ryuk | 98ece6bcafa296326654db862140520afc19cfa0b4a76a5950deedb2618097ab

Resubmissions

25-08-2021 09:58

210825-v7zzyl2nr6 10

27-04-2021 14:41

210427-xtq2b4mr86 10

Analysis

max time kernel
301s
max time network
274s
platform
windows7_x64
resource
win7v20210410
submitted
27-04-2021 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

red-necessary.exe
Size

171KB
MD5

8819d7f8069d35e71902025d801b44dd
SHA1

5af393e60df1140193ad172a917508e9682918ab
SHA256

98ece6bcafa296326654db862140520afc19cfa0b4a76a5950deedb2618097ab
SHA512

41ada66895e76a0ba3cf1feea4b9cb4c76d2df1b801c44a1d333cdb8c737001ab9dcc9ef35ba8f1a87d329aa23eeca0729b2279e1955d6657172a3593627cbb2

Score

10^/10

ryuk persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails [email protected] or [email protected] BTC wallet: 17v2cu8RDXhAxufQ1YKiauBq6GGAZzfnFw Ryuk No system is safe

Emails

[email protected]

Wallets

17v2cu8RDXhAxufQ1YKiauBq6GGAZzfnFw

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Dwm.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SetInstall.tiff	Dwm.exe
File opened for modification	C:\Users\Admin\Pictures\ExitSelect.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\HideAdd.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\SetInstall.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\ExitSelect.tiff	Dwm.exe
File opened for modification	C:\Users\Admin\Pictures\HideAdd.tiff	Dwm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\red-necessary.exe"	reg.exe

Enumerates connected drives 3 TTPs 36 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01628_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0228959.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0157763.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IE.XML	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Toronto	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR7B.GIF	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\Proof.XML	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18193_.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kosrae	Dwm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator_3.3.300.v20140518-1928.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285820.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_COL.HXT	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR21F.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384888.JPG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME24.CSS	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Singapore	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01472_.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02264_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Code_Signing_2001-4_CA.cer	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02282_.WMF	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Christmas	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_K_COL.HXK	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Eirunepe	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup-impl.jar	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\SONORA.ELM	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Pushpin.thmx	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACTS.ICO	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00256_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis.css	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00685_.WMF	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195260.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLJRNLR.FAE	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00440_.WMF	Dwm.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217262.WMF	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 28 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

pid	process
2204	vssadmin.exe
2888	vssadmin.exe
3028	vssadmin.exe
3048	vssadmin.exe
1832	vssadmin.exe
2152	vssadmin.exe
3096	vssadmin.exe
4000	vssadmin.exe
896	vssadmin.exe
3704	vssadmin.exe
2480	vssadmin.exe
3372	vssadmin.exe
3420	vssadmin.exe
1684	vssadmin.exe
3648	vssadmin.exe
2652	vssadmin.exe
1144	vssadmin.exe
2732	vssadmin.exe
3136	vssadmin.exe
936	vssadmin.exe
3392	vssadmin.exe
3104	vssadmin.exe
3588	vssadmin.exe
3004	vssadmin.exe
2688	vssadmin.exe
3016	vssadmin.exe
1796	vssadmin.exe
3956	vssadmin.exe

Kills process with taskkill 44 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1508	taskkill.exe
3344	taskkill.exe
3448	taskkill.exe
1428	taskkill.exe
2084	taskkill.exe
2192	taskkill.exe
2456	taskkill.exe
2732	taskkill.exe
3016	taskkill.exe
1532	taskkill.exe
956	taskkill.exe
2976	taskkill.exe
2132	taskkill.exe
2708	taskkill.exe
3400	taskkill.exe
324	taskkill.exe
2920	taskkill.exe
2908	taskkill.exe
2060	taskkill.exe
3104	taskkill.exe
772	taskkill.exe
1440	taskkill.exe
2580	taskkill.exe
2772	taskkill.exe
2876	taskkill.exe
900	taskkill.exe
2052	taskkill.exe
2156	taskkill.exe
2392	taskkill.exe
3296	taskkill.exe
2636	taskkill.exe
2676	taskkill.exe
1592	taskkill.exe
1460	taskkill.exe
748	taskkill.exe
1228	taskkill.exe
520	taskkill.exe
2124	taskkill.exe
2820	taskkill.exe
3052	taskkill.exe
780	taskkill.exe
2256	taskkill.exe
3180	taskkill.exe
3500	taskkill.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

red-necessary.exe

pid process

1664 red-necessary.exe
1664 red-necessary.exe
1664 red-necessary.exe
1664 red-necessary.exe
1664 red-necessary.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

red-necessary.exe

pid process

1664 red-necessary.exe

pid	process
1664	red-necessary.exe
1664	red-necessary.exe
1664	red-necessary.exe
1664	red-necessary.exe
1664	red-necessary.exe

pid	process
1664	red-necessary.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

taskkill.exenet.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exenet.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exered-necessary.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1428	taskkill.exe
Token: SeDebugPrivilege	1532	net.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	748	taskkill.exe
Token: SeDebugPrivilege	1440	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	324	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	780	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	2084	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	2580	taskkill.exe
Token: SeDebugPrivilege	2636	net.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	3016	taskkill.exe
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	3104	taskkill.exe
Token: SeDebugPrivilege	3180	taskkill.exe
Token: SeDebugPrivilege	3296	taskkill.exe
Token: SeDebugPrivilege	3344	taskkill.exe
Token: SeDebugPrivilege	3400	taskkill.exe
Token: SeDebugPrivilege	3448	taskkill.exe
Token: SeDebugPrivilege	3500	taskkill.exe
Token: SeDebugPrivilege	1664	red-necessary.exe
Token: SeBackupPrivilege	3512	vssvc.exe
Token: SeRestorePrivilege	3512	vssvc.exe
Token: SeAuditPrivilege	3512	vssvc.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

taskhost.exeDwm.exe

pid process

1116 taskhost.exe
1176 Dwm.exe

pid	process
1116	taskhost.exe
1176	Dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

red-necessary.exe

description	pid	process	target process
PID 1664 wrote to memory of 1428	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1428	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1428	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1592	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1592	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1592	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1532	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1532	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1532	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 772	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 772	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 772	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1460	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1460	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1460	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 748	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 748	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 748	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1440	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1440	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1440	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1508	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1508	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1508	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1228	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1228	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 1228	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 780	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 780	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 780	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 520	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 520	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 520	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 324	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 324	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 324	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 956	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 956	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 956	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2052	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2052	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2052	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2084	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2084	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2084	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2124	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2124	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2124	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2156	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2156	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2156	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2192	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2192	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2192	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2256	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2256	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2256	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2392	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2392	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2392	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2456	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2456	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2456	1664	red-necessary.exe	taskkill.exe
PID 1664 wrote to memory of 2580	1664	red-necessary.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\red-necessary.exe
"C:\Users\Admin\AppData\Local\Temp\red-necessary.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
PID:1532

