3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
Size

588KB
MD5

5f2f60e0cb2a4b5e2ec849641a3b08dd
SHA1

3fded9610433c618f48176940474b74df6c2b49d
SHA256

3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819
SHA512

7b6ca5ba95234202700e794c266ae5fe51282a79b4bd01c4815bc886290196a0e708d337ea105f89f4b8a43c7e3b15ffab9efbc346bfd26a62de75e603b05bfa
SSDEEP

12288:hrWfN3TrQ/g3iK5iiWjnyOymhwiAAsvYciSdsaNolSbycDNXiG5tc9:hif1gTKETHsOesayS+INHc9

Score

8^/10

defense_evasion discovery evasion execution upx

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2512-0-0x0000000000400000-0x000000000056C000-memory.dmp	upx
behavioral2/memory/2512-1-0x00000000023F0000-0x00000000023FB000-memory.dmp	upx
behavioral2/memory/2512-2-0x00000000023F0000-0x00000000023FB000-memory.dmp	upx
behavioral2/memory/2512-3-0x0000000000400000-0x000000000056C000-memory.dmp	upx
behavioral2/memory/2512-4-0x0000000000400000-0x000000000056C000-memory.dmp	upx
behavioral2/memory/2512-7-0x0000000000400000-0x000000000056C000-memory.dmp	upx
behavioral2/memory/2512-9-0x0000000000400000-0x000000000056C000-memory.dmp	upx
behavioral2/memory/2512-10-0x0000000000400000-0x000000000056C000-memory.dmp	upx

