exorcist | 9aa75631b7a56a84117e5aed0540fb74dfcde2c36d52744156381c9161603e28

Resubmissions

23-07-2020 14:59

200723-qeb9jz5z6e 10

23-07-2020 13:40

200723-1el7ztcngs 10

Analysis

max time kernel
98s
max time network
110s
platform
windows10_x64
resource
win10
submitted
23-07-2020 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build-x32.crypt.bin.exe

Score

10^/10

ransomware exorcist persistence

Malware Config

Signatures

Exorcist
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 17 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\LockSubmit.tiff	build-x32.crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\LockSubmit.tiff => C:\Users\Admin\Pictures\LockSubmit.tiff.RmJrcj	build-x32.crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromSkip.tiff => C:\Users\Admin\Pictures\ConvertFromSkip.tiff.RmJrcj	build-x32.crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\InvokeStep.tif => C:\Users\Admin\Pictures\InvokeStep.tif.RmJrcj	build-x32.crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\JoinResume.tiff => C:\Users\Admin\Pictures\JoinResume.tiff.RmJrcj	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\JoinResume.tiff.RmJrcj	build-x32.crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\SearchConvertFrom.tif => C:\Users\Admin\Pictures\SearchConvertFrom.tif.RmJrcj	build-x32.crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\BlockClose.png => C:\Users\Admin\Pictures\BlockClose.png.RmJrcj	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\JoinResume.tiff	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromSkip.tiff	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\LockSubmit.tiff.RmJrcj	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ClearOptimize.tif.RmJrcj	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromSkip.tiff.RmJrcj	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InvokeStep.tif.RmJrcj	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SearchConvertFrom.tif.RmJrcj	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\BlockClose.png.RmJrcj	build-x32.crypt.bin.exe
File renamed	C:\Users\Admin\Pictures\ClearOptimize.tif => C:\Users\Admin\Pictures\ClearOptimize.tif.RmJrcj	build-x32.crypt.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	build-x32.crypt.bin.exe
File opened (read-only)	\??\H:	build-x32.crypt.bin.exe
File opened (read-only)	\??\L:	build-x32.crypt.bin.exe
File opened (read-only)	\??\P:	build-x32.crypt.bin.exe
File opened (read-only)	\??\Q:	build-x32.crypt.bin.exe
File opened (read-only)	\??\V:	build-x32.crypt.bin.exe
File opened (read-only)	\??\K:	build-x32.crypt.bin.exe
File opened (read-only)	\??\Y:	build-x32.crypt.bin.exe
File opened (read-only)	\??\Z:	build-x32.crypt.bin.exe
File opened (read-only)	\??\O:	build-x32.crypt.bin.exe
File opened (read-only)	\??\R:	build-x32.crypt.bin.exe
File opened (read-only)	\??\A:	build-x32.crypt.bin.exe
File opened (read-only)	\??\B:	build-x32.crypt.bin.exe
File opened (read-only)	\??\E:	build-x32.crypt.bin.exe
File opened (read-only)	\??\I:	build-x32.crypt.bin.exe
File opened (read-only)	\??\J:	build-x32.crypt.bin.exe
File opened (read-only)	\??\M:	build-x32.crypt.bin.exe
File opened (read-only)	\??\S:	build-x32.crypt.bin.exe
File opened (read-only)	\??\U:	build-x32.crypt.bin.exe
File opened (read-only)	\??\G:	build-x32.crypt.bin.exe
File opened (read-only)	\??\N:	build-x32.crypt.bin.exe
File opened (read-only)	\??\T:	build-x32.crypt.bin.exe
File opened (read-only)	\??\W:	build-x32.crypt.bin.exe
File opened (read-only)	\??\X:	build-x32.crypt.bin.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d.bmp"	build-x32.crypt.bin.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1568	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3888	vssadmin.exe

Kills process with taskkill 91 IoCs

evasion

pid	Process
3544	taskkill.exe
3208	taskkill.exe
1536	taskkill.exe
800	taskkill.exe
2772	taskkill.exe
1120	taskkill.exe
2076	taskkill.exe
1504	taskkill.exe
2208	taskkill.exe
3008	taskkill.exe
3516	taskkill.exe
1844	taskkill.exe
4044	taskkill.exe
3892	taskkill.exe
4048	taskkill.exe
3212	taskkill.exe
2864	taskkill.exe
2796	taskkill.exe
1532	taskkill.exe
3940	taskkill.exe
1728	taskkill.exe
1252	taskkill.exe
1308	taskkill.exe
2616	taskkill.exe
1460	taskkill.exe
500	taskkill.exe
3960	taskkill.exe
2496	taskkill.exe
1148	taskkill.exe
416	taskkill.exe
1068	taskkill.exe
2084	taskkill.exe
2248	taskkill.exe
1340	taskkill.exe
1360	taskkill.exe
804	taskkill.exe
3960	taskkill.exe
3936	taskkill.exe
1180	taskkill.exe
1904	taskkill.exe
424	taskkill.exe
2796	taskkill.exe
2980	taskkill.exe
848	taskkill.exe
2896	taskkill.exe
1688	taskkill.exe
2072	taskkill.exe
648	taskkill.exe
2564	taskkill.exe
2244	taskkill.exe
2244	taskkill.exe
3968	taskkill.exe
1972	taskkill.exe
2356	taskkill.exe
1564	taskkill.exe
512	taskkill.exe
3008	taskkill.exe
2140	taskkill.exe
3972	taskkill.exe
2192	taskkill.exe
560	taskkill.exe
4072	taskkill.exe
376	taskkill.exe
632	taskkill.exe
424	taskkill.exe
3960	taskkill.exe
1936	taskkill.exe
512	taskkill.exe
1564	taskkill.exe
2140	taskkill.exe
2356	taskkill.exe
1148	taskkill.exe
1360	taskkill.exe
636	taskkill.exe
2216	taskkill.exe
1668	taskkill.exe
1116	taskkill.exe
3800	taskkill.exe
3880	taskkill.exe
416	taskkill.exe
2564	taskkill.exe
500	taskkill.exe
996	taskkill.exe
2680	taskkill.exe
852	taskkill.exe
1668	taskkill.exe
1840	taskkill.exe
3872	taskkill.exe
408	taskkill.exe
1832	taskkill.exe
3956	taskkill.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:uzkcayivo	build-x32.crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:fwsjvisltoiwhlkd	build-x32.crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:uzkcayivo	build-x32.crypt.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:ftztnzezfosqioqjq	build-x32.crypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:qncbeovltenni	build-x32.crypt.bin.exe

Suspicious behavior: EnumeratesProcesses 318 IoCs

pid	Process
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe
3920	build-x32.crypt.bin.exe

