ryuk | e88f86634b1a30b45429d6f721fef75902fb55a78629f1c0193e1629e955a55d

Analysis

max time kernel
107s
max time network
137s
platform
windows7_x64
resource
win7v20210410
submitted
17-04-2021 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eiavW.exe

Score

10^/10

ryuk persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails eliasmarco@tutanota.com or CamdenScott@protonmail.com BTC wallet: 15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj Ryuk No system is safe

Emails

eliasmarco@tutanota.com

CamdenScott@protonmail.com

Wallets

15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\UseUpdate.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\UseUpdate.tiff	Dwm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eiavW.exe"	reg.exe

Enumerates connected drives 3 TTPs 36 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

Dwm.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107722.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02270_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACCS.ICO	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\NVBELL.NET.XML	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.DPV	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\dkjson.luac	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107742.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02617_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15132_.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21377_.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00038_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01221K.JPG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\JFONT.DAT	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\TYPE.WAV	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR21F.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\background.gif	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBORDER.DPV	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\SATIN.INF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19582_.GIF	taskhost.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Taipei	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Eucla	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Blanc-Sablon	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR30F.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Solstice.thmx	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Macau	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21296_.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00194_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Clarity.eftx	taskhost.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Pohnpei	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00231_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\REPTWIZ.POC	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate.css	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00799_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21377_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBARBLL.XML	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0335112.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01858_.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03464_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Phoenix	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNoteNames.gpd	Dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 28 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

pid	process
2420	vssadmin.exe
3484	vssadmin.exe
1784	vssadmin.exe
2356	vssadmin.exe
2324	vssadmin.exe
3100	vssadmin.exe
2304	vssadmin.exe
2696	vssadmin.exe
2180	vssadmin.exe
2132	vssadmin.exe
2340	vssadmin.exe
3824	vssadmin.exe
3680	vssadmin.exe
2136	vssadmin.exe
3504	vssadmin.exe
3376	vssadmin.exe
3760	vssadmin.exe
2600	vssadmin.exe
3080	vssadmin.exe
920	vssadmin.exe
2076	vssadmin.exe
3364	vssadmin.exe
3712	vssadmin.exe
2648	vssadmin.exe
2376	vssadmin.exe
660	vssadmin.exe
2484	vssadmin.exe
3068	vssadmin.exe

Kills process with taskkill 44 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2304	taskkill.exe
1784	taskkill.exe
2016	taskkill.exe
2064	taskkill.exe
2384	taskkill.exe
2736	taskkill.exe
2828	taskkill.exe
1568	taskkill.exe
1092	taskkill.exe
2512	taskkill.exe
2604	taskkill.exe
2952	taskkill.exe
3012	taskkill.exe
2164	taskkill.exe
2332	taskkill.exe
2444	taskkill.exe
2776	taskkill.exe
2064	taskkill.exe
2028	taskkill.exe
2860	taskkill.exe
1140	taskkill.exe
1584	taskkill.exe
896	taskkill.exe
240	taskkill.exe
1872	taskkill.exe
2124	taskkill.exe
2228	taskkill.exe
1444	taskkill.exe
2296	taskkill.exe
2576	taskkill.exe
2904	taskkill.exe
2400	taskkill.exe
1132	taskkill.exe
1516	taskkill.exe
732	taskkill.exe
2172	taskkill.exe
2668	taskkill.exe
1544	taskkill.exe
1200	taskkill.exe
1404	taskkill.exe
1876	taskkill.exe
2652	taskkill.exe
2520	taskkill.exe
436	taskkill.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

eiavW.exe

pid process

1676 eiavW.exe
1676 eiavW.exe
1676 eiavW.exe
1676 eiavW.exe
1676 eiavW.exe
1676 eiavW.exe
1676 eiavW.exe
1676 eiavW.exe
1676 eiavW.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

eiavW.exe

pid process

1676 eiavW.exe

pid	process
1676	eiavW.exe
1676	eiavW.exe
1676	eiavW.exe
1676	eiavW.exe
1676	eiavW.exe
1676	eiavW.exe
1676	eiavW.exe
1676	eiavW.exe
1676	eiavW.exe

pid	process
1676	eiavW.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

taskkill.exetaskkill.exenet.exenet.exetaskkill.exenet.execonhost.exetaskkill.exenet.execonhost.exetaskkill.exenet.exenet.execonhost.execonhost.execonhost.execonhost.exenet1.exetaskkill.exenet1.exetaskkill.exenet.exetaskkill.exetaskkill.execonhost.exetaskkill.exenet.execonhost.exenet.exetaskkill.exenet1.exenet.exetaskkill.exenet1.exenet.exenet1.exenet1.exenet1.exenet.exetaskkill.exenet1.exenet.exeeiavW.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	1132	net.exe
Token: SeDebugPrivilege	1516	net.exe
Token: SeDebugPrivilege	896	taskkill.exe
Token: SeDebugPrivilege	1092	net.exe
Token: SeDebugPrivilege	732	conhost.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	240
Token: SeDebugPrivilege	2028	net.exe
Token: SeDebugPrivilege	1444	conhost.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	2064	net.exe
Token: SeDebugPrivilege	2124	net.exe
Token: SeDebugPrivilege	2164	conhost.exe
Token: SeDebugPrivilege	2228	conhost.exe
Token: SeDebugPrivilege	2296	conhost.exe
Token: SeDebugPrivilege	2332	conhost.exe
Token: SeDebugPrivilege	2512	net1.exe
Token: SeDebugPrivilege	2384	taskkill.exe
Token: SeDebugPrivilege	2444	net1.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeDebugPrivilege	2576	net.exe
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	2828	conhost.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	2952	net.exe
Token: SeDebugPrivilege	2860	conhost.exe
Token: SeDebugPrivilege	3012	net.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	2304	net1.exe
Token: SeDebugPrivilege	2520	net.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	2668	net1.exe
Token: SeDebugPrivilege	1568	net.exe
Token: SeDebugPrivilege	436	net1.exe
Token: SeDebugPrivilege	1544	net1.exe
Token: SeDebugPrivilege	1140	net1.exe
Token: SeDebugPrivilege	1784	net.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1200	net1.exe
Token: SeDebugPrivilege	2400	net.exe
Token: SeDebugPrivilege	2064	net.exe
Token: SeDebugPrivilege	1676	eiavW.exe
Token: SeBackupPrivilege	3292	vssvc.exe
Token: SeRestorePrivilege	3292	vssvc.exe
Token: SeAuditPrivilege	3292	vssvc.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

taskhost.exeDwm.exe

pid process

1116 taskhost.exe
1156 Dwm.exe

pid	process
1116	taskhost.exe
1156	Dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

