3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
Size

573KB
MD5

fd53aa04a0dafdb9fa604826affdc344
SHA1

be14d050d1b7eae16de537c6d4cc5e3111d1068e
SHA256

3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664
SHA512

e77b193af7b7468eb1516bcab0ce41b8146a7c59904643c8553017704fdd868d8dc38cdad8a43b0b4a064dc75f09e662550561c60eb02a0d763006701ea9f51f
SSDEEP

12288:BmbKknYt4pmY2QzHeiILKhLKYVu/An5WDhQslKTAfKdBFhlOti5s:BmbKPoQQrjIiLKYVu/9uSDfKbDsi5s

Score

8^/10

defense_evasion discovery evasion execution upx

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1856-0-0x0000000000400000-0x0000000000566000-memory.dmp	upx
behavioral2/memory/1856-1-0x00000000023F0000-0x00000000023FB000-memory.dmp	upx
behavioral2/memory/1856-2-0x00000000023F0000-0x00000000023FB000-memory.dmp	upx
behavioral2/memory/1856-3-0x0000000000400000-0x0000000000566000-memory.dmp	upx
behavioral2/memory/1856-4-0x0000000000400000-0x0000000000566000-memory.dmp	upx
behavioral2/memory/1856-7-0x0000000000400000-0x0000000000566000-memory.dmp	upx
behavioral2/memory/1856-9-0x0000000000400000-0x0000000000566000-memory.dmp	upx
behavioral2/memory/1856-10-0x0000000000400000-0x0000000000566000-memory.dmp	upx

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\D:	cacls.exe
File opened (read-only)	\??\E:	cacls.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3984	sc.exe
768	sc.exe
5020	sc.exe
4296	sc.exe
364	sc.exe
3464	sc.exe
1948	sc.exe
3124	sc.exe
1192	sc.exe
5020	sc.exe
2760	sc.exe
2568	sc.exe
1508	sc.exe
4284	sc.exe
1884	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
4504	taskkill.exe
1952	taskkill.exe
1732	taskkill.exe
3992	taskkill.exe
3216	taskkill.exe
1008	taskkill.exe
3796	taskkill.exe
4744	taskkill.exe
3024	taskkill.exe
5092	taskkill.exe
3352	taskkill.exe
4856	taskkill.exe
3948	taskkill.exe
3988	taskkill.exe
3980	taskkill.exe
3008	taskkill.exe
4728	taskkill.exe
5000	taskkill.exe
1344	taskkill.exe
4788	taskkill.exe
3600	taskkill.exe
1572	taskkill.exe
4308	taskkill.exe
4408	taskkill.exe
3508	taskkill.exe
1192	taskkill.exe
732	taskkill.exe
2976	taskkill.exe
1232	taskkill.exe
4772	taskkill.exe
3064	taskkill.exe
3936	taskkill.exe
3444	taskkill.exe
4436	taskkill.exe
3912	taskkill.exe
1116	taskkill.exe
3936	taskkill.exe
744	taskkill.exe
3100	taskkill.exe
2172	taskkill.exe
3276	taskkill.exe
2144	taskkill.exe
4996	taskkill.exe
3404	taskkill.exe
4172	taskkill.exe
3452	taskkill.exe
2296	taskkill.exe
4916	taskkill.exe
3328	taskkill.exe
1652	taskkill.exe
6004	taskkill.exe
232	taskkill.exe
2200	taskkill.exe
3372	taskkill.exe
3984	taskkill.exe
1692	taskkill.exe
4312	taskkill.exe
4020	taskkill.exe
2296	taskkill.exe
1480	taskkill.exe
2256	taskkill.exe
544	taskkill.exe
4688	taskkill.exe
1224	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	232	taskkill.exe
Token: SeDebugPrivilege	3444	taskkill.exe
Token: SeDebugPrivilege	3980	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	4436	taskkill.exe
Token: SeDebugPrivilege	3008	taskkill.exe
Token: SeDebugPrivilege	744	taskkill.exe
Token: SeDebugPrivilege	732	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	4728	taskkill.exe
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeDebugPrivilege	5092	taskkill.exe
Token: SeDebugPrivilege	4020	taskkill.exe
Token: SeDebugPrivilege	3216	taskkill.exe
Token: SeDebugPrivilege	3172	taskkill.exe
Token: SeDebugPrivilege	4432	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	4780	taskkill.exe
Token: SeDebugPrivilege	3464	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	3404	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	544	taskkill.exe
Token: SeDebugPrivilege	4172	taskkill.exe
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeDebugPrivilege	4408	taskkill.exe
Token: SeDebugPrivilege	3912	taskkill.exe
Token: SeDebugPrivilege	4772	taskkill.exe
Token: SeDebugPrivilege	3352	taskkill.exe
Token: SeDebugPrivilege	3100	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeDebugPrivilege	4856	taskkill.exe
Token: SeDebugPrivilege	1372	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	3452	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	1344	taskkill.exe
Token: SeDebugPrivilege	3372	taskkill.exe
Token: SeDebugPrivilege	1420	taskkill.exe
Token: SeDebugPrivilege	3064	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	4788	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	3508	taskkill.exe
Token: SeDebugPrivilege	3276	taskkill.exe
Token: SeDebugPrivilege	1224	taskkill.exe
Token: SeDebugPrivilege	3600	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 1952	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	86
PID 1856 wrote to memory of 1952	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	86
PID 1856 wrote to memory of 1952	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	86
PID 1952 wrote to memory of 3024	1952	cmd.exe	88
PID 1952 wrote to memory of 3024	1952	cmd.exe	88
PID 1952 wrote to memory of 3024	1952	cmd.exe	88
PID 1856 wrote to memory of 1044	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	90
PID 1856 wrote to memory of 1044	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	90
PID 1856 wrote to memory of 1044	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	90
PID 1044 wrote to memory of 232	1044	cmd.exe	92
PID 1044 wrote to memory of 232	1044	cmd.exe	92
PID 1044 wrote to memory of 232	1044	cmd.exe	92
PID 1856 wrote to memory of 3736	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	93
PID 1856 wrote to memory of 3736	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	93
PID 1856 wrote to memory of 3736	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	93
PID 3736 wrote to memory of 3444	3736	cmd.exe	95
PID 3736 wrote to memory of 3444	3736	cmd.exe	95
PID 3736 wrote to memory of 3444	3736	cmd.exe	95
PID 1856 wrote to memory of 2672	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	96
PID 1856 wrote to memory of 2672	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	96
PID 1856 wrote to memory of 2672	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	96
PID 1856 wrote to memory of 4172	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	98
PID 1856 wrote to memory of 4172	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	98
PID 1856 wrote to memory of 4172	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	98
PID 1856 wrote to memory of 1524	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	101
PID 1856 wrote to memory of 1524	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	101
PID 1856 wrote to memory of 1524	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	101
PID 1856 wrote to memory of 2888	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	103
PID 1856 wrote to memory of 2888	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	103
PID 1856 wrote to memory of 2888	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	103
PID 1856 wrote to memory of 4868	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	105
PID 1856 wrote to memory of 4868	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	105
PID 1856 wrote to memory of 4868	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	105
PID 1524 wrote to memory of 3980	1524	cmd.exe	107
PID 1524 wrote to memory of 3980	1524	cmd.exe	107
PID 1524 wrote to memory of 3980	1524	cmd.exe	107
PID 1856 wrote to memory of 5072	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	108
PID 1856 wrote to memory of 5072	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	108
PID 1856 wrote to memory of 5072	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	108
PID 1856 wrote to memory of 752	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	110
PID 1856 wrote to memory of 752	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	110
PID 1856 wrote to memory of 752	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	110
PID 1856 wrote to memory of 4896	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	112
PID 1856 wrote to memory of 4896	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	112
PID 1856 wrote to memory of 4896	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	112
PID 1856 wrote to memory of 3532	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	114
PID 1856 wrote to memory of 3532	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	114
PID 1856 wrote to memory of 3532	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	114
PID 1856 wrote to memory of 3988	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	116
PID 1856 wrote to memory of 3988	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	116
PID 1856 wrote to memory of 3988	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	116
PID 1856 wrote to memory of 4548	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	246
PID 1856 wrote to memory of 4548	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	246
PID 1856 wrote to memory of 4548	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	246
PID 1856 wrote to memory of 4688	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	120
PID 1856 wrote to memory of 4688	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	120
PID 1856 wrote to memory of 4688	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	120
PID 1856 wrote to memory of 608	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	121
PID 1856 wrote to memory of 608	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	121
PID 1856 wrote to memory of 608	1856	3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe	121
PID 4896 wrote to memory of 3936	4896	cmd.exe	123
PID 4896 wrote to memory of 3936	4896	cmd.exe	123
PID 4896 wrote to memory of 3936	4896	cmd.exe	123
PID 3532 wrote to memory of 4604	3532	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe
"C:\Users\Admin\AppData\Local\Temp\3448f9b0716afc7106595a7765f6d3544e25c5dfbbd2e83604c5170ea82ef664.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im wscript.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wscript.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWD.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWD.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im taskger.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskger.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\ProgramData\taskger.exe
  2⤵
  PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\RECYCLER\taskger.exe
  2⤵
  PID:4172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im taskmgzr.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgzr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\ProgramData\taskmgzr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\RECYCLER\taskmgzr.exe
  2⤵
  PID:4868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\ProgramData\vget.vbs
  2⤵
  PID:5072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\RECYCLER\vget.vbs
  2⤵
  PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im assm.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im assm.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls assm.exe /t /e /c /d everyone
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\SysWOW64\cacls.exe
    Cacls assm.exe /t /e /c /d everyone
    3⤵
    PID:4604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls assm.exe /t /e /c /d system
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3988
- - C:\Windows\SysWOW64\cacls.exe
    Cacls assm.exe /t /e /c /d system
    3⤵
    PID:3120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SqlManagement.exe
  2⤵
  PID:4548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SqlManagement.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls SqlManagement.exe /t /e /c /d everyone
  2⤵
  PID:4688
- - C:\Windows\SysWOW64\cacls.exe
    Cacls SqlManagement.exe /t /e /c /d everyone
    3⤵
    PID:3356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls SqlManagement.exe /t /e /c /d system
  2⤵
  PID:608
- - C:\Windows\SysWOW64\cacls.exe
    Cacls SqlManagement.exe /t /e /c /d system
    3⤵
    PID:2324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SystemManagement.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SystemManagement.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls SystemManagement.exe /t /e /c /d everyone
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\cacls.exe
    Cacls SystemManagement.exe /t /e /c /d everyone
    3⤵
    PID:2364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls SystemManagement.exe /t /e /c /d system
  2⤵
  PID:1260
- - C:\Windows\SysWOW64\cacls.exe
    Cacls SystemManagement.exe /t /e /c /d system
    3⤵
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im msinfo.exe
  2⤵
  PID:4788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msinfo.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls msinfo.exe /t /e /c /d everyone
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\cacls.exe
    Cacls msinfo.exe /t /e /c /d everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls msinfo.exe /t /e /c /d system
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3508
- - C:\Windows\SysWOW64\cacls.exe
    Cacls msinfo.exe /t /e /c /d system
    3⤵
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im rundlls.exe
  2⤵
  PID:624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundlls.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls rundlls.exe /t /e /c /d everyone
  2⤵
  PID:3972
- - C:\Windows\SysWOW64\cacls.exe
    Cacls rundlls.exe /t /e /c /d everyone
    3⤵
    PID:4672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls rundlls.exe /t /e /c /d system
  2⤵
  PID:3584
- - C:\Windows\SysWOW64\cacls.exe
    Cacls rundlls.exe /t /e /c /d system
    3⤵
    PID:4776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoy.exe
  2⤵
  PID:2464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls conhoy.exe /t /e /c /d everyone
  2⤵
  PID:968
- - C:\Windows\SysWOW64\cacls.exe
    Cacls conhoy.exe /t /e /c /d everyone
    3⤵
    PID:832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls conhoy.exe /t /e /c /d system
  2⤵
  - System Location Discovery: System Language Discovery
  PID:508
- - C:\Windows\SysWOW64\cacls.exe
    Cacls conhoy.exe /t /e /c /d system
    3⤵
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im OmdBase.exe
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OmdBase.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls OmdBase.exe /t /e /c /d everyone
  2⤵
  PID:4684
- - C:\Windows\SysWOW64\cacls.exe
    Cacls OmdBase.exe /t /e /c /d everyone
    3⤵
    PID:4780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls OmdBase.exe /t /e /c /d system
  2⤵
  PID:2272
- - C:\Windows\SysWOW64\cacls.exe
    Cacls OmdBase.exe /t /e /c /d system
    3⤵
    PID:4820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im System.exe
  2⤵
  PID:4252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im System.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls System.exe /t /e /c /d everyone
  2⤵
  PID:3040
- - C:\Windows\SysWOW64\cacls.exe
    Cacls System.exe /t /e /c /d everyone
    3⤵
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Cacls System.exe /t /e /c /d system
  2⤵
  PID:464
- - C:\Windows\SysWOW64\cacls.exe
    Cacls System.exe /t /e /c /d system
    3⤵
    PID:3396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im spoolys.exe
  2⤵
  PID:1244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spoolys.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im OmdBase.exe
  2⤵
  PID:1132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OmdBase.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft Maker\OmdBase.exe
  2⤵
  PID:4984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft Maker\OmdBase.exe
  2⤵
  PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft Maker\OmdBase.exe
  2⤵
  PID:4480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Windows DVD Maker"
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows DVD Maker"
    3⤵
    - Launches sc.exe
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Windows DVD Maker"
  2⤵
  PID:3564
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows DVD Maker"
    3⤵
    - Launches sc.exe
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im GthUdTask.exe
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im GthUdTask.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft GthUdTask\GthUdTask.exe
  2⤵
  PID:5116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft GthUdTask\GthUdTask.exe
  2⤵
  PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft GthUdTask\GthUdTask.exe
  2⤵
  PID:2164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies GthUdTask"
  2⤵
  PID:3432
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies GthUdTask"
    3⤵
    - Launches sc.exe
    PID:4296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies GthUdTask"
  2⤵
  PID:1536
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies GthUdTask"
    3⤵
    - Launches sc.exe
    PID:3984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im BthUdTask.exe
  2⤵
  PID:4980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im BthUdTask.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft BthUdTask\BthUdTask.exe
  2⤵
  PID:3384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft BthUdTask\BthUdTask.exe
  2⤵
  PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft BthUdTask\BthUdTask.exe
  2⤵
  PID:1780
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies BthUdTask"
  2⤵
  PID:1260
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies BthUdTask"
    3⤵
    - Launches sc.exe
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies BthUdTask"
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies BthUdTask"
    3⤵
    - Launches sc.exe
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SvidaPctb.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SvidaPctb.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SvidaPctb\SvidaPctb.exe
  2⤵
  PID:3640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft SvidaPctb\SvidaPctb.exe
  2⤵
  PID:5012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SvidaPctb\SvidaPctb.exe
  2⤵
  PID:4932
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im WavesSys.exe
  2⤵
  PID:4496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im WavesSys.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies WavesSys"
  2⤵
  PID:2464
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies WavesSys"
    3⤵
    - Launches sc.exe
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Assemblies WavesSys"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1480
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Assemblies WavesSys"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im System.exe
  2⤵
  PID:2960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im System.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft StuSystem\System.exe
  2⤵
  PID:708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft StuSystem\System.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft StuSystem\System.exe
  2⤵
  PID:3736
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Nvdxgiwrap.exe
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Nvdxgiwrap.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Windows Nvdxgiwrap"
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows Nvdxgiwrap"
    3⤵
    - Launches sc.exe
    PID:3124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Windows Nvdxgiwrap"
  2⤵
  PID:312
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows Nvdxgiwrap"
    3⤵
    - Launches sc.exe
    PID:768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Windows Rsytvcem"
  2⤵
  PID:3996
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows Rsytvcem"
    3⤵
    - Launches sc.exe
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete "Corporati Windows Rsytvcem"
  2⤵
  PID:4060
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows Rsytvcem"
    3⤵
    - Launches sc.exe
    PID:5020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Rsytvcp.exe
  2⤵
  PID:744
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Rsytvcp.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft Rsytvcem\Rsytvcp.exe
  2⤵
  PID:4276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files (x86)\Microsoft Rsytvcem\Rsytvcp.exe
  2⤵
  PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft Rsytvcem\Rsytvcp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im spoolys.exe
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spoolys.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Windows\Help\spoolys.exe
  2⤵
  PID:5016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im lsma12.exe
  2⤵
  PID:692
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lsma12.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Windows\INF\aspnet\lsma12.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3384
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im assm.exe
  2⤵
  PID:5072
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im assm.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe
  2⤵
  PID:5004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\assm.exe
  2⤵
  PID:3884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im sqlcmd.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlcmd.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sqlcmd.exe
  2⤵
  PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sqlcmd.exe
  2⤵
  PID:116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhos.exe
  2⤵
  PID:4924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhos.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhos.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2888
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhos.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhou.exe
  2⤵
  PID:608
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhou.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhou.exe
  2⤵
  PID:4820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhou.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im m6.bin.bin.exe
  2⤵
  PID:1832
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im m6.bin.bin.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im javaw.exe
  2⤵
  PID:3992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im javaw.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im clsso.exe
  2⤵
  PID:3568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im clsso.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoz.exe
  2⤵
  PID:4368
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoz.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoz.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1544
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoz.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoz.exe
  2⤵
  PID:3804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoz.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoz.exe
  2⤵
  PID:216
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoz.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoy.exe
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im conhoy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:376
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im csrs.exe
  2⤵
  PID:4276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csrs.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im csrs.exe
  2⤵
  PID:1272
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csrs.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im sysdo.exe
  2⤵
  PID:2528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sysdo.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im sysdo.exe
  2⤵
  PID:2380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sysdo.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SqlManagement.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4504
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SqlManagement.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\sSqlManagement.exe
  2⤵
  PID:1148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SqlManagement.exe
  2⤵
  PID:4264
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SystemManagement.exe
  2⤵
  PID:3716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SystemManagement.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe
  2⤵
  PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\SystemManagement.exe
  2⤵
  PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\SqlManagement\*
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im taskmgr.exe
  2⤵
  PID:4272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im wscript.exe
  2⤵
  PID:2836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wscript.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWD.exe
  2⤵
  PID:4964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWD.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWA.exe
  2⤵
  PID:4820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWA.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWB.exe
  2⤵
  PID:2152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWB.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTSWC.exe
  2⤵
  PID:2852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTSWC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENAC.exe
  2⤵
  PID:2604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENAC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:1460
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:4036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:3736
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /t /g system:f
  2⤵
  PID:4064
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /t /g system:f
    3⤵
    PID:2068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:4976
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:4076
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\sqlagentc.exe /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:4408
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:3540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:2348
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:4504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:2408
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4544
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:2780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:3832
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:3420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g system:f
  2⤵
  PID:768
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:1244
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1644
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g system:f
    3⤵
    PID:4704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g everyone:f
  2⤵
  PID:3852
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlagentc.exe /e /t /g everyone:f
    3⤵
    PID:4880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTC.exe
  2⤵
  PID:3792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTC.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTC.exe
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTN.exe
  2⤵
  PID:856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTN.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTN.exe
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTN.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTA.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTA.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGENTA.exe
  2⤵
  PID:2788
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGENTA.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2820
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:2148
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:5020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /t /g system:f
  2⤵
  PID:996
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /t /g system:f
    3⤵
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:2256
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:3128
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:3032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:3768
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:4796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:3172
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:2960
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:5092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:3344
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:4216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:3028
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:3640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:4548
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:5004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:4512
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g system:f
  2⤵
  PID:4820
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g system:f
    3⤵
    PID:3136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g everyone:f
  2⤵
  PID:2972
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\SQLAGEATC.exe /e /t /g everyone:f
    3⤵
    PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATC.exe
  2⤵
  PID:3736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATC.exe
  2⤵
  PID:5048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATN.exe
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATN.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATN.exe
  2⤵
  PID:3464
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATN.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATA.exe
  2⤵
  PID:4340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATA.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im SQLAGEATA.exe
  2⤵
  PID:3064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SQLAGEATA.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Users\MSSQL~1\AppData\Local\Temp\*
  2⤵
  PID:1008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Users\MSSQLSERVER\AppData\Local\Temp\*
  2⤵
  PID:4684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Windows\Temp\*
  2⤵
  PID:4924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\*
  2⤵
  PID:4788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a /q C:\Users\Administrator\AppData\Local\Temp\*
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\TempUpdate2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cacls.exe" /e /t /g everyone:f
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cacls.exe" /e /t /g everyone:f
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cacls.exe" /e /t /g everyone:f
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cacls.exe" /e /t /g everyone:f
    3⤵
    PID:5104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cacls.exe" /e /t /g system:f
    3⤵
    PID:692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cacls.exe" /e /t /g system:f
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cacls.exe" /e /t /g system:f
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cacls.exe" /e /t /g system:f
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cmd.exe" /e /t /g everyone:f
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g everyone:f
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cmd.exe" /e /t /g everyone:f
    3⤵
    PID:640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g everyone:f
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cmd.exe" /e /t /g system:f
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g system:f
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\cmd.exe" /e /t /g system:f
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\cmd.exe" /e /t /g system:f
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\ftp.exe" /e /t /g everyone:f
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g everyone:f
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\ftp.exe" /e /t /g everyone:f
    3⤵
    PID:628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g everyone:f
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\ftp.exe" /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g system:f
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\ftp.exe" /e /t /g system:f
    3⤵
    PID:464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\SysWOW64\ftp.exe" /e /t /g system:f
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Rsytvcp.exe
    3⤵
    - Kills process with taskkill
    PID:4504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Rsytvcp.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Nvdxgiwrap.exe
    3⤵
    - Kills process with taskkill
    PID:1692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Nvdxgiwrap.exe
    3⤵
    - Kills process with taskkill
    PID:4916
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Rsytvcem" /t /e /c /r everyone
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Rsytvcem" /t /e /c /r system
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1232
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Nvdxgiwrap" /t /e /c /r everyone
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Nvdxgiwrap" /t /e /c /r system
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Rsytvcem" /t /e /c /r everyone
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Rsytvcem" /t /e /c /r system
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Nvdxgiwrap" /t /e /c /r everyone
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Nvdxgiwrap" /t /e /c /r system
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1464
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Rsytvcem" /t /e /c /r everyone
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Rsytvcem" /t /e /c /r system
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Nvdxgiwrap" /t /e /c /r everyone
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Nvdxgiwrap" /t /e /c /r system
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Rsytvcem\*" /t /e /c /r everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3940
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Rsytvcem\*" /t /e /c /r system
    3⤵
    - System Location Discovery: System Language Discovery
    PID:980
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Nvdxgiwrap\*" /t /e /c /r everyone
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Nvdxgiwrap\*" /t /e /c /r system
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Rsytvcem\Rsytvcp.exe" /t /e /c /r everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1524
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Rsytvcem\Rsytvcp.exe" /t /e /c /r system
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Nvdxgiwrap\Nvdxgiwrap.exe" /t /e /c /r everyone
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Nvdxgiwrap\Nvdxgiwrap.exe" /t /e /c /r system
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Rsytvcem\*" /t /e /c /r everyone
    3⤵
    PID:444
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Rsytvcem\*" /t /e /c /r system
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Nvdxgiwrap\*" /t /e /c /r everyone
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Nvdxgiwrap\*" /t /e /c /r system
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Rsytvcem\Rsytvcp.exe" /t /e /c /r everyone
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Rsytvcem\Rsytvcp.exe" /t /e /c /r system
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Nvdxgiwrap\Nvdxgiwrap.exe" /t /e /c /r everyone
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Nvdxgiwrap\Nvdxgiwrap.exe" /t /e /c /r system
    3⤵
    PID:3968
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows Nvdxgiwrap"
    3⤵
    - Launches sc.exe
    PID:3464
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Corporati Windows Rsytvcem"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sysdo.exe
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\cacls.exe
    Cacls c:\windows\temp\conhoy.exe /t /e /c /r everyone
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\cacls.exe
    Cacls conhoy.exe /t /e /c /r everyone
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\cacls.exe
    Cacls conhoy.exe /t /e /c /r system
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2072
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im conhoy.exe
    3⤵
    - Kills process with taskkill
    PID:4744
- - C:\Windows\SysWOW64\cacls.exe
    Cacls C:\Windows\system\msinfo.exe /t /e /c /r everyone
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\cacls.exe
    Cacls msinfo.exe /t /e /c /r everyone
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\cacls.exe
    Cacls msinfo.exe /t /e /c /r system
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msinfo.exe
    3⤵
    - Kills process with taskkill
    PID:2144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msinfo.exe
    3⤵
    - Kills process with taskkill
    PID:4996
- - C:\Windows\SysWOW64\cacls.exe
    Cacls C:\Windows\system/t /e /c /r everyone
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\cacls.exe
    Cacls C:\Windows\INF\aspnet/t /e /c /r everyone
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\cacls.exe
    Cacls lsma12.exe /t /e /c /r everyone
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\cacls.exe
    Cacls lsma12.exe /t /e /c /r system
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lsma12.exe
    3⤵
    - Kills process with taskkill
    PID:3328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lsma12.exe
    3⤵
    - Kills process with taskkill
    PID:3948
- - C:\Windows\SysWOW64\cacls.exe
    Cacls csrs.exe /t /e /c /r everyone
    3⤵
    PID:732
- - C:\Windows\SysWOW64\cacls.exe
    Cacls csrs.exe /t /e /c /r system
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\cacls.exe
    Cacls C:\Windows\SysWOW64\csrs.exe /t /e /c /r everyone
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csrs.exe
    3⤵
    - Kills process with taskkill
    PID:4312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im csrs.exe
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftWindows" /F
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "Mysa" /F
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "Mysa1" /F
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "Mysa2" /F
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "Mysa3" /F
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "OKa" /F
    3⤵
    PID:544
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "OK" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1064
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftsWindows" /F
    3⤵
    PID:4712
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftsWindowsu" /F
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftsWindowsy" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:364
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "At1" /F
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "At2" /F
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "45645" /F
    3⤵
    PID:676
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Delete /TN "MicrosoftsWindowsy" /F
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\sc.exe
    sc delete "xwinwpdsrv"
    3⤵
    - Launches sc.exe
    PID:5020
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\ProgramData\Oracle\Java\java.exe" /t /e /c /r everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1320
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\ProgramData\Oracle\Java\java.exe" /t /e /c /r system
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\ProgramData\Oracle\Java\java.exe" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:4216
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\ProgramData\Oracle\Java\java.exe" /t /e /c /r system
    3⤵
    - Enumerates connected drives
    PID:4264
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\ProgramData\Oracle\Java\java.exe" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:1372
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\ProgramData\Oracle\Java\java.exe" /t /e /c /r system
    3⤵
    - Enumerates connected drives
    PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im java.exe
    3⤵
    - Kills process with taskkill
    PID:3988
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Windows\svchost.com" /t /e /c /r everyone
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Windows\svchost.com" /t /e /c /r system
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Windows\svchost.com" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    PID:2972
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "D:\Windows\svchost.com" /t /e /c /r system
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:4244
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Windows\svchost.com" /t /e /c /r everyone
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:2968
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "E:\Windows\svchost.com" /t /e /c /r system
    3⤵
    - Enumerates connected drives
    PID:3040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im svchost.com
    3⤵
    - Kills process with taskkill
    PID:3936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im WavesSys.exe
    3⤵
    - Kills process with taskkill
    PID:1952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im SvidaPctb.exe
    3⤵
    - Kills process with taskkill
    PID:1732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im GthUdTask.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5084
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im BthUdTask.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OmdBase.exe
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im System.exe
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Maker" /t /e /c /d everyone
    3⤵
    PID:512
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Maker" /t /e /c /d system
    3⤵
    PID:800
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Maker" /t /e /c /d everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1884
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft Maker" /t /e /c /d system
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Maker" /t /e /c /d everyone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3324
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files\Microsoft Maker" /t /e /c /d system
    3⤵
    PID:960
- - C:\Windows\SysWOW64\cacls.exe
    Cacls "C:\Program Files (x86)\Microsoft StuSystem" /t /e /c /d everyone
    3⤵
    PID:4896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\cacls.exe /e /t /g everyone:f
  2⤵
  PID:2064
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\cacls.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1304
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
    3⤵
    PID:3600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
  2⤵
  PID:4676
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cacls.exe /e /t /g everyone:f
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
  2⤵
  PID:3488
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cacls.exe /e /t /g everyone:f
    3⤵
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\cacls.exe /e /t /g system:f
  2⤵
  PID:1224
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cacls.exe /e /t /g system:f
    3⤵
    PID:4276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\cacls.exe /e /t /g system:f
  2⤵
  PID:3828
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
    3⤵
    PID:4604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\cacls.exe /e /t /g system:f
  2⤵
  PID:4948
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cacls.exe /e /t /g system:f
    3⤵
    PID:628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4084
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cacls.exe /e /t /g system:f
    3⤵
    PID:4984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\cmd.exe /e /t /g everyone:f
  2⤵
  PID:4920
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
    3⤵
    PID:5236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\cmd.exe /e /t /g everyone:f
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
    3⤵
    PID:5264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /t /g everyone:f
    3⤵
    PID:5320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4476
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /t /g everyone:f
    3⤵
    PID:5244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\cmd.exe /e /t /g system:f
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /t /g system:f
    3⤵
    PID:5400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\cmd.exe /e /t /g system:f
  2⤵
  PID:3432
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
    3⤵
    PID:5288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\cmd.exe /e /t /g system:f
  2⤵
  PID:3208
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\cmd.exe /e /t /g system:f
    3⤵
    PID:5304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
  2⤵
  PID:4852
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\cmd.exe /e /t /g system:f
    3⤵
    PID:5332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\ftp.exe /e /t /g everyone:f
  2⤵
  PID:5064
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
    3⤵
    PID:5360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\ftp.exe /e /t /g everyone:f
  2⤵
  PID:1460
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
    3⤵
    PID:5844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
  2⤵
  PID:756
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\ftp.exe /e /t /g everyone:f
    3⤵
    PID:5456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\ftp.exe /e /t /g everyone:f
    3⤵
    PID:5480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\system32\ftp.exe /e /t /g system:f
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\ftp.exe /e /t /g system:f
    3⤵
    PID:5228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls %systemroot%\SysWOW64\ftp.exe /e /t /g system:f
  2⤵
  PID:2972
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
    3⤵
    PID:5836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32\ftp.exe /e /t /g system:f
  2⤵
  PID:3448
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\ftp.exe /e /t /g system:f
    3⤵
    PID:5668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
  2⤵
  PID:1420
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\SysWOW64\ftp.exe /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
  2⤵
  PID:2968
- - C:\Windows\SysWOW64\cacls.exe
    cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
  2⤵
  PID:2780
- - C:\Windows\SysWOW64\cacls.exe
    cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« CPUÊÍ·ÅÃû £« e /t /g everyone:f
    3⤵
    PID:5632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
  2⤵
  PID:3540
- - C:\Windows\SysWOW64\cacls.exe
    cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
  2⤵
  PID:5084
- - C:\Windows\SysWOW64\cacls.exe
    cacls £« È¡ÌØ¶¨Ä¿Â¼ (11) £« sqlageatc.exe £« e /t /g everyone:f
    3⤵
    PID:5792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1316
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:5728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:512
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQL~1\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:5888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
  2⤵
  PID:3608
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /t /g system:f
    3⤵
    PID:5856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:3344
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\MSSQLSERVER\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:5752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:800
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:5868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:1848
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:544
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:5744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:1884
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:5700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:1612
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:5736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:3500
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g system:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:3324
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:5500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:4020
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:5708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:960
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\1\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:5312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
  2⤵
  PID:4036
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g system:f
    3⤵
    PID:5720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
  2⤵
  PID:444
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Users\Administrator\AppData\Local\Temp\2\sqlageatc.exe /e /t /g everyone:f
    3⤵
    PID:5772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im cmd.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    - Kills process with taskkill
    PID:6004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im cacls.exe
  2⤵
  PID:6068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cacls.exe
    3⤵
    - Kills process with taskkill
    PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempUpdate2.bat

Filesize
20KB

MD5
1d2e1796333e760e1c23814ff1dd866d

SHA1
af00c86e4d35219ed5be85490f33f0c2f5bb8e85

SHA256
20afa16cee1f051a7163b2245dd51412aa7d04a578a3351e3021ad3388dfa7a6

SHA512
94feb9e580fe3e654ab838095d09a068315d96211e4b120599ef8b076b8ed836b7019260f9c0202c55b282cc2d880b3d07f920098836ddcebd193bfbd1749581

Download Submit
memory/1856-0-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/1856-1-0x00000000023F0000-0x00000000023FB000-memory.dmp

Filesize
44KB

Download
memory/1856-2-0x00000000023F0000-0x00000000023FB000-memory.dmp

Filesize
44KB

Download
memory/1856-3-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/1856-4-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/1856-7-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/1856-9-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/1856-10-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download