672 wrote to memory of 4040 3672 build-x32.crypt.bin.exe 135 PID 3672 wrote to memory of 4040 3672 build-x32.crypt.bin.exe 135 PID 3672 wrote to memory of 4040 3672 build-x32.crypt.bin.exe 135 PID 4040 wrote to memory of 3768 4040 cmd.exe 137 PID 4040 wrote to memory of 3768 4040 cmd.exe 137 PID 4040 wrote to memory of 3768 4040 cmd.exe 137 PID 3672 wrote to memory of 3876 3672 build-x32.crypt.bin.exe 138 PID 3672 wrote to memory of 3876 3672 build-x32.crypt.bin.exe 138 PID 3672 wrote to memory of 3876 3672 build-x32.crypt.bin.exe 138 PID 3876 wrote to memory of 3720 3876 cmd.exe 140 PID 3876 wrote to memory of 3720 3876 cmd.exe 140 PID 3876 wrote to memory of 3720 3876 cmd.exe 140 PID 3672 wrote to memory of 3436 3672 build-x32.crypt.bin.exe 141 PID 3672 wrote to memory of 3436 3672 
build-x32.crypt.bin.exe 141 PID 3672 wrote to memory of 3436 3672 build-x32.crypt.bin.exe 141 PID 3436 wrote to memory of 496 3436 cmd.exe 143 PID 3436 wrote to memory of 496 3436 cmd.exe 143 PID 3436 wrote to memory of 496 3436 cmd.exe 143 PID 3672 wrote to memory of 2996 3672 build-x32.crypt.bin.exe 144 PID 3672 wrote to memory of 2996 3672 build-x32.crypt.bin.exe 144 PID 3672 wrote to memory of 2996 3672 build-x32.crypt.bin.exe 144 PID 2996 wrote to memory of 788 2996 cmd.exe 146 PID 2996 wrote to memory of 788 2996 cmd.exe 146 PID 2996 wrote to memory of 788 2996 cmd.exe 146 PID 3672 wrote to memory of 812 3672 build-x32.crypt.bin.exe 147 PID 3672 wrote to memory of 812 3672 build-x32.crypt.bin.exe 147 PID 3672 wrote to memory of 812 3672 build-x32.crypt.bin.exe 147 PID 812 wrote to memory of 1172 812 cmd.exe 149 PID 812 wrote to memory of 1172 812 cmd.exe 149 PID 812 wrote to memory of 1172 812 cmd.exe 149 PID 3672 wrote to memory of 912 3672 build-x32.crypt.bin.exe 150 PID 3672 wrote to memory of 912 3672 build-x32.crypt.bin.exe 150 PID 3672 wrote to memory of 912 3672 build-x32.crypt.bin.exe 150 PID 912 wrote to memory of 1316 912 cmd.exe 152 PID 912 wrote to memory of 1316 912 cmd.exe 152 PID 912 wrote to memory of 1316 912 cmd.exe 152 PID 3672 wrote to memory of 1696 3672 build-x32.crypt.bin.exe 153 PID 3672 wrote to memory of 1696 3672 build-x32.crypt.bin.exe 153 PID 3672 wrote to memory of 1696 3672 build-x32.crypt.bin.exe 153 PID 1696 wrote to memory of 1548 1696 cmd.exe 155 PID 1696 wrote to memory of 1548 1696 cmd.exe 155 PID 1696 wrote to memory of 1548 1696 cmd.exe 155 PID 3672 wrote to memory of 2124 3672 build-x32.crypt.bin.exe 156 PID 3672 wrote to memory of 2124 3672 build-x32.crypt.bin.exe 156 PID 3672 wrote to memory of 2124 3672 build-x32.crypt.bin.exe 156 PID 2124 wrote to memory of 2100 2124 cmd.exe 158 PID 2124 wrote to memory of 2100 2124 cmd.exe 158 PID 2124 wrote to memory of 2100 2124 cmd.exe 158 PID 3672 wrote to memory of 2820 3672 
build-x32.crypt.bin.exe 159 PID 3672 wrote to memory of 2820 3672 build-x32.crypt.bin.exe 159 PID 3672 wrote to memory of 2820 3672 build-x32.crypt.bin.exe 159 PID 2820 wrote to memory of 2708 2820 cmd.exe 161 PID 2820 wrote to memory of 2708 2820 cmd.exe 161 PID 2820 wrote to memory of 2708 2820 cmd.exe 161 PID 3672 wrote to memory of 1892 3672 build-x32.crypt.bin.exe 162 PID 3672 wrote to memory of 1892 3672 build-x32.crypt.bin.exe 162 PID 3672 wrote to memory of 1892 3672 build-x32.crypt.bin.exe 162 PID 1892 wrote to memory of 1876 1892 cmd.exe 164 PID 1892 wrote to memory of 1876 1892 cmd.exe 164 PID 1892 wrote to memory of 1876 1892 cmd.exe 164 PID 3672 wrote to memory of 3120 3672 build-x32.crypt.bin.exe 165 PID 3672 wrote to memory of 3120 3672 build-x32.crypt.bin.exe 165 PID 3672 wrote to memory of 3120 3672 build-x32.crypt.bin.exe 165 PID 3120 wrote to memory of 3580 3120 cmd.exe 167 PID 3120 wrote to memory of 3580 3120 cmd.exe 167 PID 3120 wrote to memory of 3580 3120 cmd.exe 167 PID 3672 wrote to memory of 3684 3672 build-x32.crypt.bin.exe 168 PID 3672 wrote to memory of 3684 3672 build-x32.crypt.bin.exe 168 PID 3672 wrote to memory of 3684 3672 build-x32.crypt.bin.exe 168 PID 3684 wrote to memory of 3768 3684 cmd.exe 170 PID 3684 wrote to memory of 3768 3684 cmd.exe 170 PID 3684 wrote to memory of 3768 3684 cmd.exe 170 PID 3672 wrote to memory of 3552 3672 build-x32.crypt.bin.exe 171 PID 3672 wrote to memory of 3552 3672 build-x32.crypt.bin.exe 171 PID 3672 wrote to memory of 3552 3672 build-x32.crypt.bin.exe 171 PID 3552 wrote to memory of 3720 3552 cmd.exe 173 PID 3552 wrote to memory of 3720 3552 cmd.exe 173 PID 3552 wrote to memory of 3720 3552 cmd.exe 173 PID 3672 wrote to memory of 416 3672 build-x32.crypt.bin.exe 174 PID 3672 wrote to memory of 416 3672 build-x32.crypt.bin.exe 174 PID 3672 wrote to memory of 416 3672 build-x32.crypt.bin.exe 174 PID 416 wrote to memory of 496 416 cmd.exe 176 PID 416 wrote to memory of 496 416 cmd.exe 176 PID 416 
wrote to memory of 496 416 cmd.exe 176 PID 3672 wrote to memory of 420 3672 build-x32.crypt.bin.exe 177 PID 3672 wrote to memory of 420 3672 build-x32.crypt.bin.exe 177 PID 3672 wrote to memory of 420 3672 build-x32.crypt.bin.exe 177 PID 420 wrote to memory of 788 420 cmd.exe 179 PID 420 wrote to memory of 788 420 cmd.exe 179 PID 420 wrote to memory of 788 420 cmd.exe 179 PID 3672 wrote to memory of 1116 3672 build-x32.crypt.bin.exe 180 PID 3672 wrote to memory of 1116 3672 build-x32.crypt.bin.exe 180 PID 3672 wrote to memory of 1116 3672 build-x32.crypt.bin.exe 180 PID 1116 wrote to memory of 1172 1116 cmd.exe 182 PID 1116 wrote to memory of 1172 1116 cmd.exe 182 PID 1116 wrote to memory of 1172 1116 cmd.exe 182 PID 3672 wrote to memory of 1252 3672 build-x32.crypt.bin.exe 183 PID 3672 wrote to memory of 1252 3672 build-x32.crypt.bin.exe 183 PID 3672 wrote to memory of 1252 3672 build-x32.crypt.bin.exe 183 PID 1252 wrote to memory of 1316 1252 cmd.exe 185 PID 1252 wrote to memory of 1316 1252 cmd.exe 185 PID 1252 wrote to memory of 1316 1252 cmd.exe 185 PID 3672 wrote to memory of 1220 3672 build-x32.crypt.bin.exe 186 PID 3672 wrote to memory of 1220 3672 build-x32.crypt.bin.exe 186 PID 3672 wrote to memory of 1220 3672 build-x32.crypt.bin.exe 186 PID 1220 wrote to memory of 1572 1220 cmd.exe 188 PID 1220 wrote to memory of 1572 1220 cmd.exe 188 PID 1220 wrote to memory of 1572 1220 cmd.exe 188 PID 3672 wrote to memory of 1444 3672 build-x32.crypt.bin.exe 189 PID 3672 wrote to memory of 1444 3672 build-x32.crypt.bin.exe 189 PID 3672 wrote to memory of 1444 3672 build-x32.crypt.bin.exe 189 PID 1444 wrote to memory of 2140 1444 cmd.exe 191 PID 1444 wrote to memory of 2140 1444 cmd.exe 191 PID 1444 wrote to memory of 2140 1444 cmd.exe 191 PID 3672 wrote to memory of 1368 3672 build-x32.crypt.bin.exe 192 PID 3672 wrote to memory of 1368 3672 build-x32.crypt.bin.exe 192 PID 3672 wrote to memory of 1368 3672 build-x32.crypt.bin.exe 192 PID 1368 wrote to memory of 2880 
1368 cmd.exe 194 PID 1368 wrote to memory of 2880 1368 cmd.exe 194 PID 1368 wrote to memory of 2880 1368 cmd.exe 194 PID 3672 wrote to memory of 2980 3672 build-x32.crypt.bin.exe 195 PID 3672 wrote to memory of 2980 3672 build-x32.crypt.bin.exe 195 PID 3672 wrote to memory of 2980 3672 build-x32.crypt.bin.exe 195 PID 2980 wrote to memory of 3844 2980 cmd.exe 197 PID 2980 wrote to memory of 3844 2980 cmd.exe 197 PID 2980 wrote to memory of 3844 2980 cmd.exe 197 PID 3672 wrote to memory of 3620 3672 build-x32.crypt.bin.exe 198 PID 3672 wrote to memory of 3620 3672 build-x32.crypt.bin.exe 198 PID 3672 wrote to memory of 3620 3672 build-x32.crypt.bin.exe 198 PID 3620 wrote to memory of 2992 3620 cmd.exe 200 PID 3620 wrote to memory of 2992 3620 cmd.exe 200 PID 3620 wrote to memory of 2992 3620 cmd.exe 200 PID 3672 wrote to memory of 3916 3672 build-x32.crypt.bin.exe 201 PID 3672 wrote to memory of 3916 3672 build-x32.crypt.bin.exe 201 PID 3672 wrote to memory of 3916 3672 build-x32.crypt.bin.exe 201 PID 3916 wrote to memory of 3704 3916 cmd.exe 203 PID 3916 wrote to memory of 3704 3916 cmd.exe 203 PID 3916 wrote to memory of 3704 3916 cmd.exe 203 PID 3672 wrote to memory of 3772 3672 build-x32.crypt.bin.exe 204 PID 3672 wrote to memory of 3772 3672 build-x32.crypt.bin.exe 204 PID 3672 wrote to memory of 3772 3672 build-x32.crypt.bin.exe 204 PID 3772 wrote to memory of 3824 3772 cmd.exe 206 PID 3772 wrote to memory of 3824 3772 cmd.exe 206 PID 3772 wrote to memory of 3824 3772 cmd.exe 206 PID 3672 wrote to memory of 3816 3672 build-x32.crypt.bin.exe 207 PID 3672 wrote to memory of 3816 3672 build-x32.crypt.bin.exe 207 PID 3672 wrote to memory of 3816 3672 build-x32.crypt.bin.exe 207 PID 3816 wrote to memory of 1708 3816 cmd.exe 209 PID 3816 wrote to memory of 1708 3816 cmd.exe 209 PID 3816 wrote to memory of 1708 3816 cmd.exe 209 PID 3672 wrote to memory of 2988 3672 build-x32.crypt.bin.exe 210 PID 3672 wrote to memory of 2988 3672 build-x32.crypt.bin.exe 210 PID 3672 
wrote to memory of 2988 3672 build-x32.crypt.bin.exe 210 PID 2988 wrote to memory of 500 2988 cmd.exe 212 PID 2988 wrote to memory of 500 2988 cmd.exe 212 PID 2988 wrote to memory of 500 2988 cmd.exe 212 PID 3672 wrote to memory of 512 3672 build-x32.crypt.bin.exe 213 PID 3672 wrote to memory of 512 3672 build-x32.crypt.bin.exe 213 PID 3672 wrote to memory of 512 3672 build-x32.crypt.bin.exe 213 PID 512 wrote to memory of 3612 512 cmd.exe 215 PID 512 wrote to memory of 3612 512 cmd.exe 215 PID 512 wrote to memory of 3612 512 cmd.exe 215 PID 3672 wrote to memory of 1176 3672 build-x32.crypt.bin.exe 216 PID 3672 wrote to memory of 1176 3672 build-x32.crypt.bin.exe 216 PID 3672 wrote to memory of 1176 3672 build-x32.crypt.bin.exe 216 PID 1176 wrote to memory of 1224 1176 cmd.exe 218 PID 1176 wrote to memory of 1224 1176 cmd.exe 218 PID 1176 wrote to memory of 1224 1176 cmd.exe 218 PID 3672 wrote to memory of 1232 3672 build-x32.crypt.bin.exe 219 PID 3672 wrote to memory of 1232 3672 build-x32.crypt.bin.exe 219 PID 3672 wrote to memory of 1232 3672 build-x32.crypt.bin.exe 219 PID 1232 wrote to memory of 1448 1232 cmd.exe 221 PID 1232 wrote to memory of 1448 1232 cmd.exe 221 PID 1232 wrote to memory of 1448 1232 cmd.exe 221 PID 3672 wrote to memory of 1608 3672 build-x32.crypt.bin.exe 222 PID 3672 wrote to memory of 1608 3672 build-x32.crypt.bin.exe 222 PID 3672 wrote to memory of 1608 3672 build-x32.crypt.bin.exe 222 PID 1608 wrote to memory of 2088 1608 cmd.exe 224 PID 1608 wrote to memory of 2088 1608 cmd.exe 224 PID 1608 wrote to memory of 2088 1608 cmd.exe 224 PID 3672 wrote to memory of 2080 3672 build-x32.crypt.bin.exe 225 PID 3672 wrote to memory of 2080 3672 build-x32.crypt.bin.exe 225 PID 3672 wrote to memory of 2080 3672 build-x32.crypt.bin.exe 225 PID 2080 wrote to memory of 2880 2080 cmd.exe 227 PID 2080 wrote to memory of 2880 2080 cmd.exe 227 PID 2080 wrote to memory of 2880 2080 cmd.exe 227 PID 3672 wrote to memory of 2720 3672 build-x32.crypt.bin.exe 
228 PID 3672 wrote to memory of 2720 3672 build-x32.crypt.bin.exe 228 PID 3672 wrote to memory of 2720 3672 build-x32.crypt.bin.exe 228 PID 2720 wrote to memory of 3844 2720 cmd.exe 230 PID 2720 wrote to memory of 3844 2720 cmd.exe 230 PID 2720 wrote to memory of 3844 2720 cmd.exe 230 PID 3672 wrote to memory of 2776 3672 build-x32.crypt.bin.exe 231 PID 3672 wrote to memory of 2776 3672 build-x32.crypt.bin.exe 231 PID 3672 wrote to memory of 2776 3672 build-x32.crypt.bin.exe 231 PID 2776 wrote to memory of 2992 2776 cmd.exe 233 PID 2776 wrote to memory of 2992 2776 cmd.exe 233 PID 2776 wrote to memory of 2992 2776 cmd.exe 233 PID 3672 wrote to memory of 3548 3672 build-x32.crypt.bin.exe 234 PID 3672 wrote to memory of 3548 3672 build-x32.crypt.bin.exe 234 PID 3672 wrote to memory of 3548 3672 build-x32.crypt.bin.exe 234 PID 3548 wrote to memory of 3704 3548 cmd.exe 236 PID 3548 wrote to memory of 3704 3548 cmd.exe 236 PID 3548 wrote to memory of 3704 3548 cmd.exe 236 PID 3672 wrote to memory of 3708 3672 build-x32.crypt.bin.exe 237 PID 3672 wrote to memory of 3708 3672 build-x32.crypt.bin.exe 237 PID 3672 wrote to memory of 3708 3672 build-x32.crypt.bin.exe 237 PID 3708 wrote to memory of 3824 3708 cmd.exe 239 PID 3708 wrote to memory of 3824 3708 cmd.exe 239 PID 3708 wrote to memory of 3824 3708 cmd.exe 239 PID 3672 wrote to memory of 3944 3672 build-x32.crypt.bin.exe 240 PID 3672 wrote to memory of 3944 3672 build-x32.crypt.bin.exe 240 PID 3672 wrote to memory of 3944 3672 build-x32.crypt.bin.exe 240 PID 3944 wrote to memory of 1708 3944 cmd.exe 242 PID 3944 wrote to memory of 1708 3944 cmd.exe 242 PID 3944 wrote to memory of 1708 3944 cmd.exe 242 PID 3672 wrote to memory of 3000 3672 build-x32.crypt.bin.exe 243 PID 3672 wrote to memory of 3000 3672 build-x32.crypt.bin.exe 243 PID 3672 wrote to memory of 3000 3672 build-x32.crypt.bin.exe 243 PID 3000 wrote to memory of 524 3000 cmd.exe 245 PID 3000 wrote to memory of 524 3000 cmd.exe 245 PID 3000 wrote to memory 
of 524 3000 cmd.exe 245 PID 3672 wrote to memory of 1628 3672 build-x32.crypt.bin.exe 246 PID 3672 wrote to memory of 1628 3672 build-x32.crypt.bin.exe 246 PID 3672 wrote to memory of 1628 3672 build-x32.crypt.bin.exe 246 PID 1628 wrote to memory of 1012 1628 cmd.exe 248 PID 1628 wrote to memory of 1012 1628 cmd.exe 248 PID 1628 wrote to memory of 1012 1628 cmd.exe 248 PID 3672 wrote to memory of 564 3672 build-x32.crypt.bin.exe 249 PID 3672 wrote to memory of 564 3672 build-x32.crypt.bin.exe 249 PID 3672 wrote to memory of 564 3672 build-x32.crypt.bin.exe 249 PID 564 wrote to memory of 1020 564 cmd.exe 251 PID 564 wrote to memory of 1020 564 cmd.exe 251 PID 564 wrote to memory of 1020 564 cmd.exe 251 PID 3672 wrote to memory of 3608 3672 build-x32.crypt.bin.exe 252 PID 3672 wrote to memory of 3608 3672 build-x32.crypt.bin.exe 252 PID 3672 wrote to memory of 3608 3672 build-x32.crypt.bin.exe 252 PID 3608 wrote to memory of 1548 3608 cmd.exe 254 PID 3608 wrote to memory of 1548 3608 cmd.exe 254 PID 3608 wrote to memory of 1548 3608 cmd.exe 254 PID 3672 wrote to memory of 412 3672 build-x32.crypt.bin.exe 255 PID 3672 wrote to memory of 412 3672 build-x32.crypt.bin.exe 255 PID 3672 wrote to memory of 412 3672 build-x32.crypt.bin.exe 255 PID 412 wrote to memory of 2128 412 cmd.exe 257 PID 412 wrote to memory of 2128 412 cmd.exe 257 PID 412 wrote to memory of 2128 412 cmd.exe 257 PID 3672 wrote to memory of 1572 3672 build-x32.crypt.bin.exe 258 PID 3672 wrote to memory of 1572 3672 build-x32.crypt.bin.exe 258 PID 3672 wrote to memory of 1572 3672 build-x32.crypt.bin.exe 258 PID 1572 wrote to memory of 2824 1572 cmd.exe 260 PID 1572 wrote to memory of 2824 1572 cmd.exe 260 PID 1572 wrote to memory of 2824 1572 cmd.exe 260 PID 3672 wrote to memory of 2124 3672 build-x32.crypt.bin.exe 261 PID 3672 wrote to memory of 2124 3672 build-x32.crypt.bin.exe 261 PID 3672 wrote to memory of 2124 3672 build-x32.crypt.bin.exe 261 PID 2124 wrote to memory of 2484 2124 cmd.exe 263 PID 
2124 wrote to memory of 2484 2124 cmd.exe 263 PID 2124 wrote to memory of 2484 2124 cmd.exe 263 PID 3672 wrote to memory of 2252 3672 build-x32.crypt.bin.exe 264 PID 3672 wrote to memory of 2252 3672 build-x32.crypt.bin.exe 264 PID 3672 wrote to memory of 2252 3672 build-x32.crypt.bin.exe 264 PID 2252 wrote to memory of 3080 2252 cmd.exe 266 PID 2252 wrote to memory of 3080 2252 cmd.exe 266 PID 2252 wrote to memory of 3080 2252 cmd.exe 266 PID 3672 wrote to memory of 3116 3672 build-x32.crypt.bin.exe 267 PID 3672 wrote to memory of 3116 3672 build-x32.crypt.bin.exe 267 PID 3672 wrote to memory of 3116 3672 build-x32.crypt.bin.exe 267 PID 3116 wrote to memory of 1620 3116 cmd.exe 269 PID 3116 wrote to memory of 1620 3116 cmd.exe 269 PID 3116 wrote to memory of 1620 3116 cmd.exe 269 PID 3672 wrote to memory of 3796 3672 build-x32.crypt.bin.exe 270 PID 3672 wrote to memory of 3796 3672 build-x32.crypt.bin.exe 270 PID 3672 wrote to memory of 3796 3672 build-x32.crypt.bin.exe 270 PID 3796 wrote to memory of 3056 3796 cmd.exe 272 PID 3796 wrote to memory of 3056 3796 cmd.exe 272 PID 3796 wrote to memory of 3056 3796 cmd.exe 272 PID 3672 wrote to memory of 3804 3672 build-x32.crypt.bin.exe 273 PID 3672 wrote to memory of 3804 3672 build-x32.crypt.bin.exe 273 PID 3672 wrote to memory of 3804 3672 build-x32.crypt.bin.exe 273 PID 3804 wrote to memory of 3880 3804 cmd.exe 275 PID 3804 wrote to memory of 3880 3804 cmd.exe 275 PID 3804 wrote to memory of 3880 3804 cmd.exe 275 PID 3672 wrote to memory of 3468 3672 build-x32.crypt.bin.exe 276 PID 3672 wrote to memory of 3468 3672 build-x32.crypt.bin.exe 276 PID 3672 wrote to memory of 3468 3672 build-x32.crypt.bin.exe 276 PID 3468 wrote to memory of 500 3468 cmd.exe 278 PID 3468 wrote to memory of 500 3468 cmd.exe 278 PID 3468 wrote to memory of 500 3468 cmd.exe 278 PID 3672 wrote to memory of 692 3672 build-x32.crypt.bin.exe 279 PID 3672 wrote to memory of 692 3672 build-x32.crypt.bin.exe 279 PID 3672 wrote to memory of 692 3672 
build-x32.crypt.bin.exe 279 PID 692 wrote to memory of 3612 692 cmd.exe 281 PID 692 wrote to memory of 3612 692 cmd.exe 281 PID 692 wrote to memory of 3612 692 cmd.exe 281 PID 3672 wrote to memory of 1128 3672 build-x32.crypt.bin.exe 282 PID 3672 wrote to memory of 1128 3672 build-x32.crypt.bin.exe 282 PID 3672 wrote to memory of 1128 3672 build-x32.crypt.bin.exe 282 PID 1128 wrote to memory of 1224 1128 cmd.exe 284 PID 1128 wrote to memory of 1224 1128 cmd.exe 284 PID 1128 wrote to memory of 1224 1128 cmd.exe 284 PID 3672 wrote to memory of 1248 3672 build-x32.crypt.bin.exe 285 PID 3672 wrote to memory of 1248 3672 build-x32.crypt.bin.exe 285 PID 3672 wrote to memory of 1248 3672 build-x32.crypt.bin.exe 285 PID 1248 wrote to memory of 1448 1248 cmd.exe 287 PID 1248 wrote to memory of 1448 1248 cmd.exe 287 PID 1248 wrote to memory of 1448 1248 cmd.exe 287 PID 3672 wrote to memory of 1552 3672 build-x32.crypt.bin.exe 288 PID 3672 wrote to memory of 1552 3672 build-x32.crypt.bin.exe 288 PID 3672 wrote to memory of 1552 3672 build-x32.crypt.bin.exe 288 PID 1552 wrote to memory of 2088 1552 cmd.exe 290 PID 1552 wrote to memory of 2088 1552 cmd.exe 290 PID 1552 wrote to memory of 2088 1552 cmd.exe 290 PID 3672 wrote to memory of 2148 3672 build-x32.crypt.bin.exe 291 PID 3672 wrote to memory of 2148 3672 build-x32.crypt.bin.exe 291 PID 3672 wrote to memory of 2148 3672 build-x32.crypt.bin.exe 291 PID 2148 wrote to memory of 2880 2148 cmd.exe 293 PID 2148 wrote to memory of 2880 2148 cmd.exe 293 PID 2148 wrote to memory of 2880 2148 cmd.exe 293 PID 3672 wrote to memory of 2660 3672 build-x32.crypt.bin.exe 294 PID 3672 wrote to memory of 2660 3672 build-x32.crypt.bin.exe 294 PID 3672 wrote to memory of 2660 3672 build-x32.crypt.bin.exe 294 PID 2660 wrote to memory of 3844 2660 cmd.exe 296 PID 2660 wrote to memory of 3844 2660 cmd.exe 296 PID 2660 wrote to memory of 3844 2660 cmd.exe 296 PID 3672 wrote to memory of 2196 3672 build-x32.crypt.bin.exe 297 PID 3672 wrote to 
memory of 2196 3672 build-x32.crypt.bin.exe 297 PID 3672 wrote to memory of 2196 3672 build-x32.crypt.bin.exe 297 PID 2196 wrote to memory of 2992 2196 cmd.exe 299 PID 2196 wrote to memory of 2992 2196 cmd.exe 299 PID 2196 wrote to memory of 2992 2196 cmd.exe 299 PID 3672 wrote to memory of 3060 3672 build-x32.crypt.bin.exe 300 PID 3672 wrote to memory of 3060 3672 build-x32.crypt.bin.exe 300 PID 3672 wrote to memory of 3060 3672 build-x32.crypt.bin.exe 300 PID 3060 wrote to memory of 3704 3060 cmd.exe 302 PID 3060 wrote to memory of 3704 3060 cmd.exe 302 PID 3060 wrote to memory of 3704 3060 cmd.exe 302 PID 3672 wrote to memory of 3176 3672 build-x32.crypt.bin.exe 303 PID 3672 wrote to memory of 3176 3672 build-x32.crypt.bin.exe 303 PID 3672 wrote to memory of 3176 3672 build-x32.crypt.bin.exe 303 PID 3176 wrote to memory of 3824 3176 cmd.exe 305 PID 3176 wrote to memory of 3824 3176 cmd.exe 305 PID 3176 wrote to memory of 3824 3176 cmd.exe 305 PID 3672 wrote to memory of 3996 3672 build-x32.crypt.bin.exe 306 PID 3672 wrote to memory of 3996 3672 build-x32.crypt.bin.exe 306 PID 3672 wrote to memory of 3996 3672 build-x32.crypt.bin.exe 306 PID 3996 wrote to memory of 1708 3996 cmd.exe 308 PID 3996 wrote to memory of 1708 3996 cmd.exe 308 PID 3996 wrote to memory of 1708 3996 cmd.exe 308 PID 3672 wrote to memory of 3396 3672 build-x32.crypt.bin.exe 309 PID 3672 wrote to memory of 3396 3672 build-x32.crypt.bin.exe 309 PID 3672 wrote to memory of 3396 3672 build-x32.crypt.bin.exe 309 PID 3396 wrote to memory of 524 3396 cmd.exe 311 PID 3396 wrote to memory of 524 3396 cmd.exe 311 PID 3396 wrote to memory of 524 3396 cmd.exe 311 PID 3672 wrote to memory of 3780 3672 build-x32.crypt.bin.exe 312 PID 3672 wrote to memory of 3780 3672 build-x32.crypt.bin.exe 312 PID 3672 wrote to memory of 3780 3672 build-x32.crypt.bin.exe 312 PID 3780 wrote to memory of 1012 3780 cmd.exe 314 PID 3780 wrote to memory of 1012 3780 cmd.exe 314 PID 3780 wrote to memory of 1012 3780 cmd.exe 
314 PID 3672 wrote to memory of 2640 3672 build-x32.crypt.bin.exe 315 PID 3672 wrote to memory of 2640 3672 build-x32.crypt.bin.exe 315 PID 3672 wrote to memory of 2640 3672 build-x32.crypt.bin.exe 315 PID 2640 wrote to memory of 1020 2640 cmd.exe 317 PID 2640 wrote to memory of 1020 2640 cmd.exe 317 PID 2640 wrote to memory of 1020 2640 cmd.exe 317 PID 3672 wrote to memory of 656 3672 build-x32.crypt.bin.exe 318 PID 3672 wrote to memory of 656 3672 build-x32.crypt.bin.exe 318 PID 3672 wrote to memory of 656 3672 build-x32.crypt.bin.exe 318 PID 656 wrote to memory of 1548 656 cmd.exe 320 PID 656 wrote to memory of 1548 656 cmd.exe 320 PID 656 wrote to memory of 1548 656 cmd.exe 320 PID 3672 wrote to memory of 1532 3672 build-x32.crypt.bin.exe 321 PID 3672 wrote to memory of 1532 3672 build-x32.crypt.bin.exe 321 PID 3672 wrote to memory of 1532 3672 build-x32.crypt.bin.exe 321 PID 1532 wrote to memory of 2128 1532 cmd.exe 323 PID 1532 wrote to memory of 2128 1532 cmd.exe 323 PID 1532 wrote to memory of 2128 1532 cmd.exe 323 PID 3672 wrote to memory of 2136 3672 build-x32.crypt.bin.exe 324 PID 3672 wrote to memory of 2136 3672 build-x32.crypt.bin.exe 324 PID 3672 wrote to memory of 2136 3672 build-x32.crypt.bin.exe 324 PID 2136 wrote to memory of 2824 2136 cmd.exe 326 PID 2136 wrote to memory of 2824 2136 cmd.exe 326 PID 2136 wrote to memory of 2824 2136 cmd.exe 326 PID 3672 wrote to memory of 2832 3672 build-x32.crypt.bin.exe 327 PID 3672 wrote to memory of 2832 3672 build-x32.crypt.bin.exe 327 PID 3672 wrote to memory of 2832 3672 build-x32.crypt.bin.exe 327 PID 2832 wrote to memory of 2484 2832 cmd.exe 329 PID 2832 wrote to memory of 2484 2832 cmd.exe 329 PID 2832 wrote to memory of 2484 2832 cmd.exe 329 PID 3672 wrote to memory of 3808 3672 build-x32.crypt.bin.exe 330 PID 3672 wrote to memory of 3808 3672 build-x32.crypt.bin.exe 330 PID 3672 wrote to memory of 3808 3672 build-x32.crypt.bin.exe 330 PID 3808 wrote to memory of 3080 3808 cmd.exe 332 PID 3808 wrote 
to memory of 3080 3808 cmd.exe 332 PID 3808 wrote to memory of 3080 3808 cmd.exe 332 PID 3672 wrote to memory of 3020 3672 build-x32.crypt.bin.exe 333 PID 3672 wrote to memory of 3020 3672 build-x32.crypt.bin.exe 333 PID 3672 wrote to memory of 3020 3672 build-x32.crypt.bin.exe 333 PID 3020 wrote to memory of 1620 3020 cmd.exe 335 PID 3020 wrote to memory of 1620 3020 cmd.exe 335 PID 3020 wrote to memory of 1620 3020 cmd.exe 335 PID 3672 wrote to memory of 3696 3672 build-x32.crypt.bin.exe 336 PID 3672 wrote to memory of 3696 3672 build-x32.crypt.bin.exe 336 PID 3672 wrote to memory of 3696 3672 build-x32.crypt.bin.exe 336 PID 3696 wrote to memory of 3056 3696 cmd.exe 338 PID 3696 wrote to memory of 3056 3696 cmd.exe 338 PID 3696 wrote to memory of 3056 3696 cmd.exe 338 PID 3672 wrote to memory of 3832 3672 build-x32.crypt.bin.exe 339 PID 3672 wrote to memory of 3832 3672 build-x32.crypt.bin.exe 339 PID 3672 wrote to memory of 3832 3672 build-x32.crypt.bin.exe 339 PID 3832 wrote to memory of 3880 3832 cmd.exe 341 PID 3832 wrote to memory of 3880 3832 cmd.exe 341 PID 3832 wrote to memory of 3880 3832 cmd.exe 341 PID 3672 wrote to memory of 3420 3672 build-x32.crypt.bin.exe 342 PID 3672 wrote to memory of 3420 3672 build-x32.crypt.bin.exe 342 PID 3672 wrote to memory of 3420 3672 build-x32.crypt.bin.exe 342 PID 3420 wrote to memory of 500 3420 cmd.exe 344 PID 3420 wrote to memory of 500 3420 cmd.exe 344 PID 3420 wrote to memory of 500 3420 cmd.exe 344 PID 3672 wrote to memory of 2996 3672 build-x32.crypt.bin.exe 345 PID 3672 wrote to memory of 2996 3672 build-x32.crypt.bin.exe 345 PID 3672 wrote to memory of 2996 3672 build-x32.crypt.bin.exe 345 PID 2996 wrote to memory of 3612 2996 cmd.exe 347 PID 2996 wrote to memory of 3612 2996 cmd.exe 347 PID 2996 wrote to memory of 3612 2996 cmd.exe 347 PID 3672 wrote to memory of 812 3672 build-x32.crypt.bin.exe 348 PID 3672 wrote to memory of 812 3672 build-x32.crypt.bin.exe 348 PID 3672 wrote to memory of 812 3672 
build-x32.crypt.bin.exe 348 PID 812 wrote to memory of 1224 812 cmd.exe 350 PID 812 wrote to memory of 1224 812 cmd.exe 350 PID 812 wrote to memory of 1224 812 cmd.exe 350 PID 3672 wrote to memory of 1348 3672 build-x32.crypt.bin.exe 351 PID 3672 wrote to memory of 1348 3672 build-x32.crypt.bin.exe 351 PID 3672 wrote to memory of 1348 3672 build-x32.crypt.bin.exe 351 PID 1348 wrote to memory of 1448 1348 cmd.exe 353 PID 1348 wrote to memory of 1448 1348 cmd.exe 353 PID 1348 wrote to memory of 1448 1348 cmd.exe 353 PID 3672 wrote to memory of 1228 3672 build-x32.crypt.bin.exe 354 PID 3672 wrote to memory of 1228 3672 build-x32.crypt.bin.exe 354 PID 3672 wrote to memory of 1228 3672 build-x32.crypt.bin.exe 354 PID 1228 wrote to memory of 2088 1228 cmd.exe 356 PID 1228 wrote to memory of 2088 1228 cmd.exe 356 PID 1228 wrote to memory of 2088 1228 cmd.exe 356 PID 3672 wrote to memory of 2056 3672 build-x32.crypt.bin.exe 357 PID 3672 wrote to memory of 2056 3672 build-x32.crypt.bin.exe 357 PID 3672 wrote to memory of 2056 3672 build-x32.crypt.bin.exe 357 PID 2056 wrote to memory of 2880 2056 cmd.exe 359 PID 2056 wrote to memory of 2880 2056 cmd.exe 359 PID 2056 wrote to memory of 2880 2056 cmd.exe 359 -
Suspicious behavior: EnumeratesProcesses 46 IoCs
pid Process
3672 build-x32.crypt.bin.exe (46 process-enumeration events, all from the sample process itself)
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
944 vssadmin.exe
NTFS ADS 5 IoCs
description                   ioc                                                        Process
File opened for modification  C:\Users\Admin\AppData\Local\Temp\boot.sys:uzkcayivo        build-x32.crypt.bin.exe
File created                  C:\Users\Admin\AppData\Local\Temp\boot.sys:fwsjvisltoiwhlkd build-x32.crypt.bin.exe
File created                  C:\Users\Admin\AppData\Local\Temp\boot.sys:uzkcayivo        build-x32.crypt.bin.exe
File created                  C:\Users\Admin\AppData\Local\Temp\boot.sys:ftztnzezfosqioqjq build-x32.crypt.bin.exe
File opened for modification  C:\Users\Admin\AppData\Local\Temp\boot.sys:qncbeovltenni    build-x32.crypt.bin.exe
All four streams hang off one file, boot.sys in the user's Temp directory, and the stream names look randomly generated; plain directory listings and most file-based scanners do not show alternate data streams, so check the file with dir /R or Get-Item -Stream * when hunting for this sample.
Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
-
Suspicious use of AdjustPrivilegeToken 133 IoCs
description (privileges enabled)                                              pid                                   Process
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privilege LUIDs 33, 34, 35, 36 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege), the whole set adjusted twice    1376    WMIC.exe
SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege    3928    vssvc.exe
SeDebugPrivilege, adjusted one or more times per instance    496, 500, 524, 788, 1012, 1020, 1172, 1224, 1316, 1448, 1548, 1620, 1708, 1876, 2088, 2100, 2128, 2140, 2484, 2708, 2824, 2880, 2992, 3056, 3080, 3580, 3612, 3704, 3720, 3768, 3824, 3844, 3880 (PIDs reused across instances)    taskkill.exe
None of these adjustments is unusual on its own: WMIC.exe enables every privilege its token holds when it starts, taskkill.exe enables SeDebugPrivilege so that /F can open processes it does not own, and the VSS service needs backup/restore privileges to touch shadow copies. The signal is the command lines these processes were started with (see the process tree), not the token changes.
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies service 2 TTPs 4 IoCs
description  ioc                                                                                   Process
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                 vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer               vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                      vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
The writing process is vssvc.exe, the Volume Shadow Copy service itself, and the keys are its per-writer diagnostic entries, created when the service starts up to answer the wmic SHADOWCOPY DELETE and vssadmin Delete Shadows requests below. The sample does not touch service configuration directly; this signature is a side effect of the shadow-copy deletion.
Kills process with taskkill 91 IoCs
pid Process
91 taskkill.exe instances, one per /IM mask in the process tree. Unique PIDs: 496, 500, 524, 788, 1012, 1020, 1172, 1224, 1316, 1448, 1548, 1572, 1620, 1708, 1876, 2088, 2100, 2128, 2140, 2484, 2708, 2824, 2880, 2992, 3056, 3080, 3580, 3612, 3704, 3720, 3768, 3824, 3844, 3880 (taskkill.exe). Each taskkill.exe exits within milliseconds, so Windows hands the same PIDs to later instances; when correlating these events, key on parent PID and timestamp rather than on the PID alone.
Enumerates connected drives 3 TTPs
Processes
Every action goes through cmd /C, so each step appears as a cmd.exe child of the sample with the real tool as a grandchild. All of these run from C:\Windows\SysWOW64 (the 32-bit cmd.exe, WMIC.exe, vssadmin.exe and taskkill.exe, as expected for a 32-bit sample); the only 64-bit process is the VSS service, C:\Windows\system32\vssvc.exe. In tree order the sample deletes shadow copies (wmic, vssadmin), deletes Windows Server Backup system state backups (wbadmin), turns off automatic repair on boot (bcdedit), and then issues 91 taskkill /F /T /IM <mask> calls that force-terminate every process tree whose image name starts with the mask: SQL Server, MySQL, Sybase/SQL Anywhere (dbsrv12, dbeng8), Firebird (fbguard, fbserver), Exchange full-text indexing and Windows Internal Database, QuickBooks, Adobe, Autodesk and Brother components, Tomcat, Java, Node and VMware tools, and endpoint protection (Symantec ccEvtMgr/ccSetMgr/RTVscan/DefWatch/SavRoam, 360 Safe 360se/360doctor/ZhuDongFangYu, GDscan). Killing database engines and office applications releases the file locks that would otherwise stop the encryption pass. Two caveats for anyone reusing this list as detection content: masks such as MSSQL$VEEAMSQL2012*, SQLAgent$SBSMONITORING* and MSSQL$MICROSOFT##WID* are service names rather than image names, so those calls cannot match a process (the sqlservr.exe instances behind them are caught by the earlier sql* mask), and masks containing spaces (Creative Cloud*, Adobe Desktop Service*, Adobe CEF Helper*) are shown unquoted, in which case taskkill would only see the first word. On a clean sandbox VM none of the targets is running, so the tags below record the attempt, not a successful termination. PIDs repeat within the tree (588, 788, 1548, 2100, ...) because the short-lived cmd.exe and taskkill.exe instances exit and Windows reuses their PIDs.

Columns: depth, PID, image, command line, [signatures]. cmd = C:\Windows\SysWOW64\cmd.exe, taskkill = C:\Windows\SysWOW64\taskkill.exe; WPM = Suspicious use of WriteProcessMemory, APT = Suspicious use of AdjustPrivilegeToken, KILL = Kills process with taskkill.

1  3672  C:\Users\Admin\AppData\Local\Temp\build-x32.crypt.bin.exe  "C:\Users\Admin\AppData\Local\Temp\build-x32.crypt.bin.exe"  [WPM; Suspicious behavior: EnumeratesProcesses; NTFS ADS]
  2  3820  cmd  cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive  [WPM]
    3  1376  C:\Windows\SysWOW64\Wbem\WMIC.exe  wmic.exe SHADOWCOPY DELETE /nointeractive  [APT]
  2  1708  cmd  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2  3024  cmd  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2  788   cmd  cmd /C bcdedit.exe /set {default} recoveryenabled No
  2  588   cmd  cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2  860   cmd  cmd /C vssadmin.exe Delete Shadows /All /Quiet  [WPM]
    3  944   C:\Windows\SysWOW64\vssadmin.exe  vssadmin.exe Delete Shadows /All /Quiet  [Interacts with shadow copies]
  2  1228  cmd  cmd /C C:\Windows\system32\vssvc.exe
  2  3528  cmd  cmd /C taskkill /F /T /IM wxServer*  [WPM]
    3  1548  taskkill  taskkill /F /T /IM wxServer*  [APT]
  2  1940  cmd  cmd /C taskkill /F /T /IM QBFCService*  [WPM]
    3  2100  taskkill  taskkill /F /T /IM QBFCService*  [APT]
  2  2196  cmd  cmd /C taskkill /F /T /IM QBVSS*  [WPM]
    3  2708  taskkill  taskkill /F /T /IM QBVSS*  [APT; KILL]
  2  3060  cmd  cmd /C taskkill /F /T /IM sql*  [WPM]
    3  1876  taskkill  taskkill /F /T /IM sql*  [APT; KILL]
  2  3176  cmd  cmd /C taskkill /F /T /IM msaccess*  [WPM]
    3  3580  taskkill  taskkill /F /T /IM msaccess*  [APT; KILL]
  2  3996  cmd  cmd /C taskkill /F /T /IM mssql*  [WPM]
    3  3768  taskkill  taskkill /F /T /IM mssql*  [APT]
  2  3396  cmd  cmd /C taskkill /F /T /IM mysql*
    3  3720  taskkill  taskkill /F /T /IM mysql*  [APT; KILL]
  2  3788  cmd  cmd /C taskkill /F /T /IM wxServerView*
    3  496   taskkill  taskkill /F /T /IM wxServerView*  [APT]
  2  3744  cmd  cmd /C taskkill /F /T /IM sqlmangr*
    3  788   taskkill  taskkill /F /T /IM sqlmangr*  [APT; KILL]
  2  588   cmd  cmd /C taskkill /F /T /IM RAgui*
    3  1172  taskkill  taskkill /F /T /IM RAgui*  [APT]
  2  412   cmd  cmd /C taskkill /F /T /IM supervise*
    3  1316  taskkill  taskkill /F /T /IM supervise*  [APT; KILL]
  2  3512  cmd  cmd /C taskkill /F /T /IM Culture*
    3  1548  taskkill  taskkill /F /T /IM Culture*  [APT]
  2  960   cmd  cmd /C taskkill /F /T /IM Defwatch*
    3  2100  taskkill  taskkill /F /T /IM Defwatch*  [APT; KILL]
  2  2432  cmd  cmd /C taskkill /F /T /IM winword*
    3  2708  taskkill  taskkill /F /T /IM winword*  [APT; KILL]
  2  3812  cmd  cmd /C taskkill /F /T /IM QBW32*
    3  1876  taskkill  taskkill /F /T /IM QBW32*  [APT; KILL]
  2  1864  cmd  cmd /C taskkill /F /T /IM QBDBMgr*
    3  3580  taskkill  taskkill /F /T /IM QBDBMgr*  [APT; KILL]
  2  4040  cmd  cmd /C taskkill /F /T /IM qbupdate*
    3  3768  taskkill  taskkill /F /T /IM qbupdate*  [APT; KILL]
  2  3876  cmd  cmd /C taskkill /F /T /IM axlbridge*
    3  3720  taskkill  taskkill /F /T /IM axlbridge*  [APT; KILL]
  2  3436  cmd  cmd /C taskkill /F /T /IM httpd*
    3  496   taskkill  taskkill /F /T /IM httpd*  [APT]
  2  2996  cmd  cmd /C taskkill /F /T /IM fdlauncher*
    3  788   taskkill  taskkill /F /T /IM fdlauncher*  [KILL]
  2  812   cmd  cmd /C taskkill /F /T /IM MsDtSrvr*
    3  1172  taskkill  taskkill /F /T /IM MsDtSrvr*  [KILL]
  2  912   cmd  cmd /C taskkill /F /T /IM java*
    3  1316  taskkill  taskkill /F /T /IM java*  [KILL]
  2  1696  cmd  cmd /C taskkill /F /T /IM 360se*
    3  1548  taskkill  taskkill /F /T /IM 360se*  [KILL]
  2  2124  cmd  cmd /C taskkill /F /T /IM 360doctor*
    3  2100  taskkill  taskkill /F /T /IM 360doctor*  [KILL]
  2  2820  cmd  cmd /C taskkill /F /T /IM wdswfsafe*
    3  2708  taskkill  taskkill /F /T /IM wdswfsafe*  [KILL]
  2  1892  cmd  cmd /C taskkill /F /T /IM fdhost*
    3  1876  taskkill  taskkill /F /T /IM fdhost*  [KILL]
  2  3120  cmd  cmd /C taskkill /F /T /IM GDscan*
    3  3580  taskkill  taskkill /F /T /IM GDscan*  [KILL]
  2  3684  cmd  cmd /C taskkill /F /T /IM ZhuDongFangYu*
    3  3768  taskkill  taskkill /F /T /IM ZhuDongFangYu*  [KILL]
  2  3552  cmd  cmd /C taskkill /F /T /IM QBDBMgrN*
    3  3720  taskkill  taskkill /F /T /IM QBDBMgrN*  [KILL]
  2  416   cmd  cmd /C taskkill /F /T /IM mysqld*
    3  496   taskkill  taskkill /F /T /IM mysqld*
  2  420   cmd  cmd /C taskkill /F /T /IM AutodeskDesktopApp*
    3  788   taskkill  taskkill /F /T /IM AutodeskDesktopApp*
  2  1116  cmd  cmd /C taskkill /F /T /IM acwebbrowser*
    3  1172  taskkill  taskkill /F /T /IM acwebbrowser*
  2  1252  cmd  cmd /C taskkill /F /T /IM Creative Cloud*
    3  1316  taskkill  taskkill /F /T /IM Creative Cloud*  [KILL]
  2  1220  cmd  cmd /C taskkill /F /T /IM Adobe Desktop Service*
    3  1572  taskkill  taskkill /F /T /IM Adobe Desktop Service*  [KILL]
  2  1444  cmd  cmd /C taskkill /F /T /IM CoreSync*
    3  2140  taskkill  taskkill /F /T /IM CoreSync*  [KILL]
  2  1368  cmd  cmd /C taskkill /F /T /IM Adobe CEF Helper*
    3  2880  taskkill  taskkill /F /T /IM Adobe CEF Helper*  [KILL]
  2  2980  cmd  cmd /C taskkill /F /T /IM node*
    3  3844  taskkill  taskkill /F /T /IM node*  [KILL]
  2  3620  cmd  cmd /C taskkill /F /T /IM AdobeIPCBroker*
    3  2992  taskkill  taskkill /F /T /IM AdobeIPCBroker*  [KILL]
  2  3916  cmd  cmd /C taskkill /F /T /IM sync-taskbar*
    3  3704  taskkill  taskkill /F /T /IM sync-taskbar*  [KILL]
  2  3772  cmd  cmd /C taskkill /F /T /IM sync-worker*
    3  3824  taskkill  taskkill /F /T /IM sync-worker*  [KILL]
  2  3816  cmd  cmd /C taskkill /F /T /IM InputPersonalization*
    3  1708  taskkill  taskkill /F /T /IM InputPersonalization*  [KILL]
  2  2988  cmd  cmd /C taskkill /F /T /IM AdobeCollabSync*
    3  500   taskkill  taskkill /F /T /IM AdobeCollabSync*  [KILL]
  2  512   cmd  cmd /C taskkill /F /T /IM BrCtrlCntr*
    3  3612  taskkill  taskkill /F /T /IM BrCtrlCntr*  [KILL]
  2  1176  cmd  cmd /C taskkill /F /T /IM BrCcUxSys*
    3  1224  taskkill  taskkill /F /T /IM BrCcUxSys*
  2  1232  cmd  cmd /C taskkill /F /T /IM SimplyConnectionManager*
    3  1448  taskkill  taskkill /F /T /IM SimplyConnectionManager*  [KILL]
  2  1608  cmd  cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
    3  2088  taskkill  taskkill /F /T /IM Simply.SystemTrayIcon*  [KILL]
  2  2080  cmd  cmd /C taskkill /F /T /IM fbguard*
    3  2880  taskkill  taskkill /F /T /IM fbguard*
  2  2720  cmd  cmd /C taskkill /F /T /IM fbserver*
    3  3844  taskkill  taskkill /F /T /IM fbserver*  [KILL]
  2  2776  cmd  cmd /C taskkill /F /T /IM ONENOTEM*
    3  2992  taskkill  taskkill /F /T /IM ONENOTEM*  [KILL]
  2  3548  cmd  cmd /C taskkill /F /T /IM wrapper*
    3  3704  taskkill  taskkill /F /T /IM wrapper*  [KILL]
  2  3708  cmd  cmd /C taskkill /F /T /IM DefWatch*
    3  3824  taskkill  taskkill /F /T /IM DefWatch*  [KILL]
  2  3944  cmd  cmd /C taskkill /F /T /IM ccEvtMgr*
    3  1708  taskkill  taskkill /F /T /IM ccEvtMgr*  [KILL]
  2  3000  cmd  cmd /C taskkill /F /T /IM ccSetMgr*
    3  524   taskkill  taskkill /F /T /IM ccSetMgr*  [KILL]
  2  1628  cmd  cmd /C taskkill /F /T /IM SavRoam*
    3  1012  taskkill  taskkill /F /T /IM SavRoam*  [KILL]
  2  564   cmd  cmd /C taskkill /F /T /IM Sqlservr*
    3  1020  taskkill  taskkill /F /T /IM Sqlservr*
  2  3608  cmd  cmd /C taskkill /F /T /IM sqlagent*
    3  1548  taskkill  taskkill /F /T /IM sqlagent*
  2  412   cmd  cmd /C taskkill /F /T /IM sqladhlp*
    3  2128  taskkill  taskkill /F /T /IM sqladhlp*
  2  1572  cmd  cmd /C taskkill /F /T /IM Culserver*
    3  2824  taskkill  taskkill /F /T /IM Culserver*
  2  2124  cmd  cmd /C taskkill /F /T /IM RTVscan*
    3  2484  taskkill  taskkill /F /T /IM RTVscan*  [KILL]
  2  2252  cmd  cmd /C taskkill /F /T /IM sqlbrowser*
    3  3080  taskkill  taskkill /F /T /IM sqlbrowser*
  2  3116  cmd  cmd /C taskkill /F /T /IM SQLADHLP*
    3  1620  taskkill  taskkill /F /T /IM SQLADHLP*  [KILL]
  2  3796  cmd  cmd /C taskkill /F /T /IM QBIDPService*
    3  3056  taskkill  taskkill /F /T /IM QBIDPService*  [KILL]
  2  3804  cmd  cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
    3  3880  taskkill  taskkill /F /T /IM Intuit.QuickBooks.FCS*  [KILL]
  2  3468  cmd  cmd /C taskkill /F /T /IM QBCFMonitorService*
    3  500   taskkill  taskkill /F /T /IM QBCFMonitorService*  [KILL]
  2  692   cmd  cmd /C taskkill /F /T /IM sqlwriter*
    3  3612  taskkill  taskkill /F /T /IM sqlwriter*  [KILL]
  2  1128  cmd  cmd /C taskkill /F /T /IM msmdsrv*
    3  1224  taskkill  taskkill /F /T /IM msmdsrv*
  2  1248  cmd  cmd /C taskkill /F /T /IM tomcat6*
    3  1448  taskkill  taskkill /F /T /IM tomcat6*
  2  1552  cmd  cmd /C taskkill /F /T /IM zhudongfangyu*
    3  2088  taskkill  taskkill /F /T /IM zhudongfangyu*  [KILL]
  2  2148  cmd  cmd /C taskkill /F /T /IM vmware-usbarbitator64*
    3  2880  taskkill  taskkill /F /T /IM vmware-usbarbitator64*  [KILL]
  2  2660  cmd  cmd /C taskkill /F /T /IM vmware-converter*
    3  3844  taskkill  taskkill /F /T /IM vmware-converter*
  2  2196  cmd  cmd /C taskkill /F /T /IM dbsrv12*
    3  2992  taskkill  taskkill /F /T /IM dbsrv12*  [KILL]
  2  3060  cmd  cmd /C taskkill /F /T /IM dbeng8*
    3  3704  taskkill  taskkill /F /T /IM dbeng8*  [KILL]
  2  3176  cmd  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3  3824  taskkill  taskkill /F /T /IM MSSQL$MICROSOFT##WID*  [KILL]
  2  3996  cmd  cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
    3  1708  taskkill  taskkill /F /T /IM MSSQL$VEEAMSQL2012*  [KILL]
  2  3396  cmd  cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
    3  524   taskkill  taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
  2  3780  cmd  cmd /C taskkill /F /T /IM SQLBrowser*
    3  1012  taskkill  taskkill /F /T /IM SQLBrowser*
  2  2640  cmd  cmd /C taskkill /F /T /IM SQLWriter*
    3  1020  taskkill  taskkill /F /T /IM SQLWriter*  [KILL]
  2  656   cmd  cmd /C taskkill /F /T /IM FishbowlMySQL*
    3  1548  taskkill  taskkill /F /T /IM FishbowlMySQL*  [KILL]
  2  1532  cmd  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3  2128  taskkill  taskkill /F /T /IM MSSQL$MICROSOFT##WID*  [KILL]
  2  2136  cmd  cmd /C taskkill /F /T /IM MySQL57*
    3  2824  taskkill  taskkill /F /T /IM MySQL57*  [KILL]
  2  2832  cmd  cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
    3  2484  taskkill  taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*  [KILL]
  2  3808  cmd  cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
    3  3080  taskkill  taskkill /F /T /IM MSSQLServerADHelper100*  [KILL]
  2  3020  cmd  cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
    3  1620  taskkill  taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*  [KILL]
  2  3696  cmd  cmd /C taskkill /F /T /IM msftesql-Exchange*
    3  3056  taskkill  taskkill /F /T /IM msftesql-Exchange*
  2  3832  cmd  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
    3  3880  taskkill  taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
  2  3420  cmd  cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
    3  500   taskkill  taskkill /F /T /IM MSSQL$SBSMONITORING*
  2  2996  cmd  cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
    3  3612  taskkill  taskkill /F /T /IM MSSQL$SHAREPOINT*  [KILL]
  2  812   cmd  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
    3  1224  taskkill  taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*  [KILL]
  2  1348  cmd  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
    3  1448  taskkill  taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
  2  1228  cmd  cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
    3  2088  taskkill  taskkill /F /T /IM SQLAgent$SBSMONITORING*
  2  2056  cmd  cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
    3  2880  taskkill  taskkill /F /T /IM SQLAgent$SHAREPOINT*  [KILL]
1  3928  C:\Windows\system32\vssvc.exe  C:\Windows\system32\vssvc.exe  [APT; Modifies service]

PID 3928 is a separate root with no parent in this tree: it is the VSS service instance started by the Service Control Manager when the shadow-copy deletion requests arrived, and it is the process that holds SeBackup/SeRestore and writes the VSS\Diag keys in the Modifies service signature. The cmd /C C:\Windows\system32\vssvc.exe launched by the sample at PID 1228 has no child in the tree; started from a console rather than by the SCM, the service binary does not do the deletion work.
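The tree above is a compact test case for process-creation telemetry. The following is an added example, not part of the sandbox report and not code from the Exorcist sample: it assumes a simplified Sysmon-style event record (fields ts, pid, ppid, image, cmdline; the field names and the seconds-based ts are assumptions), builds its sample events from the tree above with invented timestamps, and flags the three things the report shows. Recovery-inhibition command lines are matched directly; the taskkill burst is detected by resolving each taskkill.exe back to its root ancestor by parent PID and time, because the tree reuses PIDs such as 788, and counting distinct /IM masks per root; alternate data streams other than the ubiquitous Zone.Identifier are picked out of file paths.

```python
"""Detection for the chain in the report: shadow-copy/backup deletion, boot-recovery
tampering, a taskkill burst and NTFS ADS use.  Added example, not sandbox output or
sample code.  ProcEvent is an assumed, simplified Sysmon-style record; SAMPLE_* data
is constructed from the process tree above with invented timestamps."""
import re
from collections import defaultdict, namedtuple

ProcEvent = namedtuple("ProcEvent", "ts pid ppid image cmdline")  # ts in seconds (assumed)

# Recovery-inhibition command lines, written for the exact forms seen in the tree.
RECOVERY_INHIBIT = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_delete_backup": re.compile(r"wbadmin(\.exe)?\s+delete\s+(systemstatebackup|catalog)", re.I),
    "bcdedit_recovery_off": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "bcdedit_ignore_failures": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
}
TASKKILL_IM = re.compile(r"taskkill(\.exe)?\s+.*?/IM\s+(?P<mask>.+)$", re.I)
# A second colon after the drive letter marks an alternate data stream.
ADS_PATH = re.compile(r"^(?P<file>[A-Za-z]:\\.+?):(?P<stream>[^\\:]+)$")


def _index(events):
    by_pid = defaultdict(list)  # pid -> start events in time order (PIDs get reused)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)
    return by_pid


def parent_of(ev, by_pid):
    """Most recent process that held ev.ppid at or before ev.ts.  Resolving by time
    matters: the tree shows 788, 1548, 2100, ... reused by short-lived cmd/taskkill."""
    cands = [p for p in by_pid.get(ev.ppid, []) if p.ts <= ev.ts]
    return cands[-1] if cands else None


def root_of(ev, by_pid):
    """Top-most ancestor we have an event for."""
    seen = set()
    while True:
        parent = parent_of(ev, by_pid)
        if parent is None or parent.pid in seen:
            return ev
        seen.add(ev.pid)
        ev = parent


def find_recovery_inhibition(events):
    """rule name -> PIDs whose command line matched (cmd /C wrapper and tool both count)."""
    hits = defaultdict(set)
    for ev in events:
        for name, rx in RECOVERY_INHIBIT.items():
            if rx.search(ev.cmdline):
                hits[name].add(ev.pid)
    return dict(hits)


def find_taskkill_bursts(events, min_distinct=5, window=60.0):
    """root pid -> sorted /IM masks when one root's descendants ran taskkill against at
    least min_distinct distinct masks within `window` seconds."""
    by_pid = _index(events)
    per_root = defaultdict(list)
    for ev in events:
        if not ev.image.lower().endswith("taskkill.exe"):
            continue  # the cmd /C wrapper repeats the text; count the tool once
        m = TASKKILL_IM.search(ev.cmdline)
        if m:
            per_root[root_of(ev, by_pid).pid].append((ev.ts, m.group("mask").strip()))
    bursts = {}
    for root_pid, items in per_root.items():
        masks = {mask for _, mask in items}
        times = [ts for ts, _ in items]
        if len(masks) >= min_distinct and max(times) - min(times) <= window:
            bursts[root_pid] = sorted(masks)
    return bursts


def suspicious_ads(paths, ignore=("Zone.Identifier",)):
    """(file, stream) for every ADS except the benign mark-of-the-web stream."""
    return [(m.group("file"), m.group("stream")) for m in map(ADS_PATH.match, paths)
            if m and m.group("stream") not in ignore]


CMD, TK = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\taskkill.exe"
SAMPLE_EVENTS = [  # constructed from the tree above; timestamps are invented
    ProcEvent(0.0, 3672, 1000, r"C:\Users\Admin\AppData\Local\Temp\build-x32.crypt.bin.exe", r'"C:\Users\Admin\AppData\Local\Temp\build-x32.crypt.bin.exe"'),
    ProcEvent(0.5, 3820, 3672, CMD, "cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive"),
    ProcEvent(0.6, 1376, 3820, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic.exe SHADOWCOPY DELETE /nointeractive"),
    ProcEvent(1.0, 1708, 3672, CMD, "cmd /C wbadmin DELETE SYSTEMSTATEBACKUP"),
    ProcEvent(1.2, 788, 3672, CMD, "cmd /C bcdedit.exe /set {default} recoveryenabled No"),
    ProcEvent(1.3, 588, 3672, CMD, "cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(1.5, 860, 3672, CMD, "cmd /C vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(1.6, 944, 860, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(2.0, 3528, 3672, CMD, "cmd /C taskkill /F /T /IM wxServer*"),
    ProcEvent(2.1, 1548, 3528, TK, "taskkill /F /T /IM wxServer*"),
    ProcEvent(2.2, 1940, 3672, CMD, "cmd /C taskkill /F /T /IM QBFCService*"),
    ProcEvent(2.3, 2100, 1940, TK, "taskkill /F /T /IM QBFCService*"),
    ProcEvent(2.4, 3060, 3672, CMD, "cmd /C taskkill /F /T /IM sql*"),
    ProcEvent(2.5, 1876, 3060, TK, "taskkill /F /T /IM sql*"),
    ProcEvent(2.6, 3744, 3672, CMD, "cmd /C taskkill /F /T /IM sqlmangr*"),
    ProcEvent(2.7, 788, 3744, TK, "taskkill /F /T /IM sqlmangr*"),  # PID 788 reused
    ProcEvent(2.8, 2432, 3672, CMD, "cmd /C taskkill /F /T /IM winword*"),
    ProcEvent(2.9, 2708, 2432, TK, "taskkill /F /T /IM winword*"),
    ProcEvent(300.0, 4100, 2000, TK, "taskkill /F /IM notepad.exe"),  # lone admin action, parent unknown
]
SAMPLE_STREAMS = [  # two ADS from the signature above, one benign MOTW stream, one plain file
    r"C:\Users\Admin\AppData\Local\Temp\boot.sys:uzkcayivo",
    r"C:\Users\Admin\AppData\Local\Temp\boot.sys:fwsjvisltoiwhlkd",
    r"C:\Users\Admin\Downloads\invoice.pdf:Zone.Identifier",
    r"C:\Users\Admin\AppData\Local\Temp\build-x32.crypt.bin.exe",
]
```

Run find_recovery_inhibition(SAMPLE_EVENTS), find_taskkill_bursts(SAMPLE_EVENTS) and suspicious_ads(SAMPLE_STREAMS) against the constructed data: all five recovery rules fire, the burst is attributed to PID 3672 with five distinct masks while the lone notepad kill is ignored, and only the two boot.sys streams are reported. The patterns cover the forms this sample uses; production rules should also catch the obvious variants (wbadmin delete catalog, vssadmin resize shadowstorage, bcdedit with the {current} identifier) and should take the window and mask threshold from the environment's baseline rather than the defaults here.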