targetcompany | 5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2024 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Size

468KB
MD5

883f55d9e1da68bf5bc0a05c679d0a8b
SHA1

5d9fc45aa719b4268688281e116aa49e3e289c74
SHA256

5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb
SHA512

3eb558b2762ff2c156c411b80ad8e1fc00c7f237cf0b062e23c319e68bcf00e9c7c1e98d06de800797563826703044a20d73af17571c03724822555a8798ae02
SSDEEP

12288:rhSBH928uaXDhBlFApCML4LXBf7TZghul8MN3dEsq:FW9HrTjiLMvghulnS

Score

10^/10

targetcompany discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Contacts\HOW TO BACK FILES.txt

Family

targetcompany

Ransom Note

Hello Your files are encrypted and can not be used We have downloaded your confidential data and are ready to publish it on our blog To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: A475228428FBC061502932EE 5) You will see payment information and we can make free test decryption here 6)After payment, you will receive a tool for decrypting files, and we will delete the data that was taken from you Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.�

Emails

[email protected]

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
ransomware targetcompany

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2516	bcdedit.exe
2848	bcdedit.exe

Renames multiple (6523) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe

Modifies file permissions 1 TTPs 18 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3800	takeown.exe
3832	takeown.exe
948	takeown.exe
728	takeown.exe
4080	takeown.exe
1676	takeown.exe
2848	takeown.exe
1884	takeown.exe
4808	takeown.exe
4920	takeown.exe
3372	takeown.exe
4508	takeown.exe
2644	takeown.exe
3624	takeown.exe
4532	takeown.exe
452	takeown.exe
4172	takeown.exe
4724	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ahlnfrbjt = "C:\\Users\\Admin\\AppData\\Roaming\\Ahlnfrbjt.exe"	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\P:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\X:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\Y:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\Z:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\B:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\I:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\L:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\T:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\U:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\E:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\G:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\J:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\M:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\O:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\R:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\V:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\W:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\D:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\A:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\H:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\K:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\Q:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened (read-only)	\??\S:	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 1920	2008	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe	92

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\MedTile.scale-200.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\identity_helper.Sparse.Canary.msix	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO BACK FILES.txt	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\HOW TO BACK FILES.txt	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\HOW TO BACK FILES.txt	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\29.jpg	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg4_thumb.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sl.pak.DATA	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\Social	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\ui-strings.js	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\EdgeWebView.dat.DATA	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\HOW TO BACK FILES.txt	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-200_contrast-white.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Snooze.scale-64.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileWide.scale-200.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-lightunplated.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalMedTile.scale-125_contrast-black.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40_altform-unplated.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-125.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\HOW TO BACK FILES.txt	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\da-dk\HOW TO BACK FILES.txt	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-72_altform-unplated.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\remove.svg	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\HOW TO BACK FILES.txt	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\McePerfCtr.man	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.winmd	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-ms	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSquare310x310Logo.scale-125_contrast-black.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-32_altform-unplated.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-64.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\HOW TO BACK FILES.txt	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-white_scale-200.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\selector.js	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssci.dll.mui	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\HOW TO BACK FILES.txt	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CoreEngine.winmd	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-150.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-si\ui-strings.js	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\HOW TO BACK FILES.txt	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNB.TTF	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-24.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\hr.pak	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square71x71\PaintSmallTile.scale-150.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleSplashScreen.scale-125.png	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	2848	takeown.exe
Token: SeTakeOwnershipPrivilege	3624	takeown.exe
Token: SeTakeOwnershipPrivilege	3372	takeown.exe
Token: SeTakeOwnershipPrivilege	4724	takeown.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeDebugPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	3800	takeown.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
Token: SeTakeOwnershipPrivilege	1920	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 3732	2008	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe	90
PID 2008 wrote to memory of 3732	2008	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe	90
PID 2008 wrote to memory of 1920	2008	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe	92
PID 2008 wrote to memory of 1920	2008	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe	92
PID 2008 wrote to memory of 1920	2008	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe	92
PID 2008 wrote to memory of 1920	2008	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe	92
PID 2008 wrote to memory of 1920	2008	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe	92
PID 2008 wrote to memory of 1920	2008	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe	92
PID 2008 wrote to memory of 1920	2008	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe	92
PID 2008 wrote to memory of 1920	2008	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe	92
PID 2008 wrote to memory of 1920	2008	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe	92
PID 2008 wrote to memory of 1920	2008	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe	92
PID 3732 wrote to memory of 2516	3732	cmd.exe	168
PID 3732 wrote to memory of 2516	3732	cmd.exe	168
PID 3732 wrote to memory of 2848	3732	cmd.exe	170
PID 3732 wrote to memory of 2848	3732	cmd.exe	170
PID 3732 wrote to memory of 4740	3732	cmd.exe	95
PID 3732 wrote to memory of 4740	3732	cmd.exe	95
PID 3732 wrote to memory of 3244	3732	cmd.exe	172
PID 3732 wrote to memory of 3244	3732	cmd.exe	172
PID 3732 wrote to memory of 1580	3732	cmd.exe	98
PID 3732 wrote to memory of 1580	3732	cmd.exe	98
PID 3732 wrote to memory of 412	3732	cmd.exe	99
PID 3732 wrote to memory of 412	3732	cmd.exe	99
PID 3732 wrote to memory of 5036	3732	cmd.exe	100
PID 3732 wrote to memory of 5036	3732	cmd.exe	100
PID 3732 wrote to memory of 4712	3732	cmd.exe	101
PID 3732 wrote to memory of 4712	3732	cmd.exe	101
PID 3732 wrote to memory of 5040	3732	cmd.exe	102
PID 3732 wrote to memory of 5040	3732	cmd.exe	102
PID 3732 wrote to memory of 1468	3732	cmd.exe	103
PID 3732 wrote to memory of 1468	3732	cmd.exe	103
PID 3732 wrote to memory of 4356	3732	cmd.exe	104
PID 3732 wrote to memory of 4356	3732	cmd.exe	104
PID 3732 wrote to memory of 3680	3732	cmd.exe	105
PID 3732 wrote to memory of 3680	3732	cmd.exe	105
PID 3732 wrote to memory of 3712	3732	cmd.exe	106
PID 3732 wrote to memory of 3712	3732	cmd.exe	106
PID 3732 wrote to memory of 3960	3732	cmd.exe	107
PID 3732 wrote to memory of 3960	3732	cmd.exe	107
PID 3732 wrote to memory of 5008	3732	cmd.exe	186
PID 3732 wrote to memory of 5008	3732	cmd.exe	186
PID 3732 wrote to memory of 2728	3732	cmd.exe	109
PID 3732 wrote to memory of 2728	3732	cmd.exe	109
PID 3732 wrote to memory of 1540	3732	cmd.exe	110
PID 3732 wrote to memory of 1540	3732	cmd.exe	110
PID 3732 wrote to memory of 4604	3732	cmd.exe	111
PID 3732 wrote to memory of 4604	3732	cmd.exe	111
PID 3732 wrote to memory of 3624	3732	cmd.exe	112
PID 3732 wrote to memory of 3624	3732	cmd.exe	112
PID 3732 wrote to memory of 456	3732	cmd.exe	113
PID 3732 wrote to memory of 456	3732	cmd.exe	113
PID 3732 wrote to memory of 2844	3732	cmd.exe	114
PID 3732 wrote to memory of 2844	3732	cmd.exe	114
PID 3732 wrote to memory of 4880	3732	cmd.exe	115
PID 3732 wrote to memory of 4880	3732	cmd.exe	115
PID 3732 wrote to memory of 4988	3732	cmd.exe	116
PID 3732 wrote to memory of 4988	3732	cmd.exe	116
PID 3732 wrote to memory of 2144	3732	cmd.exe	118
PID 3732 wrote to memory of 2144	3732	cmd.exe	118
PID 3732 wrote to memory of 1056	3732	cmd.exe	119
PID 3732 wrote to memory of 1056	3732	cmd.exe	119
PID 3732 wrote to memory of 4076	3732	cmd.exe	190
PID 3732 wrote to memory of 4076	3732	cmd.exe	190

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe

C:\Users\Admin\AppData\Local\Temp\5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
"C:\Users\Admin\AppData\Local\Temp\5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kill-Delete.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
    3⤵
    PID:2516
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\cmd.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4740
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /g Administrators:f
    3⤵
    PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1580
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g Users:r
    3⤵
    PID:412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5036
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
    3⤵
    PID:4712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5040
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d SERVICE
    3⤵
    PID:1468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4356
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
    3⤵
    PID:3680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3712
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d "network service"
    3⤵
    PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5008
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g system:r
    3⤵
    PID:2728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1540
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
    3⤵
    PID:4604
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\cmd.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:456
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
    3⤵
    PID:2844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4880
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
    3⤵
    PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2144
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
    3⤵
    PID:1056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4076
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
    3⤵
    PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1876
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
    3⤵
    PID:2912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2536
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
    3⤵
    PID:1656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2640
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
    3⤵
    PID:3748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2704
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
    3⤵
    PID:2480
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\net.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3232
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /g Administrators:f
    3⤵
    PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4892
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /g Users:r
    3⤵
    PID:2156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3936
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /g Administrators:r
    3⤵
    PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4800
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d SERVICE
    3⤵
    PID:2924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4332
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d mssqlserver
    3⤵
    PID:3804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4980
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d "network service"
    3⤵
    PID:632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3496
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d system
    3⤵
    PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4052
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
    3⤵
    PID:5112
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\net.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:544
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
    3⤵
    PID:3932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:728
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
    3⤵
    PID:2832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1092
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
    3⤵
    PID:1244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4064
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
    3⤵
    PID:1292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3868
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
    3⤵
    PID:4652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2416
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
    3⤵
    PID:4308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2508
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d system
    3⤵
    PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2100
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
    3⤵
    PID:3552
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\net1.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2980
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /g Administrators:f
    3⤵
    PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:224
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /g Users:r
    3⤵
    PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:844
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /g Administrators:r
    3⤵
    PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:548
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d SERVICE
    3⤵
    PID:4004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3372
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d mssqlserver
    3⤵
    PID:2924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1432
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d "network service"
    3⤵
    PID:2704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3516
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d system
    3⤵
    PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4504
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
    3⤵
    PID:4512
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\net1.exe /a
    3⤵
    - Modifies file permissions
    PID:1884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4076
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
    3⤵
    PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3960
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
    3⤵
    PID:4052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2100
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
    3⤵
    PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3436
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
    3⤵
    PID:2172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3372
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
    3⤵
    PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4336
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
    3⤵
    PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4828
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d system
    3⤵
    PID:4576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4900
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress
    3⤵
    PID:2156
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\mshta.exe /a
    3⤵
    - Modifies file permissions
    PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3612
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /g Administrators:f
    3⤵
    PID:4004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2172
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /g Users:r
    3⤵
    PID:2520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1808
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /g Administrators:r
    3⤵
    PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3372
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d SERVICE
    3⤵
    PID:3872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3720
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d mssqlserver
    3⤵
    PID:4712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1140
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d "network service"
    3⤵
    PID:2424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4936
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d system
    3⤵
    PID:2708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:928
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress
    3⤵
    PID:3600
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\mshta.exe /a
    3⤵
    - Modifies file permissions
    PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:732
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f
    3⤵
    PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1012
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r
    3⤵
    PID:2900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1244
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r
    3⤵
    PID:4864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2196
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE
    3⤵
    PID:3764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3484
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver
    3⤵
    PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2416
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"
    3⤵
    PID:4920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3612
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d system
    3⤵
    PID:1924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4248
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress
    3⤵
    PID:1484
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\FTP.exe /a
    3⤵
    - Modifies file permissions
    PID:4172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3964
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /g Administrators:f
    3⤵
    PID:4216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1368
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /g Users:r
    3⤵
    PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2704
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /g Administrators:r
    3⤵
    PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4904
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d SERVICE
    3⤵
    PID:4328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3580
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d mssqlserver
    3⤵
    PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2844
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d "network service"
    3⤵
    PID:3924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4228
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d system
    3⤵
    PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2716
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress
    3⤵
    PID:1972
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\FTP.exe /a
    3⤵
    - Modifies file permissions
    PID:3832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5008
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f
    3⤵
    PID:1220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4828
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r
    3⤵
    PID:3712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:632
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r
    3⤵
    PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4572
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE
    3⤵
    PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4052
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver
    3⤵
    PID:4800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1956
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"
    3⤵
    PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:732
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d system
    3⤵
    PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4664
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress
    3⤵
    PID:2528
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\wscript.exe /a
    3⤵
    - Modifies file permissions
    PID:948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3804
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /g Administrators:f
    3⤵
    PID:2148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1012
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /g Users:r
    3⤵
    PID:3188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1312
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /g Administrators:r
    3⤵
    PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1244
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d SERVICE
    3⤵
    PID:3328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2164
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d mssqlserver
    3⤵
    PID:3748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:844
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d "network service"
    3⤵
    PID:3076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1528
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d system
    3⤵
    PID:460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3260
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:2492
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\wscript.exe /a
    3⤵
    - Modifies file permissions
    PID:728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2896
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f
    3⤵
    PID:1924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2172
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r
    3⤵
    PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3404
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r
    3⤵
    PID:1808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2832
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE
    3⤵
    PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4528
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver
    3⤵
    PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:412
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"
    3⤵
    PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:636
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d system
    3⤵
    PID:2844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4628
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:4228
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\cscript.exe /a
    3⤵
    - Modifies file permissions
    PID:452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1416
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /g Administrators:f
    3⤵
    PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3588
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /g Users:r
    3⤵
    PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3516
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /g Administrators:r
    3⤵
    PID:4828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2008
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d SERVICE
    3⤵
    PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4752
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d mssqlserver
    3⤵
    PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2100
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d "network service"
    3⤵
    PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4900
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d system
    3⤵
    PID:2728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3288
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:732
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\cscript.exe /a
    3⤵
    - Modifies file permissions
    PID:2644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2852
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f
    3⤵
    PID:2528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2980
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r
    3⤵
    PID:3932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4636
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r
    3⤵
    PID:3800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2940
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE
    3⤵
    PID:3188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4532
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver
    3⤵
    PID:1244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2780
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"
    3⤵
    PID:3552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2432
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d system
    3⤵
    PID:3764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2504
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:1528
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a
    3⤵
    - Modifies file permissions
    PID:1676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2416
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
    3⤵
    PID:4788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4660
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
    3⤵
    PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5000
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
    3⤵
    PID:2172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:760
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
    3⤵
    PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1808
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
    3⤵
    PID:1432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3244
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
    3⤵
    PID:4848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2480
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system
    3⤵
    PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4336
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
    3⤵
    PID:3872
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
    3⤵
    - Modifies file permissions
    PID:4508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3296
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
    3⤵
    PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:452
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
    3⤵
    PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1972
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
    3⤵
    PID:676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3532
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
    3⤵
    PID:3712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2964
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
    3⤵
    PID:2008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4560
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
    3⤵
    PID:4924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4808
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
    3⤵
    PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4772
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
    3⤵
    PID:5028
- - C:\Windows\system32\takeown.exe
    takeown /f C:\ProgramData /a
    3⤵
    - Modifies file permissions
    PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2920
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /g Administrators:f
    3⤵
    PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2856
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /g Users:r
    3⤵
    PID:1820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2900
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /g Administrators:r
    3⤵
    PID:2976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5016
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /d SERVICE
    3⤵
    PID:3140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4408
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /d mssqlserver
    3⤵
    PID:2144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3008
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /d "network service"
    3⤵
    PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4316
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /d system
    3⤵
    PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2196
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /d mssql$sqlexpress
    3⤵
    PID:844
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Users\Public /a
    3⤵
    - Modifies file permissions
    PID:4920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1784
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /g Administrators:f
    3⤵
    PID:1924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2632
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /g Users:r
    3⤵
    PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3244
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /g Administrators:r
    3⤵
    PID:4328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1112
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /d SERVICE
    3⤵
    PID:2516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1416
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /d mssqlserver
    3⤵
    PID:3832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3588
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /d "network service"
    3⤵
    PID:676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4052
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /d system
    3⤵
    PID:4800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2852
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /d mssql$sqlexpress
    3⤵
    PID:2856
- C:\Users\Admin\AppData\Local\Temp\5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
  C:\Users\Admin\AppData\Local\Temp\5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe
  2⤵
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1920
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1412
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {current} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2516
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    3⤵
    PID:1388
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {current} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2848

C:\Windows\System32\wuapihost.exe
C:\Windows\System32\wuapihost.exe -Embedding
1⤵
PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\Local Settings\Microsoft\CLR_v4.0\UsageLogs\5e9b0301f94bd49cd95c9bc077066f1676421891b2193d5e9b38dba24c20aafb.exe.log

Filesize
1KB

MD5
c0ad7690835a2f61299f04c96af23d2b

SHA1
79cd874e8d323692de427db311cd906e06eb3693

SHA256
08c45658f517f6214fb6660ee1715281bb9d4e8a4675dd4035006a4a637a4355

SHA512
67fa1066691e684478c7a7b1ef9358e54d665fab4f8286861430ef6425ccaad1f14ff287f0b939b880de33ecc2adeb06296829dbafaf1bc9b3899f8ba58d6b1d

Download Submit
C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.f74ef681.pri

Filesize
35KB

MD5
175eec1470ded9d65bdb337eb480b511

SHA1
85ad1ac211f9a7ebfc23adc1209076c4bb8ab6ef

SHA256
411ca28abf1259e17ec875dfbe57c6cfcfd75cd1db3334ed55168084b038fa6c

SHA512
d12b1d1d08fed5a6bea72b39441bd14d086607dbf575aa4bc8d1f2668aec629fdf766a6835839455298434e1a2f57105fab3b84c03aa5f33867bc64109138f91

Download Submit
C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-275798769-4264537674-1142822080-1000-MergedResources-0.pri

Filesize
6KB

MD5
204718fbcb3ca86180ad82020012f65c

SHA1
a51406211a442ded321dc88e3236f78cc6d323e6

SHA256
1b62ef2e8af770ddaa86544e4bd97f3803cad5d42c204feb011cd81e8f04fad0

SHA512
1fb771a95928f6aa969dae96641350f4926ca0c476ac1201250a57619a381ef3cfe5709397449096146f3a4f20783d9469ef672d6e9f46c8ecf8cb9a15e5d6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kill-Delete.bat

Filesize
10KB

MD5
1726416850d3bba46eeb804fae57083d

SHA1
7e7957d7e7fd7c27b9fb903a0828b09cbb44c196

SHA256
c207a7a561ab726fb272b5abd99c4da8e927b5da788210d5dd186023c2783990

SHA512
7747e5c6bd77a43ee958cb7b533a73757e8bfb7b3706af4eb7ec9a99458720f89cd30bb23b4cb069826dc36a6ce737424ad0007307be67a7391591f6c936df27

Download Submit
C:\Users\Admin\Contacts\HOW TO BACK FILES.txt

Filesize
1KB

MD5
14189dc93099573eaa21f24fbf0dabb5

SHA1
d8b0af9e5c83db20e89ac0a3c8adec81d9cc889f

SHA256
a189897e310b163ee30ddb8bb2394956992d8675de06c96f0a41220f6be13164

SHA512
8e8e940e79f2f83fb3aa8797dafff10a9e33852bdd4ac06635ff2115fb34e647369e1c90cf4b74878e22d521eb8014e4354f4a9e3b278efbb5dd59beea3d4cca

Download Submit
memory/1920-25-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/1920-33-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/1920-25182-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/1920-13-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/1920-12-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/1920-15-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/1920-12411-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/1920-19-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/1920-5410-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/1920-20-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/1920-23-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/1920-5253-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/1920-26-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/1920-5107-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/1920-5015-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/1920-44-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/1920-96-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/1920-5013-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/2008-3-0x00007FFC73510000-0x00007FFC73FD1000-memory.dmp

Filesize
10.8MB

Download
memory/2008-6-0x00000218424F0000-0x000002184254A000-memory.dmp

Filesize
360KB

Download
memory/2008-0-0x0000021827EE0000-0x0000021827F5A000-memory.dmp

Filesize
488KB

Download
memory/2008-5-0x0000021842490000-0x00000218424EA000-memory.dmp

Filesize
360KB

Download
memory/2008-4-0x0000021829C20000-0x0000021829C30000-memory.dmp

Filesize
64KB

Download
memory/2008-18-0x00007FFC73510000-0x00007FFC73FD1000-memory.dmp

Filesize
10.8MB

Download
memory/2008-2-0x0000021842420000-0x0000021842492000-memory.dmp

Filesize
456KB

Download
memory/2008-1-0x0000021842370000-0x00000218423E2000-memory.dmp

Filesize
456KB

Download
memory/2008-7-0x0000021842550000-0x000002184259C000-memory.dmp

Filesize
304KB

Download