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Launches sc.exe 27 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
468	sc.exe
3100	sc.exe
4312	sc.exe
4536	sc.exe
1132	sc.exe
1728	sc.exe
4076	sc.exe
1548	sc.exe
1468	sc.exe
4088	sc.exe
3192	sc.exe
3176	sc.exe
3164	sc.exe
3536	sc.exe
2784	sc.exe
1208	sc.exe
624	sc.exe
3688	sc.exe
3756	sc.exe
2748	sc.exe
2376	sc.exe
4472	sc.exe
3972	sc.exe
3084	sc.exe
2536	sc.exe
4784	sc.exe
3664	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
4416	taskkill.exe
4392	taskkill.exe
2972	taskkill.exe
2412	taskkill.exe
2528	taskkill.exe
1868	taskkill.exe
2580	taskkill.exe
1192	taskkill.exe
880	taskkill.exe
1560	taskkill.exe
3628	taskkill.exe
1608	taskkill.exe
4636	taskkill.exe
5832	taskkill.exe
5212	taskkill.exe
4496	taskkill.exe
4276	taskkill.exe
1096	taskkill.exe
2960	taskkill.exe
4016	taskkill.exe
1248	taskkill.exe
2760	taskkill.exe
3196	taskkill.exe
1484	taskkill.exe
4620	taskkill.exe
5000	taskkill.exe
1728	taskkill.exe
2072	taskkill.exe
3720	taskkill.exe
3532	taskkill.exe
3856	taskkill.exe
4352	taskkill.exe
3352	taskkill.exe
3756	taskkill.exe
4312	taskkill.exe
2364	taskkill.exe
1272	taskkill.exe
2292	taskkill.exe
1428	taskkill.exe
208	taskkill.exe
3688	taskkill.exe
3196	taskkill.exe
1468	taskkill.exe
3536	taskkill.exe
1244	taskkill.exe
3732	taskkill.exe
3152	taskkill.exe
3112	taskkill.exe
3332	taskkill.exe
4212	taskkill.exe
5000	taskkill.exe
1432	taskkill.exe
4864	taskkill.exe
4996	taskkill.exe
812	taskkill.exe
1672	taskkill.exe
4672	taskkill.exe
3132	taskkill.exe
6040	taskkill.exe
3932	taskkill.exe
208	taskkill.exe
3608	taskkill.exe
3652	taskkill.exe
3632	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4352	taskkill.exe
Token: SeDebugPrivilege	4016	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeDebugPrivilege	4496	taskkill.exe
Token: SeDebugPrivilege	1244	taskkill.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	3532	taskkill.exe
Token: SeDebugPrivilege	3732	taskkill.exe
Token: SeDebugPrivilege	112	taskkill.exe
Token: SeDebugPrivilege	4416	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	3628	taskkill.exe
Token: SeDebugPrivilege	4420	taskkill.exe
Token: SeDebugPrivilege	3632	taskkill.exe
Token: SeDebugPrivilege	4276	taskkill.exe
Token: SeDebugPrivilege	3152	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	2884	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	4620	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	4608	taskkill.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeDebugPrivilege	4412	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	4644	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	3628	taskkill.exe
Token: SeDebugPrivilege	2528	taskkill.exe
Token: SeDebugPrivilege	3756	taskkill.exe
Token: SeDebugPrivilege	1428	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	3856	taskkill.exe
Token: SeDebugPrivilege	3352	taskkill.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	3332	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	880	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	208	taskkill.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	5080	taskkill.exe
Token: SeDebugPrivilege	3356	taskkill.exe
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	4996	taskkill.exe
Token: SeDebugPrivilege	4000	taskkill.exe
Token: SeDebugPrivilege	812	taskkill.exe
Token: SeDebugPrivilege	3352	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 4848	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	87
PID 2512 wrote to memory of 4848	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	87
PID 2512 wrote to memory of 4848	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	87
PID 4848 wrote to memory of 4352	4848	cmd.exe	89
PID 4848 wrote to memory of 4352	4848	cmd.exe	89
PID 4848 wrote to memory of 4352	4848	cmd.exe	89
PID 2512 wrote to memory of 4456	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	90
PID 2512 wrote to memory of 4456	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	90
PID 2512 wrote to memory of 4456	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	90
PID 4456 wrote to memory of 4016	4456	cmd.exe	93
PID 4456 wrote to memory of 4016	4456	cmd.exe	93
PID 4456 wrote to memory of 4016	4456	cmd.exe	93
PID 2512 wrote to memory of 3440	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	94
PID 2512 wrote to memory of 3440	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	94
PID 2512 wrote to memory of 3440	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	94
PID 3440 wrote to memory of 3132	3440	cmd.exe	96
PID 3440 wrote to memory of 3132	3440	cmd.exe	96
PID 3440 wrote to memory of 3132	3440	cmd.exe	96
PID 2512 wrote to memory of 3352	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	97
PID 2512 wrote to memory of 3352	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	97
PID 2512 wrote to memory of 3352	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	97
PID 2512 wrote to memory of 548	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	99
PID 2512 wrote to memory of 548	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	99
PID 2512 wrote to memory of 548	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	99
PID 2512 wrote to memory of 3608	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	101
PID 2512 wrote to memory of 3608	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	101
PID 2512 wrote to memory of 3608	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	101
PID 2512 wrote to memory of 4012	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	103
PID 2512 wrote to memory of 4012	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	103
PID 2512 wrote to memory of 4012	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	103
PID 2512 wrote to memory of 3632	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	105
PID 2512 wrote to memory of 3632	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	105
PID 2512 wrote to memory of 3632	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	105
PID 3608 wrote to memory of 4496	3608	cmd.exe	107
PID 3608 wrote to memory of 4496	3608	cmd.exe	107
PID 3608 wrote to memory of 4496	3608	cmd.exe	107
PID 2512 wrote to memory of 2676	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	108
PID 2512 wrote to memory of 2676	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	108
PID 2512 wrote to memory of 2676	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	108
PID 2512 wrote to memory of 5024	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	110
PID 2512 wrote to memory of 5024	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	110
PID 2512 wrote to memory of 5024	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	110
PID 2512 wrote to memory of 4104	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	112
PID 2512 wrote to memory of 4104	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	112
PID 2512 wrote to memory of 4104	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	112
PID 2512 wrote to memory of 3636	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	114
PID 2512 wrote to memory of 3636	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	114
PID 2512 wrote to memory of 3636	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	114
PID 2512 wrote to memory of 1212	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	116
PID 2512 wrote to memory of 1212	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	116
PID 2512 wrote to memory of 1212	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	116
PID 4104 wrote to memory of 1244	4104	cmd.exe	117
PID 4104 wrote to memory of 1244	4104	cmd.exe	117
PID 4104 wrote to memory of 1244	4104	cmd.exe	117
PID 3636 wrote to memory of 3928	3636	cmd.exe	119
PID 3636 wrote to memory of 3928	3636	cmd.exe	119
PID 3636 wrote to memory of 3928	3636	cmd.exe	119
PID 2512 wrote to memory of 1952	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	214
PID 2512 wrote to memory of 1952	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	214
PID 2512 wrote to memory of 1952	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	214
PID 2512 wrote to memory of 728	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	122
PID 2512 wrote to memory of 728	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	122
PID 2512 wrote to memory of 728	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	122
PID 2512 wrote to memory of 2216	2512	3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe	123