Suspicious use of AdjustPrivilegeToken 133 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3848	WMIC.exe
Token: SeSecurityPrivilege	3848	WMIC.exe
Token: SeTakeOwnershipPrivilege	3848	WMIC.exe
Token: SeLoadDriverPrivilege	3848	WMIC.exe
Token: SeSystemProfilePrivilege	3848	WMIC.exe
Token: SeSystemtimePrivilege	3848	WMIC.exe
Token: SeProfSingleProcessPrivilege	3848	WMIC.exe
Token: SeIncBasePriorityPrivilege	3848	WMIC.exe
Token: SeCreatePagefilePrivilege	3848	WMIC.exe
Token: SeBackupPrivilege	3848	WMIC.exe
Token: SeRestorePrivilege	3848	WMIC.exe
Token: SeShutdownPrivilege	3848	WMIC.exe
Token: SeDebugPrivilege	3848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3848	WMIC.exe
Token: SeRemoteShutdownPrivilege	3848	WMIC.exe
Token: SeUndockPrivilege	3848	WMIC.exe
Token: SeManageVolumePrivilege	3848	WMIC.exe
Token: 33	3848	WMIC.exe
Token: 34	3848	WMIC.exe
Token: 35	3848	WMIC.exe
Token: 36	3848	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3848	WMIC.exe
Token: SeSecurityPrivilege	3848	WMIC.exe
Token: SeTakeOwnershipPrivilege	3848	WMIC.exe
Token: SeLoadDriverPrivilege	3848	WMIC.exe
Token: SeSystemProfilePrivilege	3848	WMIC.exe
Token: SeSystemtimePrivilege	3848	WMIC.exe
Token: SeProfSingleProcessPrivilege	3848	WMIC.exe
Token: SeIncBasePriorityPrivilege	3848	WMIC.exe
Token: SeCreatePagefilePrivilege	3848	WMIC.exe
Token: SeBackupPrivilege	3848	WMIC.exe
Token: SeRestorePrivilege	3848	WMIC.exe
Token: SeShutdownPrivilege	3848	WMIC.exe
Token: SeDebugPrivilege	3848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3848	WMIC.exe
Token: SeRemoteShutdownPrivilege	3848	WMIC.exe
Token: SeUndockPrivilege	3848	WMIC.exe
Token: SeManageVolumePrivilege	3848	WMIC.exe
Token: 33	3848	WMIC.exe
Token: 34	3848	WMIC.exe
Token: 35	3848	WMIC.exe
Token: 36	3848	WMIC.exe
Token: SeBackupPrivilege	496	vssvc.exe
Token: SeRestorePrivilege	496	vssvc.exe
Token: SeAuditPrivilege	496	vssvc.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	3960	taskkill.exe
Token: SeDebugPrivilege	416	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	3008	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	500	taskkill.exe
Token: SeDebugPrivilege	512	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	500	taskkill.exe
Token: SeDebugPrivilege	3544	taskkill.exe
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	3960	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	1360	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	408	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	424	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	804	taskkill.exe
Token: SeDebugPrivilege	4048	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	3212	taskkill.exe
Token: SeDebugPrivilege	848	taskkill.exe
Token: SeDebugPrivilege	1360	taskkill.exe
Token: SeDebugPrivilege	4072	taskkill.exe
Token: SeDebugPrivilege	4044	taskkill.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	1120	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	3880	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	3960	taskkill.exe
Token: SeDebugPrivilege	376	taskkill.exe
Token: SeDebugPrivilege	3208	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	416	taskkill.exe
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	852	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	632	taskkill.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	512	taskkill.exe
Token: SeDebugPrivilege	2216	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	424	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	2084	taskkill.exe
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	3008	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe

Suspicious use of WriteProcessMemory 579 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 3872	3920	build-x32.crypt.bin.exe	68
PID 3920 wrote to memory of 3872	3920	build-x32.crypt.bin.exe	68
PID 3920 wrote to memory of 3872	3920	build-x32.crypt.bin.exe	68
PID 3872 wrote to memory of 3848	3872	cmd.exe	70
PID 3872 wrote to memory of 3848	3872	cmd.exe	70
PID 3872 wrote to memory of 3848	3872	cmd.exe	70
PID 3920 wrote to memory of 1936	3920	build-x32.crypt.bin.exe	73
PID 3920 wrote to memory of 1936	3920	build-x32.crypt.bin.exe	73
PID 3920 wrote to memory of 1936	3920	build-x32.crypt.bin.exe	73
PID 3920 wrote to memory of 3032	3920	build-x32.crypt.bin.exe	75
PID 3920 wrote to memory of 3032	3920	build-x32.crypt.bin.exe	75
PID 3920 wrote to memory of 3032	3920	build-x32.crypt.bin.exe	75
PID 3920 wrote to memory of 4072	3920	build-x32.crypt.bin.exe	77
PID 3920 wrote to memory of 4072	3920	build-x32.crypt.bin.exe	77
PID 3920 wrote to memory of 4072	3920	build-x32.crypt.bin.exe	77
PID 3920 wrote to memory of 2216	3920	build-x32.crypt.bin.exe	79
PID 3920 wrote to memory of 2216	3920	build-x32.crypt.bin.exe	79
PID 3920 wrote to memory of 2216	3920	build-x32.crypt.bin.exe	79
PID 3920 wrote to memory of 3804	3920	build-x32.crypt.bin.exe	81
PID 3920 wrote to memory of 3804	3920	build-x32.crypt.bin.exe	81
PID 3920 wrote to memory of 3804	3920	build-x32.crypt.bin.exe	81
PID 3804 wrote to memory of 3888	3804	cmd.exe	83
PID 3804 wrote to memory of 3888	3804	cmd.exe	83
PID 3804 wrote to memory of 3888	3804	cmd.exe	83
PID 3920 wrote to memory of 3208	3920	build-x32.crypt.bin.exe	84
PID 3920 wrote to memory of 3208	3920	build-x32.crypt.bin.exe	84
PID 3920 wrote to memory of 3208	3920	build-x32.crypt.bin.exe	84
PID 3920 wrote to memory of 412	3920	build-x32.crypt.bin.exe	86
PID 3920 wrote to memory of 412	3920	build-x32.crypt.bin.exe	86
PID 3920 wrote to memory of 412	3920	build-x32.crypt.bin.exe	86
PID 412 wrote to memory of 3872	412	cmd.exe	88
PID 412 wrote to memory of 3872	412	cmd.exe	88
PID 412 wrote to memory of 3872	412	cmd.exe	88
PID 3920 wrote to memory of 3028	3920	build-x32.crypt.bin.exe	90
PID 3920 wrote to memory of 3028	3920	build-x32.crypt.bin.exe	90
PID 3920 wrote to memory of 3028	3920	build-x32.crypt.bin.exe	90
PID 3028 wrote to memory of 2140	3028	cmd.exe	92
PID 3028 wrote to memory of 2140	3028	cmd.exe	92
PID 3028 wrote to memory of 2140	3028	cmd.exe	92
PID 3920 wrote to memory of 3516	3920	build-x32.crypt.bin.exe	93
PID 3920 wrote to memory of 3516	3920	build-x32.crypt.bin.exe	93
PID 3920 wrote to memory of 3516	3920	build-x32.crypt.bin.exe	93
PID 3516 wrote to memory of 3960	3516	cmd.exe	95
PID 3516 wrote to memory of 3960	3516	cmd.exe	95
PID 3516 wrote to memory of 3960	3516	cmd.exe	95
PID 3920 wrote to memory of 3788	3920	build-x32.crypt.bin.exe	96
PID 3920 wrote to memory of 3788	3920	build-x32.crypt.bin.exe	96
PID 3920 wrote to memory of 3788	3920	build-x32.crypt.bin.exe	96
PID 3788 wrote to memory of 416	3788	cmd.exe	98
PID 3788 wrote to memory of 416	3788	cmd.exe	98
PID 3788 wrote to memory of 416	3788	cmd.exe	98
PID 3920 wrote to memory of 512	3920	build-x32.crypt.bin.exe	99
PID 3920 wrote to memory of 512	3920	build-x32.crypt.bin.exe	99
PID 3920 wrote to memory of 512	3920	build-x32.crypt.bin.exe	99
PID 512 wrote to memory of 1936	512	cmd.exe	101
PID 512 wrote to memory of 1936	512	cmd.exe	101
PID 512 wrote to memory of 1936	512	cmd.exe	101
PID 3920 wrote to memory of 3956	3920	build-x32.crypt.bin.exe	102
PID 3920 wrote to memory of 3956	3920	build-x32.crypt.bin.exe	102
PID 3920 wrote to memory of 3956	3920	build-x32.crypt.bin.exe	102
PID 3956 wrote to memory of 2564	3956	cmd.exe	104
PID 3956 wrote to memory of 2564	3956	cmd.exe	104
PID 3956 wrote to memory of 2564	3956	cmd.exe	104
PID 3920 wrote to memory of 8	3920	build-x32.crypt.bin.exe	105
PID 3920 wrote to memory of 8	3920	build-x32.crypt.bin.exe	105
PID 3920 wrote to memory of 8	3920	build-x32.crypt.bin.exe	105
PID 8 wrote to memory of 3008	8	cmd.exe	107
PID 8 wrote to memory of 3008	8	cmd.exe	107
PID 8 wrote to memory of 3008	8	cmd.exe	107
PID 3920 wrote to memory of 1688	3920	build-x32.crypt.bin.exe	108
PID 3920 wrote to memory of 1688	3920	build-x32.crypt.bin.exe	108
PID 3920 wrote to memory of 1688	3920	build-x32.crypt.bin.exe	108
PID 1688 wrote to memory of 800	1688	cmd.exe	110
PID 1688 wrote to memory of 800	1688	cmd.exe	110
PID 1688 wrote to memory of 800	1688	cmd.exe	110
PID 3920 wrote to memory of 3224	3920	build-x32.crypt.bin.exe	111
PID 3920 wrote to memory of 3224	3920	build-x32.crypt.bin.exe	111
PID 3920 wrote to memory of 3224	3920	build-x32.crypt.bin.exe	111
PID 3224 wrote to memory of 500	3224	cmd.exe	113
PID 3224 wrote to memory of 500	3224	cmd.exe	113
PID 3224 wrote to memory of 500	3224	cmd.exe	113
PID 3920 wrote to memory of 3916	3920	build-x32.crypt.bin.exe	114
PID 3920 wrote to memory of 3916	3920	build-x32.crypt.bin.exe	114
PID 3920 wrote to memory of 3916	3920	build-x32.crypt.bin.exe	114
PID 3916 wrote to memory of 512	3916	cmd.exe	116
PID 3916 wrote to memory of 512	3916	cmd.exe	116
PID 3916 wrote to memory of 512	3916	cmd.exe	116
PID 3920 wrote to memory of 996	3920	build-x32.crypt.bin.exe	117
PID 3920 wrote to memory of 996	3920	build-x32.crypt.bin.exe	117
PID 3920 wrote to memory of 996	3920	build-x32.crypt.bin.exe	117
PID 996 wrote to memory of 2072	996	cmd.exe	119
PID 996 wrote to memory of 2072	996	cmd.exe	119
PID 996 wrote to memory of 2072	996	cmd.exe	119
PID 3920 wrote to memory of 408	3920	build-x32.crypt.bin.exe	120
PID 3920 wrote to memory of 408	3920	build-x32.crypt.bin.exe	120
PID 3920 wrote to memory of 408	3920	build-x32.crypt.bin.exe	120
PID 408 wrote to memory of 3972	408	cmd.exe	122
PID 408 wrote to memory of 3972	408	cmd.exe	122
PID 408 wrote to memory of 3972	408	cmd.exe	122
PID 3920 wrote to memory of 8	3920	build-x32.crypt.bin.exe	123
PID 3920 wrote to memory of 8	3920	build-x32.crypt.bin.exe	123
PID 3920 wrote to memory of 8	3920	build-x32.crypt.bin.exe	123
PID 8 wrote to memory of 1148	8	cmd.exe	125
PID 8 wrote to memory of 1148	8	cmd.exe	125
PID 8 wrote to memory of 1148	8	cmd.exe	125
PID 3920 wrote to memory of 2796	3920	build-x32.crypt.bin.exe	126
PID 3920 wrote to memory of 2796	3920	build-x32.crypt.bin.exe	126
PID 3920 wrote to memory of 2796	3920	build-x32.crypt.bin.exe	126
PID 2796 wrote to memory of 3516	2796	cmd.exe	128
PID 2796 wrote to memory of 3516	2796	cmd.exe	128
PID 2796 wrote to memory of 3516	2796	cmd.exe	128
PID 3920 wrote to memory of 1316	3920	build-x32.crypt.bin.exe	129
PID 3920 wrote to memory of 1316	3920	build-x32.crypt.bin.exe	129
PID 3920 wrote to memory of 1316	3920	build-x32.crypt.bin.exe	129
PID 1316 wrote to memory of 500	1316	cmd.exe	131