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
PID:2636

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
2⤵
PID:3556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
3⤵
PID:3688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
3⤵
PID:3888

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
2⤵
PID:3648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Enterprise Client Service" /y
3⤵
PID:3896

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Agent" /y
2⤵
PID:3720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Agent" /y
3⤵
PID:3948

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
2⤵
PID:3772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
3⤵
PID:3960

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
2⤵
PID:3804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Clean Service" /y
3⤵
PID:4000

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
2⤵
PID:3908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
3⤵
PID:4080

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
2⤵
PID:3872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
3⤵
PID:4016

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
2⤵
PID:568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Message Router" /y
3⤵
PID:3748

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
2⤵
PID:4060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Client" /y
3⤵
PID:3508

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
2⤵
PID:4036

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
2⤵
PID:3512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
3⤵
PID:3812

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
2⤵
PID:404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
3⤵
PID:3800

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
2⤵
PID:3980

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
2⤵
PID:2728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
3⤵
PID:3952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
4⤵
PID:3360

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
2⤵
PID:2636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
3⤵
PID:3988

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
2⤵
PID:3688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
3⤵
PID:3960

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
2⤵
PID:3836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
3⤵
PID:3940

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
2⤵
PID:3824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
3⤵
PID:3948

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AcronisAgent /y
2⤵
PID:3996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
3⤵
PID:4044

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AcrSch2Svc /y
2⤵
PID:3928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
3⤵
PID:3912

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop Antivirus /y
2⤵
PID:3888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
3⤵
PID:3992

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:3196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
3⤵
PID:3964

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ARSM /y
2⤵
PID:3848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ARSM /y
3⤵
PID:320

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
3⤵
PID:3760

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
2⤵
PID:4040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
3⤵
PID:3712

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
2⤵
PID:4064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
3⤵
PID:3736

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecManagementService /y
2⤵
PID:3360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
3⤵
PID:3788

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecRPCService /y
2⤵
PID:3656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
3⤵
PID:2728

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
2⤵
PID:404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
3⤵
PID:4004

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop bedbg /y
2⤵
PID:544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop bedbg /y
3⤵
PID:3644

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EraserSvc11710 /y
2⤵
PID:3532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
3⤵
PID:3968

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EPUpdateService /y
2⤵
PID:3976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
3⤵
PID:968

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EPSecurityService /y
2⤵
PID:3688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
3⤵
PID:3996

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EsgShKernel /y
2⤵
PID:3776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
3⤵
PID:3112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
3⤵
PID:3120

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop DCAgent /y
2⤵
PID:3732

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop FA_Scheduler /y
2⤵
PID:3804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
3⤵
PID:2796

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop IISAdmin /y
2⤵
PID:1680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
3⤵
PID:3332

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop IMAP4Svc /y
2⤵
PID:1532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IMAP4Svc /y
3⤵
PID:3816

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop macmnsvc /y
2⤵
PID:3772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
3⤵
PID:3892

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop masvc /y
2⤵
PID:3916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop masvc /y
3⤵
PID:3360

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MBAMService /y
2⤵
PID:4060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
3⤵
PID:4032

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MBEndpointAgent /y
2⤵
PID:2664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
3⤵
PID:4068

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeEngineService /y
2⤵
PID:3512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
3⤵
PID:568

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFramework /y
2⤵
PID:3568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
3⤵
PID:3708

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McTaskManager /y
2⤵
PID:3828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
3⤵
PID:3812

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfemms /y
2⤵
PID:3836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfemms /y
3⤵
PID:3616

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McShield /y
2⤵
PID:3824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McShield /y
3⤵
PID:320

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfevtp /y
2⤵
PID:3396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
3⤵
PID:2796

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
2⤵
PID:3556

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MMS /y
2⤵
PID:3808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
3⤵
PID:3816

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mozyprobackup /y
2⤵
PID:368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
3⤵
PID:3120

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer /y
2⤵
PID:292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
3⤵
PID:3196

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer100 /y
2⤵
PID:2640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
3⤵
PID:568

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeIS /y
2⤵
PID:3512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
3⤵
PID:3688

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
2⤵
PID:4036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
3⤵
PID:4024

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeES /y
2⤵
PID:4028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
3⤵
PID:2664

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer110 /y
2⤵
PID:3644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
3⤵
PID:2728

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMTA /y
2⤵
PID:3908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
3⤵
PID:3616

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSA /y
2⤵
PID:3964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
3⤵
PID:3972

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSRS /y
2⤵
PID:3656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
3⤵
PID:3988

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
2⤵
PID:2872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
3⤵
PID:3992

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
2⤵
PID:4056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
3⤵
PID:304

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
2⤵
PID:3648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
3⤵
PID:368

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
2⤵
PID:3936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
3⤵
PID:3960

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
2⤵
PID:3576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
3⤵
PID:292

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
2⤵
PID:2636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
3⤵
PID:4000

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
2⤵
PID:2168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
3⤵
PID:3772

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
2⤵
PID:3596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
3⤵
PID:3644

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
2⤵
PID:4028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
3⤵
PID:3712

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
2⤵
PID:3956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
3⤵
PID:304

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
2⤵
PID:3940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
3⤵
PID:3024

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPS /y
2⤵
PID:4024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
3⤵
PID:3576

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
2⤵
PID:3880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
3⤵
PID:3996

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
2⤵
PID:4012

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
2⤵
PID:3952

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:3988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:3828

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
2⤵
PID:3532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
3⤵
PID:2640

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
2⤵
PID:3836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher /y
3⤵
PID:3848

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
2⤵
PID:3808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
3⤵
PID:3948

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
2⤵
PID:4072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
3⤵
PID:404

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
2⤵
PID:544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
3⤵
PID:3708

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
2⤵
PID:3648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
3⤵
PID:4076

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLSERVER /y
2⤵
PID:4032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
3⤵
PID:4040

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
2⤵
PID:3568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
3⤵
PID:2872

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
2⤵
PID:3940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
3⤵
PID:3760

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
2⤵
PID:4028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
3⤵
PID:3936

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MySQL80 /y
2⤵
PID:3804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
3⤵
PID:3828

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MySQL57 /y
2⤵
PID:3656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
3⤵
PID:3796

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ntrtscan /y
2⤵
PID:4092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
3⤵
PID:3876

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop POP3Svc /y
2⤵
PID:3112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
3⤵
PID:2728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
4⤵
PID:3824

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop PDVFSService /y
2⤵
PID:3788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
3⤵
PID:3644

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop OracleClientCache80 /y
2⤵
PID:3532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
3⤵
PID:3968

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
2⤵
PID:3776

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer /y
2⤵
PID:3720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
3⤵
PID:3924

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
2⤵
PID:3708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
3⤵
PID:3688

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
2⤵
PID:3740

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPS /y
2⤵
PID:3984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
3⤵
PID:4036

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
2⤵
PID:3852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
3⤵
PID:3816

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
2⤵
PID:3904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
3⤵
PID:3568

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop RESvc /y
2⤵
PID:3556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RESvc /y
3⤵
PID:652

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SamSs /y
2⤵
PID:3912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
3⤵
PID:3036

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SDRSVC /y
2⤵
PID:3596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
3⤵
PID:404

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ShMonitor /y
2⤵
PID:4076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
3⤵
PID:4064

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SepMasterService /y
2⤵
PID:3972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
3⤵
PID:3772

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SAVService /y
2⤵
PID:3964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVService /y
3⤵
PID:3740

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SAVAdminService /y
2⤵
PID:3460

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop sacsvr /y
2⤵
PID:4012

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop Smcinst /y
2⤵
PID:3992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
3⤵
PID:3800

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SMTPSvc /y
2⤵
PID:3792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
3⤵
PID:4060

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SNAC /y
2⤵
PID:3708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SNAC /y
3⤵
PID:3804

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SntpService /y
2⤵
PID:3512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
3⤵
PID:3892

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop sophossps /y
2⤵
PID:4036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
3⤵
PID:652

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SmcService /y
2⤵
PID:3692

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
2⤵
PID:3848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
3⤵
PID:3460

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
2⤵
PID:3616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
3⤵
PID:2168

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
2⤵
PID:3812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
3⤵
PID:3532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:3788

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
2⤵
PID:3748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
3⤵
PID:568

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
2⤵
PID:4016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
3⤵
PID:2640

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
2⤵
PID:3644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
3⤵
PID:3596

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
2⤵
PID:3912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
3⤵
PID:4056

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
2⤵
PID:2656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
3⤵
PID:4052

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
2⤵
PID:3924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
3⤵
PID:3944

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
2⤵
PID:3712

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
3⤵
PID:3512

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
3⤵
PID:3788

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
2⤵
PID:3816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
3⤵
PID:3776

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:3112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:368

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLBrowser /y
2⤵
PID:3568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
3⤵
PID:3960

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
2⤵
PID:3936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
3⤵
PID:404

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
2⤵
PID:4084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
3⤵
PID:4044

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
2⤵
PID:3836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
3⤵
PID:1540

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
2⤵
PID:3616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
3⤵
PID:3948

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLWriter /y
2⤵
PID:3036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
3⤵
PID:3652

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SstpSvc /y
2⤵
PID:3824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
3⤵
PID:3956

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop svcGenericHost /y
2⤵
PID:3992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
3⤵
PID:3980

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_filter /y
2⤵
PID:4080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
3⤵
PID:3708

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_service /y
2⤵
PID:3720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_service /y
3⤵
PID:3804

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_update_64 /y
2⤵
PID:3944

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
3⤵
PID:3532

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TmCCSF /y
2⤵
PID:3888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
3⤵
PID:3952

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop tmlisten /y
2⤵
PID:4072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
3⤵
PID:3460

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKey /y
2⤵
PID:3892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
3⤵
PID:3228

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
2⤵
PID:3960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
3⤵
PID:3908

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop UI0Detect /y
2⤵
PID:968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
3⤵
PID:320

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
2⤵
PID:3800

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
3⤵
PID:3968

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
2⤵
PID:4044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
3⤵
PID:3036

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
2⤵
PID:3836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
3⤵
PID:3772

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
2⤵
PID:544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
3⤵
PID:3788

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
2⤵
PID:3396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
3⤵
PID:4080

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
2⤵
PID:2640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
3⤵
PID:3808

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
2⤵
PID:3828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
3⤵
PID:4000

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamMountSvc /y
2⤵
PID:3924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
3⤵
PID:652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
4⤵
PID:3652

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
2⤵
PID:3852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
3⤵
PID:3892

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
2⤵
PID:3332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
3⤵
PID:3800

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
2⤵
PID:4036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
3⤵
PID:3964

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop W3Svc /y
2⤵
PID:1540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
3⤵
PID:3036

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
2⤵
PID:2796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
3⤵
PID:3692

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop WRSVC /y
2⤵
PID:3120

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
3⤵
PID:3772

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
2⤵
PID:4012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
3⤵
PID:3992

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_update /y
2⤵
PID:3836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
3⤵
PID:4000

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:3948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:3880

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
2⤵
PID:3956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
3⤵
PID:3808

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
2⤵
PID:2664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
3⤵
PID:3828

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:3812

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
2⤵
PID:2728

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQL Backups" /y
2⤵
PID:3904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQL Backups" /y
3⤵
PID:3876

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROD /y
2⤵
PID:3712

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
3⤵
PID:3332

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
2⤵
PID:404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
3⤵
PID:568

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
2⤵
PID:3892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
3⤵
PID:3984

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop msftesql$PROD /y
2⤵
PID:3800

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
3⤵
PID:3768

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop NetMsmqActivator /y
2⤵
PID:2796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
3⤵
PID:2728

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EhttpSrv /y
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
3⤵
PID:3596

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ekrn /y
2⤵
PID:1540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
3⤵
PID:4016

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ESHASRV /y
2⤵
PID:3884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
3⤵
PID:3796

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
2⤵
PID:652

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
2⤵
PID:3788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
3⤵
PID:3808

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
2⤵
PID:4012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
3⤵
PID:3460

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop klnagent /y
2⤵
PID:2872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop klnagent /y
3⤵
PID:3904

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
2⤵
PID:3944

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
3⤵
PID:3996

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AVP /y
2⤵
PID:4000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AVP /y
3⤵
PID:3952

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
2⤵
PID:3916

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
2⤵
PID:3024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
3⤵
PID:1500

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop kavfsslp /y
2⤵
PID:3724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
3⤵
PID:3908

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop KAVFSGT /y
2⤵
PID:3556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
3⤵
PID:4024

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop KAVFS /y
2⤵
PID:2168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
3⤵
PID:2728

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfefire /y
2⤵
PID:3984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfefire /y
3⤵
PID:368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\red-necessary.exe" /f
2⤵
PID:3040

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\red-necessary.exe" /f
3⤵
- Adds Run key to start application
PID:3816

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
PID:2992

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2688

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:2480

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:1144

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1684

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3648

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2152

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2732

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3136

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4000

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3104

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3028

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:936

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3588

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3004

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
PID:2260

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1796

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:2652

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:3956

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2204

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1832

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3096

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2888

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3016

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3392

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3372

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3420

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3048

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:896

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-168798055-1444985905-1893297306-107697307682263022420304235281175102278-1365598554"
1⤵
PID:1652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-636933296-1805798515926259055-48626883534319121612962919813644452421361045222"
1⤵
PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4381188587119623571298636342167377635512991531253108220017195550731907552128"
1⤵
PID:436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
1⤵
PID:3228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Health Service" /y
1⤵
PID:3360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
1⤵
PID:3792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
1⤵
PID:4032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21126319021843653114907711059-442186945506862435-668777789-2088770542-1083544506"
1⤵
PID:3928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
1⤵
PID:3652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-821017948-1248954951-1123877254-135047072-16440088481150810576-1335046322-1692769036"
1⤵
PID:3576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
1⤵
PID:3836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
1⤵
PID:3968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11569372011321569274-506359678490263507691803890-1767789283-442334184-1851099301"
1⤵
PID:4092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
1⤵
PID:3828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6573030951198812736-1891746038130542067781960458-726738911-573854345413749426"
1⤵
PID:1680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2672838351138040108867407497-1248279363-6984646481185108648873313021-42592816"
1⤵
PID:3736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-270836232-1179235228163773908399657188914744865511736661502-6289462431136857687"
1⤵
PID:3196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19301569231425179800-5059607891356928242-2037999149-4706064821946659454-1574835684"
1⤵
PID:4068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1857549094-197881509-887270094-2003636900-5511515621090707594-11839115371319492186"
1⤵
PID:3644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1923190888-16059689111494211601-1422297467-157204730611852458961350722228-801470760"
1⤵
PID:3648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "353767043-626467904-19468496131331947802-20427916811978198713-1537643415-960121841"
1⤵
PID:304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16119605923667602517061781665258454326231320351796373829-13884344942094405090"
1⤵
PID:4004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4956975969282292111520849133-13455319161006830028-1017996922-1960683763-1334628622"
1⤵
PID:3732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1311091692777334518863040791575268574920398186-366996253-6434278011470731077"
1⤵
PID:3112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4358455231082503717-25726416567756251369741195-531215286-322186613263731938"
1⤵
PID:292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12916597731502539974-2038776131369933146-747957352-2805456461218364600-615928298"
1⤵
PID:4032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7935202611185007927-788308654-1002550108-11517883391679303428-750377662-1372916866"
1⤵
PID:4028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1609631280-125621929068901909321048933931478555271-187625641-8271754002135556465"
1⤵
PID:4052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-352841683-1018059016-730941640140492307111562053082440548391609984655-1723688492"
1⤵
PID:3936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1691298154516800356-495833586797088174-1011051446-13575368092093476058390799423"
1⤵
PID:3792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-522582893-374098418-654221294-231140494-716401780-482200709-102038393152270566"
1⤵
PID:3888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1718065946259044766-309637448826994889-1426774474466400929-13630349561821467282"
1⤵
PID:3692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "948277857-4014364061171705394-1013816956-2068479853-266734576-351871759283627814"
1⤵
PID:3688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1015540526-701531158-1521189155-777307703-273031031724722441033309034-904930978"
1⤵
PID:3896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-261629681426370704-651944910-1555761850-2567967021821669819136546248973003885"
1⤵
PID:3960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1497086039-2032986154-333652166-5116039651407415325-1343192251636236813-83932404"
1⤵
PID:3980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-817062777806419653-1462784672-1553552609-367232116-1701625082796839847-1750669925"
1⤵
PID:3848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "63565353-768998263-612092337-1716300715-132912227-324954236786012756975471725"
1⤵
PID:3940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1466612791-4380331831039780616-1399283307-1588673245-8472790271996142454935518421"
1⤵
PID:2640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1042915509-80753634798255339-2046152607440007722650333112-1680057671-982226232"
1⤵
PID:2656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1502507091-1043215156-1029670408996422929181312710014180130971964372150458061478"
1⤵
PID:3828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
1⤵
PID:4076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6417883731265337623-1267979256-11609147193906960011289856012557373767615899"
1⤵
PID:320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1146597108718687606-214682479-70404620318329337218445844415619141371796520782"
1⤵
PID:3912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1904696925-466573414-410629657-58620632-1197436253-1569239217117778741-44717973"
1⤵
PID:3652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8653696957156019421277996475-331124069-7373718091281205265-2146096074164721438"
1⤵
PID:3228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-34448431-110581121217554987811754673822854138595-1595589801-3878633131292597936"
1⤵
PID:3760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-144902727815177795114554188921208458561694731060-1716625253304444172090881162"
1⤵
PID:2796

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5
91701bc70aff1eecf90c331368b5b8f8

SHA1
ccad72f7c869e733f9565dc914da36dac348e4fb

SHA256
15f216f713a93832f2f911d7e379fa7316e509caa415ad9e84976376b70be643

SHA512
317def874ffa797a1707e00083ef8b27da8e8d56a2351562bf8bfe3f3bed7f35f166fc41695b6d0b6fac5eccc77807e4ca7e3e1e1e8e55a15a43dfd45e67954f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

MD5
52b8b7829c81314e26166dae47735680

SHA1
61e9cd817c29c9fe38a6ec98f80a420a21e7f5ba

SHA256
ddddb29a1e401763ed0b76f052c82634fe143d6607cf32cf5845e10175d4668e

SHA512
acb8f45465c309d2521b6ca601e821a8eddd3a517a791816198bb192d5d58df56a1d10f8773244be74d7e6863f3be38e972a9176fdb2d8e15c4c3e3cb63134c6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml

MD5
ae34d454b87a5920c5819f69e5883cac

SHA1
b5df034b8a0b1c62085d1f2c3754400eab0cbd4e

SHA256
a3fff8907148f03fca5302185df3180cc93f8002afb41ff1be799057a271f5c3

SHA512
ffe6ab4c9d7c30417a0b6cdc1cc111de4aaf03da64141336da213fbdfcd6e033744087d35c30a0b7138252e82f91d2ea01431a4a99db0e8544644921023abb48

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5
1fdff597b52e6ec5d3c670ffcfc7daa4

SHA1
ca989872ee7fb694bfff11b7bf9e83f6c5379497

SHA256
a1967299a5b180038bfee219b9c4df8ac8a3666dd5f7f1d57cbaaca5260574b7

SHA512
baa04be1786c974dfbe284bea198b3d4ea8894441af1e7edb68b281aea36ac31c547a5b6076a28b0445e7db1482327c589369994ce4813045b34ae7da50936cf

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml

MD5
b451691944068375932a54657caa67cc

SHA1
16f80176bb0f4628c979626de6a69d8123e5d920

SHA256
d8e19669700180ad22ffed1e0aee81e0a5f730e0363ba5e462f788902aea73ef

SHA512
d51ae632f9680cad49d45c8fdef9a83b33c7f97f570e09b89078b28c3e06257bc23aac6e74319a5d1d6e292935379540a49b914123190f5d49bbef5b63bfec1b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
4baa831aeaf687e7120b315fccff56a2

SHA1
321afbefc1804e7f032ea277d8f776b61f418c35

SHA256
ccc97755244e277e331f6a40e2612313bf9e0c0156ae66f176a8983d079db79a

SHA512
307ebaef2715c8be8125bb2d27d17ad15e2b6aae05ec816b8fbb1967c6239aa647417f14161b60b3f995bb3846a400ad1f0c67fbb99f593998d429bc2cfb56aa

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
60a849d69628012864da0d03a8a2edf7

SHA1
feb632d7d02bcb28ce3de406693dd0fa0d57998e

SHA256
a2616d0f97adbd5d574880e2da585e315c347ad02f47f83caa9b2a96f5b9d60c

SHA512
b8b2eba530d0121c884dd9cab0c52de506f5a13c520c97b9cf2933be946fe44810cabab36961a94d380c5d9e17b13018df9f0b8885cc2958d1e6c3656d693575

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml

MD5
85cf04f41620e0881457977b1e0d317f

SHA1
4a555f92e156ee6d86f5d11a8b7bb59bb5700282

SHA256
75da2eb15747bc1592aed53ddb30d432236fbde6251aa75005797c6f8d9b3af8

SHA512
f3e7a05c3a4b2fa131370d87fb5c85fd78b87464633b75879dd6c725c73d7df7225f3b0b6907e16cfa16bdb09cac205c0105980c05afa024b33be51948bc6788

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms

MD5
92124cf8dda8f1148ab3a455ffad1771

SHA1
9582eba022948f0111c9b9422cf695525961fa21

SHA256
b98eb63194a9af32dc4a27312649bd32668d35e339c65f7576a37fe15d87ec37

SHA512
0f53d096f86a49dd9f6545e691954e31add41dfeb2a1f7a71511a71e3179de5b4ef945d0eb4536ec2ff80e7d00340d590ff4a07651987af7425377560c5f4499

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab

MD5
c9255f1c109444e187308c4be6321ae0

SHA1
1625c37e3550c8ee51b5961b85e3a82c34d140ce

SHA256
034f54f7614923da9c76ca53210e083398d0053983d8dc0beb7ab29ca0d08b6b

SHA512
55fdfd43a0222c9afd42d9ff2ebbf97c3cfd19ba6de41ae60808eba077cb382169b9c4f9ad87f38d75332252ab5f0640552e7dc638e6e7b59a31e231866bfef1

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi

MD5
611b8f5d3528b143a9e5f880ac529942

SHA1
3a9d5d52e546a4e44921e23249abc1cf427fb63a

SHA256
df36287dbb0390945a106102ad3b7139113a544c871858963b759e2f9b4c3c04

SHA512
d4edf5a5842d78234db017a9d29fb26645e38b7cad5a67e5e96f1211e43801c14c91a7e96de0e7669f0b90cf51c7df1d0faafb3dea832b284704f25ab804f0fc

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml

MD5
a73860ba1b0642c369ee38354a813bae

SHA1
3314f8dca49b60b12b32f4e4ff743ce46cbdeeee

SHA256
7e3487a5d2553d9c346d4dcc2f4eaf6f786c3b578c50b5173ff3c5ae81cc7ae2

SHA512
e4ecb255e153994e6a815e6c57619cc80bd038bfd4e59ca02d00dc5435762fbf1dab8067f7a77894b222ca37743f6ffb882d24636e9c126162d1d37e45caed09

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
222c9c64abf828cb5bd644e51fcec593

SHA1
f97bfc87fefd71c9901f31103ba6d58a34ec9d37

SHA256
987b3198bd23c42b0f20b365bd115eaf65d7bdeca1669ed24e3863b3ded94a1d

SHA512
d965553c714fc2f5c063ee4e15ef6a5b70ed1d57e417d972aa9819f63520a5936ae8b8673bb979f44992e9931a0c83ae9e0ff95d39e9879d0393954e68094c75

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi

MD5
034f3785cf4a2be5793fb2fce06e67f0

SHA1
12cc6119dbc132d16f5fb0f09eeb289c70b735a0

SHA256
337f23f31ee653cd4e4dfd7e918b1bebc8782b592ea95a73c7d8e222716caee8

SHA512
e1a4b8b8e336942a96c47989f0a7488de3d35de76616d6e6f489363f10459b0e357d5cd9fbb6b576846553f7aea846bd227d156621c84099433086ece4c3d953

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml

MD5
bb9625cae0022a63b46d035a9b627fae

SHA1
9487421100cdc70e1eaab092c3399001f5343923

SHA256
a179e01f2baac35d695835d48265c63d9eb7bfebcedf232ac289e9fd887c03c0

SHA512
f68bf8e150feda3e23ccfad65a992264c7935f21ea02129ffa9a3fc1881d7636f1ed947f493e9a85dca2d6f8f82dfbe10c62bfbde1bfc8168962c3da57a974ce

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab

MD5
85e1e510f1de6c35234bd1f59f66ea40

SHA1
672638594c0961a2f73253b28cc3fea8263a8d9c

SHA256
b12a2cfcc8cd9f0c46fb63918c10222687d629c331c396ee78e9981f876a8e2e

SHA512
b05dacbfcb880ee5cc472060e9a58da86c55eda97885beb21e8613287ecf61beab6922b121406255f8210898dc90899b37f787cce81645fd5fd1e147ff642534

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
f18eabc8f7cb74286d9218a2a5083707

SHA1
1438f0902092b04868161a9347e80e728a0a4a8e

SHA256
ec7737515f98a634f761053f9b4fe0fcb74be4020e5414514f2d8d0576b7ccfe

SHA512
4c19c22b198e14bfc635ec674090795d60df1b19c32802403518f8dacdc55acdb49f85a18db7bac769a6930af0ace3b5e4be87208654b799d91937afbd17b475

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab

MD5
a963fc60f7e2dd273e70d97b7a9112ae

SHA1
19ba2d7f376c3e0a4f8dfa4bd87a887d43b1997b

SHA256
1497bb977abad941ffec3a4e1e57ab214ae8f937b9079b2677b9b8af25cc1444

SHA512
6630d72774c22bfb2f0af9541bcd406ca40641a3428e9213eaa9574f5b91be11f473ee47ce73c458f6ae916590f31f641a17ee0590b62719a03c556412e9cb74

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi

MD5
1d2873e6ed62bea9bc1a5b33f17c95d0

SHA1
2c36844a424597660944c8f2835b88e1914ea9d9

SHA256
f9e2c2097447d3307d6eeea139aabeccb00e594bcfba458f0823653daa487140

SHA512
3389f89f4fb5eb94b0665d32a5572c23c90e445a2aae75548659dbbb9fb47206c79d83dcec84f883fd7b20786272266e18fc8ff4b730d8842603300775b90a33

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml

MD5
2362309020fcb19958a86793e5f6be8b

SHA1
7aef120c57fca2b45327c6aa90a91caceeb03079

SHA256
a20a9272b6d007eadec5c5f66d40b04512a56adb1ee57049f4b90ce6cc0d2bc3

SHA512
7bd8cbaa205fc400a241e5836054cf9b1013d95f891014a43013848bdc19742421d22b5e9b94ba000b76f76add09cfa7d508a0f1a4688c8cb39e6191847f3d2a

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
b98ce2bba91eb0fda55c5625cc9463a4

SHA1
084c4975bf54668e54df2a151572c0f05589be3d

SHA256
467607cadba51ca8b06164688daa775e8e1a924543de25fdff06491e6695cd3f

SHA512
fc2cec8d6f993b6037a290d92f3cf54c8893cffdee8f40e568fc537e199ed2620a25508f84e6032978dcea829cb4a6ed91ad6cc8e586135a06eb37047a3b62da

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab

MD5
beec47469ac1d18bff7259351a75ca74

SHA1
7519c5e1e4382399bfcf37f0793fb00241a53844

SHA256
58fc1157d9f395d6e9d2fe908d5f5ac84d0677e5ea92ca4a44e10e71b0de9ae9

SHA512
e1e9b490b43b9a4b8840fb243e4cd0dd96eeb9f7b50f12d129e9b12ce8eee0342481f7586edb49e6d60fc070bf43efa9c619ae954cdeb67d5b20068dc1b83a1d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi

MD5
694f52e54140ba44fb55d3c61224136f

SHA1
e0117b4c8324772d1a2dbd666db9f9166e2a12f1

SHA256
0ffe3e99b9a6ac990179e9df8559334bc08e5bb3ad8b8b4cb2f93b782c5f44a0

SHA512
7c20ef8c7cd66ebc4d8b4eb6f03f81f8aff398181d91c548d7cb8452a31ddba7d2875c40aba2b18403ccfdfd5961be2e8515821b852c63daf0fd32866aa8ea22

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml

MD5
4c63cdb67ca770c251461802e19ddd38

SHA1
8c49ca89358625dd6b3736155d5d413a2ddf59ca

SHA256
9a4ebc8f8ca34ea52572ddd7029a74abb37edcc50df7098e0ff65361b2709bc3

SHA512
af317f2a53c207cd4775f33d41717873874b1488af0733773a11889a9df4f4515794ecc6abb7533c4c30bb912c69bd92bfb96b4a653c638aa6b3251a43092b3d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
a7adb38cbc2e76b2aff35bf3243ec8a7

SHA1
1e9ce86d5612ac36b0cb148ebddd530e9e965527

SHA256
c58218424de879b0ed5643b8a2934f37d8a12eb7062e14de9523e77b0b8aee3a

SHA512
ead35ee939297199d6f3f2a3ac314de836c193f69b6b74e4dc74e268e5b4c8fba18ad1299d7cac490d1d5fa7b4b0f8c7ab20569f7664cb568a935d5a15931701

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
5e1f30e3713c96e8b95aebe64b62874d

SHA1
ff9b3a13e9887ce531b3d41db2e1798bc64b4285

SHA256
3d4ba7e47e514cef51ffb8b165ae372fa2ee77e2d72f696ed256386458d19828

SHA512
3699c5069237c51fd8025c7281e58e2c20ae45dfb48939cc403e8f5ddfac300ae76209a628dcb9924c7e470abb53fd35bceed407aa9c45b3e0cbd010abe32c8c

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

MD5
f6edd41db8c8671e6a135e8343dfac9b

SHA1
c747cb58ad339d8d114a56622864374839fa014a

SHA256
a14fc55d5861a7918c577a3dbc6624abdae192b3cefa3db993ac69bea10bd520

SHA512
336a9224253c58e21db61a222d6ef2448497bc18e295a9005727c9bd427c0b628730ebac06da697b2d1d6c06d2903e5c80f21d49032478fca800f38e2f122f19

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi

MD5
a71a845e3c980cfcc9fc26c9b7ad50d9

SHA1
d7688f8a837f67d52065f60560d3b8eb949bd43d

SHA256
b8bfcd2c50eab77b6d04a9baa661fe167f9b62f8c23414436bd6106638d4968e

SHA512
fd4eb42c11d95608e8f80946a3140d4bca63b284fa594de2f2668391b552d48b25bb31ad4990219e94059b3652b0b11462ee1b20fe713f9cf25835b179abdbb1

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml

MD5
30a5160123019048faf434fe03d73ac4

SHA1
309af5bc045d30011025d58d97461ab59a762d35

SHA256
5798e185ed9714b269f7563c5e5e58407cebf990856831345c7f0aeeea2dd43b

SHA512
1939f2a0eb14144fc03e00a79b06f08870bc31f07dfe8bb9c323dcf981e32440d76f3039934b90aeb846b42b2970b191de5ed227650dd445f2a1295373e5befc

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab

MD5
cd84d096b836926cc53beab0e554d1ec

SHA1
d7f900af75af2afcb81e70c206a925c5e980a043

SHA256
d55e2409ed065db1b6425415e3d3d7717144557bdc6e45939f04beea463aece9

SHA512
fe6f3227b4f14a7c2580682e70e705fc985997eafd97c8024ad25977aaf78dd118b20725eed00c5fd0219a7a5d4a88a0f81a6524ba03e0fa898b3180ab814f5a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi

MD5
3368b2f481c67e4705f87e661f3bf6f2

SHA1
8c1a65b33827b619c4d97c6ebcf2d72dcce486e8

SHA256
1dfd218a72e30a4981430be0634d0fa1c282f118a35ebf3501df6ad160c24b69

SHA512
e15fb40252cc5ccb3c183d08b4eead5e4b4662e84afe3d10e25149452e209e88ca922b789f5339b7ef6ea948b73467ef86cd91d589756e2f5bf32092439813e9