eiavW.exe

description	pid	process	target process
PID 1676 wrote to memory of 2016	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 2016	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 2016	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 1404	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 1404	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 1404	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 1132	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 1132	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 1132	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 1516	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 1516	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 1516	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 896	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 896	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 896	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 1092	1676	eiavW.exe	net.exe
PID 1676 wrote to memory of 1092	1676	eiavW.exe	net.exe
PID 1676 wrote to memory of 1092	1676	eiavW.exe	net.exe
PID 1676 wrote to memory of 732	1676	eiavW.exe	net.exe
PID 1676 wrote to memory of 732	1676	eiavW.exe	net.exe
PID 1676 wrote to memory of 732	1676	eiavW.exe	net.exe
PID 1676 wrote to memory of 1872	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 1872	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 1872	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 240	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 240	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 240	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 2028	1676	eiavW.exe	net.exe
PID 1676 wrote to memory of 2028	1676	eiavW.exe	net.exe
PID 1676 wrote to memory of 2028	1676	eiavW.exe	net.exe
PID 1676 wrote to memory of 1444	1676	eiavW.exe	conhost.exe
PID 1676 wrote to memory of 1444	1676	eiavW.exe	conhost.exe
PID 1676 wrote to memory of 1444	1676	eiavW.exe	conhost.exe
PID 1676 wrote to memory of 1876	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 1876	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 1876	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 2064	1676	eiavW.exe	net.exe
PID 1676 wrote to memory of 2064	1676	eiavW.exe	net.exe
PID 1676 wrote to memory of 2064	1676	eiavW.exe	net.exe
PID 1676 wrote to memory of 2124	1676	eiavW.exe	net.exe
PID 1676 wrote to memory of 2124	1676	eiavW.exe	net.exe
PID 1676 wrote to memory of 2124	1676	eiavW.exe	net.exe
PID 1676 wrote to memory of 2164	1676	eiavW.exe	conhost.exe
PID 1676 wrote to memory of 2164	1676	eiavW.exe	conhost.exe
PID 1676 wrote to memory of 2164	1676	eiavW.exe	conhost.exe
PID 1676 wrote to memory of 2228	1676	eiavW.exe	conhost.exe
PID 1676 wrote to memory of 2228	1676	eiavW.exe	conhost.exe
PID 1676 wrote to memory of 2228	1676	eiavW.exe	conhost.exe
PID 1676 wrote to memory of 2296	1676	eiavW.exe	conhost.exe
PID 1676 wrote to memory of 2296	1676	eiavW.exe	conhost.exe
PID 1676 wrote to memory of 2296	1676	eiavW.exe	conhost.exe
PID 1676 wrote to memory of 2332	1676	eiavW.exe	conhost.exe
PID 1676 wrote to memory of 2332	1676	eiavW.exe	conhost.exe
PID 1676 wrote to memory of 2332	1676	eiavW.exe	conhost.exe
PID 1676 wrote to memory of 2384	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 2384	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 2384	1676	eiavW.exe	taskkill.exe
PID 1676 wrote to memory of 2444	1676	eiavW.exe	net1.exe
PID 1676 wrote to memory of 2444	1676	eiavW.exe	net1.exe
PID 1676 wrote to memory of 2444	1676	eiavW.exe	net1.exe
PID 1676 wrote to memory of 2512	1676	eiavW.exe	net1.exe
PID 1676 wrote to memory of 2512	1676	eiavW.exe	net1.exe
PID 1676 wrote to memory of 2512	1676	eiavW.exe	net1.exe
PID 1676 wrote to memory of 2576	1676	eiavW.exe	net.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
PID:3112

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2600

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:2304

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:3080

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2136

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2420

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3376

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3484

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3824

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1784

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2696

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2132

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2076

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2324

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2340

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
PID:3168

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2180

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:3100

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:2484

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3068

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2648

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2376

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3504

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:920

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3364

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:660

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3680

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2356

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3760

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3712

C:\Users\Admin\AppData\Local\Temp\eiavW.exe
"C:\Users\Admin\AppData\Local\Temp\eiavW.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
PID:1132

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
PID:1516

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
PID:1092

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
PID:732

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
PID:240

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
PID:1444

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
PID:2028

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
PID:2064

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
PID:2124

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
PID:2164

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
PID:2228

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
PID:2296

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
PID:2332

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
PID:2444

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
PID:2512

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
PID:2576

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
PID:2828

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
PID:2860

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
PID:2952

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
PID:3012

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
PID:2304

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
PID:2520

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
PID:2668

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
PID:436

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
PID:1544

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
PID:1784

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
PID:1568

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
PID:1140

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
PID:1200

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
PID:2400

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
PID:2064

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
2⤵
PID:2992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
3⤵
PID:2060

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
2⤵
PID:2284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Enterprise Client Service" /y
3⤵
PID:2268

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Agent" /y
2⤵
PID:2916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Agent" /y
3⤵
PID:2700

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
2⤵
PID:2964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
3⤵
PID:2108

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
2⤵
PID:2352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Clean Service" /y
3⤵
PID:2016

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
2⤵
PID:2512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
3⤵
PID:2860

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
2⤵
PID:1316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
3⤵
PID:2284

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
2⤵
PID:2676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Health Service" /y
3⤵
PID:2896

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
2⤵
PID:1112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Client" /y
3⤵
PID:2360

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
2⤵
PID:3064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Message Router" /y
3⤵
PID:2584

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
2⤵
PID:2240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
3⤵
PID:2228

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
2⤵
PID:2564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
3⤵
PID:1184

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
2⤵
PID:1512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
3⤵
PID:2752

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
2⤵
PID:2628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
3⤵
PID:2320

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
3⤵
PID:2932

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
2⤵
PID:948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
3⤵
PID:2596

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
2⤵
PID:2056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
3⤵
PID:1308

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AcronisAgent /y
2⤵
PID:2832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
3⤵
PID:2412

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AcrSch2Svc /y
2⤵
PID:3008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
3⤵
PID:856

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop Antivirus /y
2⤵
PID:2392

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
3⤵
PID:1544

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ARSM /y
2⤵
PID:2576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ARSM /y
3⤵
PID:1080

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:2696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:2192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
3⤵
PID:2924

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
2⤵
PID:2072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
3⤵
PID:2020

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
2⤵
PID:2840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
3⤵
PID:3004

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecManagementService /y
2⤵
PID:2100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
3⤵
PID:816

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecRPCService /y
2⤵
PID:1836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
3⤵
PID:3056

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
2⤵
PID:556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
3⤵
PID:3028

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop bedbg /y
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop bedbg /y
3⤵
PID:2116

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop DCAgent /y
2⤵
PID:732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
3⤵
PID:2520

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EPSecurityService /y
2⤵
PID:2248

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
3⤵
PID:2784

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EPUpdateService /y
2⤵
PID:2136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EraserSvc11710 /y
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EsgShKernel /y
2⤵
PID:2220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
3⤵
PID:3240

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop FA_Scheduler /y
2⤵
PID:3068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
3⤵
PID:3288

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop IISAdmin /y
2⤵
PID:2408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
3⤵
PID:3344

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop IMAP4Svc /y
2⤵
PID:2780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IMAP4Svc /y
3⤵
PID:3360

