3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819

Analysis

max time kernel
142s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
Size

588KB
MD5

5f2f60e0cb2a4b5e2ec849641a3b08dd
SHA1

3fded9610433c618f48176940474b74df6c2b49d
SHA256

3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819
SHA512

7b6ca5ba95234202700e794c266ae5fe51282a79b4bd01c4815bc886290196a0e708d337ea105f89f4b8a43c7e3b15ffab9efbc346bfd26a62de75e603b05bfa
SSDEEP

12288:hrWfN3TrQ/g3iK5iiWjnyOymhwiAAsvYciSdsaNolSbycDNXiG5tc9:hif1gTKETHsOesayS+INHc9

Score

8^/10

defense_evasion discovery evasion execution upx

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2344-0-0x0000000000400000-0x000000000056C000-memory.dmp	upx
behavioral1/memory/2344-1-0x0000000000250000-0x000000000025B000-memory.dmp	upx
behavioral1/memory/2344-2-0x0000000000250000-0x000000000025B000-memory.dmp	upx
behavioral1/memory/2344-3-0x0000000000400000-0x000000000056C000-memory.dmp	upx
behavioral1/memory/2344-4-0x0000000000400000-0x000000000056C000-memory.dmp	upx
behavioral1/memory/2344-7-0x0000000000400000-0x000000000056C000-memory.dmp	upx
behavioral1/memory/2344-15-0x0000000000400000-0x000000000056C000-memory.dmp	upx
behavioral1/memory/2344-16-0x0000000000400000-0x000000000056C000-memory.dmp	upx