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml

MD5
3d50c33c580e13fc0ec2d94ad8ccb0b5

SHA1
44a8364ef4619aa8d52877449afb9b5a4959b804

SHA256
d428d4510a6f83973b2debb491e2e8daede20c1bc8686f3a8c0036c09f0dac26

SHA512
5c220e2538d584b62be1eed28c9b6d852c6a1e8a772fe4828e910230c510154e5a5d801519a862dbfdb5e69b52c92bdc73551f1fd1d9fc9fb454126c185819d3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab

MD5
3c88b3de28b09349b0f1bc17fd951681

SHA1
b440e817c58ad0372540b406b8465cf892c3bf9a

SHA256
f91ad1590c40687f246fcc3ef17dff7aa3efd1566d95ce627d6c6cbefb5109a9

SHA512
6c78067bbfb70025fb709581382ee857a9143748e5d309736e7c1aa516d8479c9bf2425d3c1623c868aae2a9ea25c992c448b59eb2d18e25836448cfae5d5df0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi

MD5
5228aff127d96b339b27ac282de009ab

SHA1
afd4b4c0d819b5a5673e2a8adaa4ef073a69feb6

SHA256
140233b6b480a15c4af9b2c6d1ff5b9d6e49fe14e7399f2c2b03cd23f208323d

SHA512
e6c40eb08f183b9312ebde66550d507387fc74521d769c17508a40131f45fb1386a9c36ea6ac20b9fb53df72f4873cfe435c8f24b464b85e4f9f4b9108f19dc9

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml

MD5
0fc5c9b7be8705691c58d501db180241

SHA1
6b60ed3aff238a855c9be1c29301b5d89687f307

SHA256
ac65aa1eac69ca91e80bc44dcdfea73a2ed3b06d804c3847a5cf5c422027f27d

SHA512
5425d16236bb0e70386452a906109da94665095a68ccf7742c150fe3861af9f953a35de06ba7bc04f237b9e490ee1a8a8be30db2bdc4c5cd0218aac2c54fdef8

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab

MD5
a8a2027f513332f303870295c1eff792

SHA1
6c983eb36f1e664b2ce3b4325ececa00ae521be6

SHA256
7dbc7c76f112c9a7fda73abff4b3bea7662d487106986faae5b675add67ec4d2

SHA512
63d90016c7bb2ae7b9b515bc2852d5b27c219a4b0c420ceeada0a288dc66bd7d531cce414ae068fb6aeb684c574bb40302abac79952f4a210fc054690f1044f3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi

MD5
8a758a753f3c24346fdb6a9775225acb

SHA1
c9155f01e57d4a154f09821f2d4252ececc035e6

SHA256
eef984c09bab340547c32ebe396472a1f53ad64081e0df8da82919c7f99e5c64

SHA512
11243bd043d2e654344855fa05d8704f06036389a0a747f241fb50f7d20f6189f94076e30a0826d2b96897e66814e7773c1828753861d7de3587f99dc126844b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml

MD5
3b32e2163df8244a3f24749ecef8209c

SHA1
58f1803613c90271ca2d6aa91263e0c16f3d034d

SHA256
17f586b6a54d7f31c39c7bc069650df2503b9199b62aeaf79c464442a38c2c99

SHA512
687baab4ba7d60065271af49b5dedcfccf43bc33e2ff82d5892bef36659e077805c91e6ed308cfad86c0c743cfe9d5c5a3404125c1f87fa9f901a35405455606

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi

MD5
666c159971cdd3c858b7803825b9caf3

SHA1
6dfc3c61c50ea77d0ef77757dbdd056246fc0401

SHA256
55be17f2eef146b99b4654a44a74bd86fd81c884ef8e201f298361a2dd424c07

SHA512
704dee33b0fa4eabef95f101870a43c1c4ead616e7cf70382a30e2060cd616939106842342326b04f3c51300dd999a939f7611ce998153c9e451528d7aa2ce44

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml

MD5
a632251a05e46783f32632b4cced8f89

SHA1
c816813f27c5825d42beb56a060257ef048d3686

SHA256
1365386450e25c3074ace15b3483c96cec612b7c7a0fcfc67cd2b8377dd75b31

SHA512
5a1bc675bac7825b15d7194465f4a084fc74e3b8399061f8c91f6f9afd746b39b86a31d214b123d500a3e1475b3fe233ab6b9d02411025b2681dcbdb1bebdc90

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
66b1901979775bc1b25c04bc8bf669f7

SHA1
96104c97cdfcc1598c831815b295fd4fb216c4e0

SHA256
9ed80e9a4679d642e1f7c7844b801d7698d9144fd8fe39713719b41766b85ede

SHA512
87091c900032618b261a227bb24923efaa411f3509104215d75bf69df8f4c37f379e272d3fbf1ff80d956a79573b9a34b16d227285922ac13a847a75e53897bd

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab

MD5
a05e56106a6315ee744fc8919023c5a9

SHA1
82e5c5662c6ee9445d1a76b8fecb54217870ded6

SHA256
0a08823193f24b690b396321738f5eef72d3e76c81d566062064a5dbd955eb0c

SHA512
e0bd9875c1ec84c8b37ab2a31aa44fffe46f9762bb69e6417e13a2e9cc4480aefb75d2c1cb1b18b6a0486efd3248d5b2eda92be2eff30ece1f8d7cdeefeef023

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi

MD5
75ed844137d3ea9307f78e4b387d7311

SHA1
01fd9d908843c15e6dd0396228b6c143069c1e44

SHA256
ecbc0aedc86256681e4c26c8856e7a952b8b5ffab6981918af62a70beeb05eb4

SHA512
555f324fc87a7eefb6f90c1189f60c95938f936345a70c4a111f36860ee1ef38f91c74a734773300944814876cdf6d033e6403a00b538d370b4748aeb1660659

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml

MD5
b28af0a8f0271843590c0e439bf1c90f

SHA1
20eb82527e14e6f275fad3cad2c06344c4f18a82

SHA256
f09454304896e9233aa0ee403587ffd2c823a0fd752b2bd8420aea2b03894138

SHA512
38eef0d4b9a3f1b755a87ae4bb241a8b5155ae7af46686ff49ae80601f4f1a14c8d81e8b282c1799f41fc1a801e3a3c707c7ed0891402a6d7b6c9c495100f013

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
205489a8a1efc1ca0e9303a681cb500a