PID 1316 wrote to memory of 500	1316	cmd.exe	131
PID 1316 wrote to memory of 500	1316	cmd.exe	131
PID 3920 wrote to memory of 3892	3920	build-x32.crypt.bin.exe	132
PID 3920 wrote to memory of 3892	3920	build-x32.crypt.bin.exe	132
PID 3920 wrote to memory of 3892	3920	build-x32.crypt.bin.exe	132
PID 3892 wrote to memory of 3544	3892	cmd.exe	134
PID 3892 wrote to memory of 3544	3892	cmd.exe	134
PID 3892 wrote to memory of 3544	3892	cmd.exe	134
PID 3920 wrote to memory of 3916	3920	build-x32.crypt.bin.exe	135
PID 3920 wrote to memory of 3916	3920	build-x32.crypt.bin.exe	135
PID 3920 wrote to memory of 3916	3920	build-x32.crypt.bin.exe	135
PID 3916 wrote to memory of 1532	3916	cmd.exe	137
PID 3916 wrote to memory of 1532	3916	cmd.exe	137
PID 3916 wrote to memory of 1532	3916	cmd.exe	137
PID 3920 wrote to memory of 3852	3920	build-x32.crypt.bin.exe	138
PID 3920 wrote to memory of 3852	3920	build-x32.crypt.bin.exe	138
PID 3920 wrote to memory of 3852	3920	build-x32.crypt.bin.exe	138
PID 3852 wrote to memory of 996	3852	cmd.exe	140
PID 3852 wrote to memory of 996	3852	cmd.exe	140
PID 3852 wrote to memory of 996	3852	cmd.exe	140
PID 3920 wrote to memory of 1684	3920	build-x32.crypt.bin.exe	141
PID 3920 wrote to memory of 1684	3920	build-x32.crypt.bin.exe	141
PID 3920 wrote to memory of 1684	3920	build-x32.crypt.bin.exe	141
PID 1684 wrote to memory of 3960	1684	cmd.exe	143
PID 1684 wrote to memory of 3960	1684	cmd.exe	143
PID 1684 wrote to memory of 3960	1684	cmd.exe	143
PID 3920 wrote to memory of 1728	3920	build-x32.crypt.bin.exe	144
PID 3920 wrote to memory of 1728	3920	build-x32.crypt.bin.exe	144
PID 3920 wrote to memory of 1728	3920	build-x32.crypt.bin.exe	144
PID 1728 wrote to memory of 3968	1728	cmd.exe	146
PID 1728 wrote to memory of 3968	1728	cmd.exe	146
PID 1728 wrote to memory of 3968	1728	cmd.exe	146
PID 3920 wrote to memory of 1120	3920	build-x32.crypt.bin.exe	147
PID 3920 wrote to memory of 1120	3920	build-x32.crypt.bin.exe	147
PID 3920 wrote to memory of 1120	3920	build-x32.crypt.bin.exe	147
PID 1120 wrote to memory of 1904	1120	cmd.exe	149
PID 1120 wrote to memory of 1904	1120	cmd.exe	149
PID 1120 wrote to memory of 1904	1120	cmd.exe	149
PID 3920 wrote to memory of 3516	3920	build-x32.crypt.bin.exe	150
PID 3920 wrote to memory of 3516	3920	build-x32.crypt.bin.exe	150
PID 3920 wrote to memory of 3516	3920	build-x32.crypt.bin.exe	150
PID 3516 wrote to memory of 1972	3516	cmd.exe	152
PID 3516 wrote to memory of 1972	3516	cmd.exe	152
PID 3516 wrote to memory of 1972	3516	cmd.exe	152
PID 3920 wrote to memory of 4048	3920	build-x32.crypt.bin.exe	153
PID 3920 wrote to memory of 4048	3920	build-x32.crypt.bin.exe	153
PID 3920 wrote to memory of 4048	3920	build-x32.crypt.bin.exe	153
PID 4048 wrote to memory of 1340	4048	cmd.exe	155
PID 4048 wrote to memory of 1340	4048	cmd.exe	155
PID 4048 wrote to memory of 1340	4048	cmd.exe	155
PID 3920 wrote to memory of 2496	3920	build-x32.crypt.bin.exe	156
PID 3920 wrote to memory of 2496	3920	build-x32.crypt.bin.exe	156
PID 3920 wrote to memory of 2496	3920	build-x32.crypt.bin.exe	156
PID 2496 wrote to memory of 1360	2496	cmd.exe	158
PID 2496 wrote to memory of 1360	2496	cmd.exe	158
PID 2496 wrote to memory of 1360	2496	cmd.exe	158
PID 3920 wrote to memory of 2140	3920	build-x32.crypt.bin.exe	159
PID 3920 wrote to memory of 2140	3920	build-x32.crypt.bin.exe	159
PID 3920 wrote to memory of 2140	3920	build-x32.crypt.bin.exe	159
PID 2140 wrote to memory of 1564	2140	cmd.exe	161
PID 2140 wrote to memory of 1564	2140	cmd.exe	161
PID 2140 wrote to memory of 1564	2140	cmd.exe	161
PID 3920 wrote to memory of 3916	3920	build-x32.crypt.bin.exe	162
PID 3920 wrote to memory of 3916	3920	build-x32.crypt.bin.exe	162
PID 3920 wrote to memory of 3916	3920	build-x32.crypt.bin.exe	162
PID 3916 wrote to memory of 1668	3916	cmd.exe	164
PID 3916 wrote to memory of 1668	3916	cmd.exe	164
PID 3916 wrote to memory of 1668	3916	cmd.exe	164
PID 3920 wrote to memory of 3848	3920	build-x32.crypt.bin.exe	165
PID 3920 wrote to memory of 3848	3920	build-x32.crypt.bin.exe	165
PID 3920 wrote to memory of 3848	3920	build-x32.crypt.bin.exe	165
PID 3848 wrote to memory of 408	3848	cmd.exe	167
PID 3848 wrote to memory of 408	3848	cmd.exe	167
PID 3848 wrote to memory of 408	3848	cmd.exe	167
PID 3920 wrote to memory of 3972	3920	build-x32.crypt.bin.exe	168
PID 3920 wrote to memory of 3972	3920	build-x32.crypt.bin.exe	168
PID 3920 wrote to memory of 3972	3920	build-x32.crypt.bin.exe	168
PID 3972 wrote to memory of 2356	3972	cmd.exe	170
PID 3972 wrote to memory of 2356	3972	cmd.exe	170
PID 3972 wrote to memory of 2356	3972	cmd.exe	170
PID 3920 wrote to memory of 3968	3920	build-x32.crypt.bin.exe	171
PID 3920 wrote to memory of 3968	3920	build-x32.crypt.bin.exe	171
PID 3920 wrote to memory of 3968	3920	build-x32.crypt.bin.exe	171
PID 3968 wrote to memory of 424	3968	cmd.exe	173
PID 3968 wrote to memory of 424	3968	cmd.exe	173
PID 3968 wrote to memory of 424	3968	cmd.exe	173
PID 3920 wrote to memory of 1904	3920	build-x32.crypt.bin.exe	174
PID 3920 wrote to memory of 1904	3920	build-x32.crypt.bin.exe	174
PID 3920 wrote to memory of 1904	3920	build-x32.crypt.bin.exe	174
PID 1904 wrote to memory of 2796	1904	cmd.exe	176
PID 1904 wrote to memory of 2796	1904	cmd.exe	176
PID 1904 wrote to memory of 2796	1904	cmd.exe	176
PID 3920 wrote to memory of 3788	3920	build-x32.crypt.bin.exe	177
PID 3920 wrote to memory of 3788	3920	build-x32.crypt.bin.exe	177
PID 3920 wrote to memory of 3788	3920	build-x32.crypt.bin.exe	177
PID 3788 wrote to memory of 804	3788	cmd.exe	179
PID 3788 wrote to memory of 804	3788	cmd.exe	179
PID 3788 wrote to memory of 804	3788	cmd.exe	179
PID 3920 wrote to memory of 2076	3920	build-x32.crypt.bin.exe	180
PID 3920 wrote to memory of 2076	3920	build-x32.crypt.bin.exe	180
PID 3920 wrote to memory of 2076	3920	build-x32.crypt.bin.exe	180
PID 2076 wrote to memory of 4048	2076	cmd.exe	182
PID 2076 wrote to memory of 4048	2076	cmd.exe	182
PID 2076 wrote to memory of 4048	2076	cmd.exe	182
PID 3920 wrote to memory of 2100	3920	build-x32.crypt.bin.exe	183
PID 3920 wrote to memory of 2100	3920	build-x32.crypt.bin.exe	183
PID 3920 wrote to memory of 2100	3920	build-x32.crypt.bin.exe	183
PID 2100 wrote to memory of 2496	2100	cmd.exe	185
PID 2100 wrote to memory of 2496	2100	cmd.exe	185
PID 2100 wrote to memory of 2496	2100	cmd.exe	185
PID 3920 wrote to memory of 2756	3920	build-x32.crypt.bin.exe	186
PID 3920 wrote to memory of 2756	3920	build-x32.crypt.bin.exe	186
PID 3920 wrote to memory of 2756	3920	build-x32.crypt.bin.exe	186
PID 2756 wrote to memory of 648	2756	cmd.exe	188
PID 2756 wrote to memory of 648	2756	cmd.exe	188
PID 2756 wrote to memory of 648	2756	cmd.exe	188