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Launches sc.exe 27 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2900	sc.exe
2452	sc.exe
1524	sc.exe
2040	sc.exe
1276	sc.exe
3020	sc.exe
2440	sc.exe
2912	sc.exe
868	sc.exe
2712	sc.exe
2424	sc.exe
1328	sc.exe
1908	sc.exe
1660	sc.exe
1792	sc.exe
2236	sc.exe
2628	sc.exe
2528	sc.exe
2968	sc.exe
924	sc.exe
768	sc.exe
2468	sc.exe
2088	sc.exe
2560	sc.exe
1480	sc.exe
1552	sc.exe
2112	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
2476	taskkill.exe
1876	taskkill.exe
1260	taskkill.exe
2456	taskkill.exe
832	taskkill.exe
1964	taskkill.exe
2924	taskkill.exe
2264	taskkill.exe
1632	taskkill.exe
308	taskkill.exe
2168	taskkill.exe
2856	taskkill.exe
2232	taskkill.exe
1792	taskkill.exe
2340	taskkill.exe
308	taskkill.exe
1552	taskkill.exe
1860	taskkill.exe
436	taskkill.exe
1204	taskkill.exe
2676	taskkill.exe
2920	taskkill.exe
2816	taskkill.exe
2008	taskkill.exe
2448	taskkill.exe
1680	taskkill.exe
1488	taskkill.exe
2616	taskkill.exe
2320	taskkill.exe
332	taskkill.exe
1492	taskkill.exe
3060	taskkill.exe
2816	taskkill.exe
2896	taskkill.exe
1876	taskkill.exe
1344	taskkill.exe
1920	taskkill.exe
3032	taskkill.exe
1932	taskkill.exe
1540	taskkill.exe
1748	taskkill.exe
2056	taskkill.exe
1940	taskkill.exe
2036	taskkill.exe
3040	taskkill.exe
2244	taskkill.exe
1412	taskkill.exe
2456	taskkill.exe
1992	taskkill.exe
1712	taskkill.exe
1680	taskkill.exe
1800	taskkill.exe
2820	taskkill.exe
2088	taskkill.exe
2940	taskkill.exe
468	taskkill.exe
1688	taskkill.exe
2964	taskkill.exe
2716	taskkill.exe
2812	taskkill.exe
2800	taskkill.exe
676	taskkill.exe
1368	taskkill.exe
2024	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	332	taskkill.exe
Token: SeDebugPrivilege	3040	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	2964	taskkill.exe
Token: SeDebugPrivilege	3060	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	308	taskkill.exe
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	1260	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	792	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	2964	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	2868	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	2932	taskkill.exe
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	308	taskkill.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	436	taskkill.exe
Token: SeDebugPrivilege	448	taskkill.exe
Token: SeDebugPrivilege	2720	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	904	taskkill.exe
Token: SeDebugPrivilege	2232	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2140	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	31
PID 2344 wrote to memory of 2140	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	31
PID 2344 wrote to memory of 2140	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	31
PID 2344 wrote to memory of 2140	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	31
PID 2140 wrote to memory of 2800	2140	cmd.exe	33
PID 2140 wrote to memory of 2800	2140	cmd.exe	33
PID 2140 wrote to memory of 2800	2140	cmd.exe	33
PID 2140 wrote to memory of 2800	2140	cmd.exe	33
PID 2344 wrote to memory of 2992	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	35
PID 2344 wrote to memory of 2992	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	35
PID 2344 wrote to memory of 2992	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	35
PID 2344 wrote to memory of 2992	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	35
PID 2992 wrote to memory of 2728	2992	cmd.exe	37
PID 2992 wrote to memory of 2728	2992	cmd.exe	37
PID 2992 wrote to memory of 2728	2992	cmd.exe	37
PID 2992 wrote to memory of 2728	2992	cmd.exe	37
PID 2344 wrote to memory of 2752	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	38
PID 2344 wrote to memory of 2752	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	38
PID 2344 wrote to memory of 2752	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	38
PID 2344 wrote to memory of 2752	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	38
PID 2752 wrote to memory of 2820	2752	cmd.exe	40
PID 2752 wrote to memory of 2820	2752	cmd.exe	40
PID 2752 wrote to memory of 2820	2752	cmd.exe	40
PID 2752 wrote to memory of 2820	2752	cmd.exe	40
PID 2344 wrote to memory of 2220	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	41
PID 2344 wrote to memory of 2220	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	41
PID 2344 wrote to memory of 2220	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	41
PID 2344 wrote to memory of 2220	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	41
PID 2344 wrote to memory of 2640	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	43
PID 2344 wrote to memory of 2640	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	43
PID 2344 wrote to memory of 2640	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	43
PID 2344 wrote to memory of 2640	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	43
PID 2344 wrote to memory of 2792	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	45
PID 2344 wrote to memory of 2792	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	45
PID 2344 wrote to memory of 2792	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	45
PID 2344 wrote to memory of 2792	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	45
PID 2344 wrote to memory of 2552	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	47
PID 2344 wrote to memory of 2552	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	47
PID 2344 wrote to memory of 2552	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	47
PID 2344 wrote to memory of 2552	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	47
PID 2792 wrote to memory of 2616	2792	cmd.exe	48
PID 2792 wrote to memory of 2616	2792	cmd.exe	48
PID 2792 wrote to memory of 2616	2792	cmd.exe	48
PID 2792 wrote to memory of 2616	2792	cmd.exe	48
PID 2344 wrote to memory of 2648	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	50
PID 2344 wrote to memory of 2648	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	50
PID 2344 wrote to memory of 2648	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	50
PID 2344 wrote to memory of 2648	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	50
PID 2344 wrote to memory of 1096	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	52
PID 2344 wrote to memory of 1096	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	52
PID 2344 wrote to memory of 1096	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	52
PID 2344 wrote to memory of 1096	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	52
PID 2344 wrote to memory of 1984	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	54
PID 2344 wrote to memory of 1984	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	54
PID 2344 wrote to memory of 1984	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	54
PID 2344 wrote to memory of 1984	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	54
PID 2344 wrote to memory of 2144	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	56
PID 2344 wrote to memory of 2144	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	56
PID 2344 wrote to memory of 2144	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	56
PID 2344 wrote to memory of 2144	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	56
PID 2344 wrote to memory of 1240	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	58
PID 2344 wrote to memory of 1240	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	58
PID 2344 wrote to memory of 1240	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	58
PID 2344 wrote to memory of 1240	2344	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	58

