3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
Size

573KB
MD5

fd53aa04a0dafdb9fa604826affdc344
SHA1

be14d050d1b7eae16de537c6d4cc5e3111d1068e
SHA256

3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664
SHA512

e77b193af7b7468eb1516bcab0ce41b8146a7c59904643c8553017704fdd868d8dc38cdad8a43b0b4a064dc75f09e662550561c60eb02a0d763006701ea9f51f
SSDEEP

12288:BmbKknYt4pmY2QzHeiILKhLKYVu/An5WDhQslKTAfKdBFhlOti5s:BmbKPoQQrjIiLKYVu/9uSDfKbDsi5s

Score

8^/10

defense_evasion discovery evasion execution upx

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2328-0-0x0000000000400000-0x0000000000566000-memory.dmp	upx
behavioral1/memory/2328-1-0x0000000000250000-0x000000000025B000-memory.dmp	upx
behavioral1/memory/2328-2-0x0000000000250000-0x000000000025B000-memory.dmp	upx
behavioral1/memory/2328-3-0x0000000000400000-0x0000000000566000-memory.dmp	upx
behavioral1/memory/2328-4-0x0000000000400000-0x0000000000566000-memory.dmp	upx
behavioral1/memory/2328-7-0x0000000000400000-0x0000000000566000-memory.dmp	upx
behavioral1/memory/2328-9-0x0000000000400000-0x0000000000566000-memory.dmp	upx
behavioral1/memory/2328-10-0x0000000000400000-0x0000000000566000-memory.dmp	upx

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1860	sc.exe
2316	sc.exe
976	sc.exe
1688	sc.exe
2592	sc.exe
1708	sc.exe
1800	sc.exe
880	sc.exe
1232	sc.exe
524	sc.exe
2300	sc.exe
1236	sc.exe
2840	sc.exe
2584	sc.exe
1592	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1668	taskkill.exe
2324	taskkill.exe
2808	taskkill.exe
2860	taskkill.exe
2684	taskkill.exe
2412	taskkill.exe
1748	taskkill.exe
2584	taskkill.exe
1432	taskkill.exe
2600	taskkill.exe
3024	taskkill.exe
2772	taskkill.exe
2456	taskkill.exe
1876	taskkill.exe
2324	taskkill.exe
2724	taskkill.exe
2020	taskkill.exe
1592	taskkill.exe
896	taskkill.exe
548	taskkill.exe
1264	taskkill.exe
1028	taskkill.exe
2040	taskkill.exe
2340	taskkill.exe
492	taskkill.exe
1316	taskkill.exe
2672	taskkill.exe
2788	taskkill.exe
3048	taskkill.exe
1000	taskkill.exe
2464	taskkill.exe
1664	taskkill.exe
2740	taskkill.exe
2596	taskkill.exe
2412	taskkill.exe
2508	taskkill.exe
3052	taskkill.exe
1616	taskkill.exe
2872	taskkill.exe
1672	taskkill.exe
2012	taskkill.exe
2032	taskkill.exe
2616	taskkill.exe
1592	taskkill.exe
376	taskkill.exe
2616	taskkill.exe
2076	taskkill.exe
2596	taskkill.exe
2728	taskkill.exe
1136	taskkill.exe
2992	taskkill.exe
3000	taskkill.exe
2716	taskkill.exe
664	taskkill.exe
2356	taskkill.exe
1300	taskkill.exe
2372	taskkill.exe
1616	taskkill.exe
1796	taskkill.exe
2436	taskkill.exe
2156	taskkill.exe
2448	taskkill.exe
1204	taskkill.exe
1436	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	2800	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	492	taskkill.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	1028	taskkill.exe
Token: SeDebugPrivilege	2600	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeDebugPrivilege	2808	taskkill.exe
Token: SeDebugPrivilege	2860	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	3048	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	404	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	2992	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	2808	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	3008	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	2516	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	604	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeDebugPrivilege	2944	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2324	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	31
PID 2328 wrote to memory of 2324	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	31
PID 2328 wrote to memory of 2324	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	31
PID 2328 wrote to memory of 2324	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	31
PID 2324 wrote to memory of 1300	2324	cmd.exe	33
PID 2324 wrote to memory of 1300	2324	cmd.exe	33
PID 2324 wrote to memory of 1300	2324	cmd.exe	33
PID 2324 wrote to memory of 1300	2324	cmd.exe	33
PID 2328 wrote to memory of 2924	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	35
PID 2328 wrote to memory of 2924	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	35
PID 2328 wrote to memory of 2924	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	35
PID 2328 wrote to memory of 2924	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	35
PID 2924 wrote to memory of 2800	2924	cmd.exe	37
PID 2924 wrote to memory of 2800	2924	cmd.exe	37
PID 2924 wrote to memory of 2800	2924	cmd.exe	37
PID 2924 wrote to memory of 2800	2924	cmd.exe	37
PID 2328 wrote to memory of 2792	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	38
PID 2328 wrote to memory of 2792	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	38
PID 2328 wrote to memory of 2792	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	38
PID 2328 wrote to memory of 2792	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	38
PID 2792 wrote to memory of 2372	2792	cmd.exe	40
PID 2792 wrote to memory of 2372	2792	cmd.exe	40
PID 2792 wrote to memory of 2372	2792	cmd.exe	40
PID 2792 wrote to memory of 2372	2792	cmd.exe	40
PID 2328 wrote to memory of 2648	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	41
PID 2328 wrote to memory of 2648	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	41
PID 2328 wrote to memory of 2648	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	41
PID 2328 wrote to memory of 2648	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	41
PID 2328 wrote to memory of 2720	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	43
PID 2328 wrote to memory of 2720	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	43
PID 2328 wrote to memory of 2720	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	43
PID 2328 wrote to memory of 2720	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	43
PID 2328 wrote to memory of 2848	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	45
PID 2328 wrote to memory of 2848	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	45
PID 2328 wrote to memory of 2848	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	45
PID 2328 wrote to memory of 2848	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	45
PID 2328 wrote to memory of 2840	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	47
PID 2328 wrote to memory of 2840	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	47
PID 2328 wrote to memory of 2840	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	47
PID 2328 wrote to memory of 2840	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	47
PID 2848 wrote to memory of 1668	2848	cmd.exe	48
PID 2848 wrote to memory of 1668	2848	cmd.exe	48
PID 2848 wrote to memory of 1668	2848	cmd.exe	48
PID 2848 wrote to memory of 1668	2848	cmd.exe	48
PID 2328 wrote to memory of 2544	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	50
PID 2328 wrote to memory of 2544	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	50
PID 2328 wrote to memory of 2544	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	50
PID 2328 wrote to memory of 2544	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	50
PID 2328 wrote to memory of 3048	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	52
PID 2328 wrote to memory of 3048	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	52
PID 2328 wrote to memory of 3048	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	52
PID 2328 wrote to memory of 3048	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	52
PID 2328 wrote to memory of 2216	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	54
PID 2328 wrote to memory of 2216	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	54
PID 2328 wrote to memory of 2216	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	54
PID 2328 wrote to memory of 2216	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	54
PID 2328 wrote to memory of 2736	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	56
PID 2328 wrote to memory of 2736	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	56
PID 2328 wrote to memory of 2736	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	56
PID 2328 wrote to memory of 2736	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	56
PID 2328 wrote to memory of 1620	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	58
PID 2328 wrote to memory of 1620	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	58
PID 2328 wrote to memory of 1620	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	58
PID 2328 wrote to memory of 1620	2328	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	58

C:\Users\Admin\AppData\Local\Temp\3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
"C:\Users\Admin\AppData\Local\Temp\3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im wscript.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wscript.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWD.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWD.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im taskger.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskger.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\ProgramData\taskger.exe
  2⤵
  PID:2648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\RECYCLER\taskger.exe
  2⤵
  PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im taskmgzr.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgzr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\ProgramData\taskmgzr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\RECYCLER\taskmgzr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\ProgramData\vget.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\RECYCLER\vget.vbs
  2⤵
  PID:2216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im assm.exe
  2⤵
  PID:2736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im assm.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls assm.exe /t /e /c /d everyone
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\cacls.exe
    Cacls assm.exe /t /e /c /d everyone
    3⤵
    PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls assm.exe /t /e /c /d system
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\cacls.exe
    Cacls assm.exe /t /e /c /d system
    3⤵
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SqlManagement.exe
  2⤵
  PID:2632
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SqlManagement.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls SqlManagement.exe /t /e /c /d everyone
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\cacls.exe
    Cacls SqlManagement.exe /t /e /c /d everyone
    3⤵
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls SqlManagement.exe /t /e /c /d system
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    Cacls SqlManagement.exe /t /e /c /d system
    3⤵
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SystemManagement.exe
  2⤵
  PID:576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SystemManagement.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls SystemManagement.exe /t /e /c /d everyone
  2⤵
  PID:2880
- - C:\Windows\SysWOW64\cacls.exe
    Cacls SystemManagement.exe /t /e /c /d everyone
    3⤵
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls SystemManagement.exe /t /e /c /d system
  2⤵
  PID:956
- - C:\Windows\SysWOW64\cacls.exe
    Cacls SystemManagement.exe /t /e /c /d system
    3⤵
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im msinfo.exe
  2⤵
  PID:2144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msinfo.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls msinfo.exe /t /e /c /d everyone
  2⤵
  PID:912
- - C:\Windows\SysWOW64\cacls.exe
    Cacls msinfo.exe /t /e /c /d everyone
    3⤵
    PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls msinfo.exe /t /e /c /d system
  2⤵
  PID:444
- - C:\Windows\SysWOW64\cacls.exe
    Cacls msinfo.exe /t /e /c /d system
    3⤵
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im rundlls.exe
  2⤵
  PID:740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundlls.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls rundlls.exe /t /e /c /d everyone
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\cacls.exe
    Cacls rundlls.exe /t /e /c /d everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls rundlls.exe /t /e /c /d system
  2⤵
  PID:896
- - C:\Windows\SysWOW64\cacls.exe
    Cacls rundlls.exe /t /e /c /d system
    3⤵
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoy.exe
  2⤵
  PID:2724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoy.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls conhoy.exe /t /e /c /d everyone
  2⤵
  PID:1536
- - C:\Windows\SysWOW64\cacls.exe
    Cacls conhoy.exe /t /e /c /d everyone
    3⤵
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls conhoy.exe /t /e /c /d system
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\cacls.exe
    Cacls conhoy.exe /t /e /c /d system
    3⤵
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im OmdBase.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OmdBase.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls OmdBase.exe /t /e /c /d everyone
  2⤵
  PID:2600
- - C:\Windows\SysWOW64\cacls.exe
    Cacls OmdBase.exe /t /e /c /d everyone
    3⤵
    PID:1216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls OmdBase.exe /t /e /c /d system
  2⤵
  PID:2488
- - C:\Windows\SysWOW64\cacls.exe
    Cacls OmdBase.exe /t /e /c /d system
    3⤵
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im System.exe
  2⤵
  PID:756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im System.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls System.exe /t /e /c /d everyone
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\cacls.exe
    Cacls System.exe /t /e /c /d everyone
    3⤵
    PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls System.exe /t /e /c /d system
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\cacls.exe
    Cacls System.exe /t /e /c /d system
    3⤵
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im spoolys.exe
  2⤵
  PID:2064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spoolys.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im OmdBase.exe
  2⤵
  PID:2612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OmdBase.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft Maker\OmdBase.exe
  2⤵
  PID:2796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft Maker\OmdBase.exe
  2⤵
  PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft Maker\OmdBase.exe
  2⤵
  PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Windows DVD Maker"
  2⤵
  PID:2536
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows DVD Maker"
    3⤵
    - Launches sc.exe
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Windows DVD Maker"
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows DVD Maker"
    3⤵
    - Launches sc.exe
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im GthUdTask.exe
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im GthUdTask.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft GthUdTask\GthUdTask.exe
  2⤵
  PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft GthUdTask\GthUdTask.exe
  2⤵
  PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft GthUdTask\GthUdTask.exe
  2⤵
  PID:2572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies GthUdTask"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3004
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies GthUdTask"
    3⤵
    - Launches sc.exe
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies GthUdTask"
  2⤵
  PID:2428
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies GthUdTask"
    3⤵
    - Launches sc.exe
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im BthUdTask.exe
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im BthUdTask.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft BthUdTask\BthUdTask.exe
  2⤵
  PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft BthUdTask\BthUdTask.exe
  2⤵
  PID:2304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft BthUdTask\BthUdTask.exe
  2⤵
  PID:744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies BthUdTask"
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies BthUdTask"
    3⤵
    - Launches sc.exe
    PID:524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies BthUdTask"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1156
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies BthUdTask"
    3⤵
    - Launches sc.exe
    PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SvidaPctb.exe
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SvidaPctb.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SvidaPctb\SvidaPctb.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft SvidaPctb\SvidaPctb.exe
  2⤵
  PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SvidaPctb\SvidaPctb.exe
  2⤵
  PID:2108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im WavesSys.exe
  2⤵
  PID:2384
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im WavesSys.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies WavesSys"
  2⤵
  PID:2740
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies WavesSys"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies WavesSys"
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies WavesSys"
    3⤵
    - Launches sc.exe
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im System.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im System.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft StuSystem\System.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft StuSystem\System.exe
  2⤵
  PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft StuSystem\System.exe
  2⤵
  PID:2516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Nvdxgiwrap.exe
  2⤵
  PID:2500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Nvdxgiwrap.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Windows Nvdxgiwrap"
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows Nvdxgiwrap"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Windows Nvdxgiwrap"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1984
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows Nvdxgiwrap"
    3⤵
    - Launches sc.exe
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Windows Rsytvcem"
  2⤵
  PID:740
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows Rsytvcem"
    3⤵
    - Launches sc.exe
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Windows Rsytvcem"
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows Rsytvcem"
    3⤵
    - Launches sc.exe
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Rsytvcp.exe
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Rsytvcp.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft Rsytvcem\Rsytvcp.exe
  2⤵
  PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft Rsytvcem\Rsytvcp.exe
  2⤵
  PID:2944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft Rsytvcem\Rsytvcp.exe
  2⤵
  PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im spoolys.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spoolys.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Windows\Help\spoolys.exe
  2⤵
  PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im lsma12.exe
  2⤵
  PID:480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lsma12.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Windows\INF\aspnet\lsma12.exe
  2⤵
  PID:2344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im assm.exe
  2⤵
  PID:2568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im assm.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe
  2⤵
  PID:2692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe
  2⤵
  PID:2584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im sqlcmd.exe
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlcmd.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sqlcmd.exe
  2⤵
  PID:2996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sqlcmd.exe
  2⤵
  PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhos.exe
  2⤵
  PID:2652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhos.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhos.exe
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhos.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhou.exe
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhou.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhou.exe
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhou.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im m6.bin.bin.exe
  2⤵
  PID:3016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im m6.bin.bin.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im javaw.exe
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im javaw.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im clsso.exe
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im clsso.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoz.exe
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoz.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoz.exe
  2⤵
  PID:2208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoz.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoz.exe
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoz.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoz.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoz.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoy.exe
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoy.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoy.exe
  2⤵
  PID:2708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im csrs.exe
  2⤵
  PID:2516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csrs.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im csrs.exe
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csrs.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im sysdo.exe
  2⤵
  PID:2600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sysdo.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im sysdo.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sysdo.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SqlManagement.exe
  2⤵
  PID:2912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SqlManagement.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sSqlManagement.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SqlManagement.exe
  2⤵
  PID:1264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SystemManagement.exe
  2⤵
  PID:2444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SystemManagement.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe
  2⤵
  PID:2924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe
  2⤵
  PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\*
  2⤵
  PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im taskmgr.exe
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im wscript.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2720
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wscript.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWD.exe
  2⤵
  PID:2692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWD.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWA.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWA.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWB.exe
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWB.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWC.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENAC.exe
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENAC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:2284
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:744
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /t /g system:f
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /t /g system:f
    3⤵
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:2116
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:2632
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:1316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3016
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:492
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:1244
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:2420
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:1788
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:1872
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTC.exe
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTC.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTC.exe
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTN.exe
  2⤵
  PID:2864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTN.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTN.exe
  2⤵
  PID:1308
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTN.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTA.exe
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTA.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTA.exe
  2⤵
  PID:2944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTA.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:2932
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /t /g system:f
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /t /g system:f
    3⤵
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:2244
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:2312
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:480
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2556
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:2852
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:2704
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:988
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATC.exe
  2⤵
  PID:2652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATC.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATC.exe
  2⤵
  PID:2736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATN.exe
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATN.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATN.exe
  2⤵
  PID:2888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATN.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATA.exe
  2⤵
  PID:1524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATA.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATA.exe
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATA.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Users\MSSQL~1\AppData\Local\Temp\*
  2⤵
  PID:1200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Users\MSSQLSERVER\AppData\Local\Temp\*
  2⤵
  PID:492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Windows\Temp\*
  2⤵
  PID:956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\*
  2⤵
  PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Users\Administrator\AppData\Local\Temp\*
  2⤵
  PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\TempUpdate2.bat
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cacls.exe" /e /t /g everyone:f
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cacls.exe" /e /t /g everyone:f
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cacls.exe" /e /t /g everyone:f
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cacls.exe" /e /t /g everyone:f
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cacls.exe" /e /t /g system:f
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cacls.exe" /e /t /g system:f
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cacls.exe" /e /t /g system:f
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cacls.exe" /e /t /g system:f
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cmd.exe" /e /t /g everyone:f
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g everyone:f
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cmd.exe" /e /t /g everyone:f
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g everyone:f
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cmd.exe" /e /t /g system:f
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g system:f
    3⤵
    PID:976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cmd.exe" /e /t /g system:f
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g system:f
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\ftp.exe" /e /t /g everyone:f
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g everyone:f
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\ftp.exe" /e /t /g everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1264
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g everyone:f
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\ftp.exe" /e /t /g system:f
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g system:f
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\ftp.exe" /e /t /g system:f
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Rsytvcp.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Rsytvcp.exe
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Nvdxgiwrap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Nvdxgiwrap.exe
    3⤵
    - Kills process with taskkill
    PID:2464
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Rsytvcem" /t /e /c /r everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2528
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Rsytvcem" /t /e /c /r system
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2444
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Nvdxgiwrap" /t /e /c /r everyone
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Nvdxgiwrap" /t /e /c /r system
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Rsytvcem" /t /e /c /r everyone
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Rsytvcem" /t /e /c /r system
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Nvdxgiwrap" /t /e /c /r everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3048
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Nvdxgiwrap" /t /e /c /r system
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Rsytvcem" /t /e /c /r everyone
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Rsytvcem" /t /e /c /r system
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Nvdxgiwrap" /t /e /c /r everyone
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Nvdxgiwrap" /t /e /c /r system
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Rsytvcem\*" /t /e /c /r everyone
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Rsytvcem\*" /t /e /c /r system
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Nvdxgiwrap\*" /t /e /c /r everyone
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Nvdxgiwrap\*" /t /e /c /r system
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Rsytvcem\Rsytvcp.exe" /t /e /c /r everyone
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Rsytvcem\Rsytvcp.exe" /t /e /c /r system
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Nvdxgiwrap\Nvdxgiwrap.exe" /t /e /c /r everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Nvdxgiwrap\Nvdxgiwrap.exe" /t /e /c /r system
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Rsytvcem\*" /t /e /c /r everyone
    3⤵
    PID:572
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Rsytvcem\*" /t /e /c /r system
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Nvdxgiwrap\*" /t /e /c /r everyone
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Nvdxgiwrap\*" /t /e /c /r system
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Rsytvcem\Rsytvcp.exe" /t /e /c /r everyone
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Rsytvcem\Rsytvcp.exe" /t /e /c /r system
    3⤵
    PID:480
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Nvdxgiwrap\Nvdxgiwrap.exe" /t /e /c /r everyone
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Nvdxgiwrap\Nvdxgiwrap.exe" /t /e /c /r system
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows Nvdxgiwrap"
    3⤵
    - Launches sc.exe
    PID:1236
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows Rsytvcem"
    3⤵
    - Launches sc.exe
    PID:880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sysdo.exe
    3⤵
    - Kills process with taskkill
    PID:2356
- - C:\Windows\SysWOW64\cacls.exe
    Cacls c:\windows\temp\conhoy.exe /t /e /c /r everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:832
- - C:\Windows\SysWOW64\cacls.exe