PID 3920 wrote to memory of 1536	3920	build-x32.crypt.bin.exe	189
PID 3920 wrote to memory of 1536	3920	build-x32.crypt.bin.exe	189
PID 3920 wrote to memory of 1536	3920	build-x32.crypt.bin.exe	189
PID 1536 wrote to memory of 1564	1536	cmd.exe	191
PID 1536 wrote to memory of 1564	1536	cmd.exe	191
PID 1536 wrote to memory of 1564	1536	cmd.exe	191
PID 3920 wrote to memory of 3888	3920	build-x32.crypt.bin.exe	192
PID 3920 wrote to memory of 3888	3920	build-x32.crypt.bin.exe	192
PID 3920 wrote to memory of 3888	3920	build-x32.crypt.bin.exe	192
PID 3888 wrote to memory of 2564	3888	cmd.exe	194
PID 3888 wrote to memory of 2564	3888	cmd.exe	194
PID 3888 wrote to memory of 2564	3888	cmd.exe	194
PID 3920 wrote to memory of 3000	3920	build-x32.crypt.bin.exe	195
PID 3920 wrote to memory of 3000	3920	build-x32.crypt.bin.exe	195
PID 3920 wrote to memory of 3000	3920	build-x32.crypt.bin.exe	195
PID 3000 wrote to memory of 2244	3000	cmd.exe	197
PID 3000 wrote to memory of 2244	3000	cmd.exe	197
PID 3000 wrote to memory of 2244	3000	cmd.exe	197
PID 3920 wrote to memory of 904	3920	build-x32.crypt.bin.exe	198
PID 3920 wrote to memory of 904	3920	build-x32.crypt.bin.exe	198
PID 3920 wrote to memory of 904	3920	build-x32.crypt.bin.exe	198
PID 904 wrote to memory of 1844	904	cmd.exe	200
PID 904 wrote to memory of 1844	904	cmd.exe	200
PID 904 wrote to memory of 1844	904	cmd.exe	200
PID 3920 wrote to memory of 2568	3920	build-x32.crypt.bin.exe	201
PID 3920 wrote to memory of 2568	3920	build-x32.crypt.bin.exe	201
PID 3920 wrote to memory of 2568	3920	build-x32.crypt.bin.exe	201
PID 2568 wrote to memory of 1832	2568	cmd.exe	203
PID 2568 wrote to memory of 1832	2568	cmd.exe	203
PID 2568 wrote to memory of 1832	2568	cmd.exe	203
PID 3920 wrote to memory of 2608	3920	build-x32.crypt.bin.exe	204
PID 3920 wrote to memory of 2608	3920	build-x32.crypt.bin.exe	204
PID 3920 wrote to memory of 2608	3920	build-x32.crypt.bin.exe	204
PID 2608 wrote to memory of 1116	2608	cmd.exe	206
PID 2608 wrote to memory of 1116	2608	cmd.exe	206
PID 2608 wrote to memory of 1116	2608	cmd.exe	206
PID 3920 wrote to memory of 556	3920	build-x32.crypt.bin.exe	207
PID 3920 wrote to memory of 556	3920	build-x32.crypt.bin.exe	207
PID 3920 wrote to memory of 556	3920	build-x32.crypt.bin.exe	207
PID 556 wrote to memory of 3212	556	cmd.exe	209
PID 556 wrote to memory of 3212	556	cmd.exe	209
PID 556 wrote to memory of 3212	556	cmd.exe	209
PID 3920 wrote to memory of 1308	3920	build-x32.crypt.bin.exe	210
PID 3920 wrote to memory of 1308	3920	build-x32.crypt.bin.exe	210
PID 3920 wrote to memory of 1308	3920	build-x32.crypt.bin.exe	210
PID 1308 wrote to memory of 848	1308	cmd.exe	212
PID 1308 wrote to memory of 848	1308	cmd.exe	212
PID 1308 wrote to memory of 848	1308	cmd.exe	212
PID 3920 wrote to memory of 560	3920	build-x32.crypt.bin.exe	213
PID 3920 wrote to memory of 560	3920	build-x32.crypt.bin.exe	213
PID 3920 wrote to memory of 560	3920	build-x32.crypt.bin.exe	213
PID 560 wrote to memory of 1360	560	cmd.exe	215
PID 560 wrote to memory of 1360	560	cmd.exe	215
PID 560 wrote to memory of 1360	560	cmd.exe	215
PID 3920 wrote to memory of 2980	3920	build-x32.crypt.bin.exe	216
PID 3920 wrote to memory of 2980	3920	build-x32.crypt.bin.exe	216
PID 3920 wrote to memory of 2980	3920	build-x32.crypt.bin.exe	216
PID 2980 wrote to memory of 4072	2980	cmd.exe	218
PID 2980 wrote to memory of 4072	2980	cmd.exe	218
PID 2980 wrote to memory of 4072	2980	cmd.exe	218
PID 3920 wrote to memory of 3956	3920	build-x32.crypt.bin.exe	219
PID 3920 wrote to memory of 3956	3920	build-x32.crypt.bin.exe	219
PID 3920 wrote to memory of 3956	3920	build-x32.crypt.bin.exe	219
PID 3956 wrote to memory of 4044	3956	cmd.exe	221
PID 3956 wrote to memory of 4044	3956	cmd.exe	221
PID 3956 wrote to memory of 4044	3956	cmd.exe	221
PID 3920 wrote to memory of 1668	3920	build-x32.crypt.bin.exe	222
PID 3920 wrote to memory of 1668	3920	build-x32.crypt.bin.exe	222
PID 3920 wrote to memory of 1668	3920	build-x32.crypt.bin.exe	222
PID 1668 wrote to memory of 3940	1668	cmd.exe	224
PID 1668 wrote to memory of 3940	1668	cmd.exe	224
PID 1668 wrote to memory of 3940	1668	cmd.exe	224
PID 3920 wrote to memory of 2244	3920	build-x32.crypt.bin.exe	225
PID 3920 wrote to memory of 2244	3920	build-x32.crypt.bin.exe	225
PID 3920 wrote to memory of 2244	3920	build-x32.crypt.bin.exe	225
PID 2244 wrote to memory of 1728	2244	cmd.exe	227
PID 2244 wrote to memory of 1728	2244	cmd.exe	227
PID 2244 wrote to memory of 1728	2244	cmd.exe	227
PID 3920 wrote to memory of 2356	3920	build-x32.crypt.bin.exe	228
PID 3920 wrote to memory of 2356	3920	build-x32.crypt.bin.exe	228
PID 3920 wrote to memory of 2356	3920	build-x32.crypt.bin.exe	228
PID 2356 wrote to memory of 1120	2356	cmd.exe	230
PID 2356 wrote to memory of 1120	2356	cmd.exe	230
PID 2356 wrote to memory of 1120	2356	cmd.exe	230
PID 3920 wrote to memory of 424	3920	build-x32.crypt.bin.exe	231
PID 3920 wrote to memory of 424	3920	build-x32.crypt.bin.exe	231
PID 3920 wrote to memory of 424	3920	build-x32.crypt.bin.exe	231
PID 424 wrote to memory of 3800	424	cmd.exe	233
PID 424 wrote to memory of 3800	424	cmd.exe	233
PID 424 wrote to memory of 3800	424	cmd.exe	233
PID 3920 wrote to memory of 2796	3920	build-x32.crypt.bin.exe	234
PID 3920 wrote to memory of 2796	3920	build-x32.crypt.bin.exe	234
PID 3920 wrote to memory of 2796	3920	build-x32.crypt.bin.exe	234
PID 2796 wrote to memory of 2896	2796	cmd.exe	236
PID 2796 wrote to memory of 2896	2796	cmd.exe	236
PID 2796 wrote to memory of 2896	2796	cmd.exe	236
PID 3920 wrote to memory of 1688	3920	build-x32.crypt.bin.exe	237
PID 3920 wrote to memory of 1688	3920	build-x32.crypt.bin.exe	237
PID 3920 wrote to memory of 1688	3920	build-x32.crypt.bin.exe	237
PID 1688 wrote to memory of 2076	1688	cmd.exe	239
PID 1688 wrote to memory of 2076	1688	cmd.exe	239
PID 1688 wrote to memory of 2076	1688	cmd.exe	239
PID 3920 wrote to memory of 1180	3920	build-x32.crypt.bin.exe	240
PID 3920 wrote to memory of 1180	3920	build-x32.crypt.bin.exe	240
PID 3920 wrote to memory of 1180	3920	build-x32.crypt.bin.exe	240
PID 1180 wrote to memory of 636	1180	cmd.exe	242
PID 1180 wrote to memory of 636	1180	cmd.exe	242
PID 1180 wrote to memory of 636	1180	cmd.exe	242
PID 3920 wrote to memory of 2084	3920	build-x32.crypt.bin.exe	243
PID 3920 wrote to memory of 2084	3920	build-x32.crypt.bin.exe	243
PID 3920 wrote to memory of 2084	3920	build-x32.crypt.bin.exe	243
PID 2084 wrote to memory of 2864	2084	cmd.exe	245
PID 2084 wrote to memory of 2864	2084	cmd.exe	245
PID 2084 wrote to memory of 2864	2084	cmd.exe	245
PID 3920 wrote to memory of 2140	3920	build-x32.crypt.bin.exe	246
PID 3920 wrote to memory of 2140	3920	build-x32.crypt.bin.exe	246
PID 3920 wrote to memory of 2140	3920	build-x32.crypt.bin.exe	246
PID 2140 wrote to memory of 3880	2140	cmd.exe	248
PID 2140 wrote to memory of 3880	2140	cmd.exe	248
PID 2140 wrote to memory of 3880	2140	cmd.exe	248
PID 3920 wrote to memory of 1504	3920	build-x32.crypt.bin.exe	249
PID 3920 wrote to memory of 1504	3920	build-x32.crypt.bin.exe	249
PID 3920 wrote to memory of 1504	3920	build-x32.crypt.bin.exe	249
PID 1504 wrote to memory of 2192	1504	cmd.exe	251
PID 1504 wrote to memory of 2192	1504	cmd.exe	251
PID 1504 wrote to memory of 2192	1504	cmd.exe	251
PID 3920 wrote to memory of 2248	3920	build-x32.crypt.bin.exe	252
PID 3920 wrote to memory of 2248	3920	build-x32.crypt.bin.exe	252
PID 3920 wrote to memory of 2248	3920	build-x32.crypt.bin.exe	252
PID 2248 wrote to memory of 3960	2248	cmd.exe	254
PID 2248 wrote to memory of 3960	2248	cmd.exe	254
PID 2248 wrote to memory of 3960	2248	cmd.exe	254
PID 3920 wrote to memory of 3008	3920	build-x32.crypt.bin.exe	255
PID 3920 wrote to memory of 3008	3920	build-x32.crypt.bin.exe	255
PID 3920 wrote to memory of 3008	3920	build-x32.crypt.bin.exe	255
PID 3008 wrote to memory of 376	3008	cmd.exe	257
PID 3008 wrote to memory of 376	3008	cmd.exe	257
PID 3008 wrote to memory of 376	3008	cmd.exe	257
PID 3920 wrote to memory of 1840	3920	build-x32.crypt.bin.exe	258
PID 3920 wrote to memory of 1840	3920	build-x32.crypt.bin.exe	258
PID 3920 wrote to memory of 1840	3920	build-x32.crypt.bin.exe	258
PID 1840 wrote to memory of 3208	1840	cmd.exe	260
PID 1840 wrote to memory of 3208	1840	cmd.exe	260
PID 1840 wrote to memory of 3208	1840	cmd.exe	260
PID 3920 wrote to memory of 3936	3920	build-x32.crypt.bin.exe	261
PID 3920 wrote to memory of 3936	3920	build-x32.crypt.bin.exe	261
PID 3920 wrote to memory of 3936	3920	build-x32.crypt.bin.exe	261
PID 3936 wrote to memory of 1252	3936	cmd.exe	263
PID 3936 wrote to memory of 1252	3936	cmd.exe	263
PID 3936 wrote to memory of 1252	3936	cmd.exe	263
PID 3920 wrote to memory of 2208	3920	build-x32.crypt.bin.exe	264
PID 3920 wrote to memory of 2208	3920	build-x32.crypt.bin.exe	264
PID 3920 wrote to memory of 2208	3920	build-x32.crypt.bin.exe	264
PID 2208 wrote to memory of 416	2208	cmd.exe	266
PID 2208 wrote to memory of 416	2208	cmd.exe	266
PID 2208 wrote to memory of 416	2208	cmd.exe	266
PID 3920 wrote to memory of 3892	3920	build-x32.crypt.bin.exe	267
PID 3920 wrote to memory of 3892	3920	build-x32.crypt.bin.exe	267
PID 3920 wrote to memory of 3892	3920	build-x32.crypt.bin.exe	267
PID 3892 wrote to memory of 2680	3892	cmd.exe	269
PID 3892 wrote to memory of 2680	3892	cmd.exe	269
PID 3892 wrote to memory of 2680	3892	cmd.exe	269
PID 3920 wrote to memory of 1548	3920	build-x32.crypt.bin.exe	270
PID 3920 wrote to memory of 1548	3920	build-x32.crypt.bin.exe	270
PID 3920 wrote to memory of 1548	3920	build-x32.crypt.bin.exe	270
PID 1548 wrote to memory of 1308	1548	cmd.exe	272
PID 1548 wrote to memory of 1308	1548	cmd.exe	272
PID 1548 wrote to memory of 1308	1548	cmd.exe	272
PID 3920 wrote to memory of 1032	3920	build-x32.crypt.bin.exe	273
PID 3920 wrote to memory of 1032	3920	build-x32.crypt.bin.exe	273
PID 3920 wrote to memory of 1032	3920	build-x32.crypt.bin.exe	273
PID 1032 wrote to memory of 560	1032	cmd.exe	275
PID 1032 wrote to memory of 560	1032	cmd.exe	275
PID 1032 wrote to memory of 560	1032	cmd.exe	275
PID 3920 wrote to memory of 3932	3920	build-x32.crypt.bin.exe	276
PID 3920 wrote to memory of 3932	3920	build-x32.crypt.bin.exe	276
PID 3920 wrote to memory of 3932	3920	build-x32.crypt.bin.exe	276
PID 3932 wrote to memory of 2980	3932	cmd.exe	278
PID 3932 wrote to memory of 2980	3932	cmd.exe	278
PID 3932 wrote to memory of 2980	3932	cmd.exe	278
PID 3920 wrote to memory of 2184	3920	build-x32.crypt.bin.exe	279
PID 3920 wrote to memory of 2184	3920	build-x32.crypt.bin.exe	279
PID 3920 wrote to memory of 2184	3920	build-x32.crypt.bin.exe	279
PID 2184 wrote to memory of 3956	2184	cmd.exe	281
PID 2184 wrote to memory of 3956	2184	cmd.exe	281
PID 2184 wrote to memory of 3956	2184	cmd.exe	281
PID 3920 wrote to memory of 3780	3920	build-x32.crypt.bin.exe	282
PID 3920 wrote to memory of 3780	3920	build-x32.crypt.bin.exe	282
PID 3920 wrote to memory of 3780	3920	build-x32.crypt.bin.exe	282
PID 3780 wrote to memory of 1068	3780	cmd.exe	284
PID 3780 wrote to memory of 1068	3780	cmd.exe	284
PID 3780 wrote to memory of 1068	3780	cmd.exe	284
PID 3920 wrote to memory of 1184	3920	build-x32.crypt.bin.exe	285
PID 3920 wrote to memory of 1184	3920	build-x32.crypt.bin.exe	285
PID 3920 wrote to memory of 1184	3920	build-x32.crypt.bin.exe	285
PID 1184 wrote to memory of 1148	1184	cmd.exe	287
PID 1184 wrote to memory of 1148	1184	cmd.exe	287
PID 1184 wrote to memory of 1148	1184	cmd.exe	287
PID 3920 wrote to memory of 1304	3920	build-x32.crypt.bin.exe	288
PID 3920 wrote to memory of 1304	3920	build-x32.crypt.bin.exe	288
PID 3920 wrote to memory of 1304	3920	build-x32.crypt.bin.exe	288
PID 1304 wrote to memory of 852	1304	cmd.exe	290
PID 1304 wrote to memory of 852	1304	cmd.exe	290
PID 1304 wrote to memory of 852	1304	cmd.exe	290
PID 3920 wrote to memory of 3224	3920	build-x32.crypt.bin.exe	291
PID 3920 wrote to memory of 3224	3920	build-x32.crypt.bin.exe	291
PID 3920 wrote to memory of 3224	3920	build-x32.crypt.bin.exe	291
PID 3224 wrote to memory of 2616	3224	cmd.exe	293
PID 3224 wrote to memory of 2616	3224	cmd.exe	293
PID 3224 wrote to memory of 2616	3224	cmd.exe	293
PID 3920 wrote to memory of 3872	3920	build-x32.crypt.bin.exe	294
PID 3920 wrote to memory of 3872	3920	build-x32.crypt.bin.exe	294
PID 3920 wrote to memory of 3872	3920	build-x32.crypt.bin.exe	294
PID 3872 wrote to memory of 632	3872	cmd.exe	296
PID 3872 wrote to memory of 632	3872	cmd.exe	296
PID 3872 wrote to memory of 632	3872	cmd.exe	296
PID 3920 wrote to memory of 1936	3920	build-x32.crypt.bin.exe	297
PID 3920 wrote to memory of 1936	3920	build-x32.crypt.bin.exe	297
PID 3920 wrote to memory of 1936	3920	build-x32.crypt.bin.exe	297
PID 1936 wrote to memory of 1460	1936	cmd.exe	299
PID 1936 wrote to memory of 1460	1936	cmd.exe	299
PID 1936 wrote to memory of 1460	1936	cmd.exe	299
PID 3920 wrote to memory of 2956	3920	build-x32.crypt.bin.exe	300
PID 3920 wrote to memory of 2956	3920	build-x32.crypt.bin.exe	300
PID 3920 wrote to memory of 2956	3920	build-x32.crypt.bin.exe	300
PID 2956 wrote to memory of 512	2956	cmd.exe	302
PID 2956 wrote to memory of 512	2956	cmd.exe	302
PID 2956 wrote to memory of 512	2956	cmd.exe	302
PID 3920 wrote to memory of 648	3920	build-x32.crypt.bin.exe	303
PID 3920 wrote to memory of 648	3920	build-x32.crypt.bin.exe	303
PID 3920 wrote to memory of 648	3920	build-x32.crypt.bin.exe	303
PID 648 wrote to memory of 2216	648	cmd.exe	305