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop macmnsvc /y
2⤵
PID:1688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
3⤵
PID:3536

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop masvc /y
2⤵
PID:2880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop masvc /y
3⤵
PID:3696

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MBAMService /y
2⤵
PID:2668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
3⤵
PID:3776

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MBEndpointAgent /y
2⤵
PID:2400

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
3⤵
PID:3820

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeEngineService /y
2⤵
PID:1840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
3⤵
PID:3836

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFramework /y
2⤵
PID:2124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
3⤵
PID:3844

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
2⤵
PID:1036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
3⤵
PID:3856

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McShield /y
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McShield /y
3⤵
PID:3892

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McTaskManager /y
2⤵
PID:316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
3⤵
PID:3916

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfemms /y
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfemms /y
3⤵
PID:3900

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfevtp /y
2⤵
PID:1476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
3⤵
PID:3908

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MMS /y
2⤵
PID:2588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
3⤵
PID:3948

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mozyprobackup /y
2⤵
PID:2452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
3⤵
PID:1392

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer /y
2⤵
PID:2816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
3⤵
PID:3284

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer100 /y
2⤵
PID:2688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
3⤵
PID:3372

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer110 /y
2⤵
PID:2672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
3⤵
PID:3208

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeES /y
2⤵
PID:1456

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
3⤵
PID:3228

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeIS /y
2⤵
PID:1992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
3⤵
PID:1200

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
2⤵
PID:2676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
3⤵
PID:3088

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMTA /y
2⤵
PID:2836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
3⤵
PID:2464

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSA /y
2⤵
PID:2320

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
3⤵
PID:3488

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
2⤵
PID:2284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
3⤵
PID:2788

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSRS /y
2⤵
PID:2216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
3⤵
PID:3396

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
2⤵
PID:2012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
3⤵
PID:3656

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
2⤵
PID:2436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
3⤵
PID:3632

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
2⤵
PID:2940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
3⤵
PID:3640

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
2⤵
PID:1416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
3⤵
PID:1556

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
2⤵
PID:2524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
3⤵
PID:1312

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
2⤵
PID:2160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
3⤵
PID:4004

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
2⤵
PID:1184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
3⤵
PID:3968

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
2⤵
PID:1188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
3⤵
PID:2060

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
2⤵
PID:2596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
3⤵
PID:2324

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
2⤵
PID:564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
3⤵
PID:1592

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
2⤵
PID:2752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
3⤵
PID:1624

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
2⤵
PID:1512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
3⤵
PID:2092

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPS /y
2⤵
PID:948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
3⤵
PID:2264

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
2⤵
PID:2412

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
3⤵
PID:3860

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:3844

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
2⤵
PID:2832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
3⤵
PID:1036

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
2⤵
PID:1328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher /y
3⤵
PID:1688

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
2⤵
PID:3100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
3⤵
PID:2052

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
2⤵
PID:3128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
2⤵
PID:3156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
3⤵
PID:2304

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
2⤵
PID:3188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
3⤵
PID:1840

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
2⤵
PID:3220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
3⤵
PID:316

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
2⤵
PID:3256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
3⤵
PID:2724

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
2⤵
PID:3276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
3⤵
PID:3080

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLSERVER /y
2⤵
PID:3308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
3⤵
PID:2376

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
2⤵
PID:3336

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
3⤵
PID:2232

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
2⤵
PID:3384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
3⤵
PID:2352

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MySQL80 /y
2⤵
PID:3408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
3⤵
PID:2148

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MySQL57 /y
2⤵
PID:3440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
3⤵
PID:2868

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ntrtscan /y
2⤵
PID:3464

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
3⤵
PID:2836

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop OracleClientCache80 /y
2⤵
PID:3504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
3⤵
PID:2800

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop PDVFSService /y
2⤵
PID:3544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
3⤵
PID:1660

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop POP3Svc /y
2⤵
PID:3568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
3⤵
PID:1200

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer /y
2⤵
PID:3596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
3⤵
PID:3488

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
2⤵
PID:3620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
3⤵
PID:2144

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
2⤵
PID:3644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
3⤵
PID:2896

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPS /y
2⤵
PID:3668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
3⤵
PID:2388

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
2⤵
PID:3708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
3⤵
PID:2764

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop RESvc /y
2⤵
PID:3732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RESvc /y
3⤵
PID:1316

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop sacsvr /y
2⤵
PID:3768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
3⤵
PID:3656

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SamSs /y
2⤵
PID:3804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
3⤵
PID:472

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SAVAdminService /y
2⤵
PID:3864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
3⤵
PID:2548

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SAVService /y
2⤵
PID:3928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVService /y
3⤵
PID:2940

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SDRSVC /y
2⤵
PID:3960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
3⤵
PID:2624

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SepMasterService /y
2⤵
PID:3984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
3⤵
PID:1664

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ShMonitor /y
2⤵
PID:4020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
3⤵
PID:2924

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop Smcinst /y
2⤵
PID:4044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
3⤵
PID:3980

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SmcService /y
2⤵
PID:4076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
3⤵
PID:1188

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SMTPSvc /y
2⤵
PID:3124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
3⤵
PID:2060

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SNAC /y
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SNAC /y
3⤵
PID:2292

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SntpService /y
2⤵
PID:2536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
3⤵
PID:2600

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop sophossps /y
2⤵
PID:3428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
3⤵
PID:896

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
2⤵
PID:3052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
3⤵
PID:1624

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
2⤵
PID:3616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
3⤵
PID:2240

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
2⤵
PID:2096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
3⤵
PID:2844

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
2⤵
PID:1308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
2⤵
PID:3752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
3⤵
PID:2568

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
2⤵
PID:2424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
3⤵
PID:3900

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
2⤵
PID:2276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
3⤵
PID:3168

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
2⤵
PID:816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
3⤵
PID:3184

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
3⤵
PID:3344

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
2⤵
PID:4040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
3⤵
PID:2212

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
2⤵
PID:2180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
3⤵
PID:2664

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:2784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:3212

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
2⤵
PID:904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
3⤵
PID:3204

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLBrowser /y
2⤵
PID:3300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
3⤵
PID:3296

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
2⤵
PID:2220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
3⤵
PID:3276

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
2⤵
PID:2840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
3⤵
PID:3284

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
2⤵
PID:2072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
2⤵
PID:2256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
3⤵
PID:2376

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLWriter /y
2⤵
PID:432

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
3⤵
PID:3460

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SstpSvc /y
2⤵
PID:2108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
3⤵
PID:3444

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop svcGenericHost /y
2⤵
PID:1492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
3⤵
PID:3412

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_filter /y
2⤵
PID:2268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
3⤵
PID:2464

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_service /y
2⤵
PID:2648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_service /y
3⤵
PID:3472

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_update_64 /y
2⤵
PID:1248

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
3⤵
PID:3432

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TmCCSF /y
2⤵
PID:3824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
3⤵
PID:2800