C:\Users\Admin\AppData\Local\Temp\3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe
"C:\Users\Admin\AppData\Local\Temp\3736ea3381e5411c891a367acdf0e92cbf890fb926db9a470b6d3cf8fa415819.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im wscript.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wscript.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWD.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWD.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im taskger.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskger.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\ProgramData\taskger.exe
  2⤵
  PID:3352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\RECYCLER\taskger.exe
  2⤵
  PID:548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im taskmgzr.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgzr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\ProgramData\taskmgzr.exe
  2⤵
  PID:4012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\RECYCLER\taskmgzr.exe
  2⤵
  PID:3632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\ProgramData\vget.vbs
  2⤵
  PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\RECYCLER\vget.vbs
  2⤵
  PID:5024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im assm.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im assm.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls assm.exe /t /e /c /d everyone
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\SysWOW64\cacls.exe
    Cacls assm.exe /t /e /c /d everyone
    3⤵
    PID:3928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls assm.exe /t /e /c /d system
  2⤵
  PID:1212
- - C:\Windows\SysWOW64\cacls.exe
    Cacls assm.exe /t /e /c /d system
    3⤵
    PID:4284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SqlManagement.exe
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SqlManagement.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls SqlManagement.exe /t /e /c /d everyone
  2⤵
  PID:728
- - C:\Windows\SysWOW64\cacls.exe
    Cacls SqlManagement.exe /t /e /c /d everyone
    3⤵
    PID:4416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls SqlManagement.exe /t /e /c /d system
  2⤵
  PID:2216
- - C:\Windows\SysWOW64\cacls.exe
    Cacls SqlManagement.exe /t /e /c /d system
    3⤵
    PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SystemManagement.exe
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SystemManagement.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls SystemManagement.exe /t /e /c /d everyone
  2⤵
  PID:3564
- - C:\Windows\SysWOW64\cacls.exe
    Cacls SystemManagement.exe /t /e /c /d everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls SystemManagement.exe /t /e /c /d system
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\cacls.exe
    Cacls SystemManagement.exe /t /e /c /d system
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im msinfo.exe
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msinfo.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls msinfo.exe /t /e /c /d everyone
  2⤵
  PID:928
- - C:\Windows\SysWOW64\cacls.exe
    Cacls msinfo.exe /t /e /c /d everyone
    3⤵
    PID:4964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls msinfo.exe /t /e /c /d system
  2⤵
  PID:3100
- - C:\Windows\SysWOW64\cacls.exe
    Cacls msinfo.exe /t /e /c /d system
    3⤵
    PID:4076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im rundlls.exe
  2⤵
  PID:4244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundlls.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls rundlls.exe /t /e /c /d everyone
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\cacls.exe
    Cacls rundlls.exe /t /e /c /d everyone
    3⤵
    PID:4464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls rundlls.exe /t /e /c /d system
  2⤵
  PID:3112
- - C:\Windows\SysWOW64\cacls.exe
    Cacls rundlls.exe /t /e /c /d system
    3⤵
    PID:3084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoy.exe
  2⤵
  PID:4628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoy.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls conhoy.exe /t /e /c /d everyone
  2⤵
  PID:3456
- - C:\Windows\SysWOW64\cacls.exe
    Cacls conhoy.exe /t /e /c /d everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls conhoy.exe /t /e /c /d system
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4016
- - C:\Windows\SysWOW64\cacls.exe
    Cacls conhoy.exe /t /e /c /d system
    3⤵
    PID:3344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im OmdBase.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OmdBase.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls OmdBase.exe /t /e /c /d everyone
  2⤵
  PID:624
- - C:\Windows\SysWOW64\cacls.exe
    Cacls OmdBase.exe /t /e /c /d everyone
    3⤵
    PID:3088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls OmdBase.exe /t /e /c /d system
  2⤵
  PID:4052
- - C:\Windows\SysWOW64\cacls.exe
    Cacls OmdBase.exe /t /e /c /d system
    3⤵
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im System.exe
  2⤵
  PID:116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im System.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls System.exe /t /e /c /d everyone
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\cacls.exe
    Cacls System.exe /t /e /c /d everyone
    3⤵
    PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls System.exe /t /e /c /d system
  2⤵
  PID:2196
- - C:\Windows\SysWOW64\cacls.exe
    Cacls System.exe /t /e /c /d system
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im spoolys.exe
  2⤵
  PID:4600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spoolys.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im OmdBase.exe
  2⤵
  PID:628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OmdBase.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft Maker\OmdBase.exe
  2⤵
  PID:4268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft Maker\OmdBase.exe
  2⤵
  PID:1212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft Maker\OmdBase.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Windows DVD Maker"
  2⤵
  PID:4820
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows DVD Maker"
    3⤵
    - Launches sc.exe
    PID:4076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Windows DVD Maker"
  2⤵
  PID:3848
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows DVD Maker"
    3⤵
    - Launches sc.exe
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im GthUdTask.exe
  2⤵