SHA1
1074d76434d38553adf3c10547f56157d771c5ac

SHA256
85a2863fabbd1ea2372bb654cdd8ce7215c4d35185c6cc26bbd6e441fb4bf22c

SHA512
ee3dd194ab37708f07b7c35166f7ecde288ce3efacf22cd83b76c7ee6cc582a8ece2c3fb1d114b319186f5479efea3be2b22652c79dbc542b46bbf161afeff32

Download Submit
C:\MSOCache\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_17ebba21-ade9-4848-b865-5b9359ee593d

MD5
3a108ca4cc3e3900c39cda6e541b8e41

SHA1
b94099e9988101f40be95b44b09433d69adfcc56

SHA256
799826f7335bc9fa5b1f50d0cb5894fc56b6800d97f44aa5ef97862aa7054043

SHA512
f22bcd17f2382c365f37975e3e4b606a64806e840b5b18b04b8673852ad9fbf4d1bb4af59086e3837794f7cc8ca841aa4a15dc6198f250b073fb1ae17e3b0d53

Download Submit
C:\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\users\Public\PUBLIC

MD5
1a102fa28008c336c9bc6d62ae0f729f

SHA1
fc55a3649267691da3f4f71e848aa76d6e843b47

SHA256
17eb7385a4b43c2e2f44547a0caeaf90dc98e2da7239608540c02a4dacf8dc00

SHA512
427e7ef5a8eac5a5f0a89ccb71f4aec6e4060067cda0687df749fdd43b98a3ebac05f710ee4380c725dbeefd7710fa4e45898e5157abd9acd99af5cdeeaba05d

Download Submit
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE

MD5
3899bea08a88fdd6f8588d0639adef70

SHA1
2b95421c431165b3d0c08607fcf2438b1637ebe4

SHA256
4a0199996634c6d9c5e28f823a7fec69573d4162711c36f297184f3e3a6ac9b9

SHA512
ef48722658a0e3e5b3b291bf805850878916d65097ce68307e6fd3f666effa75e0e227867081dc4b5cd5ae700ba61295e63238125f83ca3b7cbece61a051a597

Download Submit
C:\users\Public\window.bat

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
memory/324-72-0x0000000000000000-mapping.dmp

Download
memory/520-71-0x0000000000000000-mapping.dmp

Download
memory/568-122-0x0000000000000000-mapping.dmp

Download
memory/748-66-0x0000000000000000-mapping.dmp

Download
memory/772-64-0x0000000000000000-mapping.dmp

Download
memory/780-70-0x0000000000000000-mapping.dmp

Download
memory/900-95-0x0000000000000000-mapping.dmp

Download
memory/956-73-0x0000000000000000-mapping.dmp

Download
memory/1116-125-0x000000013F670000-0x000000013F6A6000-memory.dmp

Filesize
216KB

Download
memory/1228-69-0x0000000000000000-mapping.dmp

Download
memory/1428-61-0x0000000000000000-mapping.dmp

Download
memory/1440-67-0x0000000000000000-mapping.dmp

Download
memory/1460-65-0x0000000000000000-mapping.dmp

Download
memory/1508-68-0x0000000000000000-mapping.dmp

Download
memory/1532-63-0x0000000000000000-mapping.dmp

Download
memory/1592-62-0x0000000000000000-mapping.dmp

Download
memory/1664-60-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp

Filesize
8KB

Download
memory/2052-74-0x0000000000000000-mapping.dmp

Download
memory/2060-96-0x0000000000000000-mapping.dmp

Download
memory/2084-75-0x0000000000000000-mapping.dmp

Download
memory/2124-76-0x0000000000000000-mapping.dmp

Download
memory/2132-93-0x0000000000000000-mapping.dmp

Download
memory/2156-77-0x0000000000000000-mapping.dmp

Download
memory/2192-78-0x0000000000000000-mapping.dmp

Download
memory/2256-79-0x0000000000000000-mapping.dmp

Download
memory/2392-80-0x0000000000000000-mapping.dmp

Download
memory/2456-81-0x0000000000000000-mapping.dmp

Download
memory/2580-82-0x0000000000000000-mapping.dmp

Download
memory/2636-83-0x0000000000000000-mapping.dmp

Download
memory/2676-84-0x0000000000000000-mapping.dmp

Download
memory/2708-94-0x0000000000000000-mapping.dmp

Download
memory/2732-85-0x0000000000000000-mapping.dmp

Download
memory/2772-86-0x0000000000000000-mapping.dmp

Download
memory/2820-87-0x0000000000000000-mapping.dmp

Download
memory/2876-88-0x0000000000000000-mapping.dmp

Download
memory/2908-97-0x0000000000000000-mapping.dmp

Download
memory/2920-89-0x0000000000000000-mapping.dmp

Download
memory/2976-90-0x0000000000000000-mapping.dmp

Download
memory/3016-91-0x0000000000000000-mapping.dmp

Download
memory/3052-92-0x0000000000000000-mapping.dmp

Download
memory/3104-98-0x0000000000000000-mapping.dmp

Download
memory/3180-99-0x0000000000000000-mapping.dmp

Download
memory/3228-123-0x0000000000000000-mapping.dmp

Download
memory/3296-100-0x0000000000000000-mapping.dmp

Download
memory/3344-101-0x0000000000000000-mapping.dmp

Download
memory/3360-124-0x0000000000000000-mapping.dmp

Download
memory/3400-102-0x0000000000000000-mapping.dmp

Download
memory/3448-103-0x0000000000000000-mapping.dmp

Download
memory/3500-104-0x0000000000000000-mapping.dmp

Download
memory/3556-105-0x0000000000000000-mapping.dmp

Download
memory/3648-106-0x0000000000000000-mapping.dmp

Download
memory/3688-107-0x0000000000000000-mapping.dmp

Download
memory/3720-108-0x0000000000000000-mapping.dmp

Download
memory/3772-109-0x0000000000000000-mapping.dmp

Download
memory/3804-110-0x0000000000000000-mapping.dmp

Download
memory/3872-111-0x0000000000000000-mapping.dmp

Download
memory/3896-112-0x0000000000000000-mapping.dmp

Download
memory/3908-113-0x0000000000000000-mapping.dmp

Download
memory/3948-114-0x0000000000000000-mapping.dmp

Download
memory/3960-115-0x0000000000000000-mapping.dmp

Download
memory/3980-116-0x0000000000000000-mapping.dmp

Download
memory/4000-117-0x0000000000000000-mapping.dmp

Download
memory/4016-118-0x0000000000000000-mapping.dmp

Download
memory/4036-119-0x0000000000000000-mapping.dmp

Download
memory/4060-120-0x0000000000000000-mapping.dmp

Download
memory/4080-121-0x0000000000000000-mapping.dmp

Download