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop tmlisten /y
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
3⤵
PID:2352

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKey /y
2⤵
PID:2972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
3⤵
PID:3508

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
3⤵
PID:3524

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
2⤵
PID:2692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
3⤵
PID:3436

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop UI0Detect /y
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
3⤵
PID:3488

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
2⤵
PID:2152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
3⤵
PID:3544

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
2⤵
PID:3840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
2⤵
PID:2156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
3⤵
PID:2896

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
3⤵
PID:3732

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
2⤵
PID:2556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
3⤵
PID:3828

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
2⤵
PID:2956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
3⤵
PID:3740

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
2⤵
PID:3952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
3⤵
PID:3880

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamMountSvc /y
2⤵
PID:2884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
3⤵
PID:3632

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
2⤵
PID:2716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
3⤵
PID:3764

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
2⤵
PID:2816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
3⤵
PID:2628

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
2⤵
PID:2132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
3⤵
PID:2452

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop W3Svc /y
2⤵
PID:3908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
3⤵
PID:3984

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
2⤵
PID:2120

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
3⤵
PID:3928

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop WRSVC /y
2⤵
PID:2592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
3⤵
PID:3424

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:2216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:3708

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:2320

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:4012

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
2⤵
PID:2016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
3⤵
PID:3572

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_update /y
2⤵
PID:4052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
3⤵
PID:3792

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
2⤵
PID:2580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
3⤵
PID:584

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
2⤵
PID:932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
3⤵
PID:3604

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQL Backups" /y
2⤵
PID:1556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQL Backups" /y
3⤵
PID:3748

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROD /y
2⤵
PID:2700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
3⤵
PID:3648

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
2⤵
PID:2968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
3⤵
PID:3804

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
2⤵
PID:3872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
3⤵
PID:4000

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
2⤵
PID:2524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
3⤵
PID:2748

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop msftesql$PROD /y
2⤵
PID:3996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
3⤵
PID:2068

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop NetMsmqActivator /y
2⤵
PID:2908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
3⤵
PID:1588

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EhttpSrv /y
2⤵
PID:1592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
3⤵
PID:3808

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ekrn /y
2⤵
PID:964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
3⤵
PID:472

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ESHASRV /y
2⤵
PID:2948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
3⤵
PID:3980

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
2⤵
PID:3020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
3⤵
PID:2852

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
3⤵
PID:1080

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AVP /y
2⤵
PID:3180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AVP /y
3⤵
PID:3816

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop klnagent /y
2⤵
PID:2880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop klnagent /y
3⤵
PID:3964

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
2⤵
PID:2472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
3⤵
PID:2888

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
2⤵
PID:2500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
3⤵
PID:4016

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
2⤵
PID:3120

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
3⤵
PID:3960

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop kavfsslp /y
2⤵
PID:3248

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
3⤵
PID:2112

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop KAVFSGT /y
2⤵
PID:3252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
3⤵
PID:4024

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop KAVFS /y
2⤵
PID:856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
3⤵
PID:2088

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfefire /y
2⤵
PID:3304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfefire /y
3⤵
PID:4008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\eiavW.exe" /f
2⤵
PID:3312

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\eiavW.exe" /f
3⤵
- Adds Run key to start application
PID:3564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-673452605-1185310803-20974433281237817542689635202-19697379272132419711-379015728"
1⤵
PID:2916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "578281246361719974-1629407189-488764342480209615-133681858318950355851592673497"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1945493239612697598945072024-2077542387-650647566-17693767321546715987911006494"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "722858885-508015254-2115177162134465564-522844146-1400196272-1502929264193237264"
1⤵
PID:3056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16028711021354298861393513427-279388397-1143662640-505288851337913811906046005"
1⤵
PID:2100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "156614034225086693-437341138-3004103581720753166-699403337-581906304-1697816685"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "418985462-813709377-1887617626-998022499114590615856206814-745325511-797873259"
1⤵
PID:2584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5981604821578586961-470232107-1118786892-145914170523218622-858104736-2096585458"
1⤵
PID:3068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1420856438444476971862241353-1448911194-1531686914-16812732675280367081268658158"
1⤵
PID:2780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "490321483-216315163-450479420-128838184-1385764538-53792015668637012-2055399663"
1⤵
PID:2408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2067970106509993499-14477892756564231292075938075-501745704542366350-745446720"
1⤵
PID:2136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "537365789-1368370136-1562894952129796900-195783279533089592-1547930033-1705648910"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1760580013-1755318413-1074931468171343416310409619661497859321359357382-2092530602"
1⤵
PID:3696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1701053500-1122403679-1150890102-299681631764503920-44999408211354211461856276487"
1⤵
PID:2688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "62602930417599754341110602642-948680290-26206638-1251591618-35780840-56650565"
1⤵
PID:3228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "177544762627436002447339064818398115221989554171-1404219220-1212087437-2129835270"
1⤵
PID:3208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "786282689-17460288361760043117-1081535625-114279677441305925-1991692635-36610252"
1⤵
PID:2284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-126882753-1948495093-19316498141004221102-725504511423679292-14469067341893798156"
1⤵
PID:2012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "516869836-1576456949-1902874941919692897-6888307361180328656613104772-32634428"
1⤵
PID:3396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-71453041-773706779-1904354511-1721758703225717890-521626788178629079330406114"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-510964068-547371312-1238411104-698517067755697536-6622462992103371354-1997411188"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "138240497319285160891305695821-198436932399408627570833102-794710393-650698485"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-889997558-12754883391436050072-158046993-299559634-947990029-176400700324668782"
1⤵
PID:1036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-576534248-308652861-318895791-82622616-7396260101195341051-813679720-1503533286"
1⤵
PID:1476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "33381704016052110601315792531921284562-735070016-1768584928962105485587234563"
1⤵
PID:1328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3304068092008651857-1740347278-780253576-1242545767-1022068064-998885487-454247167"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2039019155-1251211227916884496920678901-152983485-987005089-1985888846-1328789564"
1⤵
PID:1840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-537128023-696085835-1320794747578213540-77271400934093647857099567376147008"
1⤵
PID:2412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-355554299-1859880873-9705625441918157772-156112817-567853228-13553852581828578880"
1⤵
PID:1456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-723739593-373917471-1652779793-16552045351182386135-1279110572-10403083791733046851"
1⤵
PID:2160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:3328

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
MD5
665bd706eca3c7a3abf0865a09626260

SHA1
160cd60d668ffd3ccf143adcfdf029731bf45d0c

SHA256
04953bf890b929fd61df226125febcafa307eedf1c5cbb63a6e5ab974a5730d3

SHA512
02497707bdc172f4338d573b3fb17a9d043c0a2ad8055f1f67fc00a9a28496089e241906324ec8a4d5083b1e8cef27a05672e6dbb7ba68c365a47885c4104b26

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi
MD5
edc63a16c5fcba9bb9303748578d91d4