    Cacls conhoy.exe /t /e /c /r everyone
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\cacls.exe
    Cacls conhoy.exe /t /e /c /r system
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoy.exe
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\cacls.exe
    Cacls C:\Windows\system\msinfo.exe /t /e /c /r everyone
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\cacls.exe
    Cacls msinfo.exe /t /e /c /r everyone
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\cacls.exe
    Cacls msinfo.exe /t /e /c /r system
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msinfo.exe
    3⤵
    - Kills process with taskkill
    PID:1436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msinfo.exe
    3⤵
    - Kills process with taskkill
    PID:1664
- - C:\Windows\SysWOW64\cacls.exe
    Cacls C:\Windows\system/t /e /c /r everyone
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\cacls.exe
    Cacls C:\Windows\INF\aspnet/t /e /c /r everyone
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\cacls.exe
    Cacls lsma12.exe /t /e /c /r everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    Cacls lsma12.exe /t /e /c /r system
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lsma12.exe
    3⤵
    - Kills process with taskkill
    PID:376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lsma12.exe
    3⤵
    - Kills process with taskkill
    PID:2740
- - C:\Windows\SysWOW64\cacls.exe
    Cacls csrs.exe /t /e /c /r everyone
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\cacls.exe
    Cacls csrs.exe /t /e /c /r system
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1200
- - C:\Windows\SysWOW64\cacls.exe
    Cacls C:\Windows\SysWOW64\csrs.exe /t /e /c /r everyone
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csrs.exe
    3⤵
    - Kills process with taskkill
    PID:492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csrs.exe
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftWindows" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2160
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "Mysa" /F
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "Mysa1" /F
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "Mysa2" /F
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "Mysa3" /F
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "OKa" /F
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "OK" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1356
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftsWindows" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2516
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftsWindowsu" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftsWindowsy" /F
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "At1" /F
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "At2" /F
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "45645" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftsWindowsy" /F
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\sc.exe
    sc delete "xwinwpdsrv"
    3⤵
    - Launches sc.exe
    PID:1688
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\ProgramData\Oracle\Java\java.exe" /t /e /c /r everyone
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\ProgramData\Oracle\Java\java.exe" /t /e /c /r system
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\ProgramData\Oracle\Java\java.exe" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:1248
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\ProgramData\Oracle\Java\java.exe" /t /e /c /r system
    3⤵
    - Enumerates connected drives
    PID:2864
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\ProgramData\Oracle\Java\java.exe" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:1600
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\ProgramData\Oracle\Java\java.exe" /t /e /c /r system
    3⤵
    - Enumerates connected drives
    PID:976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im java.exe
    3⤵
    - Kills process with taskkill
    PID:2724
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Windows\svchost.com" /t /e /c /r everyone
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Windows\svchost.com" /t /e /c /r system
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Windows\svchost.com" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:1884
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Windows\svchost.com" /t /e /c /r system
    3⤵
    - Enumerates connected drives
    PID:3024
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Windows\svchost.com" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:2448
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Windows\svchost.com" /t /e /c /r system
    3⤵
    - Enumerates connected drives
    PID:2856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im svchost.com
    3⤵
    - Kills process with taskkill
    PID:2616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im WavesSys.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SvidaPctb.exe
    3⤵
    - Kills process with taskkill
    PID:2788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im GthUdTask.exe
    3⤵
    - Kills process with taskkill
    PID:2596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im BthUdTask.exe
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OmdBase.exe
    3⤵
    - Kills process with taskkill
    PID:2076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im System.exe
    3⤵
    - Kills process with taskkill
    PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Maker" /t /e /c /d everyone
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Maker" /t /e /c /d system
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Maker" /t /e /c /d everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2840
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Maker" /t /e /c /d system
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Maker" /t /e /c /d everyone
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Maker" /t /e /c /d system
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft StuSystem" /t /e /c /d everyone
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft StuSystem" /t /e /c /d system
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft StuSystem" /t /e /c /d everyone
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft StuSystem" /t /e /c /d system
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft StuSystem" /t /e /c /d everyone
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft StuSystem" /t /e /c /d system
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\WindowsRunner.exe" /t /e /c /r everyone
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe" /t /e /c /r everyone
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe" /t /e /c /d everyone
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SqlManagement.exe" /t /e /c /d everyone
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\*" /t /e /c /d everyone
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\WindowsRunner.exe" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:572
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    PID:2664
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SqlManagement.exe" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\*" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    PID:1636
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\WindowsRunner.exe" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:480
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:2140
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    PID:2872
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\SqlManagement.exe" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    PID:1236
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\SqlManagement\*" /t /e /c /d everyone
    3⤵
    - Enumerates connected drives
    PID:880
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "WindowsRunner.exe" /t /e /c /d everyone
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "WindowsRunner.exe" /t /e /c /d system
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "SystemManagement.exe" /t /e /c /d everyone
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "SystemManagement.exe" /t /e /c /d system
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "SqlManagement.exe" /t /e /c /d everyone
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "SqlManagement.exe" /t /e /c /d system
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im WindowsRunner.exe
    3⤵
    - Kills process with taskkill
    PID:2412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SystemManagement.exe
    3⤵
    - Kills process with taskkill
    PID:1592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SqlManagement.exe
    3⤵
    - Kills process with taskkill
    PID:2436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im assm.exe
    3⤵
    - Kills process with taskkill
    PID:896
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "?C:\ProgramData\Microsoft\RAC\lcacs.exe" /t /e /c /r everyone
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\ProgramData\Microsoft\RAC\lcacs.exe" /t /e /c /r system
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "?C:\ProgramData\Microsoft\RAC\lsass.exe" /t /e /c /r everyone
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "?C:\ProgramData\Microsoft\RAC\lsass.exe" /t /e /c /r system
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\ProgramData\Oracle\Java\*" /t /e /c /r everyone
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "?C:\ProgramData\Oracle\Java\*" /t /e /c /r system
    3⤵
    PID:376
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "?C:\ProgramData\Microsoft\RAC\*" /t /e /c /r everyone
    3⤵
    PID:444
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\ProgramData\Microsoft\RAC\*" /t /e /c /r system
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lcacs.exe
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sysdo.exe
    3⤵
    - Kills process with taskkill
    PID:548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\cacls.exe /e /t /g everyone:f
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\cacls.exe /e /t /g everyone:f
  2⤵
  PID:740
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
    3⤵
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
  2⤵
  PID:1308
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
    3⤵
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
  2⤵
  PID:2724
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
    3⤵
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\cacls.exe /e /t /g system:f
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cacls.exe /e /t /g system:f
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\cacls.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
    3⤵
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\cacls.exe /e /t /g system:f
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cacls.exe /e /t /g system:f
    3⤵
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1724
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
    3⤵
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\cmd.exe /e /t /g everyone:f
  2⤵
  PID:2228
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\cmd.exe /e /t /g everyone:f
  2⤵
  PID:2576
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
    3⤵
    PID:2344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
    3⤵
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
  2⤵
  PID:2244
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
    3⤵
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\cmd.exe /e /t /g system:f
  2⤵
  PID:3048
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /t /g system:f
    3⤵
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\cmd.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3004
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
    3⤵
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\cmd.exe /e /t /g system:f
  2⤵
  PID:2544
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /t /g system:f
    3⤵
    PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
    3⤵
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\ftp.exe /e /t /g everyone:f
  2⤵
  PID:480
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
    3⤵
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\ftp.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2140
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
  2⤵
  PID:2500
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
    3⤵
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
  2⤵
  PID:1236
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
    3⤵
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\ftp.exe /e /t /g system:f
  2⤵
  PID:2736
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\ftp.exe /e /t /g system:f
    3⤵
    PID:1892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\ftp.exe /e /t /g system:f
  2⤵
  PID:2304
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
    3⤵
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\ftp.exe /e /t /g system:f
  2⤵
  PID:2376
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\ftp.exe /e /t /g system:f
    3⤵
    PID:1248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
  2⤵
  PID:696
- - C:\Windows\SysWOW64\cacls.exe
    cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
  2⤵
  PID:2784
- - C:\Windows\SysWOW64\cacls.exe
    cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
    3⤵
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
  2⤵
  PID:2116
- - C:\Windows\SysWOW64\cacls.exe
    cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
    3⤵
    PID:1308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\cacls.exe
    cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:444
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:664
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
  2⤵
  PID:1756
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
    3⤵
    PID:304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:2868
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:1356
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:960
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:2480
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:3028
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:3052
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:2396
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1716
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im cmd.exe
  2⤵
  PID:316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im cacls.exe
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cacls.exe
    3⤵
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempUpdate2.bat

Filesize
20KB

MD5
1d2e1796333e760e1c23814ff1dd866d

SHA1
af00c86e4d35219ed5be85490f33f0c2f5bb8e85

SHA256
20afa16cee1f051a7163b2245dd51412aa7d04a578a3351e3021ad3388dfa7a6

SHA512
94feb9e580fe3e654ab838095d09a068315d96211e4b120599ef8b076b8ed836b7019260f9c0202c55b282cc2d880b3d07f920098836ddcebd193bfbd1749581

Download Submit
memory/2328-0-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/2328-1-0x0000000000250000-0x000000000025B000-memory.dmp

Filesize
44KB

Download
memory/2328-2-0x0000000000250000-0x000000000025B000-memory.dmp

Filesize
44KB

Download
memory/2328-3-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/2328-4-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/2328-7-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/2328-9-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/2328-10-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download