C:\Users\Admin\AppData\Local\Temp\3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
"C:\Users\Admin\AppData\Local\Temp\3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im wscript.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wscript.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWD.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWD.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im taskger.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskger.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\ProgramData\taskger.exe
  2⤵
  PID:2220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\RECYCLER\taskger.exe
  2⤵
  PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im taskmgzr.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgzr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\ProgramData\taskmgzr.exe
  2⤵
  PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\RECYCLER\taskmgzr.exe
  2⤵
  PID:2648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\ProgramData\vget.vbs
  2⤵
  PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\RECYCLER\vget.vbs
  2⤵
  PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im assm.exe
  2⤵
  PID:2144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im assm.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls assm.exe /t /e /c /d everyone
  2⤵
  PID:1240
- - C:\Windows\SysWOW64\cacls.exe
    Cacls assm.exe /t /e /c /d everyone
    3⤵
    PID:304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls assm.exe /t /e /c /d system
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    Cacls assm.exe /t /e /c /d system
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SqlManagement.exe
  2⤵
  PID:2592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SqlManagement.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls SqlManagement.exe /t /e /c /d everyone
  2⤵
  PID:2136
- - C:\Windows\SysWOW64\cacls.exe
    Cacls SqlManagement.exe /t /e /c /d everyone
    3⤵
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls SqlManagement.exe /t /e /c /d system
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2520
- - C:\Windows\SysWOW64\cacls.exe
    Cacls SqlManagement.exe /t /e /c /d system
    3⤵
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SystemManagement.exe
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SystemManagement.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls SystemManagement.exe /t /e /c /d everyone
  2⤵
  PID:468
- - C:\Windows\SysWOW64\cacls.exe
    Cacls SystemManagement.exe /t /e /c /d everyone
    3⤵
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls SystemManagement.exe /t /e /c /d system
  2⤵
  PID:2704
- - C:\Windows\SysWOW64\cacls.exe
    Cacls SystemManagement.exe /t /e /c /d system
    3⤵
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im msinfo.exe
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msinfo.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls msinfo.exe /t /e /c /d everyone
  2⤵
  PID:2916
- - C:\Windows\SysWOW64\cacls.exe
    Cacls msinfo.exe /t /e /c /d everyone
    3⤵
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls msinfo.exe /t /e /c /d system
  2⤵
  PID:2156
- - C:\Windows\SysWOW64\cacls.exe
    Cacls msinfo.exe /t /e /c /d system
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im rundlls.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundlls.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls rundlls.exe /t /e /c /d everyone
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\cacls.exe
    Cacls rundlls.exe /t /e /c /d everyone
    3⤵
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls rundlls.exe /t /e /c /d system
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\cacls.exe
    Cacls rundlls.exe /t /e /c /d system
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoy.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls conhoy.exe /t /e /c /d everyone
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\cacls.exe
    Cacls conhoy.exe /t /e /c /d everyone
    3⤵
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls conhoy.exe /t /e /c /d system
  2⤵
  PID:612
- - C:\Windows\SysWOW64\cacls.exe
    Cacls conhoy.exe /t /e /c /d system
    3⤵
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im OmdBase.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OmdBase.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls OmdBase.exe /t /e /c /d everyone
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    Cacls OmdBase.exe /t /e /c /d everyone
    3⤵
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls OmdBase.exe /t /e /c /d system
  2⤵
  PID:2476
- - C:\Windows\SysWOW64\cacls.exe
    Cacls OmdBase.exe /t /e /c /d system
    3⤵
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im System.exe
  2⤵
  PID:2316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im System.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls System.exe /t /e /c /d everyone
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2464
- - C:\Windows\SysWOW64\cacls.exe
    Cacls System.exe /t /e /c /d everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls System.exe /t /e /c /d system
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\cacls.exe
    Cacls System.exe /t /e /c /d system
    3⤵
    PID:3032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im spoolys.exe
  2⤵
  PID:2536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spoolys.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im OmdBase.exe
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OmdBase.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft Maker\OmdBase.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft Maker\OmdBase.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft Maker\OmdBase.exe
  2⤵
  PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Windows DVD Maker"
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows DVD Maker"
    3⤵
    - Launches sc.exe
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Windows DVD Maker"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1436
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows DVD Maker"
    3⤵
    - Launches sc.exe
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im GthUdTask.exe
  2⤵
  PID:2632
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im GthUdTask.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft GthUdTask\GthUdTask.exe
  2⤵
  PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft GthUdTask\GthUdTask.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft GthUdTask\GthUdTask.exe
  2⤵
  PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies GthUdTask"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1360
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies GthUdTask"
    3⤵
    - Launches sc.exe
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies GthUdTask"
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies GthUdTask"
    3⤵
    - Launches sc.exe
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im BthUdTask.exe
  2⤵
  PID:1852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im BthUdTask.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft BthUdTask\BthUdTask.exe
  2⤵
  PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft BthUdTask\BthUdTask.exe
  2⤵
  PID:1144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft BthUdTask\BthUdTask.exe
  2⤵
  PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies BthUdTask"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1712
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies BthUdTask"
    3⤵
    - Launches sc.exe
    PID:2900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies BthUdTask"
  2⤵
  PID:796
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies BthUdTask"
    3⤵
    - Launches sc.exe
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SvidaPctb.exe
  2⤵
  PID:2288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SvidaPctb.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SvidaPctb\SvidaPctb.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft SvidaPctb\SvidaPctb.exe
  2⤵
  PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SvidaPctb\SvidaPctb.exe
  2⤵
  PID:436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im WavesSys.exe
  2⤵
  PID:3036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im WavesSys.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies WavesSys"
  2⤵
  PID:352
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies WavesSys"
    3⤵
    - Launches sc.exe
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies WavesSys"
  2⤵
  PID:2720
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies WavesSys"
    3⤵
    - Launches sc.exe
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im System.exe
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im System.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft StuSystem\System.exe
  2⤵
  PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft StuSystem\System.exe
  2⤵
  PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft StuSystem\System.exe
  2⤵
  PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im spoolys.exe
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spoolys.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Windows\Help\spoolys.exe
  2⤵
  PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im lsma12.exe
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lsma12.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Windows\INF\aspnet\lsma12.exe
  2⤵
  PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im assm.exe
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im assm.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe
  2⤵
  PID:868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe
  2⤵
  PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im sqlcmd.exe
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlcmd.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sqlcmd.exe
  2⤵
  PID:332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sqlcmd.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhos.exe
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhos.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhos.exe
  2⤵
  PID:2728
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhos.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhou.exe
  2⤵
  PID:1236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhou.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhou.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhou.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im m6.bin.bin.exe
  2⤵
  PID:2856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im m6.bin.bin.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im javaw.exe
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im javaw.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im clsso.exe
  2⤵
  PID:2612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im clsso.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoz.exe
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoz.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoz.exe
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoz.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoz.exe
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoz.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoz.exe
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoz.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoy.exe
  2⤵
  PID:2592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoy.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1660
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoy.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im csrs.exe
  2⤵
  PID:2288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csrs.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im csrs.exe
  2⤵
  PID:2828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csrs.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im sysdo.exe
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sysdo.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im sysdo.exe
  2⤵
  PID:2588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sysdo.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SqlManagement.exe
  2⤵
  PID:988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SqlManagement.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sSqlManagement.exe
  2⤵
  PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SqlManagement.exe
  2⤵
  PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SystemManagement.exe
  2⤵
  PID:888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SystemManagement.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe
  2⤵
  PID:2420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe
  2⤵
  PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\*
  2⤵
  PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im taskmgr.exe
  2⤵