SHA1
83b1619277ff10db27907f44d28c3033f43986f3

SHA256
f9a7071882785a57f5daf2cf9e6eb931fbb1ca9ed3fe75181ded7b2b976c84c7

SHA512
b718d19c6499148fef896d0519d9c08bf32dc8823c1afb57b2122d5d52ba70b3813dce883f869463084b0fccd59027163c8eb973ea5534580baa2f0c3e8931e6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml
MD5
a49ebec2dad5a12e7cc59d463963499a

SHA1
990cdbcc036d6585faa65e4d56d147a826c1bdb4

SHA256
6476038c5e5e9d1247ed75442fb574fcbadd73ea17e37e598815a4472a8283a4

SHA512
09eddb3ba7511a08df5a1c066bbc337d54797c3e3c32d27bf60b6c4a1290a9a8a3b7515b1d420327616161d89370c664e57affc45ccaeaf083bad49d88170107

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
MD5
2aa0849fe21678e2847371590e4f5c2b

SHA1
ce57e7c88c198f0cf59332e90d5562a10b3f86f0

SHA256
720abd2c254edbff57c2a13c4a6eb3ff001b35190b2ce9f3a125c1590dce369d

SHA512
a94db0313f59c326146a695e7ec2489e8162615659eb42c858905d137c56b10eeb86635f2b87d3b192429c84ef5de629015978fe2e66fed91861f6fa0e4de0d4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml
MD5
1c0e1fc88a5ed285b8918bdd98ed5922

SHA1
3af7d5702520aa721daf4a1bb5caca2074592824

SHA256
497c4d171fe0cc75f51d9066d203631fb49070faa43d7b0836831813f75f9e64

SHA512
89f7c36fbccc0f1e9e93c6924ef439f19762320ea622f74c9fc638c16ff42da1402b0b50abdfc5b32f8ee267e88ee1bfcee8233b0bc989143c92043837796050

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab
MD5
b092d941c935e1eba8734044364ac53e

SHA1
4f0819b64796709eaeb8e40ec4119ea21dd8c281

SHA256
b6fbbf648f81da9157b05b69b808dec78de3fcf1d11ea447988478d4335a421e

SHA512
464fea992caf88ca1e486d82568a3e3d130129c66620368175ac98fc69f71ee0b92180cafbe4a6ac13b9a76c19a6f004aacef7e23b187aba8198fb071ff74767

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab
MD5
c8ac1531317f77a736471716d086f608

SHA1
5adbcdbe8bb7089895cfb31bba4db77df937ec2c

SHA256
d32c68af507133f85ac2f495a34dfcf28554ff528df88250044726d009834535

SHA512
8d9783801dd15593f50f96a17539e5f9f63dcc16e2877fb9de358dd70800d6efb9dcce916b6cd8b611432c7f035cdaba5994c9a07927b1d46cc5ddc7d8f1a34b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml
MD5
1bb72ad2528c65b0e746e34d752d3a9f

SHA1
57fac107f99f49553e42d8b3d669741118b8eaa8

SHA256
3138af69f3957d0c4e2aa49cc8bb4fbc6dd7e13452e1f487fa49fa6098e31240

SHA512
c90ec57c1f2a5d610777d4889d527f67cd8c27c93874b5782d08cd4b7799173c1ffcf317784aa7e812ca740d280053e23a6e6b8912e975f5336f42b981acace4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms
MD5
78144a8d2a2c37e8b65199bd6dbb42bb

SHA1
36ca953ef685066f79e1c68f4db285503f4c798e

SHA256
7551f32bfe5d09bc5e2f1c8e3444049e0a5910a7cfc1daacca62dfec136f55cc

SHA512
849f3f699ce9461da7e394957a575024ab458e689da43490a4c3249bd83f814897cc3afefde932a1288a9b8d44e9b30b886fc110e8e604d1062d59cc7211d592

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab
MD5
bc8de4cbe20e296130d648d97c64cd66

SHA1
64ec5c66661016e79bdd2eccb06f53129991582b

SHA256
a5789c0cbb6c5075ba1425695aebd48778f2cc8c209b622221496f5f584a29ca

SHA512
5ddc96501fadddc8dbeb002ca729049d24eb33e4f735c514999f5e68cafe4eaea36990c624959a508d1512a74bb4492ba458c8097b36fc1bc5dfaf225f91fac7

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi
MD5
090da7030c47d62a5b32170e03fe9cd6

SHA1
ead78eff67190ab27aa319c5f708bf1c934bf8ee

SHA256
d10d471622ee68a340abace0cc25abc7241e61bea3918af766b341d305d03165

SHA512
b7e92fbaa9e38f3cc5801dc458ff94b78571f84f05e40647e4caa0fb442b598ba2402616b50ef09ab5e9c828f245b9ad1d193e1056339b2fb7d8fc545729641d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
MD5
fa98865074bacc81822cf70eecc3a842

SHA1
ac54eda6380ebf405740126b0d2506a50d3f2645

SHA256
e5698070e94e7979580743fb6abc237b7b24c76322fc0b306bc552f5f2f4f37d

SHA512
fc8075d079ac27e3f457f9d7e5e2e530dc861f79185a4ced75bec2d423fd7af2b29e1d1c8ff2a4b63311ae77759b138768fbfaee049070ebb34188351dcad896

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
dfc7c340c492421b3177a2acfd39463c

SHA1
1f8f849de623cfb045ea7cdea81e0d765d37f288

SHA256
386a0e62f3c72f5b0176f015cd0479d5084b2ca4a6ed2d54d4ba9a8df47dd2b2

SHA512
9325869374c3d2eec265881d2c02e3eab4a489d377ad60f014bcd5911fe5a2bb3a48293508836eec27225dd5c6e390f20bd5dc2a360d5ad9e3ced46005ad4255

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi
MD5
78115e112b8d57824ee357efc7fa51dc

SHA1
d18e98e9d34431b7b867946c117533bf9a3df36b

SHA256
59bb82cc1a097a0f75c75579e0afbf0ba43a7f35268c3463971b4055912012b1

SHA512
e8cc53a5ad7c21b9e6bc2cc51c96e62e5296b11a9f6cdc394539c207bbf6af7c756186e8fc515311f3dd969aa237133962550b441b2a5fc7cd585fd004992db7

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
MD5
34eceaf151cf7ce4a7aca8d503d50a6e

SHA1
5822b981ad52940569351b2eab9e1eecfeadc4f5

SHA256
9ce2ec399be00224363a8776065aef1e091865f14631c867e42360ed5ce8a86d

SHA512
93c00203b093fba1b3b19524b6164d29b3c1131a36a208feae40cc2a14c8e7bdc1ac9c9d7fa3c737f17db23ff6dcc699923b0e24e9e2469324b6965347bbd1e2

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab
MD5
cc2979d46421ed51f34954b63618857f