PID 648 wrote to memory of 2216	648	cmd.exe	305
PID 648 wrote to memory of 2216	648	cmd.exe	305
PID 3920 wrote to memory of 1564	3920	build-x32.crypt.bin.exe	306
PID 3920 wrote to memory of 1564	3920	build-x32.crypt.bin.exe	306
PID 3920 wrote to memory of 1564	3920	build-x32.crypt.bin.exe	306
PID 1564 wrote to memory of 2772	1564	cmd.exe	308
PID 1564 wrote to memory of 2772	1564	cmd.exe	308
PID 1564 wrote to memory of 2772	1564	cmd.exe	308
PID 3920 wrote to memory of 3848	3920	build-x32.crypt.bin.exe	309
PID 3920 wrote to memory of 3848	3920	build-x32.crypt.bin.exe	309
PID 3920 wrote to memory of 3848	3920	build-x32.crypt.bin.exe	309
PID 3848 wrote to memory of 1536	3848	cmd.exe	311
PID 3848 wrote to memory of 1536	3848	cmd.exe	311
PID 3848 wrote to memory of 1536	3848	cmd.exe	311
PID 3920 wrote to memory of 3972	3920	build-x32.crypt.bin.exe	312
PID 3920 wrote to memory of 3972	3920	build-x32.crypt.bin.exe	312
PID 3920 wrote to memory of 3972	3920	build-x32.crypt.bin.exe	312
PID 3972 wrote to memory of 1668	3972	cmd.exe	314
PID 3972 wrote to memory of 1668	3972	cmd.exe	314
PID 3972 wrote to memory of 1668	3972	cmd.exe	314
PID 3920 wrote to memory of 3968	3920	build-x32.crypt.bin.exe	315
PID 3920 wrote to memory of 3968	3920	build-x32.crypt.bin.exe	315
PID 3920 wrote to memory of 3968	3920	build-x32.crypt.bin.exe	315
PID 3968 wrote to memory of 2244	3968	cmd.exe	317
PID 3968 wrote to memory of 2244	3968	cmd.exe	317
PID 3968 wrote to memory of 2244	3968	cmd.exe	317
PID 3920 wrote to memory of 1904	3920	build-x32.crypt.bin.exe	318
PID 3920 wrote to memory of 1904	3920	build-x32.crypt.bin.exe	318
PID 3920 wrote to memory of 1904	3920	build-x32.crypt.bin.exe	318
PID 1904 wrote to memory of 2356	1904	cmd.exe	320
PID 1904 wrote to memory of 2356	1904	cmd.exe	320
PID 1904 wrote to memory of 2356	1904	cmd.exe	320
PID 3920 wrote to memory of 3788	3920	build-x32.crypt.bin.exe	321
PID 3920 wrote to memory of 3788	3920	build-x32.crypt.bin.exe	321
PID 3920 wrote to memory of 3788	3920	build-x32.crypt.bin.exe	321
PID 3788 wrote to memory of 424	3788	cmd.exe	323
PID 3788 wrote to memory of 424	3788	cmd.exe	323
PID 3788 wrote to memory of 424	3788	cmd.exe	323
PID 3920 wrote to memory of 3964	3920	build-x32.crypt.bin.exe	324
PID 3920 wrote to memory of 3964	3920	build-x32.crypt.bin.exe	324
PID 3920 wrote to memory of 3964	3920	build-x32.crypt.bin.exe	324
PID 3964 wrote to memory of 2796	3964	cmd.exe	326
PID 3964 wrote to memory of 2796	3964	cmd.exe	326
PID 3964 wrote to memory of 2796	3964	cmd.exe	326
PID 3920 wrote to memory of 508	3920	build-x32.crypt.bin.exe	327
PID 3920 wrote to memory of 508	3920	build-x32.crypt.bin.exe	327
PID 3920 wrote to memory of 508	3920	build-x32.crypt.bin.exe	327
PID 508 wrote to memory of 1688	508	cmd.exe	329
PID 508 wrote to memory of 1688	508	cmd.exe	329
PID 508 wrote to memory of 1688	508	cmd.exe	329
PID 3920 wrote to memory of 3544	3920	build-x32.crypt.bin.exe	330
PID 3920 wrote to memory of 3544	3920	build-x32.crypt.bin.exe	330
PID 3920 wrote to memory of 3544	3920	build-x32.crypt.bin.exe	330
PID 3544 wrote to memory of 1180	3544	cmd.exe	332
PID 3544 wrote to memory of 1180	3544	cmd.exe	332
PID 3544 wrote to memory of 1180	3544	cmd.exe	332
PID 3920 wrote to memory of 2860	3920	build-x32.crypt.bin.exe	333
PID 3920 wrote to memory of 2860	3920	build-x32.crypt.bin.exe	333
PID 3920 wrote to memory of 2860	3920	build-x32.crypt.bin.exe	333
PID 2860 wrote to memory of 2084	2860	cmd.exe	335
PID 2860 wrote to memory of 2084	2860	cmd.exe	335
PID 2860 wrote to memory of 2084	2860	cmd.exe	335
PID 3920 wrote to memory of 2432	3920	build-x32.crypt.bin.exe	336
PID 3920 wrote to memory of 2432	3920	build-x32.crypt.bin.exe	336
PID 3920 wrote to memory of 2432	3920	build-x32.crypt.bin.exe	336
PID 2432 wrote to memory of 2140	2432	cmd.exe	338
PID 2432 wrote to memory of 2140	2432	cmd.exe	338
PID 2432 wrote to memory of 2140	2432	cmd.exe	338
PID 3920 wrote to memory of 2564	3920	build-x32.crypt.bin.exe	339
PID 3920 wrote to memory of 2564	3920	build-x32.crypt.bin.exe	339
PID 3920 wrote to memory of 2564	3920	build-x32.crypt.bin.exe	339
PID 2564 wrote to memory of 1504	2564	cmd.exe	341
PID 2564 wrote to memory of 1504	2564	cmd.exe	341
PID 2564 wrote to memory of 1504	2564	cmd.exe	341
PID 3920 wrote to memory of 1164	3920	build-x32.crypt.bin.exe	342
PID 3920 wrote to memory of 1164	3920	build-x32.crypt.bin.exe	342
PID 3920 wrote to memory of 1164	3920	build-x32.crypt.bin.exe	342
PID 1164 wrote to memory of 2248	1164	cmd.exe	344
PID 1164 wrote to memory of 2248	1164	cmd.exe	344
PID 1164 wrote to memory of 2248	1164	cmd.exe	344
PID 3920 wrote to memory of 1236	3920	build-x32.crypt.bin.exe	345
PID 3920 wrote to memory of 1236	3920	build-x32.crypt.bin.exe	345
PID 3920 wrote to memory of 1236	3920	build-x32.crypt.bin.exe	345
PID 1236 wrote to memory of 3008	1236	cmd.exe	347
PID 1236 wrote to memory of 3008	1236	cmd.exe	347
PID 1236 wrote to memory of 3008	1236	cmd.exe	347
PID 3920 wrote to memory of 3492	3920	build-x32.crypt.bin.exe	348
PID 3920 wrote to memory of 3492	3920	build-x32.crypt.bin.exe	348
PID 3920 wrote to memory of 3492	3920	build-x32.crypt.bin.exe	348
PID 3492 wrote to memory of 1840	3492	cmd.exe	350
PID 3492 wrote to memory of 1840	3492	cmd.exe	350
PID 3492 wrote to memory of 1840	3492	cmd.exe	350
PID 3920 wrote to memory of 2672	3920	build-x32.crypt.bin.exe	351
PID 3920 wrote to memory of 2672	3920	build-x32.crypt.bin.exe	351
PID 3920 wrote to memory of 2672	3920	build-x32.crypt.bin.exe	351
PID 2672 wrote to memory of 3936	2672	cmd.exe	353
PID 2672 wrote to memory of 3936	2672	cmd.exe	353
PID 2672 wrote to memory of 3936	2672	cmd.exe	353
PID 3920 wrote to memory of 2644	3920	build-x32.crypt.bin.exe	354
PID 3920 wrote to memory of 2644	3920	build-x32.crypt.bin.exe	354
PID 3920 wrote to memory of 2644	3920	build-x32.crypt.bin.exe	354
PID 2644 wrote to memory of 2208	2644	cmd.exe	356
PID 2644 wrote to memory of 2208	2644	cmd.exe	356
PID 2644 wrote to memory of 2208	2644	cmd.exe	356
PID 3920 wrote to memory of 1316	3920	build-x32.crypt.bin.exe	357
PID 3920 wrote to memory of 1316	3920	build-x32.crypt.bin.exe	357
PID 3920 wrote to memory of 1316	3920	build-x32.crypt.bin.exe	357
PID 1316 wrote to memory of 3892	1316	cmd.exe	359
PID 1316 wrote to memory of 3892	1316	cmd.exe	359
PID 1316 wrote to memory of 3892	1316	cmd.exe	359
PID 3920 wrote to memory of 2616	3920	build-x32.crypt.bin.exe	367
PID 3920 wrote to memory of 2616	3920	build-x32.crypt.bin.exe	367
PID 3920 wrote to memory of 2616	3920	build-x32.crypt.bin.exe	367
PID 2616 wrote to memory of 1568	2616	cmd.exe	369
PID 2616 wrote to memory of 1568	2616	cmd.exe	369
PID 2616 wrote to memory of 1568	2616	cmd.exe	369