  PID:3004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im wscript.exe
  2⤵
  PID:868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wscript.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWD.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWD.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWA.exe
  2⤵
  PID:2892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWA.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWB.exe
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWB.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWC.exe
  2⤵
  PID:2724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWC.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENAC.exe
  2⤵
  PID:2800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENAC.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:2804
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:1236
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /t /g system:f
  2⤵
  PID:2756
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /t /g system:f
    3⤵
    PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:2628
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:1892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:2640
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:1068
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:760
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:1096
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:2616
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTC.exe
  2⤵
  PID:2304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTC.exe
  2⤵
  PID:468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTC.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTN.exe
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTN.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTN.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTA.exe
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTA.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTA.exe
  2⤵
  PID:756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTA.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:2460
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /t /g system:f
  2⤵
  PID:692
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /t /g system:f
    3⤵
    PID:2308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:2604
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:296
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:2452
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1272
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:836
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2596
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:2468
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1480
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:972
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:2092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATC.exe
  2⤵
  PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATC.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATC.exe
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATN.exe
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATN.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATN.exe
  2⤵
  PID:780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATN.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATA.exe
  2⤵
  PID:2220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATA.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATA.exe
  2⤵
  PID:2136
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATA.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Users\MSSQL~1\AppData\Local\Temp\*
  2⤵
  PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Users\MSSQLSERVER\AppData\Local\Temp\*
  2⤵
  PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Windows\Temp\*
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\*
  2⤵
  PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Users\Administrator\AppData\Local\Temp\*
  2⤵
  PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\TempUpdate2.bat
  2⤵
  PID:2612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cacls.exe" /e /t /g everyone:f
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cacls.exe" /e /t /g everyone:f
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cacls.exe" /e /t /g everyone:f
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cacls.exe" /e /t /g everyone:f
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cacls.exe" /e /t /g system:f
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cacls.exe" /e /t /g system:f
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cacls.exe" /e /t /g system:f
    3⤵
    PID:448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cacls.exe" /e /t /g system:f
    3⤵
    PID:468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cmd.exe" /e /t /g everyone:f
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g everyone:f
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cmd.exe" /e /t /g everyone:f
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g everyone:f
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cmd.exe" /e /t /g system:f
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g system:f
    3⤵
    PID:956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cmd.exe" /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g system:f
    3⤵
    PID:896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\ftp.exe" /e /t /g everyone:f
    3⤵
    PID:840
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g everyone:f
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\ftp.exe" /e /t /g everyone:f
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g everyone:f
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\ftp.exe" /e /t /g system:f
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g system:f
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\ftp.exe" /e /t /g system:f
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g system:f
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2232
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im WavesSys.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SvidaPctb.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im GthUdTask.exe
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im BthUdTask.exe
    3⤵
    PID:960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OmdBase.exe
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im System.exe
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Maker" /t /e /c /d everyone
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Maker" /t /e /c /d system
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Maker" /t /e /c /d everyone
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Maker" /t /e /c /d system
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Maker" /t /e /c /d everyone
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Maker" /t /e /c /d system
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft StuSystem" /t /e /c /d everyone
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft StuSystem" /t /e /c /d system
    3⤵
    PID:332
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft StuSystem" /t /e /c /d everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2204
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft StuSystem" /t /e /c /d system
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft StuSystem" /t /e /c /d everyone
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft StuSystem" /t /e /c /d system
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\WindowsRunner.exe" /t /e /c /r everyone
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe" /t /e /c /r everyone
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe" /t /e /c /d everyone
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SqlManagement.exe" /t /e /c /d everyone
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\*" /t /e /c /d everyone
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\WindowsRunner.exe" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:2548
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:296
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    PID:2760
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SqlManagement.exe" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    PID:1632
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\*" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:284
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\WindowsRunner.exe" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:2728
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:1652
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    PID:2792
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SqlManagement.exe" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    PID:2664
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\*" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "WindowsRunner.exe" /t /e /c /d everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "WindowsRunner.exe" /t /e /c /d system
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "SystemManagement.exe" /t /e /c /d everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1980
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "SystemManagement.exe" /t /e /c /d system
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "SqlManagement.exe" /t /e /c /d everyone
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "SqlManagement.exe" /t /e /c /d system
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im WindowsRunner.exe
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SystemManagement.exe
    3⤵
    - Kills process with taskkill
    PID:1712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SqlManagement.exe
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im assm.exe
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "?C:\ProgramData\Microsoft\RAC\lcacs.exe" /t /e /c /r everyone
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\ProgramData\Microsoft\RAC\lcacs.exe" /t /e /c /r system
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "?C:\ProgramData\Microsoft\RAC\lsass.exe" /t /e /c /r everyone
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "?C:\ProgramData\Microsoft\RAC\lsass.exe" /t /e /c /r system
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\ProgramData\Oracle\Java\*" /t /e /c /r everyone
    3⤵
    PID:596
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "?C:\ProgramData\Oracle\Java\*" /t /e /c /r system
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "?C:\ProgramData\Microsoft\RAC\*" /t /e /c /r everyone
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\ProgramData\Microsoft\RAC\*" /t /e /c /r system
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lcacs.exe
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sysdo.exe
    3⤵
    - Kills process with taskkill
    PID:1932
- - C:\Windows\SysWOW64\cacls.exe
    Cacls c:\windows\temp\conhoy.exe /t /e /c /r everyone
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cacls.exe
    Cacls conhoy.exe /t /e /c /r everyone
    3⤵
    PID:796
- - C:\Windows\SysWOW64\cacls.exe
    Cacls conhoy.exe /t /e /c /r system
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoy.exe
    3⤵
    - Kills process with taskkill
    PID:1204
- - C:\Windows\SysWOW64\cacls.exe
    Cacls C:\Windows\system\msinfo.exe /t /e /c /r everyone
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\cacls.exe
    Cacls msinfo.exe /t /e /c /r everyone
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\cacls.exe
    Cacls msinfo.exe /t /e /c /r system
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msinfo.exe
    3⤵
    - Kills process with taskkill
    PID:2716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msinfo.exe
    3⤵
    - Kills process with taskkill
    PID:832
- - C:\Windows\SysWOW64\cacls.exe
    Cacls C:\Windows\system/t /e /c /r everyone
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\cacls.exe
    Cacls C:\Windows\INF\aspnet/t /e /c /r everyone
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\cacls.exe
    Cacls lsma12.exe /t /e /c /r everyone
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\cacls.exe
    Cacls lsma12.exe /t /e /c /r system
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lsma12.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lsma12.exe
    3⤵
    - Kills process with taskkill
    PID:2920
- - C:\Windows\SysWOW64\cacls.exe
    Cacls csrs.exe /t /e /c /r everyone
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\cacls.exe
    Cacls csrs.exe /t /e /c /r system
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\cacls.exe
    Cacls C:\Windows\SysWOW64\csrs.exe /t /e /c /r everyone
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csrs.exe
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csrs.exe
    3⤵
    - Kills process with taskkill
    PID:1680
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftWindows" /F
    3⤵
    PID:308
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "Mysa" /F
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "Mysa1" /F
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "Mysa2" /F
    3⤵
    PID:756
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "Mysa3" /F
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "OKa" /F
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "OK" /F
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftsWindows" /F
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftsWindowsu" /F
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftsWindowsy" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:988
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "At1" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2272
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "At2" /F
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "45645" /F
    3⤵
    PID:872
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftsWindowsy" /F
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\sc.exe
    sc delete "xwinwpdsrv"
    3⤵
    - Launches sc.exe
    PID:2424
- - C:\Windows\SysWOW64\sc.exe
    sc stop "Corporati Assemblies GthUdTask"
    3⤵
    - Launches sc.exe
    PID:924
- - C:\Windows\SysWOW64\sc.exe
    sc stop "Corporati Assemblies BthUdTask"
    3⤵
    - Launches sc.exe
    PID:2560
- - C:\Windows\SysWOW64\sc.exe
    sc stop "kugoumusic"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:768
- - C:\Windows\SysWOW64\sc.exe
    sc stop "wmiapsrvs"
    3⤵
    - Launches sc.exe
    PID:1328
- - C:\Windows\SysWOW64\sc.exe
    sc stop "w3svchttps"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2452
- - C:\Windows\SysWOW64\sc.exe
    sc delete GthUdTask
    3⤵
    - Launches sc.exe
    PID:1480
- - C:\Windows\SysWOW64\sc.exe
    sc delete BthUdTask
    3⤵
    - Launches sc.exe
    PID:1908
- - C:\Windows\SysWOW64\sc.exe
    sc delete System
    3⤵
    - Launches sc.exe
    PID:3020
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies GthUdTask"
    3⤵
    - Launches sc.exe
    PID:1552
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies BthUdTask"
    3⤵
    - Launches sc.exe
    PID:1524
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies Maker"
    3⤵
    - Launches sc.exe
    PID:2528
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies nvtray"
    3⤵
    - Launches sc.exe
    PID:2968
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies OmdBase"
    3⤵
    - Launches sc.exe
    PID:2440
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows DVD Maker"
    3⤵
    - Launches sc.exe
    PID:2112
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies Windows DVD Maker"
    3⤵
    - Launches sc.exe
    PID:1792
- - C:\Windows\SysWOW64\sc.exe
    sc delete kugoumusic
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:868
- - C:\Windows\SysWOW64\sc.exe
    sc delete wmiapsrvs
    3⤵
    - Launches sc.exe
    PID:2236
- - C:\Windows\SysWOW64\sc.exe
    sc delete w3svchttps
    3⤵
    - Launches sc.exe
    PID:2468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWD.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWD.exe
    3⤵
    - Kills process with taskkill
    PID:2244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSPW.exe
    3⤵
    - Kills process with taskkill
    PID:2340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSUW.exe
    3⤵
    PID:284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWA.exe
    3⤵
    - Kills process with taskkill
    PID:1964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWB.exe
    3⤵
    - Kills process with taskkill
    PID:1876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWB.exe
    3⤵
    - Kills process with taskkill
    PID:2816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTC.exe
    3⤵
    - Kills process with taskkill
    PID:1540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTC.exe
    3⤵
    - Kills process with taskkill
    PID:1748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ntvdm.exe
    3⤵
    - Kills process with taskkill
    PID:2812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im drwtsn32.exe
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ws.exe
    3⤵
    - Kills process with taskkill
    PID:1412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im secedit.exe
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ntsd.exe
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mshta.exe
    3⤵
    - Kills process with taskkill
    PID:2940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im net1.exe
    3⤵
    PID:876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cscript.exe
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wscript.exe
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csql.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2024
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ping.exe
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nvtray.exe
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rnaphin.exe
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im schtasks.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im powershell.exe
    3⤵
    - Kills process with taskkill
    PID:2924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ftp.exe
    3⤵
    - Kills process with taskkill
    PID:468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fpp.exe
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im p.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spp.exe
    3⤵
    - Kills process with taskkill
    PID:2008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im down.exe
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im net.exe
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cacls.exe
    3⤵
    - Kills process with taskkill
    PID:1680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regini.exe
    3⤵
    - Kills process with taskkill
    PID:1688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im windowslsmer.exe
    3⤵
    - Kills process with taskkill
    PID:2456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im TrustedInsteller.exe
    3⤵
    - Kills process with taskkill
    PID:1940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wshom.exe
    3⤵
    - Kills process with taskkill
    PID:1492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im postgres.exe
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im alger.exe