SHA1
11a331244e20e2c9a67413a1a97c274f9d0c6ee1

SHA256
4025b4ac41275116978da2fe60f3ac583b5483623d406642c9876f9f8e84992f

SHA512
93ed02e02295173075ff2d68d25846d6534175a7c6bebbd5cd0a82a44ef219000bbe834f3d838c2320ae6a5c83aefbe7f7d7a4bd5d3c4d520f0696849cdbcf53

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
f319b69136a3df94bd57c5b88989a639

SHA1
3d3e63d646556eb11d6f388525413c15e96496fa

SHA256
1d7a80074e3be666b68d20a4c2663cc9eeb0cf92002de99f0e4f3a8b1aa056eb

SHA512
b9d549606bee6ba32988d1ef2043a0a961bc3e3388d61a3a15bcec4e828cc62bc85fea0b096b8ea4aacff258dcb0b8c2b4523e2be74ae950924df9631490f4f0

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab
MD5
4bc3a72750a17056ad23ce3dd185d379

SHA1
398969a89a021c9c1a14333b189fa1fa73d609eb

SHA256
bec1ff96ac3a4ebb13862bfe287dc9b5bc2dd233ba2370a980fefc0ab243c9a8

SHA512
a35a3310f1cb019fb650fa6937c61b52523c12399fe2dc9196a0c83ea176dd358f233d33465c2bee873a6fd87a2e9baec99208e3e419fd6e65f408e9a89fceb1

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi
MD5
9b8d1bd7ca354e11f114db334ef4bb8f

SHA1
206b38d637eb9f3536db8c6bd2d8781bac051f2c

SHA256
32973ea1d5f714757f356b2d7af8c9cdf786503458f421f7222bbc2dc5ad553b

SHA512
d02e13f73ddd512e571da2b34933b37dbe61bad699e17abf6d87b15d7e60b4de4d325f62db76c966bab8bd4319ff51115348aa01bc10c8876620ab0034c92ecf

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml
MD5
490d57ca5728d901c3501bec42e6796d

SHA1
f29e4f3aae29bf1b0e41ae0758e8a4b5aa72ae00

SHA256
2207b89e1785974639b12750973ddee9364265eb1728fc2dde85748952b01ed8

SHA512
1cce34f46bd651f8c260481a8bbf9f9bb38cde02eed726159c908453090888cc328079aa6b00125c76176d9effe202c134761d5e86aad6cbf7a6f8445d3c4be2

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
fcfbc8489ebc05f6212c933bf480d3d6

SHA1
2024b7815120a12aa52f6120679787d66d871038

SHA256
98ccc694449e78fa94483b9b275841ff816a4678f652dbc0291d723f5ee91dae

SHA512
64f6113b232caf9d7a8c8aa695996fbafca89c48aea19e17bff95fc2462b0958cb8ef34efac40e3be67b467b59e83890e0e19b1da0c71e2262acf973358e95fa

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab
MD5
8a22591a932fa67891d9a7afe7c82358

SHA1
3967b2bef5d1e44940af73222fbcd26ad28e7f62

SHA256
8e2e5cf50883bcbaf479d270582f1ec9e48968ce85795b5edda0648128fa65b5

SHA512
4f291861a21d3028549db2e29c67fe2435f9091649c91b83e9c4de80853a77425972f0c678595526537685dbae68bd81909c7a49f0af2421f69d97eaee076d73

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi
MD5
ae3f3e69758e1a0fe1edf4b8e388976f

SHA1
8dc527fbb64fa99de6a5acb467d602cc0c67c4c8

SHA256
e3195f3caa5d7d6ed15e7dc3b54ab849c0fe1097627d88e8379e378854e3509f

SHA512
0aadc55047675e82aefc5d06b5d2e4e2971ee1750d486bd31fd55b8a258ed295cb2305a16e4eaf1e56368da29fd789a901fb2dc25273b93301107ff30d21ed5e

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
MD5
8c108d918a3e4076f1c931256bf565e2

SHA1
6e62dbd845e834d737a7c5956d0d66c22feb9184

SHA256
a12f2b2f87f99d8f15953dbe7895e24705856039c54391cd276db1de2fe1a0b4

SHA512
acc8e2b866323a9343acbbba1262dfd88439b94d78ec4913159278722480a7b7dca99099814f6f94c8f82c29adc16642173105e9d77ddbc080367fee1c4d46dd

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
d215beba229972615433d80428882935

SHA1
78bef0516a90ee420c0f5929ebab96eacaf8595c

SHA256
b4cb41a630352e14fb237610b1bbf363e5313e23aeef0dc3e8f7524b8408ba36

SHA512
a499f636e46df74d1468300251497d2280bd7fdb26804d5ebde0fc38115f26840a274c0732cf47b3fedba50ae5a5b0a0d44ded4b8c96bd6b95c77f99991daa6a

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
2043387018050739669b3571d44c2442

SHA1
4f01e9030912b2d5271779205215947fc237dce6

SHA256
35d3eec06c2a0c7e5e55fd5027947a3306bb2df07c21e725ac4c58998a5a5bb3

SHA512
4540481e115dadaceaca17bcb7cd01fc5baa2be4aa84da42f7510e720bce23700c8c0f0b48972321c3a46d1fdf101a2caca16924eeb98a9f08af23efd8961b24

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab
MD5
6806b4d9ca67e161c7f04db6ee24e3ba

SHA1
749282df61ca682e7fb594f0709fa39bc9d93efd

SHA256
a0c7046b31c21581b1927917de33115172806fae9cd96f72167a0cfe5cc3a776

SHA512
0da276c8e38bfbdb96f8aff2fb24e6f64dc4f153f854ce75390c6320d5b7f75d95090f532ed38c3971897fb372f12295e7a08688d2232855ff23a6a84b09fb20

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi
MD5
4024b55e72594f84648f3b754cd0c9b0

SHA1
2580575d84b0dfb9d999d5990dc863291f5c99b7

SHA256
e113d7fb9c80729c8fa70772712df25fc9c353a19aed4b445841fdadbdd39b0c

SHA512
781c4f9bd0761deace30911c9e52dc156d05e32a7e34598f2e3108538d27ee53182c40642e5939ca29ea912e72ab5daefec951a5ca46f17d422df2d7c78f548b

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
MD5
e6d2769ec7a0bbaac2f5d017fcadd66c

SHA1
f477f0ee5c642e541af0e7f240ff9417bd7c7065

SHA256
03cf9016bfe641dd3eb88da1381a3130d415db76629973fffaeba98a76ae1a6f

SHA512
f5e85b809a17c51640b4b913ff8d874645a91ccde1884a6a4f4c85ebb8342ca743b68791a4acc9fd1f12bdc3e9dbf1204638809c61629da78d82b2999065fb0e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab
MD5
be7d8928b263ce4edf3380726cf52dc5

SHA1
3301828c5e8949234d4d1ddc98678e2999b1702b

SHA256
b151a1bed5e87bc8df2b7540bacee481a3ff07544b45a569e096c4b82de2c29a

SHA512
cc62b39308c0cb1d46d7864b6fffb5e93ba46f1a78ce44690be3ce39a9ab3f8a23588c8fe600e735df3b434ebe758dfa5c227f6f58b5a9214bbd6f677337651f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi
MD5
9df5d83ebff63eeaa9bbecc7790db618

