exorcist | d7d0688022b5848caf5cbabc1bde628cb74f32e014311f5299ed63241fff72b0

Resubmissions

23/09/2020, 10:35

200923-mkwlt9yalx 10

23/07/2020, 14:59

200723-mtbw6t99d2 10

23/07/2020, 13:47

200723-5t3mhtw95x 10

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7v200722
submitted
23/09/2020, 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build-x64-crypt.bin.exe
Size

52KB
MD5

8cc13fea61cc0ba1382a779ee46726f0
SHA1

bd8ef46a02085153605a87fcc047f7ef3d0c4131
SHA256

eeb8a83d7532797d39d060ffb2a65562e8d803c4dbd8379289f99367cac2f850
SHA512

2f317f04b6bda9af58b049cb9bd0032d08c0aa30b8ac8d76b10f738ab11f4cc9f4eca4af3ecf26e610715117e2d68e5f8fb0ac139e60e882cc24fc795bf0a34a

Score

10^/10

ransomware evasion persistence exorcist

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Ejdgcj-decrypt.hta

Family

exorcist

Ransom Note

Ejdgcj Decrypt All your data has been encrypted with Exorcist Ransomware. Do not worry: you have some hours to contact us and decrypt your data by paying a ransom. To do this, follow instructions on this web site: http://217.8.117.26/pay Also, you can install Tor Browser and use this web site: http://4dnd3utjsmm2zcsb.onion/pay IMPORTANT: Do not modify this file, otherwise you will not be able to recover your data! Your authorization key: rKVYb/4uYQisWzdJsLmE3MCYrBkNeRx+njcZrAZE64UKRyGa8O2gQeQJ2hnddc1c bBrY+agIgwL+W85GIM8WI0N0bIezVBdHO+4j8HFsZxbhfJFGattz4rmXyBAQ2aXo X+EBr2SIhZ7VMF9oU5OwOCLJjIl8B2lcmaaXsWm6SLytwu6U4Hd9NbccpHNKdtCM 2hpmwkfoBf3zfzxA5ABQn582eonk0NFprOPKstsy/RBKBZb9xb2RSAayqPr+mmfy LeBD487QF5JQ+I+BFXD2BWS5U1bLBnJvKqarkseY295XNcN73Cfsn/UqkWuPSKXu HWROx48WYTBOGZACDFMs+6c/nm5CU1vhXbYDLPfgJ6LiTLdmd/IE/IIrUqReyhTe nxOrSc9H13s3mgwBThG/0O4EVqgsRXBfHyrL3umCBpOcGXphEtPoZx58E/4HtRrC pIjWhyO8Gw9SJSOavE8l4OVY5k6ygKgfA6Tj0gKHl42fjxhO3rFDieX0Pusp56pn iUQMv6HMQbHPLrmepXIa+W1FgNeVvbeWM+Mu+tpPCFVsWQ8uYduXZGRgkJW8opM5 chhrmINFA918FzttIC+SyD7Q0kn9xNGArEYsn1iScLNJwJvdOl5O9jIliSZFszqJ ANOJNhMrrjvJjPNJi3YJ7zzDiBALPo0opeGizFRJbs629NZn1S8JB+xmVmEakXXO tD+d2pzVgOzEWoqEgHQs/FRiB8DfkjoNMu2NpXrshJfV7lC/9Iw32a6UghX8JGJL Oy0avvFmZatx2uHYzuVj+DSuHcRJcUWvKrDuDsrPmoUMgGF/IMFVAvhloTBaHCGD t5OunZxJpqdRLo0p9C5iFLHi6Ebv70ezNFE+3dxvOFMynj3h73l8ckZtccjOO1Bn +cjXUqg+2holWR2Qw0f2AV+79V0x8Ddo0AJRFlbv58tkfoFptubkE/lLON+luWCo n17+uQ2II8SqHEICmwbTlVt9Sva+t9smv1YuHBiXNar5x+1Bylnzset39TV/6wxh EkSB/Z4Lb2shZAHYTTeuYFxdAUyGn1gnzZ2BfMhAj045QcmUoD4hFsq9adLf4e5L elwfqD/9UgxqFV/H1jCZQjN9UJ1hN7NtJYknNpB2LqV8mBkZj/ALQVQoBbav4JCV aFwyvsWyxp8oCpNOUF8mo9S9AiOMsJwJoWVK7ddmevEZGGkUA++lfnTAhruCDXkb 4BLOrVDSF09+CXD1VNbmm22fMkgObx8gEqDML5zPjwoCoIgQEqpcyt3CLOpky5gq JmPYccSNgzbNlEvYdXC4JtbjvyNjdTuANs/1I5Q1O2n2Ur3S6zcbG2r0d04BihYz YDbFPecikm2TGkFWtDFv/sG+LuJE8G4XVSya70pfDK1laI52QszdwUfIzZJzpb1d J2Q0/XwR+k7W2gH+oh0z9qFPIH40Tosz9bJHKGZF59O4o3LsINAzkINmJfYb5xLV S4+NBGiw6tYw7OF8aY3CjniKDsKqFlXg4urrG53/9qQrw1ZR1PqnH7aKX/hTJy28 tR5o42NNlmyiFh+OyYKzwI6PNchrkJ2OSuTNtqut/nv2rUFXTdKiHYy/7KTXwDUg UVZpg4ThLxg9MzHIXBj/x9TACf0Uwk6+vB4CH6MLSBDxH13i8jmjBZxaqc97gUhV xAjUbRrXp3NslAczaLI2dV2yAvHX28z45PM1JNihcQJx5lDQKDGt62wGagoFAd3C s8jb7mGvxZHgb2NDVGmFHSixdrL3cGY30DtF6zoqjOruAorbC35RLDyXbnI/3ibu 7FXhJpI0vHgZ8ZWKj0dPYak6sDwf4Pl54pUwjJea1VwgZjo84oWgPUDeEwXXMjeW jW7nSL1hTPTKeC/acrzhkoNmzuJZNeUQC6NuTu1LW52ZCyxxYokUNh20dymPk5FH e8J70u5noWjECDtjUwg6Q843MsfUFRkWFWL7gYkrNPS/yMZaCTrU63GaMWxbzsIJ yJbpf8AQYxce36+601sjmSOiCupdmU1hHEVdVDH8fNnwewOfX8d1/RuOJpJKQq8c Z94Emyc5+ldcB4UTnW8f4OnHPgVAnLGa4b9EWTTdY6SARjxdfvr/8ixXpMI2QGlC d7VfplNkyKel7V0kVMnRvxrYvh1X4rLOo5n0yrsX9cGea1r0fWhBCr2Hjppx49QW RT+2+B5hVQfhhErO7YsSX52I2niZrbqH+S6iSmQGkGu9/sPS/Ub2ffOTW7lwvhcB D3nqCYgPnm3EtkKINI+Nmb9wDblhBIurVQg+OfD2UiI0La9Gw3z4fOza2cf/yNkk dZOslQvzLthHectMjb/WQ2cyLf6kSCcOi/nD/jAFAldHw0uflT/f218pqgzQD0fb EXEVAUghpP1OxFciql4TW/kZ1ksJ+99yx6bJVPyig1pBB60gvyoWVuALPwzZgPK7 WkKQk5H5rBEU8/hfCzCtDXTvxrg2OblQ7BVNYJYvBPHgWVjQPDAxlfhn+YcJAQUE pRCMl7UX76iB8hQbIuuH9TCOgmP852/MH1KDVtV6ccjlvy2QPJQ/60jErZhPYPaF J/NC2O8DhvDTsp0UOhOwZ7oj4GT0dSZwXqrcoW6dItrOLflQ5Tr1SXkNLSfRSYwB /UL6GnPiQqHo3OwPNOt10lp820w0F4Skp6liEOoB7tIp7tA0cHJ5dNK3MuGGrHSL Gxjyu3uN40SNvgCq0WybXf+1UpMxb/djY6uA/dxP/2cCfaghW0uJWeeQ33kHyjkB IiFxfTaYseer8pk2D0ZB6mW0yWLL9eyXHSQdOKBN//q7DYWiNyyMd4oJxIv7qtcc wbb3K7CVOEwf0q2PXBpFfkVaAl1BuNdxfXPz3s4gSgwZs3bYEInIAiB+m0pQW5cH dHDPlrqpSqmRc7hMOnHIB5y1i+++x5QTnO4imyGasWjtp+XdQGEtyZ/YfkU+VNzL zohWA/YnAOeBlALWld1W/bg+MxWjvUu/BZ5tHrBtcjb6IW2kxjtCfrQGVhziK1FF gzZjePVfjknGzvTJNvWApuI+0GOwsOaTyqT3+Zv5pY5sXLwXobZPYCUExishZGCV rNYly6bfYFzKBHeaS0QFDR2Q5khQPMqR/MCfQKS2StEbLSeqrdSlKAffkyojB5Kx M69sZcwKbTjDXxcDq5X8KJNxHbnseGcBla3iZCCljNWXS4IebrzScgspedJ0cSEp snUtgz99hrcYG+G2z5BAIumPHWEIXvXWRvjH4zxlmpW1g1UqtMmVLet4XD43gknb TQanse1GHB660zfzHrmJwUOOdnBsPn6oXSlXIGCEi26Yd5pevI9zdeYqKSQSVBB/ fDb2pMxVgSY4TuaAw4yyti1V+Nmaai1aFsjhST2UzSGWouSypHcKE4tysLOmjIF1 yl5YPw2Hdt9V9jB8gTXWxERMknI1aSU7JzeXw7BwloGkuyiYYsrwdhDfHfqG4BCb PYx63znjfx2VVfZXIOSb9lFFB29j30XXJGZCTbAePg4bOFfoIXwhxqplj/ucbko4 sDF010Lyjdf9IKLmh8P9Vf6GtbVVNpcxWKTodl8YivBlST8zcl6wVoLj25EhwQwH KyK6iwehYtSee1+5KdjXXIBabkCHxqwAF2MUXX+X292Ys4Y3OGkxiipP+y7WDiKR euiMfTAEjfj55GRSC5TR0vXKU7icslkxQowk+vHH4oiA4COBDwYVSkMyrp6wlJY8 Xu8jwCktenzHBz3Ty+frg+1fKtRcf/g1p8PjYwgHyPBYvGsxm8BsbQfJXoLcaKGD ZJUGJWaytLnVKGM3lvOUWmlMWDkgTrUmuXYFQAEdqKvCgYJZWfD4mODCWZg70MaH qZABLQXmIlkGG4MCvnoS3vDefr4zGVNxUgmWja+i7Y7adxjjTmlpksgnm2bkdi0a PHHwurgl7x5WDxiSYHyVJGgNSM7BoZBp3Ne+da1XevqbOl/VSsIRtqAshTDKa1hR

URLs

http://217.8.117.26/pay

http://4dnd3utjsmm2zcsb.onion/pay

Signatures

Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
360	bcdedit.exe
912	bcdedit.exe

Deletes System State backups 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1780	wbadmin.exe
316	wbadmin.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\JoinDebug.crw => C:\Users\Admin\Pictures\JoinDebug.crw.Ejdgcj	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\JoinDebug.crw.Ejdgcj	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\LockBackup.raw => C:\Users\Admin\Pictures\LockBackup.raw.Ejdgcj	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\LockBackup.raw.Ejdgcj	build-x64-crypt.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	build-x64-crypt.bin.exe
File opened (read-only)	\??\P:	build-x64-crypt.bin.exe
File opened (read-only)	\??\A:	build-x64-crypt.bin.exe
File opened (read-only)	\??\B:	build-x64-crypt.bin.exe
File opened (read-only)	\??\I:	build-x64-crypt.bin.exe
File opened (read-only)	\??\K:	build-x64-crypt.bin.exe
File opened (read-only)	\??\V:	build-x64-crypt.bin.exe
File opened (read-only)	\??\F:	build-x64-crypt.bin.exe
File opened (read-only)	\??\L:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Q:	build-x64-crypt.bin.exe
File opened (read-only)	\??\S:	build-x64-crypt.bin.exe
File opened (read-only)	\??\J:	build-x64-crypt.bin.exe
File opened (read-only)	\??\M:	build-x64-crypt.bin.exe
File opened (read-only)	\??\R:	build-x64-crypt.bin.exe
File opened (read-only)	\??\T:	build-x64-crypt.bin.exe
File opened (read-only)	\??\U:	build-x64-crypt.bin.exe
File opened (read-only)	\??\W:	build-x64-crypt.bin.exe
File opened (read-only)	\??\X:	build-x64-crypt.bin.exe
File opened (read-only)	\??\E:	build-x64-crypt.bin.exe
File opened (read-only)	\??\G:	build-x64-crypt.bin.exe
File opened (read-only)	\??\H:	build-x64-crypt.bin.exe
File opened (read-only)	\??\N:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Y:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Z:	build-x64-crypt.bin.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1408	vssadmin.exe

Kills process with taskkill 91 IoCs

evasion

pid	Process
228	taskkill.exe
552	taskkill.exe
968	taskkill.exe
1140	taskkill.exe
340	taskkill.exe
220	taskkill.exe
1708	taskkill.exe
2016	taskkill.exe
1252	taskkill.exe
1544	taskkill.exe
316	taskkill.exe
1736	taskkill.exe
588	taskkill.exe
224	taskkill.exe
1456	taskkill.exe
1040	taskkill.exe
1100	taskkill.exe
804	taskkill.exe
1848	taskkill.exe
2036	taskkill.exe
1300	taskkill.exe
1756	taskkill.exe
1756	taskkill.exe
1144	taskkill.exe
1336	taskkill.exe
968	taskkill.exe
1936	taskkill.exe
1780	taskkill.exe
2008	taskkill.exe
684	taskkill.exe
1548	taskkill.exe
684	taskkill.exe
2008	taskkill.exe
1488	taskkill.exe
956	taskkill.exe
1972	taskkill.exe
1144	taskkill.exe
1952	taskkill.exe
1836	taskkill.exe
1792	taskkill.exe
1760	taskkill.exe
900	taskkill.exe
1952	taskkill.exe
1500	taskkill.exe
1064	taskkill.exe
1524	taskkill.exe
1736	taskkill.exe
236	taskkill.exe
1556	taskkill.exe
1996	taskkill.exe
1524	taskkill.exe
480	taskkill.exe
1936	taskkill.exe
924	taskkill.exe
316	taskkill.exe
1556	taskkill.exe
1836	taskkill.exe
1336	taskkill.exe
848	taskkill.exe
936	taskkill.exe
956	taskkill.exe
2036	taskkill.exe
848	taskkill.exe
2016	taskkill.exe
1476	taskkill.exe
1752	taskkill.exe
1996	taskkill.exe
232	taskkill.exe
1228	taskkill.exe
1824	taskkill.exe
1868	taskkill.exe
276	taskkill.exe
1484	taskkill.exe
1248	taskkill.exe
1108	taskkill.exe
360	taskkill.exe
1080	taskkill.exe
2044	taskkill.exe
1064	taskkill.exe
1736	taskkill.exe
1780	taskkill.exe
1972	taskkill.exe
544	taskkill.exe
232	taskkill.exe
1488	taskkill.exe
1840	taskkill.exe
1772	taskkill.exe
968	taskkill.exe
924	taskkill.exe
1736	taskkill.exe
1252	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

NTFS ADS 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:ivrhwmenumbuocvak	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:tpupnbvzicwro	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:xbcqjlijd	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:iykxevszimranzpu	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:xbcqjlijd	build-x64-crypt.bin.exe

Suspicious behavior: EnumeratesProcesses 344 IoCs

pid	Process
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe

Suspicious use of AdjustPrivilegeToken 135 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe
Token: SeSecurityPrivilege	1760	WMIC.exe
Token: SeTakeOwnershipPrivilege	1760	WMIC.exe
Token: SeLoadDriverPrivilege	1760	WMIC.exe
Token: SeSystemProfilePrivilege	1760	WMIC.exe
Token: SeSystemtimePrivilege	1760	WMIC.exe
Token: SeProfSingleProcessPrivilege	1760	WMIC.exe
Token: SeIncBasePriorityPrivilege	1760	WMIC.exe
Token: SeCreatePagefilePrivilege	1760	WMIC.exe
Token: SeBackupPrivilege	1760	WMIC.exe
Token: SeRestorePrivilege	1760	WMIC.exe
Token: SeShutdownPrivilege	1760	WMIC.exe
Token: SeDebugPrivilege	1760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1760	WMIC.exe
Token: SeRemoteShutdownPrivilege	1760	WMIC.exe
Token: SeUndockPrivilege	1760	WMIC.exe
Token: SeManageVolumePrivilege	1760	WMIC.exe
Token: 33	1760	WMIC.exe
Token: 34	1760	WMIC.exe
Token: 35	1760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe
Token: SeSecurityPrivilege	1760	WMIC.exe
Token: SeTakeOwnershipPrivilege	1760	WMIC.exe
Token: SeLoadDriverPrivilege	1760	WMIC.exe
Token: SeSystemProfilePrivilege	1760	WMIC.exe
Token: SeSystemtimePrivilege	1760	WMIC.exe
Token: SeProfSingleProcessPrivilege	1760	WMIC.exe
Token: SeIncBasePriorityPrivilege	1760	WMIC.exe
Token: SeCreatePagefilePrivilege	1760	WMIC.exe
Token: SeBackupPrivilege	1760	WMIC.exe
Token: SeRestorePrivilege	1760	WMIC.exe
Token: SeShutdownPrivilege	1760	WMIC.exe
Token: SeDebugPrivilege	1760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1760	WMIC.exe
Token: SeRemoteShutdownPrivilege	1760	WMIC.exe
Token: SeUndockPrivilege	1760	WMIC.exe
Token: SeManageVolumePrivilege	1760	WMIC.exe
Token: 33	1760	WMIC.exe
Token: 34	1760	WMIC.exe
Token: 35	1760	WMIC.exe
Token: SeBackupPrivilege	1512	vssvc.exe
Token: SeRestorePrivilege	1512	vssvc.exe
Token: SeAuditPrivilege	1512	vssvc.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	224	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	544	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	232	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	1140	taskkill.exe
Token: SeDebugPrivilege	360	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	228	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	848	taskkill.exe
Token: SeDebugPrivilege	684	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	232	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	1108	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	340	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	236	taskkill.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	848	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	1544	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	276	taskkill.exe
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	804	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	588	taskkill.exe
Token: SeDebugPrivilege	936	taskkill.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	480	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	684	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: 33	808	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	808	AUDIODG.EXE
Token: 33	808	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	808	AUDIODG.EXE

Suspicious use of WriteProcessMemory 588 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 1304	1000	build-x64-crypt.bin.exe	25
PID 1000 wrote to memory of 1304	1000	build-x64-crypt.bin.exe	25
PID 1000 wrote to memory of 1304	1000	build-x64-crypt.bin.exe	25
PID 1304 wrote to memory of 1760	1304	cmd.exe	28
PID 1304 wrote to memory of 1760	1304	cmd.exe	28
PID 1304 wrote to memory of 1760	1304	cmd.exe	28
PID 1000 wrote to memory of 2000	1000	build-x64-crypt.bin.exe	35
PID 1000 wrote to memory of 2000	1000	build-x64-crypt.bin.exe	35
PID 1000 wrote to memory of 2000	1000	build-x64-crypt.bin.exe	35
PID 2000 wrote to memory of 1780	2000	cmd.exe	37
PID 2000 wrote to memory of 1780	2000	cmd.exe	37
PID 2000 wrote to memory of 1780	2000	cmd.exe	37
PID 1000 wrote to memory of 420	1000	build-x64-crypt.bin.exe	38
PID 1000 wrote to memory of 420	1000	build-x64-crypt.bin.exe	38
PID 1000 wrote to memory of 420	1000	build-x64-crypt.bin.exe	38
PID 420 wrote to memory of 316	420	cmd.exe	40
PID 420 wrote to memory of 316	420	cmd.exe	40
PID 420 wrote to memory of 316	420	cmd.exe	40
PID 1000 wrote to memory of 684	1000	build-x64-crypt.bin.exe	41
PID 1000 wrote to memory of 684	1000	build-x64-crypt.bin.exe	41
PID 1000 wrote to memory of 684	1000	build-x64-crypt.bin.exe	41
PID 684 wrote to memory of 360	684	cmd.exe	43
PID 684 wrote to memory of 360	684	cmd.exe	43
PID 684 wrote to memory of 360	684	cmd.exe	43
PID 1000 wrote to memory of 276	1000	build-x64-crypt.bin.exe	44
PID 1000 wrote to memory of 276	1000	build-x64-crypt.bin.exe	44
PID 1000 wrote to memory of 276	1000	build-x64-crypt.bin.exe	44
PID 276 wrote to memory of 912	276	cmd.exe	46
PID 276 wrote to memory of 912	276	cmd.exe	46
PID 276 wrote to memory of 912	276	cmd.exe	46
PID 1000 wrote to memory of 1776	1000	build-x64-crypt.bin.exe	47
PID 1000 wrote to memory of 1776	1000	build-x64-crypt.bin.exe	47
PID 1000 wrote to memory of 1776	1000	build-x64-crypt.bin.exe	47
PID 1776 wrote to memory of 1408	1776	cmd.exe	49
PID 1776 wrote to memory of 1408	1776	cmd.exe	49
PID 1776 wrote to memory of 1408	1776	cmd.exe	49
PID 1000 wrote to memory of 372	1000	build-x64-crypt.bin.exe	50
PID 1000 wrote to memory of 372	1000	build-x64-crypt.bin.exe	50
PID 1000 wrote to memory of 372	1000	build-x64-crypt.bin.exe	50
PID 372 wrote to memory of 1040	372	cmd.exe	52
PID 372 wrote to memory of 1040	372	cmd.exe	52
PID 372 wrote to memory of 1040	372	cmd.exe	52
PID 1000 wrote to memory of 1740	1000	build-x64-crypt.bin.exe	53
PID 1000 wrote to memory of 1740	1000	build-x64-crypt.bin.exe	53
PID 1000 wrote to memory of 1740	1000	build-x64-crypt.bin.exe	53
PID 1740 wrote to memory of 1972	1740	cmd.exe	55
PID 1740 wrote to memory of 1972	1740	cmd.exe	55
PID 1740 wrote to memory of 1972	1740	cmd.exe	55
PID 1000 wrote to memory of 2024	1000	build-x64-crypt.bin.exe	56
PID 1000 wrote to memory of 2024	1000	build-x64-crypt.bin.exe	56
PID 1000 wrote to memory of 2024	1000	build-x64-crypt.bin.exe	56
PID 2024 wrote to memory of 224	2024	cmd.exe	58
PID 2024 wrote to memory of 224	2024	cmd.exe	58
PID 2024 wrote to memory of 224	2024	cmd.exe	58
PID 1000 wrote to memory of 1828	1000	build-x64-crypt.bin.exe	59
PID 1000 wrote to memory of 1828	1000	build-x64-crypt.bin.exe	59
PID 1000 wrote to memory of 1828	1000	build-x64-crypt.bin.exe	59
PID 1828 wrote to memory of 1736	1828	cmd.exe	61
PID 1828 wrote to memory of 1736	1828	cmd.exe	61
PID 1828 wrote to memory of 1736	1828	cmd.exe	61
PID 1000 wrote to memory of 920	1000	build-x64-crypt.bin.exe	62
PID 1000 wrote to memory of 920	1000	build-x64-crypt.bin.exe	62
PID 1000 wrote to memory of 920	1000	build-x64-crypt.bin.exe	62
PID 920 wrote to memory of 544	920	cmd.exe	64
PID 920 wrote to memory of 544	920	cmd.exe	64
PID 920 wrote to memory of 544	920	cmd.exe	64
PID 1000 wrote to memory of 1792	1000	build-x64-crypt.bin.exe	65
PID 1000 wrote to memory of 1792	1000	build-x64-crypt.bin.exe	65
PID 1000 wrote to memory of 1792	1000	build-x64-crypt.bin.exe	65
PID 1792 wrote to memory of 968	1792	cmd.exe	67
PID 1792 wrote to memory of 968	1792	cmd.exe	67
PID 1792 wrote to memory of 968	1792	cmd.exe	67
PID 1000 wrote to memory of 804	1000	build-x64-crypt.bin.exe	68
PID 1000 wrote to memory of 804	1000	build-x64-crypt.bin.exe	68
PID 1000 wrote to memory of 804	1000	build-x64-crypt.bin.exe	68
PID 804 wrote to memory of 956	804	cmd.exe	70
PID 804 wrote to memory of 956	804	cmd.exe	70
PID 804 wrote to memory of 956	804	cmd.exe	70
PID 1000 wrote to memory of 840	1000	build-x64-crypt.bin.exe	71
PID 1000 wrote to memory of 840	1000	build-x64-crypt.bin.exe	71
PID 1000 wrote to memory of 840	1000	build-x64-crypt.bin.exe	71
PID 840 wrote to memory of 1252	840	cmd.exe	73
PID 840 wrote to memory of 1252	840	cmd.exe	73
PID 840 wrote to memory of 1252	840	cmd.exe	73
PID 1000 wrote to memory of 1472	1000	build-x64-crypt.bin.exe	74
PID 1000 wrote to memory of 1472	1000	build-x64-crypt.bin.exe	74
PID 1000 wrote to memory of 1472	1000	build-x64-crypt.bin.exe	74
PID 1472 wrote to memory of 1952	1472	cmd.exe	76
PID 1472 wrote to memory of 1952	1472	cmd.exe	76
PID 1472 wrote to memory of 1952	1472	cmd.exe	76
PID 1000 wrote to memory of 1824	1000	build-x64-crypt.bin.exe	77
PID 1000 wrote to memory of 1824	1000	build-x64-crypt.bin.exe	77
PID 1000 wrote to memory of 1824	1000	build-x64-crypt.bin.exe	77
PID 1824 wrote to memory of 232	1824	cmd.exe	79
PID 1824 wrote to memory of 232	1824	cmd.exe	79
PID 1824 wrote to memory of 232	1824	cmd.exe	79
PID 1000 wrote to memory of 204	1000	build-x64-crypt.bin.exe	80
PID 1000 wrote to memory of 204	1000	build-x64-crypt.bin.exe	80
PID 1000 wrote to memory of 204	1000	build-x64-crypt.bin.exe	80
PID 204 wrote to memory of 1996	204	cmd.exe	82
PID 204 wrote to memory of 1996	204	cmd.exe	82
PID 204 wrote to memory of 1996	204	cmd.exe	82
PID 1000 wrote to memory of 1744	1000	build-x64-crypt.bin.exe	83
PID 1000 wrote to memory of 1744	1000	build-x64-crypt.bin.exe	83
PID 1000 wrote to memory of 1744	1000	build-x64-crypt.bin.exe	83
PID 1744 wrote to memory of 1140	1744	cmd.exe	85
PID 1744 wrote to memory of 1140	1744	cmd.exe	85
PID 1744 wrote to memory of 1140	1744	cmd.exe	85
PID 1000 wrote to memory of 1780	1000	build-x64-crypt.bin.exe	86
PID 1000 wrote to memory of 1780	1000	build-x64-crypt.bin.exe	86
PID 1000 wrote to memory of 1780	1000	build-x64-crypt.bin.exe	86
PID 1780 wrote to memory of 360	1780	cmd.exe	88
PID 1780 wrote to memory of 360	1780	cmd.exe	88
PID 1780 wrote to memory of 360	1780	cmd.exe	88
PID 1000 wrote to memory of 420	1000	build-x64-crypt.bin.exe	89
PID 1000 wrote to memory of 420	1000	build-x64-crypt.bin.exe	89
PID 1000 wrote to memory of 420	1000	build-x64-crypt.bin.exe	89
PID 420 wrote to memory of 1756	420	cmd.exe	91
PID 420 wrote to memory of 1756	420	cmd.exe	91
PID 420 wrote to memory of 1756	420	cmd.exe	91
PID 1000 wrote to memory of 908	1000	build-x64-crypt.bin.exe	92
PID 1000 wrote to memory of 908	1000	build-x64-crypt.bin.exe	92
PID 1000 wrote to memory of 908	1000	build-x64-crypt.bin.exe	92
PID 908 wrote to memory of 1488	908	cmd.exe	94
PID 908 wrote to memory of 1488	908	cmd.exe	94
PID 908 wrote to memory of 1488	908	cmd.exe	94
PID 1000 wrote to memory of 1296	1000	build-x64-crypt.bin.exe	95
PID 1000 wrote to memory of 1296	1000	build-x64-crypt.bin.exe	95
PID 1000 wrote to memory of 1296	1000	build-x64-crypt.bin.exe	95
PID 1296 wrote to memory of 1080	1296	cmd.exe	97
PID 1296 wrote to memory of 1080	1296	cmd.exe	97
PID 1296 wrote to memory of 1080	1296	cmd.exe	97
PID 1000 wrote to memory of 372	1000	build-x64-crypt.bin.exe	98
PID 1000 wrote to memory of 372	1000	build-x64-crypt.bin.exe	98
PID 1000 wrote to memory of 372	1000	build-x64-crypt.bin.exe	98
PID 372 wrote to memory of 1848	372	cmd.exe	100
PID 372 wrote to memory of 1848	372	cmd.exe	100
PID 372 wrote to memory of 1848	372	cmd.exe	100
PID 1000 wrote to memory of 1740	1000	build-x64-crypt.bin.exe	101
PID 1000 wrote to memory of 1740	1000	build-x64-crypt.bin.exe	101
PID 1000 wrote to memory of 1740	1000	build-x64-crypt.bin.exe	101
PID 1740 wrote to memory of 1456	1740	cmd.exe	103
PID 1740 wrote to memory of 1456	1740	cmd.exe	103
PID 1740 wrote to memory of 1456	1740	cmd.exe	103
PID 1000 wrote to memory of 2024	1000	build-x64-crypt.bin.exe	104
PID 1000 wrote to memory of 2024	1000	build-x64-crypt.bin.exe	104
PID 1000 wrote to memory of 2024	1000	build-x64-crypt.bin.exe	104
PID 2024 wrote to memory of 316	2024	cmd.exe	106
PID 2024 wrote to memory of 316	2024	cmd.exe	106
PID 2024 wrote to memory of 316	2024	cmd.exe	106
PID 1000 wrote to memory of 1248	1000	build-x64-crypt.bin.exe	107
PID 1000 wrote to memory of 1248	1000	build-x64-crypt.bin.exe	107
PID 1000 wrote to memory of 1248	1000	build-x64-crypt.bin.exe	107
PID 1248 wrote to memory of 2044	1248	cmd.exe	109
PID 1248 wrote to memory of 2044	1248	cmd.exe	109
PID 1248 wrote to memory of 2044	1248	cmd.exe	109
PID 1000 wrote to memory of 920	1000	build-x64-crypt.bin.exe	110
PID 1000 wrote to memory of 920	1000	build-x64-crypt.bin.exe	110
PID 1000 wrote to memory of 920	1000	build-x64-crypt.bin.exe	110
PID 920 wrote to memory of 1524	920	cmd.exe	112
PID 920 wrote to memory of 1524	920	cmd.exe	112
PID 920 wrote to memory of 1524	920	cmd.exe	112
PID 1000 wrote to memory of 1792	1000	build-x64-crypt.bin.exe	113
PID 1000 wrote to memory of 1792	1000	build-x64-crypt.bin.exe	113
PID 1000 wrote to memory of 1792	1000	build-x64-crypt.bin.exe	113
PID 1792 wrote to memory of 1040	1792	cmd.exe	115
PID 1792 wrote to memory of 1040	1792	cmd.exe	115
PID 1792 wrote to memory of 1040	1792	cmd.exe	115
PID 1000 wrote to memory of 804	1000	build-x64-crypt.bin.exe	116
PID 1000 wrote to memory of 804	1000	build-x64-crypt.bin.exe	116
PID 1000 wrote to memory of 804	1000	build-x64-crypt.bin.exe	116
PID 804 wrote to memory of 2036	804	cmd.exe	118
PID 804 wrote to memory of 2036	804	cmd.exe	118
PID 804 wrote to memory of 2036	804	cmd.exe	118
PID 1000 wrote to memory of 840	1000	build-x64-crypt.bin.exe	119
PID 1000 wrote to memory of 840	1000	build-x64-crypt.bin.exe	119
PID 1000 wrote to memory of 840	1000	build-x64-crypt.bin.exe	119
PID 840 wrote to memory of 228	840	cmd.exe	121
PID 840 wrote to memory of 228	840	cmd.exe	121
PID 840 wrote to memory of 228	840	cmd.exe	121
PID 1000 wrote to memory of 1472	1000	build-x64-crypt.bin.exe	122
PID 1000 wrote to memory of 1472	1000	build-x64-crypt.bin.exe	122
PID 1000 wrote to memory of 1472	1000	build-x64-crypt.bin.exe	122
PID 1472 wrote to memory of 1736	1472	cmd.exe	124
PID 1472 wrote to memory of 1736	1472	cmd.exe	124
PID 1472 wrote to memory of 1736	1472	cmd.exe	124
PID 1000 wrote to memory of 1824	1000	build-x64-crypt.bin.exe	125
PID 1000 wrote to memory of 1824	1000	build-x64-crypt.bin.exe	125
PID 1000 wrote to memory of 1824	1000	build-x64-crypt.bin.exe	125
PID 1824 wrote to memory of 848	1824	cmd.exe	127
PID 1824 wrote to memory of 848	1824	cmd.exe	127
PID 1824 wrote to memory of 848	1824	cmd.exe	127
PID 1000 wrote to memory of 204	1000	build-x64-crypt.bin.exe	128
PID 1000 wrote to memory of 204	1000	build-x64-crypt.bin.exe	128
PID 1000 wrote to memory of 204	1000	build-x64-crypt.bin.exe	128
PID 204 wrote to memory of 684	204	cmd.exe	130
PID 204 wrote to memory of 684	204	cmd.exe	130
PID 204 wrote to memory of 684	204	cmd.exe	130
PID 1000 wrote to memory of 928	1000	build-x64-crypt.bin.exe	131
PID 1000 wrote to memory of 928	1000	build-x64-crypt.bin.exe	131
PID 1000 wrote to memory of 928	1000	build-x64-crypt.bin.exe	131
PID 928 wrote to memory of 924	928	cmd.exe	133
PID 928 wrote to memory of 924	928	cmd.exe	133
PID 928 wrote to memory of 924	928	cmd.exe	133
PID 1000 wrote to memory of 1780	1000	build-x64-crypt.bin.exe	134
PID 1000 wrote to memory of 1780	1000	build-x64-crypt.bin.exe	134
PID 1000 wrote to memory of 1780	1000	build-x64-crypt.bin.exe	134
PID 1780 wrote to memory of 1556	1780	cmd.exe	136
PID 1780 wrote to memory of 1556	1780	cmd.exe	136
PID 1780 wrote to memory of 1556	1780	cmd.exe	136
PID 1000 wrote to memory of 1504	1000	build-x64-crypt.bin.exe	137
PID 1000 wrote to memory of 1504	1000	build-x64-crypt.bin.exe	137
PID 1000 wrote to memory of 1504	1000	build-x64-crypt.bin.exe	137
PID 1504 wrote to memory of 1952	1504	cmd.exe	139
PID 1504 wrote to memory of 1952	1504	cmd.exe	139
PID 1504 wrote to memory of 1952	1504	cmd.exe	139
PID 1000 wrote to memory of 908	1000	build-x64-crypt.bin.exe	140
PID 1000 wrote to memory of 908	1000	build-x64-crypt.bin.exe	140
PID 1000 wrote to memory of 908	1000	build-x64-crypt.bin.exe	140
PID 908 wrote to memory of 232	908	cmd.exe	142
PID 908 wrote to memory of 232	908	cmd.exe	142
PID 908 wrote to memory of 232	908	cmd.exe	142
PID 1000 wrote to memory of 1296	1000	build-x64-crypt.bin.exe	143
PID 1000 wrote to memory of 1296	1000	build-x64-crypt.bin.exe	143
PID 1000 wrote to memory of 1296	1000	build-x64-crypt.bin.exe	143
PID 1296 wrote to memory of 1500	1296	cmd.exe	145
PID 1296 wrote to memory of 1500	1296	cmd.exe	145
PID 1296 wrote to memory of 1500	1296	cmd.exe	145
PID 1000 wrote to memory of 372	1000	build-x64-crypt.bin.exe	146
PID 1000 wrote to memory of 372	1000	build-x64-crypt.bin.exe	146
PID 1000 wrote to memory of 372	1000	build-x64-crypt.bin.exe	146
PID 372 wrote to memory of 1108	372	cmd.exe	148
PID 372 wrote to memory of 1108	372	cmd.exe	148
PID 372 wrote to memory of 1108	372	cmd.exe	148
PID 1000 wrote to memory of 1740	1000	build-x64-crypt.bin.exe	149
PID 1000 wrote to memory of 1740	1000	build-x64-crypt.bin.exe	149
PID 1000 wrote to memory of 1740	1000	build-x64-crypt.bin.exe	149
PID 1740 wrote to memory of 1064	1740	cmd.exe	151
PID 1740 wrote to memory of 1064	1740	cmd.exe	151
PID 1740 wrote to memory of 1064	1740	cmd.exe	151
PID 1000 wrote to memory of 360	1000	build-x64-crypt.bin.exe	152
PID 1000 wrote to memory of 360	1000	build-x64-crypt.bin.exe	152
PID 1000 wrote to memory of 360	1000	build-x64-crypt.bin.exe	152
PID 360 wrote to memory of 1100	360	cmd.exe	154
PID 360 wrote to memory of 1100	360	cmd.exe	154
PID 360 wrote to memory of 1100	360	cmd.exe	154
PID 1000 wrote to memory of 1352	1000	build-x64-crypt.bin.exe	155
PID 1000 wrote to memory of 1352	1000	build-x64-crypt.bin.exe	155
PID 1000 wrote to memory of 1352	1000	build-x64-crypt.bin.exe	155
PID 1352 wrote to memory of 1756	1352	cmd.exe	157
PID 1352 wrote to memory of 1756	1352	cmd.exe	157
PID 1352 wrote to memory of 1756	1352	cmd.exe	157
PID 1000 wrote to memory of 1480	1000	build-x64-crypt.bin.exe	158
PID 1000 wrote to memory of 1480	1000	build-x64-crypt.bin.exe	158
PID 1000 wrote to memory of 1480	1000	build-x64-crypt.bin.exe	158
PID 1480 wrote to memory of 1488	1480	cmd.exe	160
PID 1480 wrote to memory of 1488	1480	cmd.exe	160
PID 1480 wrote to memory of 1488	1480	cmd.exe	160
PID 1000 wrote to memory of 276	1000	build-x64-crypt.bin.exe	161
PID 1000 wrote to memory of 276	1000	build-x64-crypt.bin.exe	161
PID 1000 wrote to memory of 276	1000	build-x64-crypt.bin.exe	161
PID 276 wrote to memory of 2036	276	cmd.exe	163
PID 276 wrote to memory of 2036	276	cmd.exe	163
PID 276 wrote to memory of 2036	276	cmd.exe	163
PID 1000 wrote to memory of 1776	1000	build-x64-crypt.bin.exe	164
PID 1000 wrote to memory of 1776	1000	build-x64-crypt.bin.exe	164
PID 1000 wrote to memory of 1776	1000	build-x64-crypt.bin.exe	164
PID 1776 wrote to memory of 1836	1776	cmd.exe	166
PID 1776 wrote to memory of 1836	1776	cmd.exe	166
PID 1776 wrote to memory of 1836	1776	cmd.exe	166
PID 1000 wrote to memory of 804	1000	build-x64-crypt.bin.exe	167
PID 1000 wrote to memory of 804	1000	build-x64-crypt.bin.exe	167
PID 1000 wrote to memory of 804	1000	build-x64-crypt.bin.exe	167
PID 804 wrote to memory of 1144	804	cmd.exe	169
PID 804 wrote to memory of 1144	804	cmd.exe	169
PID 804 wrote to memory of 1144	804	cmd.exe	169
PID 1000 wrote to memory of 216	1000	build-x64-crypt.bin.exe	170
PID 1000 wrote to memory of 216	1000	build-x64-crypt.bin.exe	170
PID 1000 wrote to memory of 216	1000	build-x64-crypt.bin.exe	170
PID 216 wrote to memory of 1336	216	cmd.exe	172
PID 216 wrote to memory of 1336	216	cmd.exe	172
PID 216 wrote to memory of 1336	216	cmd.exe	172
PID 1000 wrote to memory of 1768	1000	build-x64-crypt.bin.exe	173
PID 1000 wrote to memory of 1768	1000	build-x64-crypt.bin.exe	173
PID 1000 wrote to memory of 1768	1000	build-x64-crypt.bin.exe	173
PID 1768 wrote to memory of 968	1768	cmd.exe	175
PID 1768 wrote to memory of 968	1768	cmd.exe	175
PID 1768 wrote to memory of 968	1768	cmd.exe	175
PID 1000 wrote to memory of 1248	1000	build-x64-crypt.bin.exe	176
PID 1000 wrote to memory of 1248	1000	build-x64-crypt.bin.exe	176
PID 1000 wrote to memory of 1248	1000	build-x64-crypt.bin.exe	176
PID 1248 wrote to memory of 340	1248	cmd.exe	178
PID 1248 wrote to memory of 340	1248	cmd.exe	178
PID 1248 wrote to memory of 340	1248	cmd.exe	178
PID 1000 wrote to memory of 928	1000	build-x64-crypt.bin.exe	179
PID 1000 wrote to memory of 928	1000	build-x64-crypt.bin.exe	179
PID 1000 wrote to memory of 928	1000	build-x64-crypt.bin.exe	179
PID 928 wrote to memory of 1300	928	cmd.exe	181
PID 928 wrote to memory of 1300	928	cmd.exe	181
PID 928 wrote to memory of 1300	928	cmd.exe	181
PID 1000 wrote to memory of 1040	1000	build-x64-crypt.bin.exe	182
PID 1000 wrote to memory of 1040	1000	build-x64-crypt.bin.exe	182
PID 1000 wrote to memory of 1040	1000	build-x64-crypt.bin.exe	182
PID 1040 wrote to memory of 1936	1040	cmd.exe	184
PID 1040 wrote to memory of 1936	1040	cmd.exe	184
PID 1040 wrote to memory of 1936	1040	cmd.exe	184
PID 1000 wrote to memory of 2000	1000	build-x64-crypt.bin.exe	185
PID 1000 wrote to memory of 2000	1000	build-x64-crypt.bin.exe	185
PID 1000 wrote to memory of 2000	1000	build-x64-crypt.bin.exe	185
PID 2000 wrote to memory of 2016	2000	cmd.exe	187
PID 2000 wrote to memory of 2016	2000	cmd.exe	187
PID 2000 wrote to memory of 2016	2000	cmd.exe	187
PID 1000 wrote to memory of 1792	1000	build-x64-crypt.bin.exe	188
PID 1000 wrote to memory of 1792	1000	build-x64-crypt.bin.exe	188
PID 1000 wrote to memory of 1792	1000	build-x64-crypt.bin.exe	188
PID 1792 wrote to memory of 1476	1792	cmd.exe	190
PID 1792 wrote to memory of 1476	1792	cmd.exe	190
PID 1792 wrote to memory of 1476	1792	cmd.exe	190
PID 1000 wrote to memory of 908	1000	build-x64-crypt.bin.exe	191
PID 1000 wrote to memory of 908	1000	build-x64-crypt.bin.exe	191
PID 1000 wrote to memory of 908	1000	build-x64-crypt.bin.exe	191
PID 908 wrote to memory of 1228	908	cmd.exe	193
PID 908 wrote to memory of 1228	908	cmd.exe	193
PID 908 wrote to memory of 1228	908	cmd.exe	193
PID 1000 wrote to memory of 1408	1000	build-x64-crypt.bin.exe	194
PID 1000 wrote to memory of 1408	1000	build-x64-crypt.bin.exe	194
PID 1000 wrote to memory of 1408	1000	build-x64-crypt.bin.exe	194
PID 1408 wrote to memory of 1824	1408	cmd.exe	196
PID 1408 wrote to memory of 1824	1408	cmd.exe	196
PID 1408 wrote to memory of 1824	1408	cmd.exe	196
PID 1000 wrote to memory of 1484	1000	build-x64-crypt.bin.exe	197
PID 1000 wrote to memory of 1484	1000	build-x64-crypt.bin.exe	197
PID 1000 wrote to memory of 1484	1000	build-x64-crypt.bin.exe	197
PID 1484 wrote to memory of 1524	1484	cmd.exe	199
PID 1484 wrote to memory of 1524	1484	cmd.exe	199
PID 1484 wrote to memory of 1524	1484	cmd.exe	199
PID 1000 wrote to memory of 1100	1000	build-x64-crypt.bin.exe	200
PID 1000 wrote to memory of 1100	1000	build-x64-crypt.bin.exe	200
PID 1000 wrote to memory of 1100	1000	build-x64-crypt.bin.exe	200
PID 1100 wrote to memory of 1780	1100	cmd.exe	202
PID 1100 wrote to memory of 1780	1100	cmd.exe	202
PID 1100 wrote to memory of 1780	1100	cmd.exe	202
PID 1000 wrote to memory of 420	1000	build-x64-crypt.bin.exe	204
PID 1000 wrote to memory of 420	1000	build-x64-crypt.bin.exe	204
PID 1000 wrote to memory of 420	1000	build-x64-crypt.bin.exe	204
PID 420 wrote to memory of 2008	420	cmd.exe	206
PID 420 wrote to memory of 2008	420	cmd.exe	206
PID 420 wrote to memory of 2008	420	cmd.exe	206
PID 1000 wrote to memory of 1832	1000	build-x64-crypt.bin.exe	207
PID 1000 wrote to memory of 1832	1000	build-x64-crypt.bin.exe	207
PID 1000 wrote to memory of 1832	1000	build-x64-crypt.bin.exe	207
PID 1832 wrote to memory of 236	1832	cmd.exe	209
PID 1832 wrote to memory of 236	1832	cmd.exe	209
PID 1832 wrote to memory of 236	1832	cmd.exe	209
PID 1000 wrote to memory of 1304	1000	build-x64-crypt.bin.exe	210
PID 1000 wrote to memory of 1304	1000	build-x64-crypt.bin.exe	210
PID 1000 wrote to memory of 1304	1000	build-x64-crypt.bin.exe	210
PID 1304 wrote to memory of 1336	1304	cmd.exe	212
PID 1304 wrote to memory of 1336	1304	cmd.exe	212
PID 1304 wrote to memory of 1336	1304	cmd.exe	212
PID 1000 wrote to memory of 544	1000	build-x64-crypt.bin.exe	213
PID 1000 wrote to memory of 544	1000	build-x64-crypt.bin.exe	213
PID 1000 wrote to memory of 544	1000	build-x64-crypt.bin.exe	213
PID 544 wrote to memory of 1840	544	cmd.exe	215
PID 544 wrote to memory of 1840	544	cmd.exe	215
PID 544 wrote to memory of 1840	544	cmd.exe	215
PID 1000 wrote to memory of 2044	1000	build-x64-crypt.bin.exe	216
PID 1000 wrote to memory of 2044	1000	build-x64-crypt.bin.exe	216
PID 1000 wrote to memory of 2044	1000	build-x64-crypt.bin.exe	216
PID 2044 wrote to memory of 1868	2044	cmd.exe	218
PID 2044 wrote to memory of 1868	2044	cmd.exe	218
PID 2044 wrote to memory of 1868	2044	cmd.exe	218
PID 1000 wrote to memory of 1484	1000	build-x64-crypt.bin.exe	219
PID 1000 wrote to memory of 1484	1000	build-x64-crypt.bin.exe	219
PID 1000 wrote to memory of 1484	1000	build-x64-crypt.bin.exe	219
PID 1484 wrote to memory of 1556	1484	cmd.exe	221
PID 1484 wrote to memory of 1556	1484	cmd.exe	221
PID 1484 wrote to memory of 1556	1484	cmd.exe	221
PID 1000 wrote to memory of 1752	1000	build-x64-crypt.bin.exe	222
PID 1000 wrote to memory of 1752	1000	build-x64-crypt.bin.exe	222
PID 1000 wrote to memory of 1752	1000	build-x64-crypt.bin.exe	222
PID 1752 wrote to memory of 1772	1752	cmd.exe	224
PID 1752 wrote to memory of 1772	1752	cmd.exe	224
PID 1752 wrote to memory of 1772	1752	cmd.exe	224
PID 1000 wrote to memory of 1432	1000	build-x64-crypt.bin.exe	225
PID 1000 wrote to memory of 1432	1000	build-x64-crypt.bin.exe	225
PID 1000 wrote to memory of 1432	1000	build-x64-crypt.bin.exe	225
PID 1432 wrote to memory of 2008	1432	cmd.exe	227
PID 1432 wrote to memory of 2008	1432	cmd.exe	227
PID 1432 wrote to memory of 2008	1432	cmd.exe	227
PID 1000 wrote to memory of 228	1000	build-x64-crypt.bin.exe	228
PID 1000 wrote to memory of 228	1000	build-x64-crypt.bin.exe	228
PID 1000 wrote to memory of 228	1000	build-x64-crypt.bin.exe	228
PID 228 wrote to memory of 1548	228	cmd.exe	230
PID 228 wrote to memory of 1548	228	cmd.exe	230
PID 228 wrote to memory of 1548	228	cmd.exe	230
PID 1000 wrote to memory of 1456	1000	build-x64-crypt.bin.exe	231
PID 1000 wrote to memory of 1456	1000	build-x64-crypt.bin.exe	231
PID 1000 wrote to memory of 1456	1000	build-x64-crypt.bin.exe	231
PID 1456 wrote to memory of 1736	1456	cmd.exe	233
PID 1456 wrote to memory of 1736	1456	cmd.exe	233
PID 1456 wrote to memory of 1736	1456	cmd.exe	233
PID 1000 wrote to memory of 316	1000	build-x64-crypt.bin.exe	234
PID 1000 wrote to memory of 316	1000	build-x64-crypt.bin.exe	234
PID 1000 wrote to memory of 316	1000	build-x64-crypt.bin.exe	234
PID 316 wrote to memory of 848	316	cmd.exe	236
PID 316 wrote to memory of 848	316	cmd.exe	236
PID 316 wrote to memory of 848	316	cmd.exe	236
PID 1000 wrote to memory of 968	1000	build-x64-crypt.bin.exe	237
PID 1000 wrote to memory of 968	1000	build-x64-crypt.bin.exe	237
PID 1000 wrote to memory of 968	1000	build-x64-crypt.bin.exe	237
PID 968 wrote to memory of 900	968	cmd.exe	239
PID 968 wrote to memory of 900	968	cmd.exe	239
PID 968 wrote to memory of 900	968	cmd.exe	239
PID 1000 wrote to memory of 1708	1000	build-x64-crypt.bin.exe	241
PID 1000 wrote to memory of 1708	1000	build-x64-crypt.bin.exe	241
PID 1000 wrote to memory of 1708	1000	build-x64-crypt.bin.exe	241
PID 1708 wrote to memory of 956	1708	cmd.exe	243
PID 1708 wrote to memory of 956	1708	cmd.exe	243
PID 1708 wrote to memory of 956	1708	cmd.exe	243
PID 1000 wrote to memory of 924	1000	build-x64-crypt.bin.exe	244
PID 1000 wrote to memory of 924	1000	build-x64-crypt.bin.exe	244
PID 1000 wrote to memory of 924	1000	build-x64-crypt.bin.exe	244
PID 924 wrote to memory of 1780	924	cmd.exe	246
PID 924 wrote to memory of 1780	924	cmd.exe	246
PID 924 wrote to memory of 1780	924	cmd.exe	246
PID 1000 wrote to memory of 552	1000	build-x64-crypt.bin.exe	247
PID 1000 wrote to memory of 552	1000	build-x64-crypt.bin.exe	247
PID 1000 wrote to memory of 552	1000	build-x64-crypt.bin.exe	247
PID 552 wrote to memory of 1544	552	cmd.exe	249
PID 552 wrote to memory of 1544	552	cmd.exe	249
PID 552 wrote to memory of 1544	552	cmd.exe	249
PID 1000 wrote to memory of 1996	1000	build-x64-crypt.bin.exe	250
PID 1000 wrote to memory of 1996	1000	build-x64-crypt.bin.exe	250
PID 1000 wrote to memory of 1996	1000	build-x64-crypt.bin.exe	250
PID 1996 wrote to memory of 1836	1996	cmd.exe	252
PID 1996 wrote to memory of 1836	1996	cmd.exe	252
PID 1996 wrote to memory of 1836	1996	cmd.exe	252
PID 1000 wrote to memory of 1108	1000	build-x64-crypt.bin.exe	253
PID 1000 wrote to memory of 1108	1000	build-x64-crypt.bin.exe	253
PID 1000 wrote to memory of 1108	1000	build-x64-crypt.bin.exe	253
PID 1108 wrote to memory of 276	1108	cmd.exe	255
PID 1108 wrote to memory of 276	1108	cmd.exe	255
PID 1108 wrote to memory of 276	1108	cmd.exe	255
PID 1000 wrote to memory of 588	1000	build-x64-crypt.bin.exe	256
PID 1000 wrote to memory of 588	1000	build-x64-crypt.bin.exe	256
PID 1000 wrote to memory of 588	1000	build-x64-crypt.bin.exe	256
PID 588 wrote to memory of 220	588	cmd.exe	258
PID 588 wrote to memory of 220	588	cmd.exe	258
PID 588 wrote to memory of 220	588	cmd.exe	258
PID 1000 wrote to memory of 936	1000	build-x64-crypt.bin.exe	259
PID 1000 wrote to memory of 936	1000	build-x64-crypt.bin.exe	259
PID 1000 wrote to memory of 936	1000	build-x64-crypt.bin.exe	259
PID 936 wrote to memory of 968	936	cmd.exe	261
PID 936 wrote to memory of 968	936	cmd.exe	261
PID 936 wrote to memory of 968	936	cmd.exe	261
PID 1000 wrote to memory of 1080	1000	build-x64-crypt.bin.exe	262
PID 1000 wrote to memory of 1080	1000	build-x64-crypt.bin.exe	262
PID 1000 wrote to memory of 1080	1000	build-x64-crypt.bin.exe	262
PID 1080 wrote to memory of 1708	1080	cmd.exe	264
PID 1080 wrote to memory of 1708	1080	cmd.exe	264
PID 1080 wrote to memory of 1708	1080	cmd.exe	264
PID 1000 wrote to memory of 2016	1000	build-x64-crypt.bin.exe	265
PID 1000 wrote to memory of 2016	1000	build-x64-crypt.bin.exe	265
PID 1000 wrote to memory of 2016	1000	build-x64-crypt.bin.exe	265
PID 2016 wrote to memory of 924	2016	cmd.exe	267
PID 2016 wrote to memory of 924	2016	cmd.exe	267
PID 2016 wrote to memory of 924	2016	cmd.exe	267
PID 1000 wrote to memory of 1668	1000	build-x64-crypt.bin.exe	268
PID 1000 wrote to memory of 1668	1000	build-x64-crypt.bin.exe	268
PID 1000 wrote to memory of 1668	1000	build-x64-crypt.bin.exe	268
PID 1668 wrote to memory of 1972	1668	cmd.exe	270
PID 1668 wrote to memory of 1972	1668	cmd.exe	270
PID 1668 wrote to memory of 1972	1668	cmd.exe	270
PID 1000 wrote to memory of 1472	1000	build-x64-crypt.bin.exe	271
PID 1000 wrote to memory of 1472	1000	build-x64-crypt.bin.exe	271
PID 1000 wrote to memory of 1472	1000	build-x64-crypt.bin.exe	271
PID 1472 wrote to memory of 1792	1472	cmd.exe	273
PID 1472 wrote to memory of 1792	1472	cmd.exe	273
PID 1472 wrote to memory of 1792	1472	cmd.exe	273
PID 1000 wrote to memory of 1064	1000	build-x64-crypt.bin.exe	274
PID 1000 wrote to memory of 1064	1000	build-x64-crypt.bin.exe	274
PID 1000 wrote to memory of 1064	1000	build-x64-crypt.bin.exe	274
PID 1064 wrote to memory of 804	1064	cmd.exe	276
PID 1064 wrote to memory of 804	1064	cmd.exe	276
PID 1064 wrote to memory of 804	1064	cmd.exe	276
PID 1000 wrote to memory of 948	1000	build-x64-crypt.bin.exe	277
PID 1000 wrote to memory of 948	1000	build-x64-crypt.bin.exe	277
PID 1000 wrote to memory of 948	1000	build-x64-crypt.bin.exe	277
PID 948 wrote to memory of 316	948	cmd.exe	279
PID 948 wrote to memory of 316	948	cmd.exe	279
PID 948 wrote to memory of 316	948	cmd.exe	279
PID 1000 wrote to memory of 1508	1000	build-x64-crypt.bin.exe	280
PID 1000 wrote to memory of 1508	1000	build-x64-crypt.bin.exe	280
PID 1000 wrote to memory of 1508	1000	build-x64-crypt.bin.exe	280
PID 1508 wrote to memory of 1760	1508	cmd.exe	282
PID 1508 wrote to memory of 1760	1508	cmd.exe	282
PID 1508 wrote to memory of 1760	1508	cmd.exe	282
PID 1000 wrote to memory of 1252	1000	build-x64-crypt.bin.exe	283
PID 1000 wrote to memory of 1252	1000	build-x64-crypt.bin.exe	283
PID 1000 wrote to memory of 1252	1000	build-x64-crypt.bin.exe	283
PID 1252 wrote to memory of 1484	1252	cmd.exe	285
PID 1252 wrote to memory of 1484	1252	cmd.exe	285
PID 1252 wrote to memory of 1484	1252	cmd.exe	285
PID 1000 wrote to memory of 1772	1000	build-x64-crypt.bin.exe	286
PID 1000 wrote to memory of 1772	1000	build-x64-crypt.bin.exe	286
PID 1000 wrote to memory of 1772	1000	build-x64-crypt.bin.exe	286
PID 1772 wrote to memory of 1752	1772	cmd.exe	288
PID 1772 wrote to memory of 1752	1772	cmd.exe	288
PID 1772 wrote to memory of 1752	1772	cmd.exe	288
PID 1000 wrote to memory of 1480	1000	build-x64-crypt.bin.exe	289
PID 1000 wrote to memory of 1480	1000	build-x64-crypt.bin.exe	289
PID 1000 wrote to memory of 1480	1000	build-x64-crypt.bin.exe	289
PID 1480 wrote to memory of 552	1480	cmd.exe	291
PID 1480 wrote to memory of 552	1480	cmd.exe	291
PID 1480 wrote to memory of 552	1480	cmd.exe	291
PID 1000 wrote to memory of 228	1000	build-x64-crypt.bin.exe	292
PID 1000 wrote to memory of 228	1000	build-x64-crypt.bin.exe	292
PID 1000 wrote to memory of 228	1000	build-x64-crypt.bin.exe	292
PID 228 wrote to memory of 1996	228	cmd.exe	294
PID 228 wrote to memory of 1996	228	cmd.exe	294
PID 228 wrote to memory of 1996	228	cmd.exe	294
PID 1000 wrote to memory of 1456	1000	build-x64-crypt.bin.exe	295
PID 1000 wrote to memory of 1456	1000	build-x64-crypt.bin.exe	295
PID 1000 wrote to memory of 1456	1000	build-x64-crypt.bin.exe	295
PID 1456 wrote to memory of 1736	1456	cmd.exe	297
PID 1456 wrote to memory of 1736	1456	cmd.exe	297
PID 1456 wrote to memory of 1736	1456	cmd.exe	297
PID 1000 wrote to memory of 608	1000	build-x64-crypt.bin.exe	298
PID 1000 wrote to memory of 608	1000	build-x64-crypt.bin.exe	298
PID 1000 wrote to memory of 608	1000	build-x64-crypt.bin.exe	298
PID 608 wrote to memory of 588	608	cmd.exe	300
PID 608 wrote to memory of 588	608	cmd.exe	300
PID 608 wrote to memory of 588	608	cmd.exe	300
PID 1000 wrote to memory of 928	1000	build-x64-crypt.bin.exe	301
PID 1000 wrote to memory of 928	1000	build-x64-crypt.bin.exe	301
PID 1000 wrote to memory of 928	1000	build-x64-crypt.bin.exe	301
PID 928 wrote to memory of 936	928	cmd.exe	303
PID 928 wrote to memory of 936	928	cmd.exe	303
PID 928 wrote to memory of 936	928	cmd.exe	303
PID 1000 wrote to memory of 1504	1000	build-x64-crypt.bin.exe	304
PID 1000 wrote to memory of 1504	1000	build-x64-crypt.bin.exe	304
PID 1000 wrote to memory of 1504	1000	build-x64-crypt.bin.exe	304
PID 1504 wrote to memory of 1248	1504	cmd.exe	306
PID 1504 wrote to memory of 1248	1504	cmd.exe	306
PID 1504 wrote to memory of 1248	1504	cmd.exe	306
PID 1000 wrote to memory of 1516	1000	build-x64-crypt.bin.exe	307
PID 1000 wrote to memory of 1516	1000	build-x64-crypt.bin.exe	307
PID 1000 wrote to memory of 1516	1000	build-x64-crypt.bin.exe	307
PID 1516 wrote to memory of 2016	1516	cmd.exe	309
PID 1516 wrote to memory of 2016	1516	cmd.exe	309
PID 1516 wrote to memory of 2016	1516	cmd.exe	309
PID 1000 wrote to memory of 1848	1000	build-x64-crypt.bin.exe	310
PID 1000 wrote to memory of 1848	1000	build-x64-crypt.bin.exe	310
PID 1000 wrote to memory of 1848	1000	build-x64-crypt.bin.exe	310
PID 1848 wrote to memory of 1144	1848	cmd.exe	312
PID 1848 wrote to memory of 1144	1848	cmd.exe	312
PID 1848 wrote to memory of 1144	1848	cmd.exe	312
PID 1000 wrote to memory of 236	1000	build-x64-crypt.bin.exe	313
PID 1000 wrote to memory of 236	1000	build-x64-crypt.bin.exe	313
PID 1000 wrote to memory of 236	1000	build-x64-crypt.bin.exe	313
PID 236 wrote to memory of 480	236	cmd.exe	315
PID 236 wrote to memory of 480	236	cmd.exe	315
PID 236 wrote to memory of 480	236	cmd.exe	315
PID 1000 wrote to memory of 1196	1000	build-x64-crypt.bin.exe	316
PID 1000 wrote to memory of 1196	1000	build-x64-crypt.bin.exe	316
PID 1000 wrote to memory of 1196	1000	build-x64-crypt.bin.exe	316
PID 1196 wrote to memory of 1064	1196	cmd.exe	318
PID 1196 wrote to memory of 1064	1196	cmd.exe	318
PID 1196 wrote to memory of 1064	1196	cmd.exe	318
PID 1000 wrote to memory of 1524	1000	build-x64-crypt.bin.exe	319
PID 1000 wrote to memory of 1524	1000	build-x64-crypt.bin.exe	319
PID 1000 wrote to memory of 1524	1000	build-x64-crypt.bin.exe	319
PID 1524 wrote to memory of 684	1524	cmd.exe	321
PID 1524 wrote to memory of 684	1524	cmd.exe	321
PID 1524 wrote to memory of 684	1524	cmd.exe	321
PID 1000 wrote to memory of 1304	1000	build-x64-crypt.bin.exe	322
PID 1000 wrote to memory of 1304	1000	build-x64-crypt.bin.exe	322
PID 1000 wrote to memory of 1304	1000	build-x64-crypt.bin.exe	322
PID 1304 wrote to memory of 1936	1304	cmd.exe	324
PID 1304 wrote to memory of 1936	1304	cmd.exe	324
PID 1304 wrote to memory of 1936	1304	cmd.exe	324
PID 1000 wrote to memory of 820	1000	build-x64-crypt.bin.exe	325
PID 1000 wrote to memory of 820	1000	build-x64-crypt.bin.exe	325
PID 1000 wrote to memory of 820	1000	build-x64-crypt.bin.exe	325
PID 820 wrote to memory of 1252	820	cmd.exe	327
PID 820 wrote to memory of 1252	820	cmd.exe	327
PID 820 wrote to memory of 1252	820	cmd.exe	327

C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe
"C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\system32\cmd.exe
  cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic.exe SHADOWCOPY DELETE /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1760
- C:\Windows\system32\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\system32\wbadmin.exe
    wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    - Deletes System State backups
    - Drops file in Windows directory
    PID:1780
- C:\Windows\system32\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:420
- - C:\Windows\system32\wbadmin.exe
    wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
    3⤵
    - Deletes System State backups
    - Drops file in Windows directory
    PID:316
- C:\Windows\system32\cmd.exe
  cmd /C bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:360
- C:\Windows\system32\cmd.exe
  cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:276
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:912
- C:\Windows\system32\cmd.exe
  cmd /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1408
- C:\Windows\system32\cmd.exe
  cmd /C C:\Windows\system32\vssvc.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\system32\VSSVC.exe
    C:\Windows\system32\vssvc.exe
    3⤵
    PID:1040
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM wxServer*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wxServer*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBFCService*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBFCService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:224
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBVSS*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBVSS*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sql*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sql*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:544
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM msaccess*
  2⤵
  PID:1792
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM msaccess*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:968
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM mssql*
  2⤵
  PID:804
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM mssql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM mysql*
  2⤵
  PID:840
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM mysql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1252
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM wxServerView*
  2⤵
  PID:1472
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wxServerView*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sqlmangr*
  2⤵
  PID:1824
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqlmangr*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:232
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM RAgui*
  2⤵
  PID:204
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM RAgui*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM supervise*
  2⤵
  PID:1744
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM supervise*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Culture*
  2⤵
  PID:1780
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Culture*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:360
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Defwatch*
  2⤵
  PID:420
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Defwatch*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM winword*
  2⤵
  PID:908
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM winword*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBW32*
  2⤵
  PID:1296
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBW32*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1080
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgr*
  2⤵
  PID:372
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBDBMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM qbupdate*
  2⤵
  PID:1740
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM qbupdate*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1456
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM axlbridge*
  2⤵
  PID:2024
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM axlbridge*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:316
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM httpd*
  2⤵
  PID:1248
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM httpd*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM fdlauncher*
  2⤵
  PID:920
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM fdlauncher*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MsDtSrvr*
  2⤵
  PID:1792
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MsDtSrvr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM java*
  2⤵
  PID:804
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM java*
    3⤵
    - Kills process with taskkill
    PID:2036
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM 360se*
  2⤵
  PID:840
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM 360se*
    3⤵
    - Kills process with taskkill
    PID:228
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM 360doctor*
  2⤵
  PID:1472
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM 360doctor*
    3⤵
    - Kills process with taskkill
    PID:1736
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM wdswfsafe*
  2⤵
  PID:1824
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wdswfsafe*
    3⤵
    - Kills process with taskkill
    PID:848
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM fdhost*
  2⤵
  PID:204
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM fdhost*
    3⤵
    - Kills process with taskkill
    PID:684
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM GDscan*
  2⤵
  PID:928
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM GDscan*
    3⤵
    - Kills process with taskkill
    PID:924
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM ZhuDongFangYu*
  2⤵
  PID:1780
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM ZhuDongFangYu*
    3⤵
    - Kills process with taskkill
    PID:1556
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgrN*
  2⤵
  PID:1504
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBDBMgrN*
    3⤵
    - Kills process with taskkill
    PID:1952
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM mysqld*
  2⤵
  PID:908
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM mysqld*
    3⤵
    PID:232
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM AutodeskDesktopApp*
  2⤵
  PID:1296
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM AutodeskDesktopApp*
    3⤵
    - Kills process with taskkill
    PID:1500
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM acwebbrowser*
  2⤵
  PID:372
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM acwebbrowser*
    3⤵
    PID:1108
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Creative Cloud*
  2⤵
  PID:1740
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Creative Cloud*
    3⤵
    PID:1064
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Adobe Desktop Service*
  2⤵
  PID:360
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Adobe Desktop Service*
    3⤵
    - Kills process with taskkill
    PID:1100
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM CoreSync*
  2⤵
  PID:1352
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM CoreSync*
    3⤵
    - Kills process with taskkill
    PID:1756
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Adobe CEF Helper*
  2⤵
  PID:1480
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Adobe CEF Helper*
    3⤵
    PID:1488
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM node*
  2⤵
  PID:276
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM node*
    3⤵
    - Kills process with taskkill
    PID:2036
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM AdobeIPCBroker*
  2⤵
  PID:1776
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM AdobeIPCBroker*
    3⤵
    - Kills process with taskkill
    PID:1836
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sync-taskbar*
  2⤵
  PID:804
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sync-taskbar*
    3⤵
    - Kills process with taskkill
    PID:1144
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sync-worker*
  2⤵
  PID:216
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sync-worker*
    3⤵
    - Kills process with taskkill
    PID:1336
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM InputPersonalization*
  2⤵
  PID:1768
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM InputPersonalization*
    3⤵
    - Kills process with taskkill
    PID:968
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM AdobeCollabSync*
  2⤵
  PID:1248
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM AdobeCollabSync*
    3⤵
    - Kills process with taskkill
    PID:340
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM BrCtrlCntr*
  2⤵
  PID:928
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM BrCtrlCntr*
    3⤵
    - Kills process with taskkill
    PID:1300
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM BrCcUxSys*
  2⤵
  PID:1040
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM BrCcUxSys*
    3⤵
    - Kills process with taskkill
    PID:1936
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SimplyConnectionManager*
  2⤵
  PID:2000
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SimplyConnectionManager*
    3⤵
    - Kills process with taskkill
    PID:2016
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
  2⤵
  PID:1792
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Simply.SystemTrayIcon*
    3⤵
    PID:1476
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM fbguard*
  2⤵
  PID:908
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM fbguard*
    3⤵
    PID:1228
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM fbserver*
  2⤵
  PID:1408
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM fbserver*
    3⤵
    PID:1824
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM ONENOTEM*
  2⤵
  PID:1484
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM ONENOTEM*
    3⤵
    - Kills process with taskkill
    PID:1524
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM wrapper*
  2⤵
  PID:1100
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM wrapper*
    3⤵
    - Kills process with taskkill
    PID:1780
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM DefWatch*
  2⤵
  PID:420
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM DefWatch*
    3⤵
    - Kills process with taskkill
    PID:2008
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM ccEvtMgr*
  2⤵
  PID:1832
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM ccEvtMgr*
    3⤵
    - Kills process with taskkill
    PID:236
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM ccSetMgr*
  2⤵
  PID:1304
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM ccSetMgr*
    3⤵
    - Kills process with taskkill
    PID:1336
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SavRoam*
  2⤵
  PID:544
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SavRoam*
    3⤵
    PID:1840
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Sqlservr*
  2⤵
  PID:2044
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Sqlservr*
    3⤵
    PID:1868
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sqlagent*
  2⤵
  PID:1484
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqlagent*
    3⤵
    - Kills process with taskkill
    PID:1556
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sqladhlp*
  2⤵
  PID:1752
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqladhlp*
    3⤵
    PID:1772
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Culserver*
  2⤵
  PID:1432
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Culserver*
    3⤵
    - Kills process with taskkill
    PID:2008
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM RTVscan*
  2⤵
  PID:228
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM RTVscan*
    3⤵
    - Kills process with taskkill
    PID:1548
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sqlbrowser*
  2⤵
  PID:1456
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqlbrowser*
    3⤵
    PID:1736
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLADHLP*
  2⤵
  PID:316
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLADHLP*
    3⤵
    - Kills process with taskkill
    PID:848
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBIDPService*
  2⤵
  PID:968
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBIDPService*
    3⤵
    - Kills process with taskkill
    PID:900
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
  2⤵
  PID:1708
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:956
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM QBCFMonitorService*
  2⤵
  PID:924
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM QBCFMonitorService*
    3⤵
    PID:1780
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM sqlwriter*
  2⤵
  PID:552
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM sqlwriter*
    3⤵
    - Kills process with taskkill
    PID:1544
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM msmdsrv*
  2⤵
  PID:1996
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM msmdsrv*
    3⤵
    - Kills process with taskkill
    PID:1836
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM tomcat6*
  2⤵
  PID:1108
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM tomcat6*
    3⤵
    PID:276
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM zhudongfangyu*
  2⤵
  PID:588
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    PID:220
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM vmware-usbarbitator64*
  2⤵
  PID:936
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM vmware-usbarbitator64*
    3⤵
    PID:968
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM vmware-converter*
  2⤵
  PID:1080
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM vmware-converter*
    3⤵
    - Kills process with taskkill
    PID:1708
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM dbsrv12*
  2⤵
  PID:2016
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM dbsrv12*
    3⤵
    PID:924
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM dbeng8*
  2⤵
  PID:1668
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM dbeng8*
    3⤵
    - Kills process with taskkill
    PID:1972
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:1472
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    - Kills process with taskkill
    PID:1792
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
  2⤵
  PID:1064
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:804
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
  2⤵
  PID:948
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:316
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLBrowser*
  2⤵
  PID:1508
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLBrowser*
    3⤵
    - Kills process with taskkill
    PID:1760
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLWriter*
  2⤵
  PID:1252
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLWriter*
    3⤵
    PID:1484
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM FishbowlMySQL*
  2⤵
  PID:1772
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FishbowlMySQL*
    3⤵
    PID:1752
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:1480
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    - Kills process with taskkill
    PID:552
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MySQL57*
  2⤵
  PID:228
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MySQL57*
    3⤵
    PID:1996
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
  2⤵
  PID:1456
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
    3⤵
    - Kills process with taskkill
    PID:1736
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
  2⤵
  PID:608
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQLServerADHelper100*
    3⤵
    - Kills process with taskkill
    PID:588
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
  2⤵
  PID:928
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
    3⤵
    - Kills process with taskkill
    PID:936
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM msftesql-Exchange*
  2⤵
  PID:1504
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM msftesql-Exchange*
    3⤵
    PID:1248
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
  2⤵
  PID:1516
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
    3⤵
    - Kills process with taskkill
    PID:2016
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
  2⤵
  PID:1848
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:1144
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
  2⤵
  PID:236
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQL$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:480
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
  2⤵
  PID:1196
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:1064
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
  2⤵
  PID:1524
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:684
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
  2⤵
  PID:1304
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLAgent$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:1936
- C:\Windows\system32\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
  2⤵
  PID:820
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SQLAgent$SHAREPOINT*
    3⤵
    PID:1252

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e0
1⤵
PID:808

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\Ejdgcj-decrypt.hta"
1⤵
- Modifies Internet Explorer settings
PID:1936