    3⤵
    - Kills process with taskkill
    PID:2036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im smsser.exe
    3⤵
    - Kills process with taskkill
    PID:3040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im asdg.exe
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tool.exe
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im smss.exe
    3⤵
    - Kills process with taskkill
    PID:1488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im suup.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sc.exe
    3⤵
    - Kills process with taskkill
    PID:1800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im hexscvhost.exe
    3⤵
    - Kills process with taskkill
    PID:1792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SvidaPaun.exe
    3⤵
    - Kills process with taskkill
    PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\cacls.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2900
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\cacls.exe /e /t /g everyone:f
  2⤵
  PID:2364
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
    3⤵
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
  2⤵
  PID:780
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
  2⤵
  PID:1412
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\cacls.exe /e /t /g system:f
  2⤵
  PID:2904
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cacls.exe /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\cacls.exe /e /t /g system:f
  2⤵
  PID:300
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
    3⤵
    PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\cacls.exe /e /t /g system:f
  2⤵
  PID:2784
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cacls.exe /e /t /g system:f
    3⤵
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
    3⤵
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\cmd.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:356
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
    3⤵
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\cmd.exe /e /t /g everyone:f
  2⤵
  PID:436
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
    3⤵
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
  2⤵
  PID:2916
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
    3⤵
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2320
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
    3⤵
    PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\cmd.exe /e /t /g system:f
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /t /g system:f
    3⤵
    PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\cmd.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\cmd.exe /e /t /g system:f
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /t /g system:f
    3⤵
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2676
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
    3⤵
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\ftp.exe /e /t /g everyone:f
  2⤵
  PID:2336
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
    3⤵
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\ftp.exe /e /t /g everyone:f
  2⤵
  PID:1756
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
  2⤵
  PID:2756
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
    3⤵
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
  2⤵
  PID:692
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
    3⤵
    PID:924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\ftp.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1504
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\ftp.exe /e /t /g system:f
    3⤵
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\ftp.exe /e /t /g system:f
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
    3⤵
    PID:2124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\ftp.exe /e /t /g system:f
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\ftp.exe /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
  2⤵
  PID:988
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
    3⤵
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\cacls.exe
    cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
    3⤵
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\cacls.exe
    cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
    3⤵
    PID:776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
  2⤵
  PID:2724
- - C:\Windows\SysWOW64\cacls.exe
    cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
  2⤵
  PID:2604
- - C:\Windows\SysWOW64\cacls.exe
    cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:2684
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:2196
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
  2⤵
  PID:1792
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
    3⤵
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:2464
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:1236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:284
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:2472
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:2416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:1868
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:2468
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:1872
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im cmd.exe
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:1252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im cacls.exe
  2⤵
  PID:612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cacls.exe
    3⤵
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempUpdate2.bat

Filesize
15KB

MD5
8c74da913ec93b3ab42fd1026a872e9f

SHA1
8525f2512a9db3fabdcfad0c571c198774c7f48c

SHA256
22782ab8ef711f7fa0e93041222fd69d47ccd28e6fff191537e6ad5d29c847a2

SHA512
4ad5eb6b695315ca3e0cf2b93ccbaa4b39dbcaeb8e577d64c7b96ba39029eb3ef4cb449d29026a254be08a45e22174aa45607b4096ad4fd0f8f0fecdf2a86651

Download Submit
memory/2344-0-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2344-1-0x0000000000250000-0x000000000025B000-memory.dmp

Filesize
44KB

Download
memory/2344-2-0x0000000000250000-0x000000000025B000-memory.dmp

Filesize
44KB

Download
memory/2344-3-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2344-4-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2344-7-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2344-15-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2344-16-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download