SHA1
bafa7c105985d6fa2c5166726d5dc83de676a70c

SHA256
005bc22a66e51511c300ea9636384ca7308f966a38c9a21e155453f2bb17da7f

SHA512
db4337323200d96ff830619bf708f6b259b0d62f2d07190fe52bdbdcd7d5e3aa15db24e2ef4af9871118564695fa15572cb718f7fa8923e8eb52b26da4e12a1c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml
MD5
99004c11d07ccbd4d2a36f6fabb650dd

SHA1
4718aec95cc339dcd0d75f658b7d64adec7054e2

SHA256
6d8defb9379ae5626ccfeda2e2f3d37a2632a8a9feadd26bf8950e4668de0cab

SHA512
b21e6d97741542922dc009a06c4512af746a8ee64b026babafd1a67839bb56f880575d5221b1c02d8ed8786435d38aa7242b0dbb29885ba61c3b220e1d31a45c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab
MD5
df52b6b99d72624215605ca66b86c50d

SHA1
6ea3de8b05494f947d5edbd23664caff283a86d4

SHA256
a38e8e1e1d40ee826dc76f72053dc29cf6e08d3688952807c8cbcd2df312f0ec

SHA512
b4bef3a58fa676b51322d190a5b75471b9cb413f7ab23fe7c5238b0bd3dd14a1b0c0938c573521cf70bb166a3f999f9e46b0a33e1470213bc695091a6fde62ad

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi
MD5
b6d75ef4bcb257e6cfac090347fca06e

SHA1
a588018e2e8fa4c941748fecf7bd186ea558e644

SHA256
5f7d3b612d7c9e291b3b8c37dd6dec12a41f9022e5011b3dbf418dda36866e70

SHA512
689b706fca04269c206c63df5ef0f7bd6ee480187fca5b9c0decb3263a817cde30e1e93fa652b06e7bf6c7c73d145b1c64075860a22e27e4d45499e9bf51b1f2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
MD5
55a8ed1dc6db6566d14cb150e8ab922b

SHA1
9117eaf04f1064e2e44d00dcf953cba44790268b

SHA256
de7d1589f8fb700bccb1a2e915131e7c0bc56d51ceeebb34df40651eeca164fa

SHA512
98902c3fe8cc807db85e9afe4fc318f957f33805ef56f9ca7e5a3c01d6517b49baa51e19280f64a0cab39200835a4b936d063601ba3a2ab6460a0d062483899c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab
MD5
1a6896e11627bc0444b214a900b8f951

SHA1
04f867b65480ede343cc6793d8b0db27410ea713

SHA256
3b85b9af079ad8f6cabedf9632638de2464d1dc9fd76201cc7c010e107482d1f

SHA512
c27f7bfeeb332f8cc8e26090ad71f67ae26cda077fccbece2a7a703e02cbf7b83282c25fcf03c4372f99ec4c53329b88707fb857b6c1c63ef00b53736138c0db

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi
MD5
98199d982170205f74437454afd27da7

SHA1
c91f373dce80b0f18a8c760426d821df9b3de47b

SHA256
e469aa85a363caaf407d491a28b84cfc05a93631e017f32ac1581892f47a71a4

SHA512
82333e552490165b222c3afea17e6a92575d34d5e349e771fae2eb01dac74139960ecbb073435459787eea5534d2aad4bdb90f486471a017636c4c4bd4f30360

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml
MD5
6b2d1188d37808f80000a275a85e18de

SHA1
4b8383ab7933bb7ead6b5e6e5aeb3e937305c850

SHA256
83416de6cb487eea7137988d47f49507032a740554f58e6fc3c350fb984e2218

SHA512
ef7cf35dad7e61578ed3514eb51f21090f7e7a568a7a7d4060f29db8e905e8e3acdb1b3169e5e723a260ef48a83a2e82837170c22b7bf43571c89c9f4330e657

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi
MD5
d8b4788578fcb11d02d87b493c84673d

SHA1
bb73c47630753f762ac842bee1d850d1ef5d8b91

SHA256
5b177006d8ed7f05ef44815f752e93ea55df554c6012ec9e6d80904481719abe

SHA512
533fc308389dd2a9c18189fa48d94fb5e3a54e56fbc881c4369b0dd7a898b8f11369c21ef0d405ebf8334a42f9b05aa379bc282d0dbde4a1d476b3915a4ef88b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml
MD5
e974cc2513dc37f5859bb73f9f9c3cb8

SHA1
ffd859a6c8c2e26c19c7196458a0fd34bc131617

SHA256
e1b3d438ff8d28a9de72fa8082987eb5d46df9ca0560147ffb20c099a494af71

SHA512
5a7e5917134d1c779e0cc6b65bc4e689a9c58a82d6d9d1051250fcfd5704dd3de7e1940ae81aba3fe7fe8264b2cb40b37dc6f10358391980bca3b343d9fe0fc2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
9f95bb16ee9f3b3e2836629bc26fda3f

SHA1
73d2186257334aa7c1aa9d4421ec22541adc5dab

SHA256
46d1ebd0945161335329cdd77dc000cc8b82056b0af377b795e1b568b749acd4

SHA512
97f5fc5985ea9186ad0f91cdc0f9ae1c8c61a176eca26f4ae9b53f094aa6de7ec7bb49e02f91780e0b616f0f4747f5c84656f5fb766fc03cafc764e90ff49d8a

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab
MD5
5d8fc773aecb2ded4ffa68c646f0834b

SHA1
e410c8de740857d1a7af534641e217dffacdda54

SHA256
a90e4f1db4d50ebbf62f81400113d0f83167439d87bfdac318081e08a7311d40

SHA512
38ebc9248e4e54fbd6175829260b575e8c284b223ed5e98434f6f54a2d3b3b4aefda18217dc384de9345b88bf1cb7f523aed05b7d79e55752b0092b96c143932

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi
MD5
3d926ce59e4edfc77c39f4934722ff68

SHA1
a1c26de23ac60615da8b2d0248c99ec1a7039eab

SHA256
306dae69025fa15eebe8a07f72a5bc902c02d2314ad8a1a368b08ee86e6668c1

SHA512
eee4ad235486bcbb62fc5ceb6304fe2ec62e2bc9ca7413126ff9e505514105632cde6c025e4cb976e8dd0463bd7697dfbdd5fba228236f3e7dee1bb3840a75da

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml
MD5
3afeafec25c48e2bf87cfc6b772fcc91

SHA1
a71ab44a13e16bfbeb3a041eeb62e6dc8e890f1f

SHA256
cc40f05822fc2e694cd8669fb810e52c3922e96971a9b54441a21d46ac94517f

SHA512
9ded8b9ecfb27a478f3a0c5db30486c805a1597299a49d8405cbf90d5ef37cd6ff46609e77cb9d3439dc7b6071356b99bf5fe561922f843d5447a69cf277eea5