C:\Users\Admin\AppData\Local\Temp\build-x32.crypt.bin.exe
"C:\Users\Admin\AppData\Local\Temp\build-x32.crypt.bin.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic.exe SHADOWCOPY DELETE /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3848
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  PID:3032
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit.exe /set {default} recoveryenabled No
  2⤵
  PID:4072
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2216
- C:\Windows\SysWOW64\cmd.exe
  cmd /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:3888
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\vssvc.exe
  2⤵
  PID:3208
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wxServer*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wxServer*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBFCService*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBFCService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBVSS*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBVSS*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3960
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sql*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sql*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:416
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msaccess*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msaccess*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM mssql*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM mssql*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM mysql*
  2⤵
  PID:8
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM mysql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wxServerView*
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wxServerView*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:800
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlmangr*
  2⤵
  PID:3224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlmangr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:500
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM RAgui*
  2⤵
  PID:3916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM RAgui*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:512
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM supervise*
  2⤵
  PID:996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM supervise*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Culture*
  2⤵
  PID:408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Culture*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Defwatch*
  2⤵
  PID:8
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Defwatch*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM winword*
  2⤵
  PID:2796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM winword*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3516
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBW32*
  2⤵
  PID:1316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBW32*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:500
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgr*
  2⤵
  PID:3892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBDBMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3544
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM qbupdate*
  2⤵
  PID:3916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM qbupdate*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM axlbridge*
  2⤵
  PID:3852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM axlbridge*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM httpd*
  2⤵
  PID:1684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM httpd*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3960
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fdlauncher*
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fdlauncher*
    3⤵
    - Kills process with taskkill
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MsDtSrvr*
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MsDtSrvr*
    3⤵
    - Kills process with taskkill
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM java*
  2⤵
  PID:3516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM java*
    3⤵
    - Kills process with taskkill
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM 360se*
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM 360se*
    3⤵
    - Kills process with taskkill
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM 360doctor*
  2⤵
  PID:2496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM 360doctor*
    3⤵
    - Kills process with taskkill
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wdswfsafe*
  2⤵
  PID:2140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wdswfsafe*
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fdhost*
  2⤵
  PID:3916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fdhost*
    3⤵
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM GDscan*
  2⤵
  PID:3848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM GDscan*
    3⤵
    PID:408
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ZhuDongFangYu*
  2⤵
  PID:3972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ZhuDongFangYu*
    3⤵
    - Kills process with taskkill
    PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBDBMgrN*
  2⤵
  PID:3968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBDBMgrN*
    3⤵
    - Kills process with taskkill
    PID:424
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM mysqld*
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM mysqld*
    3⤵
    - Kills process with taskkill
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AutodeskDesktopApp*
  2⤵
  PID:3788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AutodeskDesktopApp*
    3⤵
    - Kills process with taskkill
    PID:804
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM acwebbrowser*
  2⤵
  PID:2076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM acwebbrowser*
    3⤵
    - Kills process with taskkill
    PID:4048
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Creative Cloud*
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Creative Cloud*
    3⤵
    - Kills process with taskkill
    PID:2496
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Adobe Desktop Service*
  2⤵
  PID:2756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Adobe Desktop Service*
    3⤵
    - Kills process with taskkill
    PID:648
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM CoreSync*
  2⤵
  PID:1536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM CoreSync*
    3⤵
    - Kills process with taskkill
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Adobe CEF Helper*
  2⤵
  PID:3888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Adobe CEF Helper*
    3⤵
    - Kills process with taskkill
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM node*
  2⤵
  PID:3000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM node*
    3⤵
    - Kills process with taskkill
    PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AdobeIPCBroker*
  2⤵
  PID:904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AdobeIPCBroker*
    3⤵
    - Kills process with taskkill
    PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sync-taskbar*
  2⤵
  PID:2568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sync-taskbar*
    3⤵
    PID:1832
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sync-worker*
  2⤵
  PID:2608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sync-worker*
    3⤵
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM InputPersonalization*
  2⤵
  PID:556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM InputPersonalization*
    3⤵
    - Kills process with taskkill
    PID:3212
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM AdobeCollabSync*
  2⤵
  PID:1308
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM AdobeCollabSync*
    3⤵
    - Kills process with taskkill
    PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM BrCtrlCntr*
  2⤵
  PID:560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM BrCtrlCntr*
    3⤵
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM BrCcUxSys*
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM BrCcUxSys*
    3⤵
    - Kills process with taskkill
    PID:4072
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SimplyConnectionManager*
  2⤵
  PID:3956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SimplyConnectionManager*
    3⤵
    - Kills process with taskkill
    PID:4044
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Simply.SystemTrayIcon*
    3⤵
    - Kills process with taskkill
    PID:3940
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fbguard*
  2⤵
  PID:2244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fbguard*
    3⤵
    - Kills process with taskkill
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM fbserver*
  2⤵
  PID:2356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM fbserver*
    3⤵
    - Kills process with taskkill
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ONENOTEM*
  2⤵
  PID:424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ONENOTEM*
    3⤵
    PID:3800
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM wrapper*
  2⤵
  PID:2796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM wrapper*
    3⤵
    - Kills process with taskkill
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM DefWatch*
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM DefWatch*
    3⤵
    - Kills process with taskkill
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ccEvtMgr*
  2⤵
  PID:1180
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ccEvtMgr*
    3⤵
    PID:636
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM ccSetMgr*
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM ccSetMgr*
    3⤵
    - Kills process with taskkill
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SavRoam*
  2⤵
  PID:2140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SavRoam*
    3⤵
    PID:3880
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Sqlservr*
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Sqlservr*
    3⤵
    - Kills process with taskkill
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlagent*
  2⤵
  PID:2248
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlagent*
    3⤵
    - Kills process with taskkill
    PID:3960
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqladhlp*
  2⤵
  PID:3008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqladhlp*
    3⤵
    - Kills process with taskkill
    PID:376
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Culserver*
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Culserver*
    3⤵
    - Kills process with taskkill
    PID:3208
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM RTVscan*
  2⤵
  PID:3936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM RTVscan*
    3⤵
    - Kills process with taskkill
    PID:1252
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlbrowser*
  2⤵
  PID:2208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlbrowser*
    3⤵
    - Kills process with taskkill
    PID:416
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLADHLP*
  2⤵
  PID:3892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLADHLP*
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBIDPService*
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBIDPService*
    3⤵
    - Kills process with taskkill
    PID:1308
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
  2⤵
  PID:1032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM QBCFMonitorService*
  2⤵
  PID:3932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM QBCFMonitorService*
    3⤵
    - Kills process with taskkill
    PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM sqlwriter*
  2⤵
  PID:2184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM sqlwriter*
    3⤵
    PID:3956
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msmdsrv*
  2⤵
  PID:3780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msmdsrv*
    3⤵
    - Kills process with taskkill
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM tomcat6*
  2⤵
  PID:1184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM tomcat6*
    3⤵
    - Kills process with taskkill
    PID:1148
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM zhudongfangyu*
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM zhudongfangyu*
    3⤵
    PID:852
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM vmware-usbarbitator64*
  2⤵
  PID:3224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM vmware-usbarbitator64*
    3⤵
    - Kills process with taskkill
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM vmware-converter*
  2⤵
  PID:3872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM vmware-converter*
    3⤵
    - Kills process with taskkill
    PID:632
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM dbsrv12*
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM dbsrv12*
    3⤵
    - Kills process with taskkill
    PID:1460
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM dbeng8*
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM dbeng8*
    3⤵
    - Kills process with taskkill
    PID:512
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    PID:2216
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
  2⤵
  PID:3848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
    3⤵
    - Kills process with taskkill
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLBrowser*
  2⤵
  PID:3972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLBrowser*
    3⤵
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLWriter*
  2⤵
  PID:3968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLWriter*
    3⤵
    - Kills process with taskkill
    PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM FishbowlMySQL*
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM FishbowlMySQL*
    3⤵
    PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
  2⤵
  PID:3788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##WID*
    3⤵
    PID:424
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MySQL57*
  2⤵
  PID:3964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MySQL57*
    3⤵
    - Kills process with taskkill
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
  2⤵
  PID:508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
    3⤵
    - Kills process with taskkill
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
  2⤵
  PID:3544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLServerADHelper100*
    3⤵
    - Kills process with taskkill
    PID:1180
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
  2⤵
  PID:2860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
    3⤵
    - Kills process with taskkill
    PID:2084
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM msftesql-Exchange*
  2⤵
  PID:2432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM msftesql-Exchange*
    3⤵
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
    3⤵
    - Kills process with taskkill
    PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
  2⤵
  PID:1236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQL$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
  2⤵
  PID:3492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
    3⤵
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:3936
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$SBSMONITORING*
    3⤵
    - Kills process with taskkill
    PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
  2⤵
  PID:1316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM SQLAgent$SHAREPOINT*
    3⤵
    - Kills process with taskkill
    PID:3892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /T 15 /NOBREAK && del "C:\Users\Admin\AppData\Local\Temp\build-x32.crypt.bin.exe" /F
  2⤵
  PID:2616
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 15 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:1568