  PID:880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im GthUdTask.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft GthUdTask\GthUdTask.exe
  2⤵
  PID:4532
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft GthUdTask\GthUdTask.exe
  2⤵
  PID:3644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft GthUdTask\GthUdTask.exe
  2⤵
  PID:4000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies GthUdTask"
  2⤵
  PID:860
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies GthUdTask"
    3⤵
    - Launches sc.exe
    PID:3756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies GthUdTask"
  2⤵
  PID:3640
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies GthUdTask"
    3⤵
    - Launches sc.exe
    PID:3688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im BthUdTask.exe
  2⤵
  PID:3088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im BthUdTask.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft BthUdTask\BthUdTask.exe
  2⤵
  PID:4972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft BthUdTask\BthUdTask.exe
  2⤵
  PID:1576
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft BthUdTask\BthUdTask.exe
  2⤵
  PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies BthUdTask"
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies BthUdTask"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies BthUdTask"
  2⤵
  PID:4172
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies BthUdTask"
    3⤵
    - Launches sc.exe
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SvidaPctb.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SvidaPctb.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SvidaPctb\SvidaPctb.exe
  2⤵
  PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft SvidaPctb\SvidaPctb.exe
  2⤵
  PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SvidaPctb\SvidaPctb.exe
  2⤵
  PID:4052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im WavesSys.exe
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im WavesSys.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies WavesSys"
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies WavesSys"
    3⤵
    - Launches sc.exe
    PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies WavesSys"
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies WavesSys"
    3⤵
    - Launches sc.exe
    PID:3176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im System.exe
  2⤵
  PID:4268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im System.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft StuSystem\System.exe
  2⤵
  PID:3564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft StuSystem\System.exe
  2⤵
  PID:2492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft StuSystem\System.exe
  2⤵
  PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im spoolys.exe
  2⤵
  PID:4600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spoolys.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Windows\Help\spoolys.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im lsma12.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lsma12.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Windows\INF\aspnet\lsma12.exe
  2⤵
  PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im assm.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im assm.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe
  2⤵
  PID:4320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe
  2⤵
  PID:3756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im sqlcmd.exe
  2⤵
  PID:2452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlcmd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sqlcmd.exe
  2⤵
  PID:3736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sqlcmd.exe
  2⤵
  PID:2596
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhos.exe
  2⤵
  PID:952
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhos.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhos.exe
  2⤵
  PID:2616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhos.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhou.exe
  2⤵
  PID:3344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhou.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhou.exe
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhou.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im m6.bin.bin.exe
  2⤵
  PID:4684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im m6.bin.bin.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im javaw.exe
  2⤵
  PID:3980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im javaw.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im clsso.exe
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im clsso.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoz.exe
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoz.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoz.exe
  2⤵
  PID:4812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoz.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoz.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoz.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoz.exe
  2⤵
  PID:3084
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoz.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoy.exe
  2⤵
  PID:3720
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoy.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im csrs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csrs.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im csrs.exe
  2⤵
  PID:2784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csrs.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im sysdo.exe
  2⤵
  PID:3872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sysdo.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im sysdo.exe
  2⤵
  PID:3112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sysdo.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SqlManagement.exe
  2⤵
  PID:3184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SqlManagement.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sSqlManagement.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SqlManagement.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SystemManagement.exe
  2⤵
  PID:4928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SystemManagement.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe
  2⤵
  PID:4604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe
  2⤵
  PID:3176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\*
  2⤵
  PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im taskmgr.exe
  2⤵
  PID:3440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im wscript.exe
  2⤵
  PID:3652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wscript.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWD.exe
  2⤵
  PID:2456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWD.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWA.exe
  2⤵
  PID:2972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWA.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWB.exe
  2⤵
  PID:5040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWB.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWC.exe
  2⤵
  PID:3608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWC.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENAC.exe
  2⤵
  PID:4808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENAC.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:3932
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:4796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:4472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /t /g system:f
  2⤵
  PID:4680
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /t /g system:f
    3⤵
    PID:5008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:3924
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\sqlagentc.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1896
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\sqlagentc.exe /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:928
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:3564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:1576
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:1216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:3456
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:772
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:60
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:2784
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:1244
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:4212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:3732
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:4208
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:112
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTC.exe
  2⤵
  PID:4012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTC.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTC.exe
  2⤵
  PID:1008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTN.exe
  2⤵
  PID:2580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTN.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTN.exe
  2⤵
  PID:3108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTN.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTA.exe
  2⤵
  PID:4820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTA.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTA.exe
  2⤵
  PID:2052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTA.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:4396
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:1560
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /t /g system:f
  2⤵
  PID:2544
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /t /g system:f
    3⤵
    PID:4628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:4188
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:3176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:4724
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1472
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:4412
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:4012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4324
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:3664
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:3924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:4244
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:2604
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:3856
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:1244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATC.exe
  2⤵
  PID:3564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATC.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATC.exe
  2⤵
  PID:4308
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATC.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATN.exe
  2⤵
  PID:4532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATN.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATN.exe
  2⤵
  PID:5040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATN.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATA.exe
  2⤵
  PID:3676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATA.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATA.exe
  2⤵
  PID:2072
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATA.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Users\MSSQL~1\AppData\Local\Temp\*
  2⤵
  PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Users\MSSQLSERVER\AppData\Local\Temp\*
  2⤵
  PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Windows\Temp\*
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4860
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\*
  2⤵
  PID:3688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Users\Administrator\AppData\Local\Temp\*
  2⤵
  PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\TempUpdate2.bat
  2⤵
  PID:4440
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cacls.exe" /e /t /g everyone:f
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cacls.exe" /e /t /g everyone:f
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cacls.exe" /e /t /g everyone:f
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cacls.exe" /e /t /g everyone:f
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cacls.exe" /e /t /g system:f
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cacls.exe" /e /t /g system:f
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cacls.exe" /e /t /g system:f
    3⤵
    PID:3312
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cacls.exe" /e /t /g system:f
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cmd.exe" /e /t /g everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g everyone:f
    3⤵
    PID:3088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cmd.exe" /e /t /g everyone:f
    3⤵
    PID:3976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g everyone:f
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cmd.exe" /e /t /g system:f
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g system:f
    3⤵
    PID:644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cmd.exe" /e /t /g system:f
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g system:f
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\ftp.exe" /e /t /g everyone:f
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g everyone:f
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\ftp.exe" /e /t /g everyone:f
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g everyone:f
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\ftp.exe" /e /t /g system:f
    3⤵
    PID:956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g system:f
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\ftp.exe" /e /t /g system:f
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im WavesSys.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SvidaPctb.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im GthUdTask.exe
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im BthUdTask.exe
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OmdBase.exe
    3⤵
    - Kills process with taskkill
    PID:3756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im System.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Maker" /t /e /c /d everyone
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Maker" /t /e /c /d system
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Maker" /t /e /c /d everyone
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Maker" /t /e /c /d system
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Maker" /t /e /c /d everyone
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Maker" /t /e /c /d system
    3⤵
    PID:440
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft StuSystem" /t /e /c /d everyone
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft StuSystem" /t /e /c /d system
    3⤵
    PID:812
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft StuSystem" /t /e /c /d everyone
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft StuSystem" /t /e /c /d system
    3⤵
    PID:436
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft StuSystem" /t /e /c /d everyone
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft StuSystem" /t /e /c /d system
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\WindowsRunner.exe" /t /e /c /r everyone
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe" /t /e /c /r everyone
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe" /t /e /c /d everyone
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SqlManagement.exe" /t /e /c /d everyone
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\*" /t /e /c /d everyone
    3⤵
    PID:544
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\WindowsRunner.exe" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:2220
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:4952
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    PID:2184
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SqlManagement.exe" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    PID:2936
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\*" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    PID:1848
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\WindowsRunner.exe" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:1136
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:2780
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    PID:1132
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SqlManagement.exe" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    PID:2760
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\*" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    PID:2944
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "WindowsRunner.exe" /t /e /c /d everyone
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "WindowsRunner.exe" /t /e /c /d system
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "SystemManagement.exe" /t /e /c /d everyone
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "SystemManagement.exe" /t /e /c /d system
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "SqlManagement.exe" /t /e /c /d everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "SqlManagement.exe" /t /e /c /d system
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im WindowsRunner.exe
    3⤵
    - Kills process with taskkill
    PID:4312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SystemManagement.exe
    3⤵
    - Kills process with taskkill
    PID:3196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SqlManagement.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im assm.exe
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "?C:\ProgramData\Microsoft\RAC\lcacs.exe" /t /e /c /r everyone
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\ProgramData\Microsoft\RAC\lcacs.exe" /t /e /c /r system
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "?C:\ProgramData\Microsoft\RAC\lsass.exe" /t /e /c /r everyone
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "?C:\ProgramData\Microsoft\RAC\lsass.exe" /t /e /c /r system
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\ProgramData\Oracle\Java\*" /t /e /c /r everyone
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "?C:\ProgramData\Oracle\Java\*" /t /e /c /r system
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "?C:\ProgramData\Microsoft\RAC\*" /t /e /c /r everyone
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\ProgramData\Microsoft\RAC\*" /t /e /c /r system
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lcacs.exe
    3⤵
    - Kills process with taskkill
    PID:1868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sysdo.exe
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\cacls.exe
    Cacls c:\windows\temp\conhoy.exe /t /e /c /r everyone
    3⤵
    PID:684
- - C:\Windows\SysWOW64\cacls.exe
    Cacls conhoy.exe /t /e /c /r everyone
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\cacls.exe
    Cacls conhoy.exe /t /e /c /r system
    3⤵
    PID:208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoy.exe
    3⤵
    - Kills process with taskkill
    PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    Cacls C:\Windows\system\msinfo.exe /t /e /c /r everyone
    3⤵
    PID:840
- - C:\Windows\SysWOW64\cacls.exe
    Cacls msinfo.exe /t /e /c /r everyone
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\cacls.exe
    Cacls msinfo.exe /t /e /c /r system
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msinfo.exe
    3⤵
    - Kills process with taskkill
    PID:4672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msinfo.exe
    3⤵
    - Kills process with taskkill
    PID:3720
- - C:\Windows\SysWOW64\cacls.exe
    Cacls C:\Windows\system/t /e /c /r everyone
    3⤵
    PID:880
- - C:\Windows\SysWOW64\cacls.exe
    Cacls C:\Windows\INF\aspnet/t /e /c /r everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3564
- - C:\Windows\SysWOW64\cacls.exe
    Cacls lsma12.exe /t /e /c /r everyone
    3⤵
    PID:3616
- - C:\Windows\SysWOW64\cacls.exe
    Cacls lsma12.exe /t /e /c /r system
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lsma12.exe
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lsma12.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2384
- - C:\Windows\SysWOW64\cacls.exe
    Cacls csrs.exe /t /e /c /r everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4928
- - C:\Windows\SysWOW64\cacls.exe
    Cacls csrs.exe /t /e /c /r system
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\cacls.exe
    Cacls C:\Windows\SysWOW64\csrs.exe /t /e /c /r everyone
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csrs.exe
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csrs.exe
    3⤵
    - Kills process with taskkill
    PID:1248
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftWindows" /F
    3⤵
    PID:3968
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "Mysa" /F
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "Mysa1" /F
    3⤵
    PID:540
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "Mysa2" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "Mysa3" /F
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "OKa" /F
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "OK" /F
    3⤵
    PID:8
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftsWindows" /F
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftsWindowsu" /F
    3⤵
    PID:3640
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftsWindowsy" /F
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "At1" /F
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "At2" /F
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "45645" /F
    3⤵
    PID:3152
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftsWindowsy" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- - C:\Windows\SysWOW64\sc.exe
    sc delete "xwinwpdsrv"
    3⤵
    - Launches sc.exe
    PID:1132
- - C:\Windows\SysWOW64\sc.exe
    sc stop "Corporati Assemblies GthUdTask"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:468
- - C:\Windows\SysWOW64\sc.exe
    sc stop "Corporati Assemblies BthUdTask"
    3⤵
    - Launches sc.exe
    PID:2536
- - C:\Windows\SysWOW64\sc.exe
    sc stop "kugoumusic"
    3⤵
    - Launches sc.exe
    PID:3164
- - C:\Windows\SysWOW64\sc.exe
    sc stop "wmiapsrvs"
    3⤵
    - Launches sc.exe
    PID:4088
- - C:\Windows\SysWOW64\sc.exe
    sc stop "w3svchttps"
    3⤵
    - Launches sc.exe
    PID:3536
- - C:\Windows\SysWOW64\sc.exe
    sc delete GthUdTask
    3⤵
    - Launches sc.exe
    PID:2784
- - C:\Windows\SysWOW64\sc.exe
    sc delete BthUdTask
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2748
- - C:\Windows\SysWOW64\sc.exe
    sc delete System
    3⤵
    - Launches sc.exe
    PID:1208
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies GthUdTask"
    3⤵
    - Launches sc.exe
    PID:2376
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies BthUdTask"
    3⤵
    - Launches sc.exe
    PID:4472
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies Maker"
    3⤵
    - Launches sc.exe
    PID:4784
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies nvtray"
    3⤵
    - Launches sc.exe
    PID:4312
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies OmdBase"
    3⤵
    - Launches sc.exe
    PID:4536
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows DVD Maker"
    3⤵
    - Launches sc.exe
    PID:3972
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies Windows DVD Maker"
    3⤵
    - Launches sc.exe
    PID:3100
- - C:\Windows\SysWOW64\sc.exe
    sc delete kugoumusic
    3⤵
    - Launches sc.exe
    PID:3664
- - C:\Windows\SysWOW64\sc.exe
    sc delete wmiapsrvs
    3⤵
    - Launches sc.exe
    PID:3084
- - C:\Windows\SysWOW64\sc.exe
    sc delete w3svchttps
    3⤵
    - Launches sc.exe
    PID:624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWD.exe
    3⤵
    - Kills process with taskkill
    PID:4212
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWD.exe
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSPW.exe
    3⤵
    - Kills process with taskkill
    PID:208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSUW.exe
    3⤵
    - Kills process with taskkill
    PID:5000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWA.exe
    3⤵
    - Kills process with taskkill
    PID:2364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWB.exe
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWB.exe
    3⤵
    - Kills process with taskkill
    PID:3608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTC.exe
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTC.exe
    3⤵
    - Kills process with taskkill
    PID:2760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ntvdm.exe
    3⤵
    - Kills process with taskkill
    PID:6040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im drwtsn32.exe
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ws.exe
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im secedit.exe
    3⤵
    - Kills process with taskkill
    PID:3652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ntsd.exe
    3⤵
    - Kills process with taskkill
    PID:1468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mshta.exe
    3⤵
    - Kills process with taskkill
    PID:2580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im net1.exe
    3⤵
    - Kills process with taskkill
    PID:3196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cscript.exe
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wscript.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csql.exe
    3⤵
    - Kills process with taskkill
    PID:2960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ping.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:5832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nvtray.exe
    3⤵
    - Kills process with taskkill
    PID:3932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rnaphin.exe
    3⤵
    - Kills process with taskkill
    PID:5212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\cacls.exe /e /t /g everyone:f
  2⤵
  PID:4928
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\cacls.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1252
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
    3⤵
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3960
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
    3⤵
    PID:5812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\cacls.exe /e /t /g system:f
  2⤵
  PID:3800
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cacls.exe /e /t /g system:f
    3⤵
    PID:5804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\cacls.exe /e /t /g system:f
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
    3⤵
    PID:5788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\cacls.exe /e /t /g system:f
  2⤵
  PID:4128
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cacls.exe /e /t /g system:f
    3⤵
    PID:5764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
  2⤵
  PID:3500
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
    3⤵
    PID:5796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\cmd.exe /e /t /g everyone:f
  2⤵
  PID:468
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
    3⤵
    PID:5820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\cmd.exe /e /t /g everyone:f
  2⤵
  PID:4444
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3652
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3548
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
    3⤵
    PID:5976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\cmd.exe /e /t /g system:f
  2⤵
  PID:3456
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\cmd.exe /e /t /g system:f
  2⤵
  PID:3536
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
    3⤵
    PID:6012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\cmd.exe /e /t /g system:f
  2⤵
  PID:4324
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /t /g system:f
    3⤵
    PID:6096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
  2⤵
  PID:2784
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
    3⤵
    PID:5988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\ftp.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2596
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
    3⤵
    PID:5824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\ftp.exe /e /t /g everyone:f
  2⤵
  PID:1868
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
    3⤵
    PID:6120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
  2⤵
  PID:4212
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
    3⤵
    PID:6016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
  2⤵
  PID:4352
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
    3⤵
    PID:6128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\ftp.exe /e /t /g system:f
  2⤵
  PID:684
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\ftp.exe /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\ftp.exe /e /t /g system:f
  2⤵
  PID:2524
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
    3⤵
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\ftp.exe /e /t /g system:f
  2⤵
  PID:4284
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\ftp.exe /e /t /g system:f
    3⤵
    PID:5804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
  2⤵
  PID:3460
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
    3⤵
    PID:5768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
  2⤵
  PID:4820
- - C:\Windows\SysWOW64\cacls.exe
    cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
    3⤵
    PID:6020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
  2⤵
  PID:4864
- - C:\Windows\SysWOW64\cacls.exe
    cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
    3⤵
    PID:5304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
  2⤵
  PID:2880
- - C:\Windows\SysWOW64\cacls.exe
    cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
    3⤵
    PID:5808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
  2⤵
  PID:536
- - C:\Windows\SysWOW64\cacls.exe
    cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
    3⤵
    PID:6112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:3644
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:60
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
  2⤵
  PID:1180
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
    3⤵
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:4684
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:5992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:4000
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:6028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:3980
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:4952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2704
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:5080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:4748
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:5996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:4712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4328
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:1212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:2836
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:3884
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:3084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im cmd.exe
  2⤵
  PID:5964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im cacls.exe
  2⤵
  PID:5364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cacls.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempUpdate2.bat

Filesize
15KB

MD5
8c74da913ec93b3ab42fd1026a872e9f

SHA1
8525f2512a9db3fabdcfad0c571c198774c7f48c

SHA256
22782ab8ef711f7fa0e93041222fd69d47ccd28e6fff191537e6ad5d29c847a2

SHA512
4ad5eb6b695315ca3e0cf2b93ccbaa4b39dbcaeb8e577d64c7b96ba39029eb3ef4cb449d29026a254be08a45e22174aa45607b4096ad4fd0f8f0fecdf2a86651

Download Submit
memory/2512-0-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2512-1-0x00000000023F0000-0x00000000023FB000-memory.dmp

Filesize
44KB

Download
memory/2512-2-0x00000000023F0000-0x00000000023FB000-memory.dmp

Filesize
44KB

Download
memory/2512-3-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2512-4-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2512-7-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2512-9-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2512-10-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download