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
2425bfd31d2f7cdb5db93f1d356a430b

SHA1
94eecfd424edfaa953cbf65c62f2b12c1cb55ae3

SHA256
41d8375e771e6adff9a588de6f2737bf0b77cfefe7ea74765cec0aded5131b93

SHA512
48b551ed1947235ae2219e26830624965eca0f9e3ad5ac77c1ad92e865b0140ebfce0fc720dae6d52db3b6af39cdb5e4bb44f39ff925ea29aba2ddf881fc6ef8

Download Submit
C:\MSOCache\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_17ebba21-ade9-4848-b865-5b9359ee593d
MD5
ef9b047b9b3c1e01646dcce9067c8f2d

SHA1
fce5a6205791ba3fc95c8e57b797b9cd903f96e4

SHA256
d50ae959353af819066d1589d3a1b88154f77e572df80cae02524a35b8f22eed

SHA512
67aa993ea02a5ae5da0926f7fe2a43b7d955711e85d2126c7d367337f4975a6df4ca0c3eb5c0cc5ef2625c3b04845b9e5af6f15ffc41053dc9486195eee79675

Download Submit
C:\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\users\Public\PUBLIC
MD5
c60821cc4336f6453f9dc5453d8f0b7d

SHA1
09719d9251a7ec8f4c809f4c4377ae48a1629d3a

SHA256
df506e1f6cba7dbcad75cebde8340000b3181409fa672f971825c2c06ec764a1

SHA512
6040d0b375ecc727f62a044289d6218c39deb2395e7c4fd15d8e026654a38bb59df01440c1a9efd49b6c1e8d421cab2eff6c1c71f5927f87be0a523639398a64

Download Submit
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE
MD5
f22186973841401a70277250dbeef346

SHA1
34cca504a460a77da3b937c85f6dd8ea64e4dea1

SHA256
1de15421cf2aecb17166b630867ba5a9718e3825e0b29847244c24e124de961d

SHA512
7ec83d04a5e14099cbbfaf50d5c38488753bff3f446bd3331f0b39b6e55fcd7937472fb6c5c1dced0a310e052909b8e4faf1a70a151e04e07099e7ee6c00a34b

Download Submit
C:\users\Public\window.bat
MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
memory/240-68-0x0000000000000000-mapping.dmp

Download
memory/436-95-0x0000000000000000-mapping.dmp

Download
memory/732-66-0x0000000000000000-mapping.dmp

Download
memory/896-64-0x0000000000000000-mapping.dmp

Download
memory/1092-65-0x0000000000000000-mapping.dmp

Download
memory/1112-117-0x0000000000000000-mapping.dmp

Download
memory/1116-124-0x000000013FC70000-0x000000013FCA6000-memory.dmp

Filesize
216KB

Download
memory/1132-62-0x0000000000000000-mapping.dmp

Download
memory/1140-99-0x0000000000000000-mapping.dmp

Download
memory/1200-101-0x0000000000000000-mapping.dmp

Download
memory/1316-116-0x0000000000000000-mapping.dmp

Download
memory/1404-61-0x0000000000000000-mapping.dmp

Download
memory/1444-70-0x0000000000000000-mapping.dmp

Download
memory/1512-122-0x0000000000000000-mapping.dmp

Download
memory/1516-114-0x0000000000000000-mapping.dmp

Download
memory/1516-63-0x0000000000000000-mapping.dmp

Download
memory/1544-96-0x0000000000000000-mapping.dmp

Download
memory/1568-97-0x0000000000000000-mapping.dmp

Download
memory/1584-100-0x0000000000000000-mapping.dmp

Download
memory/1676-59-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp

Filesize
8KB

Download
memory/1784-98-0x0000000000000000-mapping.dmp

Download
memory/1872-67-0x0000000000000000-mapping.dmp

Download
memory/1876-71-0x0000000000000000-mapping.dmp

Download
memory/2016-60-0x0000000000000000-mapping.dmp

Download
memory/2028-69-0x0000000000000000-mapping.dmp

Download
memory/2056-123-0x0000000000000000-mapping.dmp

Download
memory/2060-108-0x0000000000000000-mapping.dmp

Download
memory/2064-72-0x0000000000000000-mapping.dmp

Download
memory/2064-103-0x0000000000000000-mapping.dmp

Download
memory/2108-113-0x0000000000000000-mapping.dmp

Download
memory/2124-73-0x0000000000000000-mapping.dmp

Download
memory/2164-74-0x0000000000000000-mapping.dmp

Download
memory/2172-90-0x0000000000000000-mapping.dmp

Download
memory/2228-75-0x0000000000000000-mapping.dmp

Download
memory/2240-119-0x0000000000000000-mapping.dmp

Download
memory/2268-109-0x0000000000000000-mapping.dmp

Download
memory/2284-105-0x0000000000000000-mapping.dmp

Download
memory/2296-76-0x0000000000000000-mapping.dmp

Download
memory/2304-91-0x0000000000000000-mapping.dmp

Download
memory/2332-77-0x0000000000000000-mapping.dmp

Download
memory/2352-110-0x0000000000000000-mapping.dmp

Download
memory/2384-78-0x0000000000000000-mapping.dmp

Download
memory/2400-102-0x0000000000000000-mapping.dmp

Download
memory/2444-79-0x0000000000000000-mapping.dmp

Download
memory/2512-111-0x0000000000000000-mapping.dmp

Download
memory/2512-80-0x0000000000000000-mapping.dmp

Download
memory/2520-92-0x0000000000000000-mapping.dmp

Download
memory/2564-120-0x0000000000000000-mapping.dmp

Download
memory/2576-81-0x0000000000000000-mapping.dmp

Download
memory/2604-82-0x0000000000000000-mapping.dmp

Download
memory/2628-121-0x0000000000000000-mapping.dmp

Download
memory/2652-83-0x0000000000000000-mapping.dmp

Download
memory/2668-93-0x0000000000000000-mapping.dmp

Download
memory/2676-115-0x0000000000000000-mapping.dmp

Download
memory/2700-112-0x0000000000000000-mapping.dmp

Download
memory/2736-84-0x0000000000000000-mapping.dmp

Download
memory/2776-94-0x0000000000000000-mapping.dmp

Download
memory/2828-85-0x0000000000000000-mapping.dmp

Download
memory/2860-86-0x0000000000000000-mapping.dmp

Download
memory/2904-87-0x0000000000000000-mapping.dmp

Download
memory/2916-106-0x0000000000000000-mapping.dmp

Download
memory/2952-88-0x0000000000000000-mapping.dmp

Download
memory/2964-107-0x0000000000000000-mapping.dmp

Download
memory/2992-104-0x0000000000000000-mapping.dmp

Download
memory/3012-89-0x0000000000000000-mapping.dmp

Download
memory/3064-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads